Explaining the Authenticator
Diablo 3 players don't need any more bad news. The game is already staggering from a debut marred by enormous lag spikes, dropped games, and auction house errors. Now, widespread allegations of hacking are taking further chunks out of Blizzard's hide. This time though, there's an added twist: a significant number of those hacked claimed to be using Blizzard Authenticators. This has led to counterclaims that the victims must be lying, as well as a great deal of confused discussion over whether or not such a thing is even possible.
To that end, there's something all of you need to understand up front. The Authenticator that Blizzard sells is not guaranteed proof against having your account hacked. Blizzard, to be fair, never says it is. The company could be doing more to teach users how to protect themselves (more on that in a bit), but it doesn't claim the Authenticator is a bulletproof vest.
The Battle.net Authenticator adds a second "factor" to an existing account in order to create a two-factor authentication system. In addition to a normal password, users must enter an eight-digit number. The original (and still available) Battle.net Authenticators were physical keyfobs that displayed a sequence every thirty seconds; Blizzard has augmented these physical devices with mobile applications. Codes cannot be used twice; a successful code will be invalid if used again.
The Authenticator offers an additional layer of protection if your password is guessed via brute force techniques or accidentally shared with the wrong people.
What the Battle.Net Authenticator Does NOT Do:
If your system has been fundamentally compromised by a keylogger or other trojan, the Authenticator isn't going to save your butt.
The Blizzard Authenticator uses a SecurID-style mechanism; the keys themselves are supplied by Vasco, not RSA. While the exact implementation details are unknown, SecurID-type protection systems are vulnerable to man-in-the-middle attacks. Such attacks occur when a malevolent party inserts itself into a transaction between client and host and is able to essentially eavesdrop on the conversation.
In simplest terms, a program that can insert itself between your system and Blizzard's servers and intercept your authentication code before it's transmitted to Blizzard can immediately turn around and use that code to access your account without your knowledge.
Changes to Authenticator Security
New Software Authenticators Not Identical to Original Design:
There are several fundamental differences between the physical keyfobs Blizzard initially provided and the later software versions.
First, the physical devices (hard tokens) are designed to be tamper resistant whereas the software tokens are theoretically vulnerable to attack vectors that could extract what's known as the seed record. That's the code used to generate the sequences themselves. With it, an attacker could generate codes that fit a particular account.
Second, our investigation indicates that the 30s validation window has been substantially lengthened, at least for mobile devices. We were consistently able to log into our Diablo 3 account 120 seconds after a code was displayed on screen (150 seconds after it was generated). Codes now appear to expire roughly every 160-170 seconds. We asked several friends to verify that this was the case for their devices as well; the behavior held true across multiple users in different locations.
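The following Python example is added here to make the mechanics above concrete; it is not Blizzard's or Vasco's code, and since the exact Battle.net algorithm is not public it assumes the standard RFC 4226/6238 HMAC-SHA1 one-time-code scheme as a stand-in. The secret, timestamps and window sizes are constructed for illustration. It shows the single-use rule ("codes cannot be used twice"), how a server-side acceptance window of one 30-second interval versus roughly 150-180 seconds changes how long a code remains usable after it is displayed, and why neither window helps once a code is captured and submitted before the legitimate login, which is the interception scenario described earlier:

```python
import hmac
import hashlib
import struct

# Assumption: standard HOTP/TOTP (RFC 4226 / RFC 6238). The real Battle.net
# token algorithm is not public, so this is a stand-in, not Blizzard's code.


def hotp(secret: bytes, counter: int, digits: int = 8) -> str:
    """HMAC-SHA1 one-time code for a 64-bit counter, truncated per RFC 4226."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: float, step: int = 30, digits: int = 8) -> str:
    """Time-based code: the counter is the number of `step`-second intervals since epoch."""
    return hotp(secret, int(now // step), digits)


class OtpVerifier:
    """Server-side check with a configurable acceptance window and single-use enforcement.

    window_steps=0 accepts only the current 30 s interval (the original keyfob behaviour
    described in the article). window_steps=5 also accepts the five previous intervals,
    so a code stays usable for roughly 150-180 s, like the lengthened mobile window
    measured above.
    """

    def __init__(self, secret: bytes, step: int = 30, window_steps: int = 0, digits: int = 8):
        self.secret = secret
        self.step = step
        self.window_steps = window_steps
        self.digits = digits
        self.used_counters = set()  # every accepted interval is burned, so no code works twice

    def verify(self, code: str, now: float) -> bool:
        current = int(now // self.step)
        for counter in range(current - self.window_steps, current + 1):
            if counter in self.used_counters:
                continue  # "Codes cannot be used twice"
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), code):
                self.used_counters.add(counter)
                return True
        return False


SECRET = b"12345678901234567890"  # constructed seed (the RFC 6238 sample key)


def demo_window() -> dict:
    """How long a displayed code stays usable under each acceptance window."""
    t0 = 1_000_000.0                      # constructed "code displayed" time
    code = totp(SECRET, t0)
    strict = OtpVerifier(SECRET, window_steps=0)
    lenient = OtpVerifier(SECRET, window_steps=5)
    return {
        "strict_after_120s": strict.verify(code, t0 + 120),    # 4 intervals old: rejected
        "lenient_after_120s": lenient.verify(code, t0 + 120),  # inside the 5-step window
        "lenient_after_200s": OtpVerifier(SECRET, window_steps=5).verify(code, t0 + 200),
    }


def demo_intercept() -> dict:
    """A code captured before transmission and submitted first is accepted; the user's
    own later submission of the same code is then refused as a reuse. Single-use and a
    short window do not help here, which is the point made about keyloggers and MITM."""
    t0 = 1_000_000.0
    code = totp(SECRET, t0)
    server = OtpVerifier(SECRET, window_steps=0)
    relayed = server.verify(code, t0 + 2)      # submitted within the same interval
    legitimate = server.verify(code, t0 + 5)   # same code, same interval: now burned
    return {"relayed_accepted": relayed, "legitimate_accepted": legitimate}


if __name__ == "__main__":
    print("RFC 6238 sample, T=59:", totp(SECRET, 59))
    print(demo_window())
    print(demo_intercept())
```

From a defender's side, the second demo also shows the one signal the scheme does leave behind: when a captured code is used first, the legitimate login that follows is rejected for a code that the user knows was fresh, so a login failure on a just-displayed code is worth treating as a possible compromise rather than a typo.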
Third, Blizzard has chosen to disable, by default, the option that requires an Authenticator key each and every login. The FAQ states that "The authenticator system will now intelligently track your login locations. If you are logging in consistently from the same location, you may not be asked for an authenticator code. This process is designed to make logging in faster when you're at a secure location."
We manually opted for an Authenticator validation every single time. IP addresses can be spoofed.
It's important to understand that neither longer access windows nor IP tracking are ipso facto evidence of a security problem. Blizzard has far more information regarding the nature of hacking attempts than is externally available. There's plenty of evidence of a problem, but no proof as to what the attack vector or cause might be.
The greatest problem with the Authenticator is that Blizzard has positioned it as the solution to the problem of being hacked. The company's "Account Compromise" page gives some basic information on how to install Windows updates or an antivirus program, but gives very little information on the sorts of dangerous practices that can lead to account theft. Given that social engineering attacks are responsible for far more data theft than any sophisticated key logger, the company's policies in this area are misdirected at best.
Blizzard has issued an official response to the concerns, which includes the following: "Historically, the release of a new game... will result in an increase in reports of individual account compromises, and that's exactly what we're seeing now with Diablo III... We also wanted to reassure you that the Battle.net Authenticator and Battle.net Mobile Authenticator (a free app for iPhone and Android devices) continue to be some of the most effective measures we offer to help players protect themselves against account compromises, and we encourage everyone to take advantage of them."
We've reached out to the company for more information on this topic and will post any updates or additional details we receive. What's important to understand in all this is that the Authenticator is a tool. You can still have your data stolen if you use one; it makes the task much harder but not impossible.
The account compromises are hitting Blizzard hard, coming as they do on the heels of a tumultuous launch week, but there's no evidence that the game's security model is fundamentally compromised. Even the Authenticator attack vectors we've discussed are breaches that would only affect the individual user. Players should be doubly wary of potential scammers right now, but there's no reason to panic.
We'd like to thank Mark Sinclair, of the blog SecuringWoW, who helped out with testing Blizzard's authenticator and contributed valuable information on the topic. His blog has a number of useful security tips for ensuring your account stays protected.