Changes to Authenticator Security
There are several fundamental differences between the physical keyfobs Blizzard initially provided and the later software versions.
First, the physical devices (hard tokens) are designed to be tamper-resistant, whereas the software tokens are theoretically vulnerable to attack vectors that could extract what's known as the seed record: the secret from which the one-time codes themselves are derived. With it, an attacker can generate exactly the codes the legitimate token would show for that account.
Second, our investigation indicates that the 30-second validation window has been substantially lengthened, at least for mobile devices. We were consistently able to log into our Diablo 3 account 120 seconds after a code was displayed on screen (150 seconds after it was generated). Codes now appear to expire roughly every 160-170 seconds. We asked several friends to verify this on their own devices; the behavior held true across multiple users in different locations.
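To make the first two points concrete, here is an added example, not Blizzard's code and not the Authenticator's actual algorithm, of a standard RFC 6238 time-based one-time password in Python. The seed, the 8-digit code length and the skew values are assumptions chosen for illustration. It shows two things: whoever holds the seed record can compute the same codes as the token, and how long a displayed code keeps working is set by the server's tolerance for clock skew rather than by the 30-second display period.

```python
"""Added example: RFC 6238 TOTP with an adjustable server-side validation window.

Not Blizzard's code. Seed, period and digit count are constructed illustrations;
the real Authenticator's parameters are not given on the page.
"""
import hashlib
import hmac
import struct

PERIOD = 30   # seconds per code step (the article's "30s validation window")
DIGITS = 8    # assumption for the example; the page does not state the real length
# Constructed demo seed standing in for the "seed record". Never a real token's seed.
DEMO_SEED = bytes.fromhex("3132333435363738393031323334353637383930")


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation offset
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(seed: bytes, at: int, period: int = PERIOD, digits: int = DIGITS) -> str:
    """Code a token displays at Unix time `at`: HOTP over the current time step."""
    return hotp(seed, at // period, digits)


def verify(seed: bytes, code: str, at: int, skew_steps: int = 1,
           period: int = PERIOD, digits: int = DIGITS) -> bool:
    """Server-side check. Accepts the code for the current step and for
    `skew_steps` steps on either side, i.e. a (2*skew_steps+1)*period second window."""
    current = at // period
    ok = False
    for step in range(current - skew_steps, current + skew_steps + 1):
        # Constant-time compare, and no early return, so response timing does
        # not reveal which step (if any) matched.
        if hmac.compare_digest(hotp(seed, step, digits), code):
            ok = True
    return ok


def seconds_code_stays_valid(seed: bytes, generated_at: int, skew_steps: int,
                             period: int = PERIOD) -> int:
    """Seconds after `generated_at` during which that code is still accepted.
    Walks forward one second at a time until verify() first rejects the code."""
    code = totp(seed, generated_at, period)
    t = generated_at
    while verify(seed, code, t, skew_steps, period):
        t += 1
    return t - generated_at


def codes_from_stolen_seed(seed: bytes, start: int, count: int,
                           period: int = PERIOD) -> list:
    """What an attacker holding the seed record can precompute: the next
    `count` codes the victim's token will display, starting at `start`."""
    return [totp(seed, start + i * period, period) for i in range(count)]


if __name__ == "__main__":
    t0 = 1_000_000_007                     # constructed timestamp, 17s into its step
    shown = totp(DEMO_SEED, t0)
    print("token shows", shown)
    print("accepted 120s later, skew 1:", verify(DEMO_SEED, shown, t0 + 120, skew_steps=1))
    print("accepted 120s later, skew 5:", verify(DEMO_SEED, shown, t0 + 120, skew_steps=5))
    print("lifetime with skew 1:", seconds_code_stays_valid(DEMO_SEED, t0, 1), "s")
    print("lifetime with skew 5:", seconds_code_stays_valid(DEMO_SEED, t0, 5), "s")
    print("attacker precomputes:", codes_from_stolen_seed(DEMO_SEED, t0, 3))
```

With one step of skew on either side, a code generated 17 seconds into its 30-second step is accepted for 43 more seconds; with five steps of skew the very same code is accepted for 163 seconds. A server that widens its skew tolerance changes nothing on the token, so the behaviour described above can be produced entirely on Blizzard's side. Nothing on the page establishes which parameters Blizzard actually uses.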
Third, Blizzard has chosen to disable, by default, the option that requires an Authenticator key each and every login. The FAQ states that "The authenticator system will now intelligently track your login locations. If you are logging in consistently from the same location, you may not be asked for an authenticator code. This process is designed to make logging in faster when you're at a secure location."
We manually opted for Authenticator validation on every single login. Location tracking is a weak signal: an attacker who already controls the victim's machine, or who routes the login through a proxy near it, can make the attempt appear to come from a familiar address.
It's important to understand that neither longer access windows nor IP tracking are ipso facto evidence of a security problem. Blizzard has far more information regarding the nature of hacking attempts than is externally available. There's plenty of evidence of a problem, but no proof as to what the attack vector or cause might be.
The greatest problem with the Authenticator is that Blizzard has positioned it as the solution to the problem of being hacked. The company's "Account Compromise" page gives some basic information on how to install Windows updates or an antivirus program, but gives very little information on the sorts of dangerous practices that can lead to account theft. Given that social engineering attacks are responsible for far more data theft than any sophisticated key logger, the company's policies in this area are misdirected at best.
Blizzard has issued an official response to the concerns, which includes the following: "Historically, the release of a new game... will result in an increase in reports of individual account compromises, and that's exactly what we're seeing now with Diablo III... We also wanted to reassure you that the Battle.net Authenticator and Battle.net Mobile Authenticator (a free app for iPhone and Android devices) continue to be some of the most effective measures we offer to help players protect themselves against account compromises, and we encourage everyone to take advantage of them."
We've reached out to the company for more information on this topic and will post any updates or additional details we receive. What's important to understand in all this is that the Authenticator is a tool. You can still have your data stolen if you use one; it makes the task much harder but not impossible.
The account compromises are hitting Blizzard hard, coming as they do on the heels of a tumultuous launch week, but there's no evidence that the game's security model is fundamentally compromised. Even the Authenticator attack vectors we've discussed are breaches that would only affect the individual user. Players should be doubly wary of potential scammers right now, but there's no reason to panic.
We'd like to thank Mark Sinclair, of the blog SecuringWoW, who helped out with testing Blizzard's authenticator and contributed valuable information on the topic. His blog has a number of useful security tips for ensuring your account stays protected.