RSA security hack not affecting Blizzard authenticators

Pokzin,
The Blizzard Authenticators are based off modified Vasco tokens. I'm sorry to hear about RSA's troubles, but it will not affect the Blizzard Authenticator.
It doesn't look like Blizzard will be harmed by this at all. As a reminder, please keep your account safe by not clicking links in emails that don't appear to be from Blizzard, always check your email headers for incoming email addresses, and if you have any questions about whether an email is legitimate, contact Blizzard first. And do please get an authenticator for your account. Check out some of our own security articles here.

Reader Comments (Page 1 of 2)
Sleutel Mar 18th 2011 3:38PM
I love that WoW is safe while the tokens used by the huge global company I work for aren't.
pwn3d Mar 18th 2011 3:45PM
What makes you certain that wow is safe?
Sleutel Mar 18th 2011 3:47PM
I'm sorry that you were unable to properly interpret my comment as "WoW is unaffected by this particular hack." Next time I will endeavor to remember to post all comments in the form of a complex diagram showing my exact meaning and excluding all other possible ridiculous interpretations.
John Mar 18th 2011 3:52PM
The article indicates that EMC had their networks infiltrated, not that someone has figured out how to remotely predict the 6-digit key a given RSA device will cough up.
Now, the questions are:
1. why didn't EMC use their own product to enhance security?
2. did the people who hacked EMC use access to the EMC network that is not protected by an RSA key?
pwn3d Mar 18th 2011 3:57PM
Along with the complex diagrams, please include interesting or informative content as well.
Sleutel Mar 18th 2011 4:03PM
@pwn3d:
Here is a diagram I believe may assist you in comprehending this comment thread.
http://i54.tinypic.com/257davm.jpg
Hollow Leviathan Mar 18th 2011 4:07PM
What's not interesting about our MMO video game accounts being more secure than, say, the network of a cyber-intelligence firm like HBGary or whatever undisclosed major corporation for which Sleutel works?
pwn3d Mar 18th 2011 4:11PM
@Sleutel
ur mom
icepyro Mar 18th 2011 4:40PM
Okay, since Sleutel won't explain it to you, allow me.
According to the article, the data that was hacked was more along the lines of source code to how the fobs work.
The Blizzard authenticator is already well known and if you want to make an app that imitates the Blizzard authenticator, you can.
The data that is missing as to why WoW is safe is the combination of the internal key unique to the fob, the exact time the database server has, which it uses to encode the key and come up with the expected authenticator code, and what account that fob is associated with.
As long as that database is safe, which it is, which those that use RSA is still, and so on, then your account is safe.
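The point in the comment above (a code depends on the fob's own key, the server's clock and the account binding, so knowing the algorithm alone is not enough) as an added example that is not part of the original thread. It uses the public RFC 6238 TOTP construction as a stand-in, not Blizzard's or Vasco's actual algorithm; the account name, the guessed key and the function names are constructed.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per code window (RFC 6238 default, assumed here)

def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: code = f(per-device secret, time)."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(db: dict, account: str, code: str, server_time: int,
           drift_steps: int = 1) -> bool:
    """Server side: fetch the secret bound to the account, recompute the code
    for the server's own clock (plus/minus drift) and compare."""
    secret = db.get(account)
    if secret is None:
        return False
    return any(
        hmac.compare_digest(totp(secret, server_time + k * STEP), code)
        for k in range(-drift_steps, drift_steps + 1)
    )

# Constructed data: the secret is the RFC 6238 test key, the account is made up.
DB = {"player1": b"12345678901234567890"}
NOW = 1111111109  # RFC 6238 test time

def demo() -> dict:
    fob_code = totp(DB["player1"], NOW)         # what the real fob shows
    guess = totp(b"attacker-guessed-key", NOW)  # right algorithm, wrong key
    return {
        "genuine": verify(DB, "player1", fob_code, NOW),
        "slow_clock": verify(DB, "player1", totp(DB["player1"], NOW - STEP), NOW),
        "wrong_key": verify(DB, "player1", guess, NOW),
        "stale": verify(DB, "player1", totp(DB["player1"], 59), NOW),
        "unknown_account": verify(DB, "nobody", fob_code, NOW),
    }

if __name__ == "__main__":
    print(demo())
```

Only the codes derived from the stored secret inside the drift window verify; the same algorithm with a different key, an old code, or an account with no bound secret is rejected.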
PJ Mar 18th 2011 5:47PM
Sleutel there is no reason to be an arrogant ass. He quite rightly asks you how you know. And the fact is you don't know. You want to believe. Of course a company is going to say they are safe, no company is going to say "we are totally insecure, and if you use our services you may get hacked."
People believe that statement, but they don't know.
pwn3d Mar 18th 2011 11:13PM
I actually could write at some length about PKI, security tokens and wow security specifically since I have a background on those topics. But seeing what posts get highlighted and what gets voted down around here illustrates to me that my time would be better spent explaining the concept of newspapers to my dog. A few people wanted to discuss the subject, but a few seem determined to blather on this subject which they know little about as they seem to do with every other topic.
Sleutel Mar 18th 2011 11:56PM
@pwn3d:
It was nice that you turned that hardtoken keyfob in to lost and found that one time, but I'm not sure it quite qualifies as a "background."
johnthediver Mar 18th 2011 3:55PM
As a reminder, please keep your account safe by not clicking links in emails that don't appear to be from Blizzard,
Let me fix that for you...
As a reminder, please keep your account safe by not clicking links in emails, even if they appear to be from Blizzard.
Hollow Leviathan Mar 18th 2011 4:05PM
In fact, you should probably give it a long hard think before you click links in emails, or links of any sort.
Also, disable flash ads as often as humanly possible. Your personal safety is worth making a few companies weep for lost ad revenue. They can use jpg or text ones next time.
incoming00 Mar 18th 2011 4:29PM
I've received many emails that appear to be from Blizzard, sometimes even using the exact email that Blizzard sends me in their response. A few things that give me the idea it isn't real is that every response from Blizzard they address me by my first name. The fake email just says 'Hello'. Secondly, World of Warcraft will be misspelled (like worldofewararcft). Any email I get now, regardless if the email is legit from Blizz or not, I just sign out, close my browser and open a different browser and log in directly into the main website. Most of the emails I get nowadays are regarding changes to my account, so I log in to be safe nothing has been changed.
Eirik Mar 18th 2011 4:35PM
My email reader at home is set up to not display HTML, causing links to be shown in full text. This makes it astoundingly easy to see that someone buttered up a us.battle.net link through some third site.
The closest I came to being sunk, though, was when I used a browser email interface to look through the spam folder (which my ISP doesn't forward to me normally). And that, sadly, can't be configured to display the emails "without HTML".
So I couldn't see the URL before I clicked on the link. The fact it sent me to a page asking for a password when it should not have was a clear indication that I wasn't in kansas any more, and the kindly man with the magic mushrooms didn't give them to me for my health....
icepyro Mar 18th 2011 4:46PM
Just so you understand how email works (or any form of mail for that matter), it does not verify the sender. There are many programs that can send an email that has a return address of an official Blizzard (or anybody for that matter) address.
I can also make links in email say one thing and link to another (as can anybody).
This is why you should never click a link in email.
<insert "the more you know" splash animation>
Eirik Mar 18th 2011 5:12PM
@icepyro: "I can also make links in email say one thing and link to another" ... which is why I prefer to read email in text (vs HTML). Also, less chance of inadvertently clicking on a link when doing copy/paste when reporting.
Ronin Mar 18th 2011 8:02PM
How about just making sure that the email associated with your account, is not used for _anything_ else?
I used to use my main email account for my WoW account. I would get occasional phishing emails dressed up to (try to) look like they came from Blizzard. Then I made a new email account which I _only_ use for my WoW account. I also have a third address that I made specifically to create an account so I can post on a certain WoW fan-blog.
Of those three emails, guess which one never gets phishing emails? That's right, the one actually associated with my WoW account.
My original, generic email that I still use for friends and family (and that I've used in the past to sign up for various WoW fansites and guild websites) gets MULTIPLE phishing emails DAILY. (It also gets lots of spam mail like most email addresses do.) Most of the phishing emails are obvious fakes; some are copy-pastes of actual Blizzard emails, but from a modified email address. I mark them all as phishing scams, because (above and beyond everything else) Blizzard has a different email for me, so I know these aren't real.
The WoW email account I created _only_ gets the occasional email from Blizzard. Never any spam mail, and never any phishing email.
The third account, that I made to register for that WoW fansite, gets two or three pieces of spam per week. None of them WoW-related.
You can see my point: Blizzard never sells/gives away my WoW email address. The other addresses I use, have been given away/sold/whatever. If you have your WoW email address/account name set up so that is the _only_ thing you use that address for, you won't be getting cleverly disguised emails that you have to go check to see if they're real or not.
Biskit333 Mar 18th 2011 4:19PM
In addition to watching the from address in emails, it is important to check if the message has been forwarded through another account and what service sent it. Hackers can mask their email to appear identical to the real Blizzard ones, but the header will show you that if it really was sent from b1izz4rdd@hotmail.com, it isn't legit. To be safe, as other commenters have said, never click links in emails. I believe all of the current messages from Blizzard give you instructions on how to navigate to the appropriate pages through battle.net, and do not include direct links.
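The two checks commenters describe above (the real sender address in the headers, and links whose visible text differs from where they go), as an added example that is not part of the original thread. The trusted-domain list, the single-part HTML message and the `battle-net.example` host are constructed assumptions; the sender address is the one quoted in the comment above.

```python
import email
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
TRUSTED = ("battle.net", "blizzard.com")  # assumption: domains the reader trusts

def trusted(host):
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

class Links(HTMLParser):  # collects (visible text, href) for every <a> element
    def __init__(self):
        super().__init__()
        self.found, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.found.append(("".join(self._text).strip(), self._href))
            self._href = None

def shown_host(text):  # host named in the link text, if the text looks like a URL
    if " " in text or "." not in text:
        return None
    return urlparse(text if "://" in text else "//" + text).hostname

def audit(raw):
    msg = email.message_from_string(raw)
    findings, addr = [], parseaddr(msg.get("From", ""))[1]
    # A forged From passes this check, so it only catches lazy fakes.
    if not trusted(addr.rpartition("@")[2]):
        findings.append("sender outside trusted domains: " + addr)
    parser = Links()
    parser.feed(msg.get_payload())  # assumes a single-part HTML body
    for text, href in parser.found:
        target, shown = urlparse(href).hostname, shown_host(text)
        if shown and shown != target:
            findings.append(f"link shows {shown} but goes to {target}")
        elif not trusted(target):
            findings.append(f"link goes to untrusted host {target}")
    return findings

# Constructed sample message, not a real phishing e-mail.
PHISH = ("From: \"Blizzard\" <b1izz4rdd@hotmail.com>\nContent-Type: text/html\n\n"
         '<a href="http://login.battle-net.example/x">https://us.battle.net/login</a>')
```

Calling `audit(PHISH)` reports both the sender and the mismatched link; a message with a forged trusted `From` is still caught by the link check.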