Battle.net Authenticator Changes

85 Tauren Paladin
3150
While your concerns are noted, your account is no less secure than it was before. The only change is that you will only be prompted once a week to enter it unless you change IP address, at which point you'll need to enter your authenticator code.

The thing is, it's not "as secure". It's less secure. Until the clear methods of abusing this change which have been described are made impossible, just saying it's "as secure" doesn't actually make it so. If it did, then let me be the first to say "I have a million pounds". No, still hasn't worked.

There are a lot of valid concerns, which our developers are aware of, however we cannot give a direct response to all posts made.

Never the less we are not ignoring any feedback posted, it's read and noted.
The thing is, whilst I understand the need for some level of secrecy here about how systems work, I will mention the age-old argument about security by obscurity. It's never a good way.

Just stating that "it's no less secure" without saying anything more isn't really going to fill me (and I suspect many others) with confidence. If the point you're making is that we should blindly trust you, then no. I don't blindly trust anyone! Certainly not until the trust is earned.
85 Tauren Paladin
3150

As for authenticator information, this is managed server side not on your actual system.


It is saving data to a folder in the registry under: HKEY_CURRENT_USER > software > blizzard entertainment > battle.net, in a folder cunningly named "authenticator". It creates 2 reg-binary files related to the authenticator, and these decide whether the client asks for a code or not. Which is why you can remote through a victim's PC and log in to their account without needing a code.

We don't know what they mean yet, but it's only a matter of time before someone decodes them. If you deny write permissions to that folder it will not save anything and will ask you for a code every login.
My suspicion is that this is cached details about some generic hardware traits for the machine. This is so you can't just copy the key. It's a nice idea. But even discounting the fact that someone may work out how this is encoded and be able to use it to key their own machine, it's irrelevant, since I've outlined some ideas that would mean this wouldn't be much of a barrier anyway.
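As an added example (not Blizzard's code and not from any poster in this thread), the following Python models the server-side half of the scheme the post above and the earlier Blizzard reply describe: a "remember this device" trust that lasts a week, is bound to the IP address it was granted from, and is represented on the client by an opaque blob in the role of the registry values the poster found. It also adds the per-account "always ask for the code" switch that several posters request, plus a revoke operation a support team would want after a lockout. The token format, hashing, field names, timestamps and sample addresses are all assumptions made for illustration; the case where a cached token is replayed from the same address is included because that is the limitation the thread discusses, and the always-prompt policy is what closes it.

```python
"""Model of a 'remember this device' second-factor cache (added example, not Blizzard code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

TRUST_WINDOW_SECONDS = 7 * 24 * 3600  # the weekly re-prompt described in the thread


@dataclass
class TrustRecord:
    token_hash: bytes   # server keeps only a hash of the token the client caches
    ip: str             # network location the trust was granted from
    issued_at: int      # unix time of the full (password + code) login


@dataclass
class TrustedDeviceStore:
    records: Dict[str, List[TrustRecord]] = field(default_factory=dict)
    always_prompt: Set[str] = field(default_factory=set)  # accounts that opted out of caching

    @staticmethod
    def _digest(token: str) -> bytes:
        return hashlib.sha256(token.encode("utf-8")).digest()

    def issue(self, account: str, ip: str, now: int) -> str:
        """Call after a successful password + authenticator login.

        Returns the opaque token the client stores locally (the role the
        registry values in the post play); only its hash is kept server-side.
        """
        token = secrets.token_urlsafe(32)
        self.records.setdefault(account, []).append(TrustRecord(self._digest(token), ip, now))
        return token

    def requires_code(self, account: str, token: Optional[str], ip: str, now: int) -> bool:
        """Decide whether this login must present an authenticator code."""
        if account in self.always_prompt or token is None:
            return True
        digest = self._digest(token)
        for rec in self.records.get(account, []):
            if not hmac.compare_digest(rec.token_hash, digest):
                continue
            if now - rec.issued_at > TRUST_WINDOW_SECONDS:
                return True   # weekly window has elapsed
            if rec.ip != ip:
                return True   # trust is bound to the address it was granted from
            return False      # valid cached trust: skip the code
        return True           # unknown or revoked token

    def revoke(self, account: str) -> None:
        """Drop every cached trust for the account (e.g. after a lockout or support ticket)."""
        self.records.pop(account, None)


def demo() -> Dict[str, bool]:
    """Walk through the cases raised in the thread; returns which ones require a code."""
    store = TrustedDeviceStore()
    t0 = 1_310_000_000                                   # constructed timestamp
    home_ip, cafe_ip = "198.51.100.10", "203.0.113.7"    # constructed, documentation ranges
    token = store.issue("player", home_ip, t0)
    out = {
        "first_login_no_cache": store.requires_code("player", None, home_ip, t0),
        "same_ip_next_day": store.requires_code("player", token, home_ip, t0 + 86_400),
        "same_ip_after_8_days": store.requires_code("player", token, home_ip, t0 + 8 * 86_400),
        "copied_token_other_ip": store.requires_code("player", token, cafe_ip, t0 + 3_600),
        # the gap the thread describes: IP binding alone does not stop a replay from the same address
        "replayed_token_same_ip": store.requires_code("player", token, home_ip, t0 + 3_600),
    }
    store.always_prompt.add("player")                    # the opt-out posters ask for closes that gap
    out["opted_into_always_prompt"] = store.requires_code("player", token, home_ip, t0 + 3_600)
    store.always_prompt.discard("player")
    store.revoke("player")
    out["after_revoke"] = store.requires_code("player", token, home_ip, t0 + 3_600)
    return out


if __name__ == "__main__":
    for case, needs_code in demo().items():
        print(f"{case}: {'code required' if needs_code else 'no code'}")
```

The server never stores the raw token, so a leak of the server-side table does not yield replayable device trust, and the comparison is constant-time. What the model makes visible is that binding trust to an IP address only protects against a token used from elsewhere; the per-account always-prompt policy is the control that restores a code on every login.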
85 Undead Priest
8770
Just a bit @*@# that, even if you get an authenticator, if you log in from a different country (town) you get locked out of your account. I mean come on... Accounts without an authenticator I could understand, but accounts with an authenticator is bull@*@#. I got locked out as I was about to log in from a friend's place in the UK (I'm from NL), so I got all freaked out about it.

This is something I was already afraid of and it happened.
87 Blood Elf Priest
10560
10/07/2011 18:06 Posted by Shamit
Will you people please shut the hell up about spoofing IP addresses? Read the thread and realize it's not a valid attack vector.

God dammit...


True, the IP alone won't work. But if you tunnel through another PC (e.g. one you have a keylogger on) you can get into their account without an authenticator. This definitely works as I've tested it using my own account. It's a flaw that was brought up on day 1 of the changes, but Blizzard have ignored it.

Since this is such an obvious flaw and not something Blizzard would miss (I hope), they must have made this change for money reasons, reducing bandwidth usage at the cost of people who use authenticators. There is a way to re-enable it though by altering the registry and preventing WoW from saving authenticator info on your system :)

How is that different from a man-in-the-middle attack through a backdoor? (Security-wise)
If an attacker is able to tunnel through you, it doesn't matter if you need to put in your key or not.

As far as I know, SSH ports are locked by default and those connections are prevented as well by a normally configured Windows PC*.

*I believe you have to specifically open those ports, and I don't think Windows even supports SSH connections out of the box.
87 Blood Elf Priest
10560
Just a bit @*@# that, even if you get an authenticator, if you log in from a different country (town) you get locked out of your account. I mean come on... Accounts without an authenticator I could understand, but accounts with an authenticator is bull@*@#. I got locked out as I was about to log in from a friend's place in the UK (I'm from NL), so I got all freaked out about it.

This is something I was already afraid of and it happened.

You should be able to put a "will be logging in abroad next time" flag on your account at least.
It's truly ridiculous. I think my fiancée once had her account locked for logging in from another part of the country.
87 Blood Elf Priest
10560

Never the less we are not ignoring any feedback posted, it's read and noted.

OT language question:
Which is the correct way to write never the less: Nevertheless or never the less?
I've always written it as one word. (Not a native speaker)
87 Tauren Druid
11325
This is not as secure. Take the scenario below:

Log onto a friend's computer / internet cafe. Keyloggers, which are so easy to get, capture details. There's then nothing stopping someone logging onto your account.

Having an authenticator or phone that you can carry around will prevent this. I can see why people don't always want to be prompted, however it should be optional. I find it reassuring to put in the code (and it only takes a matter of seconds).
85 Undead Rogue
0
Until somebody actually gets hacked because of this change (which nobody has been so far), people haven't got grounds to complain.
3 Blood Elf Warrior
0
Well, as the authenticator was sold to me under the condition that I got a one-time-use code to enter every time I log on, now changed to maybe once a week or month or whatever, that gives me grounds, I think. Would you be a little worried if you didn't have to input a password at all? Because that's about the same thing really. If you don't have to put in a password every time, then keyloggers are even less likely to get account details.
90 Blood Elf Paladin
14370
Also there is another issue.

If you're playing WoW on a public PC (internet cafe etc.) and that PC is infected by a keylogger etc., when you finish playing your login details are still there, and if a hacker is in the same cafe, the hacker can access the account without an auth code, because the IP doesn't change very often in public internet areas (internet cafes etc.).

How about that?

Even though I like it, it's very dangerous if you aren't playing on your own PC!!!

I often play from an internet cafe, arenas, BGs or instances, just because it's more fun to be near each other when playing, and this change worries me. One of my friends got hacked at one internet cafe that we went to; he was the only one of us that didn't have an authenticator, but he bought one after that so we could continue playing from internet cafes from time to time. Now this worries me a lot. I bought this to use it, but Blizzard wants me to use it less? When I use it at my PC I have no problem, I actually like that I don't have to insert the code each time, but there should be an option to disable or enable this via Battle.net.
81 Blood Elf Warlock
2425
I agree. This is a bad change. We paid for authenticators which work in a stated way; by changing how they work you are ripping us off.

Even if everyone were using the free iPod/iPhone app and not a physical authenticator, I would still be annoyed that the changed functionality wasn't better communicated to people, causing alarm for many.

Look at the overwhelming tone of the posts in this forum. You simply have to change it back.
10 Gnome Mage
0
17/06/2011 10:48 Posted by Johnothn
A nice move.. but if your machine is infected and somebody has remote access to your machine.. wouldn't they then be able to log into your account from there too?

Most infections are RATs, meaning they can control your PC completely, and while you're AFK or leave your PC on overnight your account could be completely destroyed. Then good luck making a ticket saying you got hacked, because they've done it all on your IP, so a GM will just think it's a scam to double your wealth on WoW by giving it to a friend and saying you were hacked.
85 Blood Elf Rogue
4870


True, the IP alone won't work. But if you tunnel through another PC (e.g. one you have a keylogger on) you can get into their account without an authenticator. This definitely works as I've tested it using my own account. It's a flaw that was brought up on day 1 of the changes, but Blizzard have ignored it.

Since this is such an obvious flaw and not something Blizzard would miss (I hope).


Oh yeah, the fact that anyone could log into ANY account with Rift was pretty obvious as well, still it took them WEEKS and like a million hacked accounts before the problem became obvious and even then it was a PLAYER that found the problem. Add to that the fact that stupid ##@* like SQL Injection is still the No1 way systems get compromised and I'm very very doubtful that nothing obvious could get missed "even" by Blizzard (ask Sony, Nintendo, Microsoft, ... about their great unbreakable security).

They must have made this change for money reasons, reducing bandwidth usage at the cost of people who use authenticators. There is a way to re-enable it though by altering the registry and preventing wow from saving authenticator info on your system :)

How is that different than a man-in-the-middle attack through a backdoor? (Security wise)
If an attacker is able to tunnel through you, it doesn't matter if you need to put in your key or not.

If they manage to get your key (which has to be some key/hash stored locally) together with probably your IP (though my IP has changed a few times, so they might be using the MAC instead, still trivially spoofable), they've got free rein on your account.

As far as I know, SSH ports are locked by default and those connections prevented aswell by a normally configured Windows PC*.

*I believe you have to specifically open those ports and


Wrong. Windows barely blocks anything outgoing and certainly not SSH (I use it daily, never get prompted by UAC about it). In fact if anything is unlikely to be blocked it is SSH (only http(s)/imap(s)/pop3(s) are less likely), and if that is an issue just run your SSH server on port 80, problem solved.

I don't think Windows even supports SSH connections out of the box.


Right, but that doesn't matter, as a GUI SSH program is already less than 0.5 MB (PuTTY), so getting something with SSH support onto a PC is trivial if you already have access.

Anyway, it's probably still secure enough for a game, but I'd rather turn it off and put in my key every time. The fact that Blizzard doesn't want to give any meaningful details about the security scheme to me means it's unreliable and probably relies on the hackers being too dumb to find out how it works. Hint: gold selling and account cracking is big business, they WILL find out, and when they do...
85 Troll Druid
8270
I just got asked to enter my authenticator code at the login screen. Is this normal? Kinda freaks me out now because they made this change..

EDIT:
Last week I got asked for the code as well, I thought it was a bug or something.
But this week (today) I got asked for my code again (just once a week though, it seems).
Is this normal Blizz?

Would love a blue response, it would calm me (and maybe others with the same 'problem').
Edited by Younicorn on 14/07/2011 22:15 BST
90 Worgen Death Knight
14390
I'd like to say I love the change, at least since I almost never log in from another location other than from my home. An opt-in option, however, would be quite good, I suppose, for those who don't really "feel" protected anymore.
Blizzard Employee
Last week I got asked for the code as well, I thought it was a bug or something.
But this week (today) I got asked for my code again (just once a week though, it seems).
Is this normal blizz?


Yes it is :)
90 Night Elf Druid
10860
I just attached an authenticator to my account, and I'm glad that it doesn't ask for the code every time I log in. That was the main thing holding me back from purchasing one in the first place. The game sometimes drops me to login screen when changing characters. I'd hate to type in authenticator code every time I drop out while I'm in a major cross-alt crafting rage.
100 Dwarf Paladin
13110
There is one basic principle about security (not just computer security), that generations of engineers have had to re-learn again and again the hard way, because for some reason it is always omitted from the text books. It is simply this:

Security and Convenience are Antagonists.

I am not a professional cryptographer, but I have a solid math and CS background. I ... erm ... reverse engineered a few secured pieces of software in my youth. :-) Later on I hardened a USB dongle or two by designing custom (but not obscured) authentication protocols that could withstand attacks with USB monitoring hardware (unlike the standard software included with the dongle). I had followed COMP.RISKS for a few years before that - it's amazing how creative attackers can be, and how stupid defenders ...

And I am telling you that whenever you make any security procedure more convenient, you are almost always making it less secure. If you don't see a loss of security, chances are extremely high that you are missing something.


I am pretty sure that your statistics guys were telling you that the new Battle.Net authenticator scheme would still catch 99.999whatever% of fraudulent login attempts. Those statistics, however, do not and cannot account for new attack vectors opened by a weakened process (but let's not go into statistics here).


Some people in this thread obviously value the gain in convenience. So overall security can possibly be improved by getting a larger fraction of the player base to actually utilize this additional security feature. But other people don't like their personal loss of security, and would rather refuse the additional convenience to stay more secure.

I suggest you let players decide individually if they want to be prompted for a code always, hourly, daily, or weekly. Those who ask for less convenience are not as paranoid as you might think.
Edited by Mücke on 15/07/2011 15:42 BST
90 Undead Priest
9845

I suggest you let players decide individually if they want to be prompted for a code always, hourly, daily, or weekly. Those who ask for less convenience are not as paranoid as you might think.

No, it should be enabled at all times; if not, the hacker can easily get in and change the value if he is able to change it. In the end you're sitting there thinking you are actually secure when you are not!

There is a reason for why I want my authenticator to prompt me every time for a login:

In each login, the code is valid for like 1 minute - if my PC is infected/whatever it is still just a 1 minute window, and if they try to log in in that window, I'm right there watching it. I notice if I get kicked out and am able to log back in right afterwards - check my stuff. It also acts as a warning bell that something is wrong with my PC that I clearly have to fix! (as it's highly likely my computer is infected if that happens!) This has actually saved me once before, due to lending my computer to a friend for 15 minutes and he put his stupid USB pen drive in my computer with nasty stuff on it..

Also the authenticator (non-mobile one) is a "secure" device which generates a secret that can't be sniffed as it is _not_ connected to the internet.

Why Blizzard have changed this is beyond me; I paid for an authenticator prompting me for every login... so I want this back! (without changing prompt intervals etc., as that basically makes the authenticator insecure again)


Now ... rumour says that Blizzard made these changes because the authenticator actually ran out of tokens for certain time intervals .. and that indeed rings a warning bell for me, Blizzard. I still want the original feature I paid for back, or I simply want my money back.

There's also a good old saying: why change something that works as brilliantly as it did? You simply don't change stuff that's been working, Blizzard..

(my background is bsc cmp.eng and msc sw.eng so I'm allowed to say this actually rings a few warning bells in my inner body ..)

85 Draenei Shaman
3915
I too would like to see an opt out option. I live in a house share, and any one of my housemates could see me typing my password.

I got a mobile authenticator so that I didn't have to worry about "practical jokes" and the deletion of characters I have spent a lot of time and money on.

Please Blizzard...think this through and realize this is a bad move for a lot of your paying customers!
