> While your concerns are noted, your account is no less secure than it was before; the only change is that you will only be prompted once a week to enter it unless you change IP address, at which point you'll need to enter your authenticator code.

The thing is, it's not "as secure". It's less secure. Until the clear methods of abusing this change which have been described are made impossible, just saying it's "as secure" doesn't actually make it so. If it did, then let me be the first to say "I have a million pounds". No, still hasn't worked.

The thing is, whilst I understand the need for some level of secrecy here on how systems work, I will mention the age-old argument about security by obscurity. It's never a good way. Just stating that "it's no less secure" without saying anything more isn't really going to fill me (and I suspect many others) with confidence. If the point you're making is that we should blindly trust you, then no. I don't blindly trust anyone! Certainly not until the trust is earned.
My suspicion is that this is cached details about some generic hardware traits of the machine, so that you can't just copy the key. It's a nice idea. But discounting the fact that someone may work out how this is encoded and be able to use it to key their own machine, it's irrelevant, since I've outlined some ideas that would mean this wouldn't be much of a barrier anyway.
Just a bit @*@# that, even if you get an authenticator, if you log in from a different country (town) you get locked out of your account. I mean, come on... Accounts without an authenticator I could understand, but accounts with an authenticator is bull@*@#. I got locked out as I was about to log in from a friend's place in the UK (I'm from NL), so I got all freaked out about it. You should be able to put a "will be logging in abroad next time" flag on your account at least. It's truly ridiculous. I think my fiancée once had her account locked for logging in from another part of the country.
This is something I was already afraid of, and it happened.

How is that different from a man-in-the-middle attack through a backdoor? (Security-wise.) If an attacker is able to tunnel through you, it doesn't matter if you need to put in your key or not. As far as I know, SSH ports are locked by default and those connections are prevented as well by a normally configured Windows PC*. *I believe you have to specifically open those ports, and I don't think Windows even supports SSH connections out of the box.
OT language question: Which is the correct way to write never the less: Nevertheless or never the less? I've always written it as one word. (Not a native speaker)
This is not as secure. Take the scenario below:
Log onto a friend's computer / internet cafe. Keyloggers, which are so easy to get, capture details. There's then nothing stopping someone logging onto your account. Having an authenticator or phone that you can carry around will prevent this. I can see why people don't always want to be prompted; however, it should be optional. I find it reassuring to put in the code (and it only takes a matter of seconds).
85 Undead Rogue
Until somebody actually gets hacked because of this change (which nobody has been so far), people haven't got grounds to complain.
Well, as the authenticator was sold to me under the condition that I got a one-time-use code to enter every time I log on, now changed to maybe once a week or month or whatever, that gives me grounds, I think. Would you be a little worried if you didn't have to input a password at all? Because that's about the same thing, really. If you don't have to put in a password every time, then keyloggers are even less likely to get account details.
Also, there is another issue. I often play from an internet cafe (arenas, BGs or instances) just because it's more fun to be near each other when playing, and this change worries me. One of my friends got hacked in one internet cafe that we went to; he was the only one of us that didn't have an authenticator, but he bought one after that so we could continue playing from internet cafes from time to time. Now this worries me a lot: I bought this to use it, but Blizzard wants me to use it less? When I use it at my PC I have no problem, I actually like that I don't have to insert the code each time, but there should be an option to disable or enable this via Battle.net.
I agree. This is a bad change. We paid for authenticators which work in a stated way; by changing how they work you are ripping us off.
Even if everyone were using the free iPod/iPhone app and not a physical authenticator, I would still be annoyed that the changed functionality wasn't better communicated to people, causing alarm for many. Look at the overwhelming tone of the posts in this forum. You simply have to change it back.
10 Gnome Mage
Most infections are RATs, meaning they can control your PC completely, and while you're AFK or leave your PC on overnight your account could be completely destroyed. Then good luck making a ticket saying you got hacked, because they've done it all on your IP, so a GM will just think it's a scam to double your wealth on WoW by giving it to a friend and saying you were hacked.
Oh yeah, the fact that anyone could log into ANY account with Rift was pretty obvious as well, still it took them WEEKS and like a million hacked accounts before the problem became obvious, and even then it was a PLAYER that found the problem. Add to that the fact that stupid ##@* like SQL injection is still the No. 1 way systems get compromised, and I'm very, very doubtful that nothing obvious could get missed "even" by Blizzard (ask Sony, Nintendo, Microsoft, ... about their great unbreakable security). They must have made this change for money reasons, reducing bandwidth usage at the cost of people who use authenticators. There is a way to re-enable it though, by altering the registry and preventing WoW from saving authenticator info on your system :)

> How is that different from a man-in-the-middle attack through a backdoor? (Security-wise.) If an attacker is able to tunnel through you, it doesn't matter if you need to put in your key or not.

If they manage to get your key (which has to be some key/hash stored locally) together with probably your IP (though my IP has changed a few times, so they might be using the MAC instead, still trivially spoofable), then they've got free rein on your account.

> As far as I know, SSH ports are locked by default and those connections are prevented as well by a normally configured Windows PC*.

Wrong. Windows barely blocks anything outgoing and certainly not SSH (I use it daily, never get prompted by UAC about it). In fact, if anything is unlikely to be blocked it is SSH (only http(s)/imap(s)/pop3(s) are less likely), and if that is an issue just run your SSH server on port 80, problem solved.

> I don't think Windows even supports SSH connections out of the box.

Right, but that doesn't matter, as a GUI SSH program is already less than 0.5 MB (PuTTY), so getting something with SSH support on a PC is trivial if you already have access. Anyway, it's probably still secure enough for a game, but I'd rather turn it off and put in my key every time.
The fact that Blizzard doesn't want to give any meaningful details about the security scheme to me means it's unreliable and probably relies on the hackers being too dumb to find out how it works. Hint: gold selling and account cracking is big business; they WILL find out, and when they do...
Edited by Younicorn on 14/07/11 22:15 (BST)
I just got asked to enter my authenticator code at the login screen. Is this normal? Kinda freaks me out now because they made this change..
EDIT: Last week I got asked for the code as well; I thought it was a bug or something. But this week (today) I got asked for my code again (just once a week though, it seems). Is this normal, Blizz? Would love a blue response; it would calm me (and maybe others with the same 'problem').
I'd like to say I love the change, at least since I almost never log in from a location other than my home. An opt-in option, however, would be quite good, I suppose, for those who don't really "feel" protected anymore.
I just attached an authenticator to my account, and I'm glad that it doesn't ask for the code every time I log in. That was the main thing holding me back from purchasing one in the first place. The game sometimes drops me to the login screen when changing characters. I'd hate to type in the authenticator code every time I drop out while I'm in a major cross-alt crafting rage.
Edited by Mücke on 15/07/11 15:42 (BST)
There is one basic principle about security (not just computer security) that generations of engineers have had to re-learn again and again the hard way, because for some reason it is always omitted from the textbooks. It is simply this:
Security and Convenience are Antagonists.
I am not a professional cryptographer, but have a solid math and CS background. I ... erm ... reverse engineered a few secured pieces of software in my youth. :-) Later on I hardened a USB dongle or two by designing custom (but not obscured) authentication protocols that could withstand attacks with USB monitoring hardware (unlike the standard software included with the dongle). I had followed COMP.RISKS for a few years before that; it's amazing how creative attackers can be, and how stupid defenders ... And I am telling you that whenever you make any security procedure more convenient, you are almost always making it less secure. If you don't see a loss of security, chances are extremely high that you are missing something. I am pretty sure that your statistics guys were telling you that the new Battle.Net authenticator scheme would still catch 99.999whatever% of fraudulent login attempts. Those statistics, however, do not and cannot account for new attack vectors opened by a weakened process (but let's not go into statistics here). Some people in this thread obviously value the gain in convenience, so overall security can possibly be improved by getting a larger fraction of the player base to actually utilize this additional security feature. But other people don't like their personal loss of security, and would rather refuse the additional convenience to stay more secure. I suggest you let players decide individually if they want to be prompted for a code always, hourly, daily, or weekly. Those who ask for less convenience are not as paranoid as you might think.
No, it should be enabled at all times; if not, the hacker can easily get in and change the value if he is able to change it. In the end you're sitting there thinking you are actually secure when you are not! There is a reason why I want my authenticator to prompt me every time for a login: in each login, the code is valid for like 1 minute. If my PC is infected/whatever, it is still just a 1-minute window, and if they try to log in in that window, I'm right there watching it. I notice if I get kicked out and am able to log back in right afterwards, and check my stuff. It also acts as a warning bell that something is wrong with my PC that I clearly have to fix! (As there's a high chance my computer is infected if that happens!) This has actually saved me once before, due to lending my computer to a friend for 15 minutes and he put his stupid USB pen drive in my computer with nasty stuff on it.. Also, the authenticator (non-mobile one) is a "secure" device which generates a secret that can't be sniffed, as it is _not_ connected to the internet. Why Blizzard have changed this is beyond me; I paid for an authenticator prompting me for every login... so I want this back! (Without changing prompt intervals etc., as that basically makes the authenticator insecure again.) Now ... rumours say that Blizzard did these changes because the authenticator actually ran out of tokens for certain time intervals .. and that indeed rings a warning bell, Blizzard. I still want my original feature I paid for back, or I simply want my money back. There's also a good old saying: why change something that works as brilliantly as it did? You simply don't change stuff that's been working, Blizzard.. (My background is BSc cmp.eng and MSc sw.eng, so I'm allowed to say this actually rings a few warning bells in my inner body ..)
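As an added illustration of the one-minute-window argument in the post above (example code written for this page, not from the thread or from Blizzard): a toy server that verifies RFC 6238 codes with replay protection and also issues a week-long "remembered device" token bound to the client IP, so the exposure window of a stolen code and of a stolen token can be compared side by side. The seed, IP addresses, token format and IP binding are constructed assumptions, not the real Battle.net scheme.

```python
"""Toy model of the per-login code vs. 'remembered device' trade-off.
Constructed example: the seed, IPs, token format and IP binding are
assumptions for illustration, not the real Battle.net scheme."""
import hashlib
import hmac
import secrets
import struct

SECRET = b"constructed-demo-seed"  # constructed; a real seed never leaves the token
STEP = 30                          # TOTP time step in seconds (RFC 6238 default)
TRUST_TTL = 7 * 24 * 3600          # assumed one-week lifetime of a remembered device


def totp(secret: bytes, t: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", t // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


class Verifier:
    """Server side: checks codes, refuses replays, hands out cached trust tokens."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_counter = -1  # highest time step already accepted; blocks replay
        self.trusted = {}       # token -> (client_ip, expiry) for remembered devices

    def login_with_code(self, code: str, t: int, client_ip: str):
        """Full prompt. A keylogged code is useless once its 30 s step is spent."""
        counter = t // STEP
        if counter <= self.last_counter or code != totp(self.secret, t):
            return False, None
        self.last_counter = counter
        token = secrets.token_hex(16)             # assumed random trust token
        self.trusted[token] = (client_ip, t + TRUST_TTL)
        return True, token

    def login_with_token(self, token: str, t: int, client_ip: str) -> bool:
        """Cached login. A stolen token keeps working from that IP until expiry:
        the window grows from one 30 s step to the whole trust lifetime."""
        entry = self.trusted.get(token)
        if entry is None:
            return False
        ip, expiry = entry
        return ip == client_ip and t < expiry
```

The replay check also rejects a second legitimate login inside the same 30-second step, which is the standard RFC 6238 recommendation and is what makes a captured code worthless after that step.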
I too would like to see an opt-out option. I live in a house share, and any one of my housemates could see me typing my password.
I got a mobile authenticator so that I didn't have to worry about "practical jokes" and the deletion of characters I have spent a lot of time and money on. Please Blizzard... think this through and realize this is a bad move for a lot of your paying customers!
