Hacks Decimate Diablo III Debut - HotHardware

New Software Authenticators Not Identical To Original Design:
There are several fundamental differences between the physical keyfobs Blizzard initially provided and the later software versions.

First, the physical devices (hard tokens) are designed to be tamper resistant, whereas the software tokens are theoretically vulnerable to attack vectors that could extract what's known as the seed record. That's the secret value from which the code sequence is generated. With it, an attacker could generate codes that fit a particular account.

Second, our investigation indicates that the 30s validation window has been substantially lengthened, at least for mobile devices. We were consistently able to log into our Diablo 3 account 120 seconds after a code was displayed on screen (150 seconds after it was generated). Codes now appear to expire roughly every 160-170 seconds. We asked several friends to verify that this was the case for their devices as well; the behavior held true across multiple users in different locations.
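As an added illustration (not Blizzard's code or algorithm), here is a generic RFC 6238 TOTP check with a configurable acceptance window, showing how widening the server-side validation window lengthens the time a displayed code stays valid and multiplies the number of codes accepted at any instant. The 30 s step, the window sizes and the seed are assumptions constructed for the example.

```python
# Added example: RFC 6238 TOTP with a configurable acceptance window, to show
# how widening the server-side validation window changes how long a displayed
# code stays valid. Generic TOTP, not Blizzard's algorithm; the 30 s step and
# the window sizes are assumptions, and the seed below is a constructed test key.
import hmac
import hashlib
import struct

SEED = bytes.fromhex("3132333435363738393031323334353637383930")  # constructed key
STEP = 30          # seconds per time step (assumed)
DIGITS = 6


def totp(seed: bytes, t: int, step: int = STEP, digits: int = DIGITS) -> str:
    """Compute the TOTP code for Unix time t (RFC 6238, HMAC-SHA1)."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(seed: bytes, code: str, now: int, back_steps: int, step: int = STEP) -> bool:
    """Server-side check: accept the current step or any of back_steps earlier steps.
    back_steps=0 is a strict one-step window; larger values lengthen the window."""
    return any(hmac.compare_digest(code, totp(seed, now - k * step, step))
               for k in range(back_steps + 1))


def seconds_still_valid(back_steps: int, step: int = STEP) -> int:
    """Longest time (seconds) a code generated at the start of its step can remain
    accepted: the rest of its own step plus back_steps full steps."""
    return (back_steps + 1) * step


def codes_accepted_at_once(back_steps: int) -> int:
    """Distinct codes the server accepts at any instant; the per-guess success
    probability against a 6-digit code is this value divided by 10**6."""
    return back_steps + 1


if __name__ == "__main__":
    t0 = 1_337_000_010  # constructed timestamp, on a step boundary
    code = totp(SEED, t0)
    for w in (0, 4):
        print(f"window={w} steps: valid up to {seconds_still_valid(w)} s, "
              f"{codes_accepted_at_once(w)} codes accepted per check, "
              f"accepted 120 s later: {verify(SEED, code, t0 + 120, w)}")
```

With a strict one-step window the code shown at t0 is rejected 120 s later; with four steps of tolerance it is still accepted, and every login check now has five valid codes instead of one.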

Third, Blizzard has chosen to disable, by default, the option that requires an Authenticator key each and every login. The FAQ states that "The authenticator system will now intelligently track your login locations. If you are logging in consistently from the same location, you may not be asked for an authenticator code. This process is designed to make logging in faster when you're at a secure location."

We manually opted for an Authenticator validation every single time. IP addresses can be spoofed.

Uncertain Impact:
It's important to understand that neither longer access windows nor IP tracking are ipso facto evidence of a security problem. Blizzard has far more information regarding the nature of hacking attempts than is externally available. There's plenty of evidence of a problem, but no proof as to what the attack vector or cause might be.

The greatest problem with the Authenticator is that Blizzard has positioned it as the solution to the problem of being hacked. The company's "Account Compromise" page gives some basic information on how to install Windows updates or an antivirus program, but gives very little information on the sorts of dangerous practices that can lead to account theft. Given that social engineering attacks are responsible for far more data theft than any sophisticated key logger, the company's policies in this area are misdirected at best.

Blizzard's Response:
Blizzard has issued an official response to the concerns, which includes the following: "Historically, the release of a new game... will result in an increase in reports of individual account compromises, and that's exactly what we're seeing now with Diablo III... We also wanted to reassure you that the Battle.net Authenticator and Battle.net Mobile Authenticator (a free app for iPhone and Android devices) continue to be some of the most effective measures we offer to help players protect themselves against account compromises, and we encourage everyone to take advantage of them."

We've reached out to the company for more information on this topic and will post any updates or additional details we receive. What's important to understand in all this is that the Authenticator is a tool. You can still have your data stolen if you use one; it makes the task much harder but not impossible.

The account compromises are hitting Blizzard hard, coming as they do on the heels of a tumultuous launch week, but there's no evidence that the game's security model is fundamentally compromised. Even the Authenticator attack vectors we've discussed are breaches that would only affect the individual user. Players should be doubly wary of potential scammers right now, but there's no reason to panic.

We'd like to thank Mark Sinclair, of the blog SecuringWoW, who helped out with testing Blizzard's authenticator and contributed valuable information on the topic. His blog has a number of useful security tips for ensuring your account stays protected.

From what I've been able to pick up, level 50+ players that play public games have their names pop up on some kind of Recent Players list (I'm level 10, so I have no idea). This list has all the information hackers need to log into their account and steal their gold and stash. So they're not "hacking" their account battle.net per se, just that hero's items and gold. Still a very terrible thing, and that's why the authenticators aren't working since they're able to circumvent that security system completely. It's doubly bad since they tried to cram this always-online DRM down our throats by saying it's there to prevent just this sort of thing. Sad thing is, it's still going to sell like hotcakes and other publishers aren't going to look at the fan outcry, just the sales numbers and think it's a great idea.


Sacky,

It's far too simplistic an approach and far too obvious. Your D3 account is tied to Battle.net, you don't use a separate login/PW.

There's some speculation that playing public games might expose user information. I can't say for certain that there isn't an underlying flaw somewhere in the security stack. There *are* potential weak points in the Authenticator, and there are some attack vectors it doesn't guard against.

Therefore, yes, it's possible to hack someone who still has one--but an attack vector as obvious as the one you're citing would have been picked up immediately. The forums would be flooded with tens of thousands of hacked players, Blizzard's entire network security board would light up in red. There may be an undisclosed exploit in play, but it's not that simple.


I think you're right. I'm still bumbling my way through figuring out how to assign hotkeys, no way I understand how all the account stuff works. I was just going by what people are saying in this one topic:

http://www.gamefaqs.com/boards/930659-diablo-iii/62865117


How wide spread is this problem?

So far I haven't had many problems with this game. The only problems were a couple disconnects the first day, and playing in window mode gave me some problems. Before I played the beta I expected this game to feel out of date and might turn out like another Duke Nukem; however, now I need to force myself to stop playing it. With unused snow days I have had a lot of time to play and might even beat nightmare mode tonight.

Trying to get a few buddies to pick up the game, but I am the only one that likes PC gaming over console.


Is it just me, or does the article topic imply that there is widespread hacking going on, and yet in the article the reverse is written?

Totally made me panic there for a bit.


Fat78, Lipe23,

Unknown. There's definitely hacking going on. It's fair to say that the surge of people buying Diablo III has led to a surge in hacking and hacking attempts.

How much of it? No one knows. Word of mouth is unreliable; some people claim to know multiple individuals who've been hacked; I don't know anyone who's been hacked personally.


The first thing that was a bit stupid is that by default they made it so that you are not asked for an authenticator code at each login. With WoW I always had to enter my authenticator code and will be changing that setting as soon as I get home for DIII.


omega,

Blizzard made changes to the way authenticators worked just about a year ago. At that time, you wouldn't necessarily get a prompt every time you logged in as long as you were logging in from the same location consistently. As soon as you'd try to log in elsewhere (or if someone else tried to log into your account), a prompt would appear. It's at least based on your IP, but could include other system identifiers.

Source: http://us.battle.net/wow/en/forum/topic/2674529777


Couple things: no system ever is impenetrable. Also, with enough trial and error someone could figure out the authenticator randomizer algorithm, and it is no longer safe. Anything is possible; all it takes is time.


No mention of the problem of Friends and Family using your account to play your game account and just spend the cash.

Same normal griping from whiners who do not understand how a database works, so they claim someone stole their gold from their account.

And if you bought gold from the Web your computer is probably compromised the minute you clicked on the gold buying site or gave them your card number (even the temp cards).

Same scam as the "there is a bug in my salad! I refuse to pay for the glass of wine" that restaurants have to put up with.
