Hacks Decimate Diablo III Debut

Diablo 3 players don't need any more bad news. The game is already staggering from a debut marred by enormous lag spikes, dropped games, and auction house errors. Now, widespread allegations of hacking are taking further chunks out of Blizzard's hide. This time though, there's an added twist: A significant number of those hacked claimed to be using Blizzard Authenticators. This has led to counterclaims that the victims must be lying, as well as a great deal of confused discussion over whether or not such a thing is even possible.

To that end, there's something all of you need to understand up front. The Authenticator that Blizzard sells is not guaranteed proof against having your account hacked. Blizzard, to be fair, never says it is. The company could be doing more to teach users how to protect themselves (more on that in a bit), but it doesn't claim the Authenticator is a bulletproof vest.

The Battle.net Authenticator adds a second "factor" to an existing account in order to create a two-factor authentication system. In addition to a normal password, users must enter an eight-digit number. The original (and still available) Battle.net Authenticators were physical keyfobs that displayed a new code every thirty seconds; Blizzard has augmented these physical devices with mobile applications. Codes are single-use: once a code has been accepted, submitting it again is rejected.

The Authenticator offers an additional layer of protection if your password is guessed via brute force techniques or accidentally shared with the wrong people.

What the Battle.Net Authenticator Does NOT Do:
If your system has been fundamentally compromised by a keylogger or other trojan, the Authenticator isn't going to save your butt.

The Blizzard Authenticator uses a SecurID-style mechanism; the keys themselves are supplied by Vasco, not RSA. While the exact implementation details are unknown, SecurID-type protection systems are vulnerable to man-in-the-middle attacks. Such attacks occur when a malevolent party inserts itself into a transaction between client and host and is able to essentially eavesdrop on the conversation.

In simplest terms, a program that can insert itself between your system and Blizzard's servers and intercept your authentication code before it's transmitted to Blizzard can immediately turn around and use that code to access your account without your knowledge.
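The following is an added illustration, not Blizzard's or Vasco's code (their algorithm is not public, so this uses a standard HMAC-based time-step scheme as a stand-in). It shows the server-side rules the article describes: a code is only valid for its thirty-second window, it can be redeemed once, and the server cannot tell whether the first submission came from you or from something that captured the code as you typed it. The secret and timestamps are constructed sample values.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # a new code every thirty seconds, as the article describes
DIGITS = 8          # Battle.net codes are eight digits


def generate_code(secret: bytes, timestamp: float) -> str:
    """Code for the 30-second step containing `timestamp`.
    HMAC-SHA1 truncation (assumption: TOTP-style, not the Vasco scheme)."""
    counter = int(timestamp) // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % (10 ** DIGITS):0{DIGITS}d}"


class AuthenticatorVerifier:
    """Server side: accept the current step (plus one step of clock drift
    either way) and remember the highest step already redeemed, so that
    no code is ever accepted twice."""

    def __init__(self, secret: bytes, drift_steps: int = 1):
        self.secret = secret
        self.drift_steps = drift_steps
        self.last_used_step = -1

    def verify(self, code: str, now: float) -> bool:
        current = int(now) // STEP_SECONDS
        for step in range(current - self.drift_steps, current + self.drift_steps + 1):
            if step <= self.last_used_step:
                continue  # already redeemed: a replay, or someone submitted it first
            expected = generate_code(self.secret, step * STEP_SECONDS)
            if hmac.compare_digest(expected, code):
                self.last_used_step = step
                return True
        return False


def relay_scenario(secret: bytes, now: float) -> tuple:
    """Constructed scenario from the article: the code is captured as the
    user types it and submitted first by the eavesdropper. The user's own
    login then fails on a correct code, which is the warning sign to look for."""
    verifier = AuthenticatorVerifier(secret)
    code = generate_code(secret, now)
    first_submission_ok = verifier.verify(code, now + 1)   # within the window
    users_own_login_ok = verifier.verify(code, now + 2)    # same code, now spent
    return first_submission_ok, users_own_login_ok
```

A correct code that the server reports as already used is worth treating as an indicator that the code was intercepted, not as a glitch.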


sackyhack 2 years ago

From what I've been able to pick up, level 50+ players that play public games have their names pop up on some kind of Recent Players list (I'm level 10, so I have no idea). This list has all the information hackers need to log into their account and steal their gold and stash. So they're not "hacking" their account battle.net per se, just that hero's items and gold. Still a very terrible thing, and that's why the authenticators aren't working since they're able to circumvent that security system completely. It's doubly bad since they tried to cram this always-online DRM down our throats by saying it's there to prevent just this sort of thing. Sad thing is, it's still going to sell like hotcakes and other publishers aren't going to look at the fan outcry, just the sales numbers and think it's a great idea.

Joel H 2 years ago


It's far too simplistic an approach and far too obvious. Your D3 account is tied to Battle.net, you don't use a separate login/PW.

There's some speculation that playing public games might expose user information. I can't say for certain that there isn't an underlying flaw somewhere in the security stack. There *are* potential weak points in the Authenticator, and there are some attack vectors it doesn't guard against.

Therefore, yes, it's possible to hack someone who still has one, but an attack vector as obvious as the one you're citing would have been picked up immediately. The forums would be flooded with tens of thousands of hacked players, Blizzard's entire network security board would light up in red. There may be an undisclosed exploit in play, but it's not that simple.

sackyhack 2 years ago

I think you're right. I'm still bumbling my way through figuring out how to assign hotkeys, no way I understand how all the account stuff works. I was just going by what people are saying in this one topic:


fat78 2 years ago

How wide spread is this problem?

So far I haven't had many problems with this game. The only problems were a couple of disconnects the first day, and playing in window mode gave me some problems. Before I played the beta I expected this game to feel out of date and might turn out like another Duke Nukem; however, now I need to force myself to stop playing it. With unused snow days I have had a lot of time to play and might even beat nightmare mode tonight.

Trying to get a few buddies to pick up the game, but I am the only one that likes PC gaming over console.

lipe123 2 years ago

Is it just me, or does the article topic imply that there is widespread hacking going on, and yet in the article the reverse is written?

Totally made me panic there for a bit.

Joel H 2 years ago

fat78, lipe123,

Unknown. There's definitely hacking going on. It's fair to say that the surge of people buying Diablo III has led to a surge in hacking and hacking attempts.

How much of it? No one knows. Word of mouth is unreliable; some people claim to know multiple individuals who've been hacked; I don't know anyone who's been hacked personally.

omegadraco 2 years ago

The first thing that was a bit stupid is that by default they made it so that you are not asked for an authenticator code at each login. With WoW I always had to enter my authenticator code and will be changing that setting as soon as I get home for DIII.

ESilow 2 years ago


Blizzard made changes to the ways authenticators worked just about a year ago. At that time, you wouldn't necessarily get a prompt every time you logged in as long as you were logging in from the same location consistently. As soon as you'd try to log in elsewhere (or if someone else tried to log into your account), a prompt would appear. It's at least based on your ip, but could include other system identifiers.

Source: http://us.battle.net/wow/en/forum/topic/2674529777

DHampton 2 years ago

Couple of things: no system is ever impenetrable. Also, with enough trial and error someone could figure out the authenticator randomizer algorithm, and then it is no longer safe. Anything is possible; all it takes is time.

UntrainedBrain1 2 years ago

No mention of the problem of Friends and Family using your account to play your game account and just spend the cash.

Same normal griping from whiners who do not understand how a database works, so they claim someone stole their gold from their account.

And if you bought gold from the Web your computer is probably compromised the minute you clicked on the gold buying site or gave them your card number (even the temp cards).

Same scam as the "there is a bug in my salad! I refuse to pay for the glass of wine" that restaurants have to put up with.

JGhioca 2 years ago

Amazing graphics. Fun story, but pointless after first play through. IF you enjoy the grind then the game is fine...otherwise it gets old.

