Diablo 3 accounts hacked, gold and items stolen

Comments

  • sunshadow21 | Omaha, NE | Posts: 354 | Member
    Originally posted by dubyahite

    There is a setting in battle.net you can turn on to force it to ask for the authenticator every time you log in. I can only imagine that they did this because of customer complaints or something, which is pretty freaking stupid. 

     

    Anyways, the option is there to make the authenticator work as intended in a secure fashion. 

    It shouldn't even be an option. Too many people will never see that optional checkmark, assume that Blizzard knows what they are doing, and complain when it fails. I understand that Blizzard wants to retain customers, but part of implementing security measures and penalties is having the balls to enforce them despite the inevitable losses you will take elsewhere.

  • dubyahite | Lincoln, NE | Posts: 2,483 | Member
    Originally posted by sunshadow21
    Originally posted by dubyahite

    There is a setting in battle.net you can turn on to force it to ask for the authenticator every time you log in. I can only imagine that they did this because of customer complaints or something, which is pretty freaking stupid. 

     

    Anyways, the option is there to make the authenticator work as intended in a secure fashion. 

    It shouldn't even be an option. Too many people will never see that optional checkmark, assume that Blizzard knows what they are doing, and complain when it fails. I understand that Blizzard wants to retain customers, but part of implementing security measures and penalties is having the balls to enforce them despite the inevitable losses you will take elsewhere.

    I would agree with you except I just found the reason this happens. I kind of suspected this was the case but I didn't say anything because I didn't know for sure. 

    This actually makes sense. From the Blizzard authenticator FAQ

    http://us.battle.net/support/en/article/battle-net-authenticator-faq#q6

     

    "Why don't I get an authenticator prompt every time I login to the game?


    The authenticator system will now intelligently track your login locations. If you are logging in consistently from the same location, you may not be asked for an authenticator code. This process is designed to make logging in faster when you're at a secure location."

     

    Now, I'm not sure how it verifies your location, but I imagine it is IP. A cookie or something would be incredibly insecure so I can only hope it's by some other means. 

     

    Hopefully this restores a little bit of faith in the Authenticator for you. 

     

    Shadow's Hand Guild
    Open recruitment for

    The Secret World - Dragons

    Planetside 2 - Terran Republic

    Tera - Dragonfall Server

    http://www.shadowshand.com

  • sunshadow21 | Omaha, NE | Posts: 354 | Member
    Originally posted by dubyahite
    Originally posted by sunshadow21
    Originally posted by dubyahite

    There is a setting in battle.net you can turn on to force it to ask for the authenticator every time you log in. I can only imagine that they did this because of customer complaints or something, which is pretty freaking stupid. 

     

    Anyways, the option is there to make the authenticator work as intended in a secure fashion. 

    It shouldn't even be an option. Too many people will never see that optional checkmark, assume that Blizzard knows what they are doing, and complain when it fails. I understand that Blizzard wants to retain customers, but part of implementing security measures and penalties is having the balls to enforce them despite the inevitable losses you will take elsewhere.

    I would agree with you except I just found the reason this happens. I kind of suspected this was the case but I didn't say anything because I didn't know for sure. 

    This actually makes sense. From the Blizzard authenticator FAQ

    http://us.battle.net/support/en/article/battle-net-authenticator-faq#q6

     

    "Why don't I get an authenticator prompt every time I login to the game?


    The authenticator system will now intelligently track your login locations. If you are logging in consistently from the same location, you may not be asked for an authenticator code. This process is designed to make logging in faster when you're at a secure location."

     

    Now, I'm not sure how it verifies your location, but I imagine it is IP. A cookie or something would be incredibly insecure so I can only hope it's by some other means. 

     

    Hopefully this restores a little bit of faith in the Authenticator for you. 

     

    It's a step in the right direction.

  • Creslin321 | Baltimore, MD | Posts: 5,359 | Member
    Originally posted by MikkelB
    Originally posted by wormywyrm

    It is so much more difficult to get hacked these days with Windows 7 and people are much more tech savvy now... At this point it really is the user's fault.

    Still, a lot of people don't use two accounts for Windows 7 (admin and a normal user) and/or they disable the UAC. Windows 7 is more secure than its predecessors, but if people don't use the options given to them, all hope is lost.

     I'm going to say something that will upset some people on this thread but...

    I knowingly and willingly don't adhere to best security practices.  I only use an admin account, and the first thing I do is disable UAC.

    And why?  Because that crap is annoying.  I realize that I may leave myself more exposed to hackers by doing this, but honestly, that's a better alternative than having to deal with that annoying popup every time I do something.

    I also don't run anti-virus because it is also annoying, and likes to gobble up my processor ticks with its constant scans.

    Despite all this though, I miraculously never really get viruses or get hacked.  Maybe I'm lucky, maybe it's because I'm pretty good at recognizing phishing attempts...but whatever the reason, I have been safe thus far.

    Sooo I dunno, I almost feel like having to constantly deal with self-imposed draconian security can be worse than getting hacked once or twice.  As such, my approach is "mid-range" security.  I have authenticator because I think Battle.NET is high risk, but I'm not going to set it so I have to authenticate every single time...because that's...well, annoying.

    Are you team Azeroth, team Tyria, or team Jacob?

  • dubyahite | Lincoln, NE | Posts: 2,483 | Member
    Originally posted by Creslin321
    Originally posted by MikkelB
    Originally posted by wormywyrm

    It is so much more difficult to get hacked these days with Windows 7 and people are much more tech savvy now... At this point it really is the user's fault.

    Still, a lot of people don't use two accounts for Windows 7 (admin and a normal user) and/or they disable the UAC. Windows 7 is more secure than its predecessors, but if people don't use the options given to them, all hope is lost.

     I'm going to say something that will upset some people on this thread but...

    I knowingly and willingly don't adhere to best security practices.  I only use an admin account, and the first thing I do is disable UAC.

    And why?  Because that crap is annoying.  I realize that I may leave myself more exposed to hackers by doing this, but honestly, that's a better alternative than having to deal with that annoying popup every time I do something.

    I also don't run anti-virus because it is also annoying, and likes to gobble up my processor ticks with its constant scans.

    Despite all this though, I miraculously never really get viruses or get hacked.  Maybe I'm lucky, maybe it's because I'm pretty good at recognizing phishing attempts...but whatever the reason, I have been safe thus far.

    Sooo I dunno, I almost feel like having to constantly deal with self-imposed draconian security can be worse than getting hacked once or twice.  As such, my approach is "mid-range" security.  I have authenticator because I think Battle.NET is high risk, but I'm not going to set it so I have to authenticate every single time...because that's...well, annoying.

    To be perfectly honest, UAC is kind of a joke. It doesn't really do much but annoy people like you said. If there's one thing I've learned, anything that annoying ends up becoming the thing that people just click yes on no matter what it says. On top of that, I've never witnessed it actually catch any kind of threat before. I guess it is possible, but I'm not sure what it's supposed to catch.

     

    As far as anti-virus goes, if I might be so bold as to make a suggestion to you, turn on Microsoft Security Essentials. It's the built-in anti-virus that is installed with Windows 7 now. It is both surprisingly effective while also having a very minimal footprint on your system in my experience.

    I know, who would have guessed that Microsoft could actually do that properly. It provides real-time protection as well as standard scanning stuff, includes spyware definitions, and has all the basic stuff like scheduled scans and whatnot. 

    It's not the most advanced AV software out there, but it gets the job done and like I said has a pretty small footprint compared to other software. 

    Give it a shot, you might be surprised. 

    Shadow's Hand Guild
    Open recruitment for

    The Secret World - Dragons

    Planetside 2 - Terran Republic

    Tera - Dragonfall Server

    http://www.shadowshand.com

  • JeroKane | Oslo | Posts: 5,353 | Member Uncommon
    Originally posted by dubyahite
    Originally posted by Creslin321
    Originally posted by MikkelB
    Originally posted by wormywyrm

    It is so much more difficult to get hacked these days with Windows 7 and people are much more tech savvy now... At this point it really is the user's fault.

    Still, a lot of people don't use two accounts for Windows 7 (admin and a normal user) and/or they disable the UAC. Windows 7 is more secure than its predecessors, but if people don't use the options given to them, all hope is lost.

     I'm going to say something that will upset some people on this thread but...

    I knowingly and willingly don't adhere to best security practices.  I only use an admin account, and the first thing I do is disable UAC.

    And why?  Because that crap is annoying.  I realize that I may leave myself more exposed to hackers by doing this, but honestly, that's a better alternative than having to deal with that annoying popup every time I do something.

    I also don't run anti-virus because it is also annoying, and likes to gobble up my processor ticks with its constant scans.

    Despite all this though, I miraculously never really get viruses or get hacked.  Maybe I'm lucky, maybe it's because I'm pretty good at recognizing phishing attempts...but whatever the reason, I have been safe thus far.

    Sooo I dunno, I almost feel like having to constantly deal with self-imposed draconian security can be worse than getting hacked once or twice.  As such, my approach is "mid-range" security.  I have authenticator because I think Battle.NET is high risk, but I'm not going to set it so I have to authenticate every single time...because that's...well, annoying.

    To be perfectly honest, UAC is kind of a joke. It doesn't really do much but annoy people like you said. If there's one thing I've learned, anything that annoying ends up becoming the thing that people just click yes on no matter what it says. On top of that, I've never witnessed it actually catch any kind of threat before. I guess it is possible, but I'm not sure what it's supposed to catch.

     

    As far as anti-virus goes, if I might be so bold as to make a suggestion to you, turn on Microsoft Security Essentials. It's the built-in anti-virus that is installed with Windows 7 now. It is both surprisingly effective while also having a very minimal footprint on your system in my experience.

    I know, who would have guessed that Microsoft could actually do that properly. It provides real-time protection as well as standard scanning stuff, includes spyware definitions, and has all the basic stuff like scheduled scans and whatnot. 

    It's not the most advanced AV software out there, but it gets the job done and like I said has a pretty small footprint compared to other software. 

    Give it a shot, you might be surprised. 

    I used Avast Free Home edition and a separate Anti-malware program before.

    Now I only use Microsoft Security Essentials and it works for me. No viruses nor malware as of yet.

    Mind you! I also clear my browser cache, cookies, history, passwords, etc at least once a week!

    Especially if you surf the internet a lot, it's even recommended to do it more than once a week!

    cheers

  • Tortanic | Goodsprings, NV | Posts: 85 | Member


    Originally posted by JeroKane

    Originally posted by dubyahite

    Originally posted by Creslin321

    Originally posted by MikkelB

    Originally posted by wormywyrm It is so much more difficult to get hacked these days with Windows 7 and people are much more tech savvy now... At this point it really is the user's fault.
    Still, a lot of people don't use two accounts for Windows 7 (admin and a normal user) and/or they disable the UAC. Windows 7 is more secure than its predecessors, but if people don't use the options given to them, all hope is lost
     I'm going to say something that will upset some people on this thread but... I knowingly and willingly don't adhere to best security practices.  I only use an admin account, and the first thing I do is disable UAC. And why?  Because that crap is annoying.  I realize that I may leave myself more exposed to hackers by doing this, but honestly, that's a better alternative than having to deal with that annoying popup everytime I do something. I also don't run anti-virus because it is also annoying, and likes to gobble up my processor ticks with its constant scans. Despite all this though, I miraculously never really get viruses or get hacked.  Maybe I'm lucky, maybe it's because I'm pretty good at recognizing phishing attempts...but whatever the reason, I have been safe thus far. Sooo I dunno, I almost feel like having to constantly deal with self-imposed draconian security can be worse than getting hacked once or twice.  As such, my approach is "mid-range" security.  I have authenticator because I think Battle.NET is high risk, but I'm not going to set it so I have to authenticate every single time...because that's...well, annoying.
    To be perfectly honest, UAC is kind of a joke. It doesn't really do much but annoy people like you said. If there's one thing I've learned, anything that annoying ends up becoming the thing that people just click yes on no matter what it says. On top of that, I've never witnessed it actually catch any kind of threat before. I guess it is possible, but I'm not sure what it's supposed to catch.   As far as anti-virus goes, if I might be so bold as to make a suggestion to you, turn on Microsoft Security Essentials. It's the built in anti-virus that is installed with windows 7 now. It is both suprisingly effective while also having a very minimal footprint on your system in my experience.  I know, who would have guessed that Microsoft could actually do that properly. It provides real-time protection as well as standard scanning stuff, includes spyware definitions, and has all the basic stuff like scheduled scans and whatnot.  It's not the most advanced AV software out there, but it gets the job done and like I said has a pretty small footprint compared to other software.  Give it a shot, you might be surprised. 
    I used Avast Free Home edition and a separate Anti-malware program before.

    Now I only use Microsoft Security Essentials and it works for me. No viruses nor malware as of yet.

    Mind you! I also clear my browser cache, cookies, history, passwords, etc at least once a week!

    Especially if you surf the internet a lot, it's even recommended to do it more than once a week!

    cheers



    MSE misses a lot on detection, it is clean and straightforward though.

    If you've a bit of patience Comodo (https://www.comodo.com/) has a bunch of nice products.
    (I use the free Firewall+AV+Sandbox thing and it's pretty lovely as far as that sort of software goes.)

    Nothing is really secure or foolproof - think "resistant."

  • Creslin321 | Baltimore, MD | Posts: 5,359 | Member
    Originally posted by dubyahite
    Originally posted by Creslin321
    Originally posted by MikkelB
    Originally posted by wormywyrm

    It is so much more difficult to get hacked these days with Windows 7 and people are much more tech savvy now... At this point it really is the user's fault.

    Still, a lot of people don't use two accounts for Windows 7 (admin and a normal user) and/or they disable the UAC. Windows 7 is more secure than its predecessors, but if people don't use the options given to them, all hope is lost.

     I'm going to say something that will upset some people on this thread but...

    I knowingly and willingly don't adhere to best security practices.  I only use an admin account, and the first thing I do is disable UAC.

    And why?  Because that crap is annoying.  I realize that I may leave myself more exposed to hackers by doing this, but honestly, that's a better alternative than having to deal with that annoying popup every time I do something.

    I also don't run anti-virus because it is also annoying, and likes to gobble up my processor ticks with its constant scans.

    Despite all this though, I miraculously never really get viruses or get hacked.  Maybe I'm lucky, maybe it's because I'm pretty good at recognizing phishing attempts...but whatever the reason, I have been safe thus far.

    Sooo I dunno, I almost feel like having to constantly deal with self-imposed draconian security can be worse than getting hacked once or twice.  As such, my approach is "mid-range" security.  I have authenticator because I think Battle.NET is high risk, but I'm not going to set it so I have to authenticate every single time...because that's...well, annoying.

    To be perfectly honest, UAC is kind of a joke. It doesn't really do much but annoy people like you said. If there's one thing I've learned, anything that annoying ends up becoming the thing that people just click yes on no matter what it says. On top of that, I've never witnessed it actually catch any kind of threat before. I guess it is possible, but I'm not sure what it's supposed to catch.

     

    As far as anti-virus goes, if I might be so bold as to make a suggestion to you, turn on Microsoft Security Essentials. It's the built-in anti-virus that is installed with Windows 7 now. It is both surprisingly effective while also having a very minimal footprint on your system in my experience.

    I know, who would have guessed that Microsoft could actually do that properly. It provides real-time protection as well as standard scanning stuff, includes spyware definitions, and has all the basic stuff like scheduled scans and whatnot. 

    It's not the most advanced AV software out there, but it gets the job done and like I said has a pretty small footprint compared to other software. 

    Give it a shot, you might be surprised. 

     I'll give it a shot, thanks for the tip :).

    Are you team Azeroth, team Tyria, or team Jacob?

  • JeroKane | Oslo | Posts: 5,353 | Member Uncommon
    Originally posted by Tortanic

     


    Originally posted by JeroKane

    Originally posted by dubyahite

    Originally posted by Creslin321

    Originally posted by MikkelB

    Originally posted by wormywyrm It is so much more difficult to get hacked these days with Windows 7 and people are much more tech savvy now... At this point it really is the user's fault.
    Still, a lot of people don't use two accounts for Windows 7 (admin and a normal user) and/or they disable the UAC. Windows 7 is more secure than its predecessors, but if people don't use the options given to them, all hope is lost
     I'm going to say something that will upset some people on this thread but... I knowingly and willingly don't adhere to best security practices.  I only use an admin account, and the first thing I do is disable UAC. And why?  Because that crap is annoying.  I realize that I may leave myself more exposed to hackers by doing this, but honestly, that's a better alternative than having to deal with that annoying popup everytime I do something. I also don't run anti-virus because it is also annoying, and likes to gobble up my processor ticks with its constant scans. Despite all this though, I miraculously never really get viruses or get hacked.  Maybe I'm lucky, maybe it's because I'm pretty good at recognizing phishing attempts...but whatever the reason, I have been safe thus far. Sooo I dunno, I almost feel like having to constantly deal with self-imposed draconian security can be worse than getting hacked once or twice.  As such, my approach is "mid-range" security.  I have authenticator because I think Battle.NET is high risk, but I'm not going to set it so I have to authenticate every single time...because that's...well, annoying.
    To be perfectly honest, UAC is kind of a joke. It doesn't really do much but annoy people like you said. If there's one thing I've learned, anything that annoying ends up becoming the thing that people just click yes on no matter what it says. On top of that, I've never witnessed it actually catch any kind of threat before. I guess it is possible, but I'm not sure what it's supposed to catch.   As far as anti-virus goes, if I might be so bold as to make a suggestion to you, turn on Microsoft Security Essentials. It's the built in anti-virus that is installed with windows 7 now. It is both suprisingly effective while also having a very minimal footprint on your system in my experience.  I know, who would have guessed that Microsoft could actually do that properly. It provides real-time protection as well as standard scanning stuff, includes spyware definitions, and has all the basic stuff like scheduled scans and whatnot.  It's not the most advanced AV software out there, but it gets the job done and like I said has a pretty small footprint compared to other software.  Give it a shot, you might be surprised. 
    I used Avast Free Home edition and a separate Anti-malware program before.

    Now I only use Microsoft Security Essentials and it works for me. No viruses nor malware as of yet.

    Mind you! I also clear my browser cache, cookies, history, passwords, etc at least once a week!

    Especially if you surf the internet a lot, it's even recommended to do it more than once a week!

    cheers


     


    MSE misses a lot on detection, it is clean and straightforward though.

    If you've a bit of patience Comodo (https://www.comodo.com/) has a bunch of nice products.
    (I use the free Firewall+AV+Sandbox thing and it's pretty lovely as far as that sort of software goes.)

    Nothing is really secure or foolproof - think "resistant."

    The best protection tho, is from yourself!

    Stay clear from suspicious websites, like Online CD key websites that offer games for prices too good to be true! Or any RMT site!

    Don't auto open emails! Inspect every link in emails as to what the "REAL" url is, before clicking it!  Phishing emails are the NUMBER 1 cause of getting keyloggers and so getting your accounts hacked!

    Clearing your browser cache on a regular basis!  And use different passwords on Account sites that contain personal and credit data (like bank, MMO's, etc) and regular far less secure sites like fansites, (public) forums, etc.

    Cheers

  • dubyahite | Lincoln, NE | Posts: 2,483 | Member
    Originally posted by Tortanic

     

    [snip]

     


    MSE misses a lot on detection, it is clean and straightforward though.

    If you've a bit of patience Comodo (https://www.comodo.com/) has a bunch of nice products.
    (I use the free Firewall+AV+Sandbox thing and it's pretty lovely as far as that sort of software goes.)

    Nothing is really secure or foolproof - think "resistant."

    No AV is perfect, they all miss stuff. But as far as performance goes MSE actually does quite well. It has tested better than Norton, AVG, Sophos, McAfee, and other popular software in independent studies. Some programs like Panda, Avast, Kaspersky, Bitdefender and others have done better than MSE.  Not sure about how well Comodo tests.

     

    I personally think that of all the free stuff out there, Avast performs the best as far as detection percentage goes. It consistently places in the top few and is significantly better than paid solutions. 

    Shadow's Hand Guild
    Open recruitment for

    The Secret World - Dragons

    Planetside 2 - Terran Republic

    Tera - Dragonfall Server

    http://www.shadowshand.com

  • Slampig | Chantilly, VA | Posts: 2,376 | Member Uncommon
    Originally posted by thekid1

    Eurogamer writer gets his Diablo 3 account stolen.

    This Diablo 3 soap is even better than Age of Conan and WAR right after release.

     

    http://www.eurogamer.net/articles/2012-05-21-diablo-3-accounts-hacked-gold-and-items-stolen

    So he didn't have an Authenticator, kind of left that out didn't you? Not saying it is a panacea (look it up) but it TOTALLY helps...

     

    Enough of this one sided "reporting", makes yourself look like you have an agenda...

    That Guild Wars 2 login screen knocked up my wife. Must be the second coming!

  • sunshadow21 | Omaha, NE | Posts: 354 | Member

    I think my biggest difficulty with Blizzard's response is that they are saying absolutely nothing about the situation is their fault or within their control. The authenticators are fine enough, but to make that your only response is a bit lame. Virtual keyboards that allow you to enter a password without the use of a physical keyboard is one approach at least one other game has used, wouldn't be that hard to implement. I'm sure a security professional could come up with even more creative, yet relatively unobtrusive, ways to handle the problems they face. Internet security takes a bit of effort and creativity on the part of the defenders, but not nearly as much as some seem to think, and it shouldn't require an authenticator for a game either. If Blizzard were to actually try to seriously design and implement a security system and actually enforce it, none of the individual measures taken would have to be that drastic or that hard to maintain, yet I bet a lot of the problems would go away. They just don't seem to care about it. That is the part that concerns me. If a problem is found, it's quickly fixed and pushed under a rug as if it never happened, so the root problem never gets dealt with. This is where Blizzard has fallen behind the curve compared to a lot of other companies and games.

  • iceman00 | Westland, MI | Posts: 1,363 | Member
    Originally posted by dubyahite
    @iceman

    I'm not here to flaunt my knowledge. I'm here to discuss an issue of particular interest to me.

    I don't understand why my knowledge of the subject is an excuse to attack me. There are plenty of people in this thread with little to no understanding of security who are posting random nonsense and trying to pass it off as fact.

    Should you be quoting them and accusing them of missing the point? Because they most certainly are missing the point in a big way.

    Again, I'm not here to "flaunt" my knowledge. I am here because this subject is interesting to me.


    I am just here to discuss the topic of security which most people don't have a clue about.


    Look I don't care that your average user doesn't know how to protect themselves. Not my problem. What I do care about is when those same people go around spouting off nonsense as if they know what they are talking about.


    I mean, there was a guy in this very thread flipping out because Diablo opened port 80. Seriously. Then he tries to tell people that this is some huge security flaw.

    That is the person that is missing the point, not me.

    Okay, so one person said that.  Thing is, just about everyone else didn't.

    So why continue to erect such a straw man?  Apologies if the post I made came across as too harsh, it was more a take on how dismissive you were of everyone you wrote about.

  • iceman00 | Westland, MI | Posts: 1,363 | Member
    Originally posted by MikkelB
    Originally posted by iceman00
    Originally posted by kreken
    Originally posted by sunshadow21
    Originally posted by JeroKane

    And yet it's exactly these kind of gamers that SCREAM they have the perfect security on their computer and apply the best security practices, so that it only can be Blizzard's fault that they got hacked.

    Rest my case.

    A fair number of people have also given good reasons to question Blizzard's commitment to seriously dealing with this problem. Especially for those who have never had a problem with anyone else despite ample opportunity to have had it, the evidence is there that at some level, it is Blizzard's responsibility to deal with it, even if it isn't directly their fault. A lot of people could do more, certainly, in the security aspect, but that does not absolve Blizzard when those users exist across the internet, and yet it always seems like Blizzard's name is at the forefront of these conversations when it comes to suspect gaming companies.

     

    When a company has this serious of issues this consistently, it becomes much, much harder to simply blame the end user.

    I am curious, what would you like Blizzard to do? They already have the best security practices listed on their website. It is up to the end user to follow them or not. Do you want them to implement something like NPS (Network Policy Server) that will check if updates are up to date, antivirus is installed, signature files are updated and do a quick virus scan before allowing them to login into the game?

    Nowadays, there is no real excuse to be computer illiterate since the computers are an integral part of our daily lives. If you don't spend even a little time to learn a bit about the tool you are using then you shouldn't be using it. It seems people don't realize that computer is a tool and if you don't take care of it, it will "rust" and will underperform or do other unintended operations. If you leave your hand saw in the rain for two months, how good you think it will cut wood next time you use it?

    If I was a hacker for gold selling sites, would I target an unpopular game or a game with a lot of potential market? The hackers are in this to make money and it doesn't make business sense to target small demographics game where profit margin is very small. Looks like Blizzard fell a victim to its own popularity.

     

    1.)  Mandatory texts/email if you login from a different IP address.

    2.)  If you have an authenticator, you gotta authenticate with every login.  Don't wanna do that?  Don't buy the authenticator.

    3.)  Increased complexity with passwords. 

    Really, number 3 alone goes a long way.

    And really, you talk about how people "should" be computer literate.  People should also be able to change their oil or a tire on their car.  Yet the simple fact is a huge amount don't, and whining about how they should isn't going to fix the problem.  In a perfect world, IT security wouldn't be necessary.  When dealing with the average end user, you have to operate with the assumption they really don't know a lot of what they are doing.

    I actually agree with your points here. The thing is, these're games we're talking about. Blizzard is for obvious reasons interested in getting as many players to buy and play the game. Implementing the points you listed as mandatory, no matter how good they're, is not going to help the userfriendliness of the game. When it's harder to get to play the game, more people stop playing it. Same as with DRM, people are going to opt for pirating anyway, because when you implement DRM like in Assassin's Creed 2 for example, you've less frustration playing it without the DRM than with it. Concerning Diablo 3, just look at all those complaints around the internet about the mandatory 'always online'-restriction. Couple that with mandatory use of the authenticator and people are just not going to bother with the game, which would be a shame really.

    Point 3 is interesting at the moment concerning Blizzard policies. It seems that the passwords aren't forced to be case-sensitive. That's pretty bad of them. Aside from the increased complexity, I rather have that they would allow more characters to be used and that they would stimulate users to use passphrase, instead of passwords. Win - win for both sides.

    My second point, at least according to Blizzard's records, won't be needed..... yet.  But really, using the authenticator once every 7 days , really not much of a point.  Which I think brings up an interesting correlation.  Most of those who are going to use an authenticator, chances are their tech knowledge is more than satisfactory.  They probably aren't making the mistakes most people make.  So I guess I begin to wonder if "nobody who uses an authenticator had their account compromised" is one of those "true but irrelevant" statements, considering that authenticating once every 5-7 days is sorta pointless, and wouldn't stop an account from being compromised, since they operate in a span of minutes, not days.

    And Blizzard needs to seriously think about tighter security in terms of the RMAH.  ONE HACK is all it will take to cause an absolute nightmare.  It won't matter how many blizzbots screaming "the person getting hacked is a f**ktard who deserved it" there are.  So perhaps we can go on something with point 3/passphrases.  That really doesn't cost much, and is very easy to do, and there's an understandable reason.

    And yeah, agree with you on the DRM.  Just wish Blizzard would see it that way.  Bad timing for me to try out the game (due to busy schedule) but their DRM is so absurd (and the attempt to corral people onto the RMAH so nakedly obvious) I'm still not sure how much I'll play the game once I have time.

  • ArChWindArChWind Some Place, WIPosts: 623Member Uncommon
    Here is what bothers me about this authenticator thing.
     
    First off and most importantly I was playing open beta weekend I was hacked. I just did not realize it until the other day but the same thing happened to me as others. 'you have logged in from another location' Insta disconnect. Try to log in. 'account in use'. try to log in again 'your password is invalid' Shut down and restart and everything is OK. Nothing missing out of characters. Did not know where to write a bug report but then forgot about it. I thought it was a bug.
     
    Now here is why I have problems with this authentication shit and if did I have a key logger active just for a hack to get some gold?
     
    I log in ‘every day’ to my BANK account from this computer. I do most of my business through this computer with credit cards. I have done all my business through websites spending money and all the accounts in 5 years I have yet to be breached and NOT one of them requires an authenticator. ZERO. Why does a game require a device that government officials require to log in to VPN?
     
    If any suspicious activity was to happen I would know about it in under 24 hours. I have a website and it has no activity other than what I do with it. I have a domain and can have a million email addresses if I want them and I have 3 specific emails targeting game sites so I can find out who sells off my information. Not one has to this day sent me a phishing mail because even when it get to me it gets deleted by security scans. I don’t sign up for anything game related directly except news letters. I get most of my mail from this site about topics I read and have interest in. In other words I do not get spammed with garbage just normal 5 to 10 emails a week or in cases of MMORPG.com 10 to 20 mails a day because I selected the subject.
     
    This whole thing smells fishy to me.
  • iceman00iceman00 Westland, MIPosts: 1,363Member
    Originally posted by dubyahite
    Originally posted by MikkelB
    Originally posted by iceman00
    Originally posted by kreken
    Originally posted by sunshadow21
    Originally posted by JeroKane

    And yet it's exactly these kind of gamers that SCREAM they have the perfect security on their computer and apply the best security practices, so that it only can be Blizzard's fault that they got hacked.

    Rest my case.

    A fair number of people have also given good reasons to question Blizzard's commitment to seriously dealing with this problem. Especially for those who have never had a problem with anyone else despite ample opportunity to have had it, the evidence is there that at some level, it is Blizzard's responsibility to deal with it, even if it isn't directly their fault. A lot of people could do more, certainly, in the security aspect, but that does not absolve Blizzard when those users exist across the internet, and yet it always seems like Blizzard's name is at the forefront of these conversations when it comes to suspect gaming companies.

     

    When a company has this serious of issues this consistently, it becomes much, much harder to simply blame the end user.

    I am curious, what would you like Blizzard to do? They already have the best security practices listed on their website. It is up to the end user to follow them or not. Do you want them to implement something like NPS (Network Policy Server) that will check if updates are up to date, antivirus is installed, signature files are updated and do a quick virus scan before allowing them to login into the game?

    Nowadays, there is no real excuse to be computer illiterate since the computers are an integral part of our daily lives. If you don't spend even a little time to learn a bit about the tool you are using then you shouldn't be using it. It seems people don't realize that computer is a tool and if you don't take care of it, it will "rust" and will underperform or do other unintended operations. If you leave your hand saw in the rain for two months, how good you think it will cut wood next time you use it?

    If I was a hacker for gold selling sites, would I target an unpopular game or a game with a lot of potential market? The hackers are in this to make money and it doesn't make business sense to target small demographics game where profit margin is very small. Looks like Blizzard fell a victim to its own popularity.

     

    1.)  Mandatory texts/email if you login from a different IP address.

    2.)  If you have an authenticator, you gotta authenticate with every login.  Don't wanna do that?  Don't buy the authenticator.

    3.)  Increased complexity with passwords. 

    Really, number 3 alone goes a long way.

    And really, you talk about how people "should" be computer literate.  People should also be able to change their oil or a tire on their car.  Yet the simple fact is a huge amount don't, and whining about how they should isn't going to fix the problem.  In a perfect world, IT security wouldn't be necessary.  When dealing with the average end user, you have to operate with the assumption they really don't know a lot of what they are doing.

    I actually agree with your points here. The thing is, these're games we're talking about. Blizzard is for obvious reasons interested in getting as many players to buy and play the game. Implementing the points you listed as mandatory, no matter how good they're, is not going to help the userfriendliness of the game. When it's harder to get to play the game, more people stop playing it. Same as with DRM, people are going to opt for pirating anyway, because when you implement DRM like in Assassin's Creed 2 for example, you've less frustration playing it without the DRM than with it. Concerning Diablo 3, just look at all those complaints around the internet about the mandatory 'always online'-restriction. Couple that with mandatory use of the authenticator and people are just not going to bother with the game, which would be a shame really.

    Point 3 is interesting at the moment concerning Blizzard policies. It seems that the passwords aren't forced to be case-sensitive. That's pretty bad of them. Aside from the increased complexity, I rather have that they would allow more characters to be used and that they would stimulate users to use passphrase, instead of passwords. Win - win for both sides.

    This is a very important issue you raise. 

     

    Anyone who has worked in the IT industry can tell you that any company (not just game companies) has to weigh several factors when implementing security policies such as those suggested.  This is especially true when you are enforcing these policies on customers as opposed to employees.  

     

    It would be great to add a little forced complexity to people's passwords, but it is a tougher decision than it seems at first glance. Personally I would be all for it, but I know for a fact that Blizzard (or any other company) would have to deal with a lot of issues this would cause their customers as well. 

     

    Not too many MMO companies actually enforce password complexity on their users. Bioware did a decent job by forcing one uppercase letter and one number in their password, but really that is a lot more ineffective than you might think.  

     

    Here is an example, with Bioware's rules the password 'Tizftye7' would be an acceptable password. It's not particularly strong but at least it's not '123456'.  There are no words in it, and it appears totally random. It's not going to be in a dictionary attack so a cracker would need to use a guessing attack on it, which implies more time to crack it. 

     

    What this level of password security protects against is relatively slow online brute force or guessing attacks. Repeated attempts to guess the password on the service's website by attempting to log in would take months to complete all possible password guesses that would be required to guess that password. The exact search space of said password would be 5.46 x 10^23 or 546,108,599,233,516,079,517,120 possible passwords with that password length and alphabet size (characters that a cracker must account for). Seems like a big enough number.

    However, with current technology, your average cracker can make about one hundred billion guesses per second offline if they have acquired a password database. This would take less than an hour to complete the attack offline. If the attacker is running the database through a botnet or something, it would be a matter of seconds.

    So that level of password complexity protects against one thing, online attacks made by repeated login attempts to a website or the actual game service. The thing is, you are already protected against these attacks in most cases. After a few logins the system wants additional verification or it might even lock your account. This level of password complexity adds no security at all. 

     

    To really enforce a system where users must make secure passwords would require very long lengths (at least over 12 characters), one symbol, one number, at least one uppercase letter, and lower case letters as well.

    They would also need to prevent people from using common passwords and probably dictionary based passwords as well. Anything that can be found in a cracker's dictionary immediately eliminates the need for a guessing attack and any and all complexity is then useless. 

     

    Like MikkelB said, from a business perspective they simply can't enforce password complexity of this level. It would piss off a large portion of their users as well as create extra costs for the company in having to support these users. A person who can't remember their password is going to generate extra cost for the company in customer service and technical support on a regular basis. For a video game, it's just not realistic. I believe that it seriously would drive people away from the game.

     

    Now, the whole passwords not being case sensitive thing from Blizzard is absolutely bonkers. Out of all this stuff that has been talked about that actually pisses me off a great deal. I don't understand why they would actively undermine the security of those who choose to use a complex password.  I think I might email their customer service about that and bitch today. 

     

    As far as enforcing password complexity on users, it's a hopeless battle for a company. If you only do a little (like Bioware) you are not really adding any security. To actually add security to passwords through complexity would have a large impact on your business and the usability of your software, for something that (let's face it) is not that important. It's a video game account. Most companies have the capability to restore your account to a pre-hacked status for no charge.

    Ever hear of the phrase "not seeing the forest for the trees?"

    Once we get past all the fancy sounding numbers and techno speak, there are a few conclusions:

    1.)  outside of a multi pronged system, if a hacker gets a pw with your name in the database, chances are you are screwed.  With the tech available, it's going to happen.  Now Blizzard can't control for that part, I think we all agree.

    2.)  To create a "hack-proof" system would require so many layers that yes it would be extremely unfriendly, and would impact their sales.  I don't think anyone really disputes that.

    3.)  Since you can't really stop them once they get the database, the only thing you can do is make sure your db is secure.  Blizzard has done that.

    4.)  What can we do to stop the "brute force" incidents?

    5.)  Don't need every layer or nothing.  That would be akin to saying that I need every layer of possible security on my computer, or I should just run without a firewall, no av/malware protection, with internet explorer with UAC disabled on my windows 7, and head to where hackers are known to have infected a site broadcasting my IP.

    6.)  The argument you make about complexity..... applies to capital letters as well.  Given the way you do 5, we should then never ask for capital letters right?

    Blizzard isn't really concerned about tradeoffs here, since, as you rightly point out, even simple things like case-sensitivity isn't there.

    As far as "its a video game account, it isn't important", most people aren't going to look at it in the stoic rational manner you just did, gotta control for those kind of things as well.  Okay, maybe I just have a really freakin pessimistic view of human nature.
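
The search-space arithmetic argued over in the posts above, as an added example that is not part of any poster's message: it compares the 'Tizftye7' example under case-sensitive and case-insensitive checking, a wordlist hit, and the stricter policy described in the thread. The function names, the sample wordlist and the reading of "over 12 characters" as a minimum of 13 are assumptions made for this illustration.

```python
import string

OFFLINE_RATE = 100_000_000_000  # guesses per second: the offline figure quoted in the thread
# Constructed sample standing in for a cracker's wordlist (real lists hold millions of entries).
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "diablo3"]
SYMBOLS = string.punctuation + " "  # the 33 printable ASCII symbols, space included


def alphabet_size(password, case_sensitive=True):
    """Number of characters an exhaustive search must try per position."""
    has_lower = any(c in string.ascii_lowercase for c in password)
    has_upper = any(c in string.ascii_uppercase for c in password)
    has_digit = any(c in string.digits for c in password)
    has_symbol = any(c in SYMBOLS for c in password)
    if case_sensitive:
        letters = 26 * (has_lower + has_upper)
    else:
        # A case-insensitive service folds A-Z onto a-z, so capitals add nothing.
        letters = 26 if (has_lower or has_upper) else 0
    return letters + 10 * has_digit + 33 * has_symbol


def search_space(alphabet, length):
    """Candidates of every length from 1 to `length`; the attacker does not know the length."""
    return sum(alphabet ** k for k in range(1, length + 1))


def assess(password, case_sensitive=True, wordlist=COMMON_PASSWORDS, rate=OFFLINE_RATE):
    """Worst-case offline guesses: wordlist rank if listed, otherwise exhaustive search."""
    folded = [w.lower() for w in wordlist]
    # Crackers apply case-mangling rules to wordlists, so the lookup ignores case.
    if password.lower() in folded:
        guesses, method = folded.index(password.lower()) + 1, "wordlist"
    else:
        size = alphabet_size(password, case_sensitive)
        guesses, method = search_space(size, len(password)), "exhaustive"
    return {"method": method, "guesses": guesses, "seconds": guesses / rate}


def meets_strict_policy(password, min_length=13, wordlist=COMMON_PASSWORDS):
    """Length, all four character classes, and not a known common password."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS)
    return (
        len(password) >= min_length
        and all(any(c in cls for c in password) for cls in classes)
        and password.lower() not in (w.lower() for w in wordlist)
    )


if __name__ == "__main__":
    samples = [  # constructed inputs
        ("Tizftye7", True),
        ("Tizftye7", False),
        ("123456", True),
        ("Correct-Horse-7-battery", True),
    ]
    for pw, cs in samples:
        result = assess(pw, case_sensitive=cs)
        print(f"{pw!r:28} case_sensitive={cs!s:5} {result['method']:10} "
              f"{result['guesses']:.3e} guesses  {result['seconds']:.3e} s  "
              f"strict_policy={meets_strict_policy(pw)}")
```

`search_space(95, 12)` reproduces the 546,108,599,233,516,079,517,120 figure quoted in the thread, while `search_space(62, 8)`, the space for an 8-character mixed-case alphanumeric password, is exhausted in about 37 minutes at the quoted offline rate. Folding case shrinks that 8-character space by a factor of roughly 76.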

  • iceman00iceman00 Westland, MIPosts: 1,363Member
    Originally posted by JeroKane

    I used Avast Free Home edition and a separate Anti-malware program before.

    Now I only use Microsoft Security Essentials and it works for me. No viruses nor malware as of yet.

    Mind you! I also clear my browser cache, cookies, history, passwords, etc at least once a week!

    Especially if you surf the internet a lot, it's even recommended to do it more than once a week!

    cheers

     I also use Security Essentials (still have Malwarebytes on my PC if I need it).

    I think after 14 pages, everything that can be said has been said, and we can all end agreeing on something.

    Microsoft makes a product that actually works surprisingly well. 

    LOLWTF......

  • sunshadow21sunshadow21 Omaha, NEPosts: 354Member
    Originally posted by iceman00

    Blizzard isn't really concerned about tradeoffs here, since, as you rightly point out, even simple things like case-sensitivity isn't there.

    This is the biggest difficulty I'm having. If they can't even be bothered to implement something as basic and usually automatic as case sensitivity, why should I accept their claims that it's all the user's fault when clearly they aren't interested in doing the simple things that can be done on their end? Case sensitivity by itself wouldn't be a major thing, but combine it with other simple things like a virtual keyboard to get around keyloggers, and other similar simple, easy to implement ideas, and the impact would be significant with fairly little cost to Blizzard.

  • dubyahitedubyahite Lincoln, NEPosts: 2,483Member
    Originally posted by iceman00
    Originally posted by dubyahite

    [snip]

    Ever hear of the phrase "not seeing the forest for the trees?"

    Once we get past all the fancy sounding numbers and techno speak, there are a few conclusions:

    1.)  outside of a multi pronged system, if a hacker gets a pw with your name in the database, chances are you are screwed.  With the tech available, it's going to happen.  Now Blizzard can't control for that part, I think we all agree.

    2.)  To create a "hack-proof" system would require so many layers that yes it would be extremely unfriendly, and would impact their sales.  I don't think anyone really disputes that.

    3.)  Since you can't really stop them once they get the database, the only thing you can do is make sure your db is secure.  Blizzard has done that.

    4.)  What can we do to stop the "brute force" incidents?

    5.)  Don't need every layer or nothing.  That would be akin to saying that I need every layer of possible security on my computer, or I should just run without a firewall, no av/malware protection, with internet explorer with UAC disabled on my windows 7, and head to where hackers are known to have infected a site broadcasting my IP.

    6.)  The argument you make about complexity..... applies to capital letters as well.  Given the way you do 5, we should then never ask for capital letters right?

    Blizzard isn't really concerned about tradeoffs here, since, as you rightly point out, even simple things like case-sensitivity isn't there.

    As far as "its a video game account, it isn't important", most people aren't going to look at it in the stoic rational manner you just did, gotta control for those kind of things as well.  Okay, maybe I just have a really freakin pessimistic view of human nature.

    1.) This is not true. While no password is "uncrackable" you can make a password complex enough that it will never be cracked by a cracker. This was the point of my post. They are not going to even attempt a character space that would require 13 trillion centuries to complete. Ever.

    2.) Then we agree. But even then there is still risk of hacking, even if they did all this stuff.

    3.) This is incorrect. Again, if your password would take 13 trillion centuries to crack, a cracker is not even going to attempt a character space that large. They are going to go for the lowest common denominator and end up with about 20% of the passwords in the database. 

    4.) Make complex passwords. I explained this. My passwords will never be cracked by brute force with currently available technology. Not only that, but no cracker will even attempt a crack that would expose my passwords. 

    5.) I agree here. The case sensitive crap on blizzard passwords is just inexcusable. 

    6.) Yes. Capital letters are required for password complexity. I already said in previous posts that I was pissed about the case sensitive thing from blizzard. 

    Shadow's Hand Guild
    Open recruitment for

    The Secret World - Dragons

    Planetside 2 - Terran Republic

    Tera - Dragonfall Server

    http://www.shadowshand.com

  • zymurgeistzymurgeist Pittsville, VAPosts: 5,215Member Uncommon
    Originally posted by sunshadow21
    Originally posted by iceman00

    Blizzard isn't really concerned about tradeoffs here, since, as you rightly point out, even simple things like case-sensitivity isn't there.

    This is the biggest difficulty I'm having. If they can't even be bothered to implement something as basic and usually automatic as case sensitivity, why should I accept their claims that it's all the user's fault when clearly they aren't interested in doing the simple things that can be done on their end? Case sensitivity by itself wouldn't be a major thing, but combine it with other simple things like a virtual keyboard to get around keyloggers, and other similar simple, easy to implement ideas, and the impact would be significant with fairly little cost to Blizzard.

     It's not a case of can't be bothered or cost. They used to have case sensitivity. It's a problem with their customers. They aren't morons; what many of them are is children or people with no computer skills whatsoever. This is a calculation they made fully aware of what it means. While I may disagree with their decision I'm not naive enough to think Blizzard is just clueless or not listening to their customers. It's because they are listening to their customers and doing the math. Also this hacking is fairly rare. You hear a lot about it but their customer base is huge compared to other games.

    "Strong and bitter words indicate a weak cause" ~Victor Hugo

  • gatherisgatheris Charlotte, MIPosts: 995Member Uncommon
    Originally posted by itgrowls

    It's interesting to me that this is happening when there are free ways of dealing with it. Heck even the authenticators are cheap and free delivery. So why are people posting about this again? It's the user's fault if they get hacked at this point due to the security that Blizz implemented. It really is. I'm not a Blizz fan when it comes to the direction their company is going but i have to say they did the right thing when it comes to security for their players.

    complete bull

    beyond not handing out your passwords to one and all it is up to the business to protect your data - period

     


  • AIMonsterAIMonster Apopka, FLPosts: 2,059Member

    There is a rumor going around that a hacker can spoof your ID (obtained by joining a public game with the hacker) and bypass the need to use the authenticator.  I don't know if it's true, but some people "claim" to have been hacked even with the authenticator active.

    It's probably untrue and Blizzard claims that there are no reports of accounts breached that used an authenticator.

    Still, Blizzard doesn't exactly have the best security and privacy protection.  Registering an e-mail account on Bnet will open you up to multiple phishing attempts even if you never used the e-mail address for anything else (or at least it did at one point).


  • RednecksithRednecksith Madison heights, MIPosts: 1,238Member
    Originally posted by gatheris
    Originally posted by itgrowls

    It's interesting to me that this is happening when there are free ways of dealing with it. Heck even the authenticators are cheap and free delivery. So why are people posting about this again? It's the user's fault if they get hacked at this point due to the security that Blizz implemented. It really is. I'm not a Blizz fan when it comes to the direction their company is going but i have to say they did the right thing when it comes to security for their players.

    complete bull

    beyond not handing out your passwords to one and all it is up to the business to protect your data - period

     

    Complete bullshit.

    It is up to the USER to keep their PC safe and secure. It's not Blizzard's fault someone clicked a bad link, went to a site with a bad ad, fell for a phishing attempt, etc.

    How exactly is Blizzard supposed to make sure you do none of the above? The only thing they can do is warn and attempt to educate you, and that's a hell of a lot more than they are required to do. To say nothing of providing free mobile authenticators, and at-cost physical ones.

    Now if Blizzard's servers get hacked (which they have not) then yes, it is their responsibility.

     

  • RainBringerRainBringer AucklandPosts: 150Member
    Originally posted by zymurgeist

     

    They aren't morons; what many of them are is children or people with no computer skills whatsoever. This is a calculation they made fully aware of what it means.

    So, understanding the difference between an Uppercase " A " and a lowercase " a " is now a matter of "computer skills". I see the Blizzard defence club is getting desperate enough to throw out ridiculous statements since they are running out of anything substantial to say, might wanna stop before you guys start blaming the player for any leak on Blizzard's end...or wait has some fangirl already thrown that excuse out already? 

     

    Virtual keyboard seems like a decent precautionary measure for such cases. Yea I can see it happening sometime in the near future.

    "Just pay and download a VK app for $15.99 and you can be free of all your hacking woes!

    But Only works if you have bought ALL our Blizzard™ Authenticator versions 1, 2, v5, x15, zz20 and special edition 2 for service pack 3(until we put out more ca-ching junk applica...err Required Software Protection)."

     

    Online-always DRM is working as intended, yea?

    But it would be funny if Anon strikes against BNet for this D3 debacle. Shit would hit the exhaust fan.

  • LagozLagoz LohjaPosts: 92Member

    If you play blizzard games you should know by now to get an authenticator.

    I've never been hacked after getting it.
