Originally posted by Baitness Watch out, keep your authenticator attached, and I am not feeling too confident in blizzard's account security.
Usually when someone gets hacked it is because a "friend" acquired their login info, they use the same name / password on multiple sites, or they got phished.
I do not believe anyone bypassed Blizzard's security to gain access to your account.
You're absolutely right, another way is a way a friend of mine's accounts get compromised. She'll get drunk and while drunk emailing people will click on links in her email telling her she won a winged gryphon or something and then the next day, bam she logs in and all her characters are naked and everything is gone. Think she'd learn after all these years.
"if I had to decide between the likelihood that someone went out of their way to target me individually or any method to get passwords that does not require error on my part, "
You are missing the point of what I am saying. I'm telling you that it doesn't require wrongdoing on your part for your machine to be vulnerable. It always is.
I'm not accusing you of having a malware ridden machine. I don't know if you do or not.
The people that attack Blizzard accounts are very very good at what they do.
I'm not saying "you NOOB you got keylogged lololol"
I'm saying there are always holes. Always.
The people whose job it is to know those holes are a step ahead of your security no matter what. The attackers are always looking for weaknesses. They are exploiting everything they can. They are smarter than you or me or most people when it comes to these things.
If they target you, they will probably win. It's as simple as that.
Even people that work in the field of security get taken by malicious hackers. There is malware out there that the big AV companies have never seen. There are more attacks that you are vulnerable to than you want to know, through no fault of your own.
This isn't me blaming you. The only way you can prevent being compromised 100% is to get rid of your technology.
The stuff happens. And instead of blaming Blizzard or the people who get hacked, I am blaming the real bad guys.
Saying Blizzard's security features are lacking is misinformed at best. I can't think of another gaming company that provides their users with as many tools to protect themselves. I don't think anyone tries to educate their users as much as Blizzard does or communicates about security this well. They are open with information that other companies would never share.
The fact of the matter is, Blizzard are victims here too, and I promise you their damages from these incidents are far far greater than yours. There is no telling how much revenue is lost because of this stuff.
To think otherwise is just enabling the hackers.
Hackers depend on misinformation like this to discourage proper security practices. I would put money on the fact that some of the people are posting about getting hacked while they had authenticators to spread doubt in the entire idea of even using one. That's how they think and operate.
Again, you don't have to do something wrong to have vulnerabilities. Every single day your computer is vulnerable.
I know it is and I did not mean to imply blizzard was hacked. When I said I am not feeling confident in it I just meant exactly that - someone else got my password for this and apparently for nothing else. I still do not know how.
I do not think blizzard are just letting people have access to these things, I know that they have entire offices where people do nothing all day but deal with compromised accounts.
I have no idea how these things are happening I was just relaying my experience and warning people to not make the same mistake I did.
Challenging Fate to a fistfight? I dunno...never heard of a Darwin Award, I'm guessin'.
Self-pity imprisons us in the walls of our own self-absorption. The whole world shrinks down to the size of our problem, and the more we dwell on it, the smaller we are and the larger the problem seems to grow.
I had removed my authenticator since I was confident my PC was clean - this is the only even slightly diablo related website I visit on my computer, everything else is on my phone. I only use firefox with noscript, have not downloaded anything other than the latest nvidia drivers, and visited no odd websites.
However, right after I logged in just a few minutes ago, someone else logged into my account, kicking me off. I quickly went to battle net and reattached my authenticator, while it turned out they were on battle net changing my password. Fortunately the email notifying me of the password change had a link to recover my account in it and reset the password. Also fortunately all of the email to that address is sent to a different email address, so I did not have to worry about the email being compromised.
Point of this?
Watch out, keep your authenticator attached, and I am not feeling too confident in blizzard's account security.
Had this happen just after quitting WoW the first time. I found out through a friend that for a time there were Account GMs in their own company that were making money on the side by actually siding and helping the gold farmers of certain overseas companies. They would access your account after you quit the game, take off your own authenticator if there was still one there, allow that other company access to your account and then get kickbacks from it.
I am not making this up, it was happening around 2007 to me, both mine and my husband's accounts were hacked instantly after stopping payment and during this time certain GMs were reluctant to actually restore the items stolen on the accounts or the characters deleted.
They have a serious security problem STILL happening in their company it appears imo.
You have a point that I was a bit pissy in my post.
But you are incorrect about the OP's statements.
He has made several posts in this thread saying "I do x, y, and z so it must be blizzard"
Here's a direct quote " I am assuming the error is on blizzard's end"
He's directly saying blizzard has been compromised because it can't be on his end, when in fact it is far more likely that his machine was compromised.
Anyone can make a list of things they do that is flawless security, but it's never a very convincing list to me.
The bottom line is that he's just another poster that is saying "I'm perfect, it must be blizzard's fault. Look at all the stuff I do! It's clearly blizzard's fault!"
When in fact the thing that allegedly gave them access to his account was the removal of the authenticator.
If this story is true, I believe it is a case where the OP knows he messed up, regrets it and is kicking himself in the butt, but wants to blame someone else to make himself feel better.
I previously posted that I wasn't trying to blame him, but I should say that obviously the biggest mistake was in fact that very decision.
Actually it was just a warning to people. I really was not bothered by it much, I lost nothing and it hardly took any of my time to get it back. Even if I had lost the small amount of gold on my account it would not have been a very big deal, just annoying.
I still do think it is more likely there is a problem on blizzard's end. When I say that you assume I mean blizzard's account servers have been hacked, I actually just mean that I don't think the game is secure on its own. So far nobody that avoided the AH and Public games has had problems that I have seen. I imagine it probably has something to do with that. Even game reviewers are getting their accounts stolen, and I imagine they must have at least someone at their workplace making sure the computers stay clean.
To me, this smells of an insider at Blizzard selling people's account details. There are a lot of stupid people out there, but it doesn't sound like the OP is one of them, and there are many people that DO know better than to use stupid passwords and the same email on forums as their game account etc that are getting hacked.
I read on here somewhere that there was a guy that used the serial number from his guitar as a password, and blizzard told him it was his fault his account got hacked for using a too simple password!?
Also, Blizzard's policy on password complexity is laughable. And they allow you infinite attempts to login before locking your account....
Cluck Cluck, Gibber Gibber, My Old Mans A Mushroom
It is highly unlikely Blizzard store people's passwords in plaintext format so some "insider" cannot be selling accounts.
Password complexity is a stupid practice that needs to be stopped, it does nothing at all, learn about some true security, http://www.xkcd.com/936/
I can guarantee you that the vast majority of people that got hacked had been logged in one way, all this "I have a bagillion anti viruses, nothing can get me" is idiotic, anti viruses work on the principle of a bad boy list, is this program on the list or not. Now when someone makes a new virus/keylogger anti viruses will typically not pick it up, people have to start reporting these viruses and that means people need to get infected for that to happen.
First of all, your password is not stored anywhere on Blizzard's servers. They couldn't tell you your password if they wanted to. They have a hash of your password. If that hash is able to be brute forced or dictionary attacked, that is your own fault for not making a complex password.
As far as password complexity, it is not Blizzard's job to make your password complex. That's up to you to do. Sure you can't do capital letters, but if you understood entropy, you would know that you can make a perfectly secure and unguessable password without uppercase letters.
Make sure it is maximum length, if there is no max make it at least 15 characters with 1 number and one punctuation mark or symbol. Unguessable.
Oh yeah, your friend's password. If you know that it's his serial number from his guitar, then it's obviously not too secure. I mean, he told you right? Who else did he tell this to?
Beyond that, I don't know much about guitars but I'll say if the serial number was all numbers, yeah easily guessable by software.
Oh and to your point about stupid people, you don't have to be stupid to have a security breach. IT professionals have security problems at home all the time. The smartest most secure person will tell you that.
It's not highly unlikely it happened to me with a complex password and authenticators, so that age old adage (it didn't happen to me so therefore it doesn't happen at all) is nonsense.
They had this trouble in 2007 and it looks like with D3 that same problem has cropped up. And YES the GMs and account GMs have access to ALL of your info, that's the reason they don't ask you for your password is they already have access to it.
Guarantee huh, care to put money up? You will definitely lose the money. The facts all point to Blizzard having an internal security issue, once again, and due to their PR they decided to sweep it under the rug again.
The reason I know about the inside job was due to knowing GMs that actually worked for Blizzard during the time it happened to me who explained to me what was happening behind the scenes, that there were investigations going on at the time.
Y'know, I was going to say something about this but Dubyahite beat me to it, and in a much nicer fashion than I would have. So uh, have a good day and may your tinfoil hat remain forever free of rips & tears, I guess.
The funny thing about this inside job conspiracy is that it doesn't affect me at all.
Blizzard could put their database up on the Internet for everyone to download and my password still wouldn't get cracked. Unless they want to wait a hundred billion centuries (literally).
Not to mention the fact that they wouldn't have much time to do it before my password changed. Then there's the authenticator to deal with. The largest botnet in the world would have to get extremely lucky to guess my password in that window.
Originally posted by dubyahite Lol itgrowls You need to seriously read up on password encryption. Blizzard absolutely does not have your password in plain text. Not a chance. The reason they don't ask for your password is because that is a security no-no. Big time. It prevents people from giving their password to imposters. They don't know your password. Period. Again, your statements display your lack of knowledge on the subject. I made a response to you in one of the other threads about password hashes. Read it. Look up md5 salted encryption and password authentication. Blizzard absolutely does not have a plain text version of your password. Blizzard absolutely does not have a plain text version of your password. Say it with me: Blizzard absolutely does not have a plain text version of your password.
I never said they had stored passwords in plaintext, but an insider could without too much hassle get a copy of the hashed/encrypted passwords file and then decrypt them at home and sell them on. It's really not that hard.
Originally posted by dubyahite The funny thing about this inside job conspiracy is that it doesn't affect me at all. Blizzard could put their database up on the Internet for everyone to download and my password still wouldn't get cracked. Unless they want to wait a hundred billion centuries (literally). Not to mention the fact that they wouldn't have much time to do it before my password changed. Then there's the authenticator to deal with. The largest botnet in the world would have to get extremely lucky to guess my password in that window.
That's because you are not as stupid as the average WoW player at a guess. However, knowing how stupid their playerbase is, Blizzard should FORCE people to use more complex passwords, like you do.
Cluck Cluck, Gibber Gibber, My Old Mans A Mushroom
That was directed at itgrowls. Sorry can't quote on my phone.
But since you mention it, it's not a matter of "decrypting" it like you said.
Again, look up salted hashes.
The attacker has two methods of attack on encrypted passwords.
Brute force and dictionary.
If your password can be revealed by either of those methods, then you deserve to have it captured. That's blunt but it's true.
You need to look at some of the posts I and others have made about entropy and password complexity. I don't feel like retyping it again.
If your password is good enough, it will not be revealed.
To guess my password, a cracker would need to brute force a character space that would take a hundred trillion centuries to complete with current technology. There is a tiny tiny chance he would get it within his lifetime, but the odds are greatly in my favor.
Any cracker will tell you that they wouldn't even attempt such an attack because they can run much faster attacks on the database and get plenty of passwords from people that have terrible passwords.
The most common password used is 123456. Seriously.
That would be cracked in seconds. Who do you think they are going to go for? Seconds or a hundred trillion centuries.
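An added illustration of the two points in the post above (not written by any poster, and not Blizzard's actual scheme, which the thread does not document): what a server keeps when it stores a salted hash, and how exhaustive guessing time grows with keyspace. PBKDF2-HMAC-SHA256 is swapped in for the salted MD5 mentioned in the thread; the iteration count, alphabet sizes and guess rates are assumptions.

```python
import hashlib
import hmac
import math
import os
from typing import Optional, Tuple

ITERATIONS = 100_000          # assumed work factor for this sketch
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key); only these two values are stored, never the password."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per account
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, key


def verify_password(password: str, salt: bytes, stored_key: bytes) -> bool:
    """Re-derive the key from the login attempt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_key)


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random string over the given alphabet."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every string of this length at the assumed guess rate."""
    return (alphabet_size ** length) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Two accounts that happen to share a password get unrelated stored values,
    # so one precomputed table cannot cover both and each must be guessed separately.
    salt_a, key_a = hash_password("same-password")
    salt_b, key_b = hash_password("same-password")
    print("stored values differ:", key_a != key_b)
    print("correct login verifies:", verify_password("same-password", salt_a, key_a))

    # Six digits (like 123456) versus 15 random characters drawn from an
    # assumed 68-symbol alphabet (lowercase, digits, 32 symbols).
    print("6 digits: %.1f bits" % keyspace_bits(10, 6))
    print("15 of 68: %.1f bits" % keyspace_bits(68, 15))
    print("15 of 68 at 1e9 guesses/s: %.2e years" % years_to_exhaust(68, 15, 1e9))
```

The year figure is a worst-case bound for a uniformly random password; a password that appears in a guessing dictionary falls long before the keyspace is exhausted, whatever its length.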
Originally posted by stragen001 I never said they had stored passwords in plaintext, but an insider could without too much hassle get a copy of the hashed/encrypted passwords file and then decrypt them at home and sell them on. It's really not that hard.
The passwords would be encrypted thus if Blizzard is even somewhat competent the only person(s) with access to the passwords would be the database admin. GMs/the people on the end of the phone have limited access to information and mostly use pre written tools for the options as they do not need access to this information, these people are at the very bottom of Blizzard's chain of permissions, if they do have access to the passwords then Blizzard is at fault for being just darn stupid.
This is kinda my point too.
If Blizzard FORCED people to NOT use stupid passwords like 123456 then it would mean a lot less accounts got hacked.
Cluck Cluck, Gibber Gibber, My Old Mans A Mushroom
Forcing complexity is easier said than done. Forcing password complexity generates a lot of cost in tech support. It sounds dumb but it's true.
A college professor told me a story of a woman at a business he worked at. Every monday they had to reset her password. Rest of the week was fine, but every single Monday without fail she had to have it changed.
Can you guess why? The weekend. Two days of not using it was too much. She forgot it every weekend.
For a business it's a balancing act. Too much security impedes your users from getting work done. It can be seriously costly and detrimental to your work force.
I'm all for password complexity rules, but I understand why it is the way it is. It's a business decision and frankly they would have a lot of angry customers if they did this. It's easier for them to restore peoples accounts than piss them off right away.
Look at most of the online web based services you use. How many of them enforce password complexity seriously? Not many. Even your web email services don't do it. Heck most online banking sites don't do it. I know of banks that just require one number and a low amount of characters.
You could make your bank password 'password1' if you wanted. That's your freaking money. Paypal certainly doesn't do it. Ecommerce sites don't do it.
Singling out blizzard for following the industry standard is not really fair. There are much more critical systems that have far less security. Tell me, does your bank have a free mobile authenticator or do they charge $30 for a physical one? Or do they even have one to offer at all?
These companies know that complexity is important. They know it. The security pros there are not dumb. The users will not tolerate it. It's dumb but it's true.
Chew on this: users will do whatever they can to avoid complex passwords. They actively fight it.
Here's a scenario. Blizzard says you need to have 10 characters minimum, 1 number, and one capital letter. You know what some 'clever' user can do?
Password01
Make them use a symbol you say?
P@ssword01.
People will do this. I promise. Many of them. Those two examples are in every cracker's dictionary. Cracked within seconds. The policy is largely useless and that's why companies don't use it on the web. It's just not worth it.
The people that know about passwords do it right regardless. The 'password' people do it wrong regardless.
Besides all that, password complexity is far from the top of the list of Blizzard's concerns. The only way it becomes an issue is if the database is compromised.
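The scenario in the post above, as an added example that is not part of the original thread: a composition rule (10 characters, one number, one capital letter) next to a check that normalizes a candidate before comparing it with a list of common base words. The word list, the substitution table and the sample passwords other than the two quoted in the post are constructed for illustration.

```python
import re
from typing import Set, Tuple

# Constructed sample; a real deployment would load a large breached-password list.
COMMON_BASE_WORDS = {"password", "123456", "qwerty", "letmein", "dragon"}

# Common character substitutions undone before the comparison (assumed table).
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "l",
                      "3": "e", "$": "s", "5": "s", "!": "i"})


def meets_composition_rules(pw: str) -> bool:
    """The policy from the post: at least 10 characters, one number, one capital."""
    return (len(pw) >= 10
            and any(c.isdigit() for c in pw)
            and any(c.isupper() for c in pw))


def candidate_bases(pw: str) -> Set[str]:
    """Forms of the password to compare against the common-word list."""
    lowered = pw.lower()
    # Drop a trailing run of digits/symbols first ("password01" -> "password"),
    # then undo substitutions inside the remaining word ("p@ssword" -> "password").
    stripped = re.sub(r"[^a-z]+$", "", lowered)
    forms = {lowered, stripped, stripped.translate(LEET)}
    forms.discard("")
    return forms


def is_predictable(pw: str) -> bool:
    """True when any normalized form is a known common password."""
    return bool(candidate_bases(pw) & COMMON_BASE_WORDS)


def evaluate(pw: str) -> Tuple[bool, bool]:
    """Return (passes composition policy, flagged as predictable)."""
    return meets_composition_rules(pw), is_predictable(pw)


if __name__ == "__main__":
    samples = [
        "Password01",                    # from the post
        "P@ssword01",                    # from the post
        "123456",                        # from the thread
        "violet-kettle-orbit-47-mango",  # constructed passphrase, no capitals
    ]
    for pw in samples:
        policy_ok, predictable = evaluate(pw)
        print(f"{pw!r:34} policy_ok={policy_ok!s:5} predictable={predictable}")
```

Both passwords from the post satisfy the composition rule and are still flagged, while the long constructed passphrase fails the rule only because it has no capital letter.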
I had removed my authenticator since I was confident my PC was clean - this is the only even slightly diablo related website I visit on my computer, everything else is on my phone. I only use firefox with noscript, have not downloaded anything other than the latest nvidia drivers, and visited no odd websites.
However, right after I logged in just a few minutes ago, someone else logged into my account, kicking me off. I quickly went to battle net and reattached my authenticator, while it turned out they were on battle net changing my password. Fortunately the email notifying me of the password change had a link to recover my account in it and reset the password. Also fortunately all of the email to that address is sent to a different email address, so I did not have to worry about the email being compromised.
Point of this?
Watch out, keep your authenticator attached, and I am not feeling too confident in blizzard's account security.
Point of this: Use an authenticator. If you have one and turn it off you are asking for trouble.
Yep, so many scammers are trying to get battlenet acc, it's best to just keep it active. I also have my pc clean, scan regularly and watch out which sites I visit, tho I did disable my authenticator for 1 week a few years ago in wow and got keylogged.
Originally posted by Baitness Watch out, keep your authenticator attached, and I am not feeling too confident in blizzard's account security.
Usually when someone gets hacked it is because a "friend" acquired their login info, they use the same name / password on multiple sites, or they got phished.
I do not believe anyone bypassed Blizzard's security to gain access to your account.
This is complete bullshit... Mine was hacked and I'm very careful.
"You are all going to poop yourselves." BillMurphy
"Laugh and the world laughs with you. Weep and you weep alone."
You have a point that I was a bit pissy in my post.
But you are incorrect about the OP's statements.
He has made several posts in this thread saying "I do x, y, and z so it must be blizzard"
Here's a direct quote " I am assuming the error is on blizzard's end"
He's directly saying blizzard has been compromised because it can't be on his end, when in fact it is far more likely that his machine was compromised.
Anyone can make a list of things they do that is flawless security, but it's never a very convincing list to me.
The bottom line is that he's just another poster that is saying "I'm perfect, it must be blizzard's fault. Look at all the stuff I do! It's clearly blizzard's fault!"
When in fact the thing that allegedly gave them access to his account was the removal of the authenticator.
If this story is true, I believe it is a case where the OP knows he messed up, regrets it and is kicking himself in the butt, but wants to blame someone else to make himself feel better.
I previously posted that I wasn't trying to blame him, but I should say that obviously the biggest mistake was in fact that very decision.
I get your point. These are PC gamers though, I don't think it's a secret the average PC gamer usually likes to view themselves as in the know about all things PC or net related. Geek cred and all that nonsense.
I'm not even that knowledgable in this department, I can make a PC work I can MOD games, and I build my PC's, but at the end of the day, I know what I bothered learning, not much more. I at least know it's best to listen to those who seem knowledgable like yourself. So I'm not going to pretend to be able to argue about something I have no idea about.
The one thing I see that is repeated by many like yourself is that no system is truly protected, I just want to know if that means anything is possible when it comes to this topic?
"For every minute you are angry, you lose 60 seconds of happiness." -Emerson
Did you access your account at all through your phone? You said that "everything else is on my phone."
No I did not. I meant that I browsed the web from my phone. I had to access my account once through the web on my pc before it was hacked, and that was when I purchased D3 from battle.net. Otherwise the only time the information was entered was when I turned on the game.
I am really surprised at how important everyone feels the game account is, like I mentioned earlier I value that very little compared to many other things on my computer. I've yet to find for certain what did it, will update of course if a scanner finds something.
Did you access your account at all through your phone? You said that "everything else is on my phone."
No I did not. I meant that I browsed the web from my phone. I had to access my account once through the web on my pc before it was hacked, and that was when I purchased D3 from battle.net. Otherwise the only time the information was entered was when I turned on the game.
I am really surprised at how important everyone feels the game account is, like I mentioned earlier I value that very little compared to many other things on my computer. I've yet to find for certain what did it, will update of course if a scanner finds something.
I wasn't suggesting anything. I was just asking. There's some creative exploits out there targeted at things like smart phones.
Note: I am not pushing any agenda or taking any side.
Comments
You're absolutely right, another way is a way a friend of mine's accounts get compromised. She'll get drunk and while drunk emailing people will click on links in her email telling her she won a winged gryphon or something and then the next day, bam she logs in and all her characters are naked and everything is gone. Think she'd learn after all these years.
What happens when you log off your characters????.....
http://www.youtube.com/watch?v=GFQhfhnjYMk
Dark Age of Camelot
You are missing the point of what I am saying. I'm telling you that it doesn't require wrongdoing on your part for your machine to be vulnerable. It always is.
I'm not accusing you of having a malware ridden machine. I don't know if you do or not.
The people that attack Blizzard accounts are very very good at what they do.
I'm not saying "you NOOB you got keylogged lololol"
I'm saying there are always holes. Always.
The people whose job it is to know those holes are a step ahead of your security no matter what. The attackers are always looking for weaknesses. They are exploiting everything they can. They are smarter than you or me or most people when it comes to these things.
If they target you, they will probably win. It's as simple as that.
Even people that work in the field of security get taken by malicious hackers. There is malware out there that the big AV companies have never seen. There are more attacks that you are vulnerable to than you want to know, through no fault of your own.
This isn't me blaming you. The only way you can prevent being compromised 100% is to get rid of your technology.
The stuff happens. And instead of blaming Blizzard or the people who get hacked, I am blaming the real bad guys.
Saying Blizzard's security features are lacking is misinformed at best. I can't think of another gaming company that provides their users with as many tools to protect themselves. I don't think anyone tries to educate their users as much as Blizzard does or communicates about security this well. They are open with information that other companies would never share.
The fact of the matter is, Blizzard are victims here too, and I promise you their damages from these incidents are far far greater than yours. There is no telling how much revenue is lost because of this stuff.
To think otherwise is just enabling the hackers.
Hackers depend on misinformation like this to discourage proper security practices. I would put money on the fact that some of the people posting about getting hacked while they had authenticators are doing it to spread doubt in the entire idea of even using one. That's how they think and operate.
Again, you don't have to do something wrong to have vulnerabilities. Every single day your computer is vulnerable.
Shadow's Hand Guild
Open recruitment for
The Secret World - Dragons
Planetside 2 - Terran Republic
Tera - Dragonfall Server
http://www.shadowshand.com
I know it is and I did not mean to imply Blizzard was hacked. When I said I am not feeling confident in it I just meant exactly that - someone else got my password for this and apparently for nothing else. I still do not know how.
I do not think blizzard are just letting people have access to these things, I know that they have entire offices where people do nothing all day but deal with compromised accounts.
I have no idea how these things are happening I was just relaying my experience and warning people to not make the same mistake I did.
Challenging Fate to a fistfight? I dunno...never heard of a Darwin Award, I'm guessin'.
Self-pity imprisons us in the walls of our own self-absorption. The whole world shrinks down to the size of our problem, and the more we dwell on it, the smaller we are and the larger the problem seems to grow.
Had this happen just after quitting WoW the first time. I found out through a friend that for a time there were Account GMs in their own company that were making money on the side by actually siding and helping the gold farmers of certain overseas companies. They would access your account after you quit the game, take off your own authenticator if there was still one there, allow that other company access to your account and then get kickbacks from it.
I am not making this up, it was happening around 2007 to me, both mine and my husband's accounts were hacked instantly after stopping payment and during this time certain GMs were reluctant to actually restore the items stolen on the accounts or the characters deleted.
They have a serious security problem STILL happening in their company it appears imo.
You have a point that I was a bit pissy in my post.
But you are incorrect about the OP's statements.
He has made several posts in this thread saying "I do x, y, and z so it must be Blizzard"
Here's a direct quote: "I am assuming the error is on blizzard's end"
He's directly saying Blizzard has been compromised because it can't be on his end, when in fact it is far more likely that his machine was compromised.
Anyone can make a list of things they do that is flawless security, but it's never a very convincing list to me.
The bottom line is that he's just another poster that is saying "I'm perfect, it must be Blizzard's fault. Look at all the stuff I do! It's clearly Blizzard's fault!"
When in fact the thing that allegedly gave them access to his account was the removal of the authenticator.
If this story is true, I believe it is a case where the OP knows he messed up, regrets it and is kicking himself in the butt, but wants to blame someone else to make himself feel better.
I previously posted that I wasn't trying to blame him, but I should say that obviously the biggest mistake was in fact that very decision.
Actually it was just a warning to people. I really was not bothered by it much, I lost nothing and it hardly took any of my time to get it back. Even if I had lost the small amount of gold on my account it would not have been a very big deal, just annoying.
I still do think it is more likely there is a problem on Blizzard's end. When I say that you assume I mean Blizzard's account servers have been hacked, I actually just mean that I don't think the game is secure on its own. So far nobody that avoided the AH and Public games has had problems that I have seen. I imagine it probably has something to do with that. Even game reviewers are getting their accounts stolen, and I imagine they must have at least someone at their workplace making sure the computers stay clean.
To me, this smells of an insider at Blizzard selling people's account details. There are a lot of stupid people out there, but it doesn't sound like the OP is one of them, and there are many people that DO know better than to use stupid passwords and the same email on forums as their game account etc that are getting hacked.
I read on here somewhere that there was a guy that used the serial number from his guitar as a password, and Blizzard told him it was his fault his account got hacked for using a too simple password!?
Also, Blizzard's policy on password complexity is laughable. And they allow you infinite attempts to login before locking your account....
Cluck Cluck, Gibber Gibber, My Old Mans A Mushroom
It is highly unlikely Blizzard stores people's passwords in plaintext format, so some "insider" cannot be selling accounts.
Password complexity is a stupid practice that needs to be stopped; it does nothing at all. Learn about some true security: http://www.xkcd.com/936/
I can guarantee you that the vast majority of people that got hacked had been logged in one way; all this "I have a bagillion anti viruses, nothing can get me" is idiotic. Anti viruses work on the principle of a bad boy list: is this program on the list or not. Now when someone makes a new virus/keylogger, anti viruses will typically not pick it up; people have to start reporting these viruses, and that means people need to get infected for that to happen.
stylin'
Wow where to start.
First of all, your password is not stored anywhere on Blizzard's servers. They couldn't tell you your password if they wanted to. They have a hash of your password. If that hash is able to be brute forced or dictionary attacked, that is your own fault for not making a complex password.
As far as password complexity, it is not Blizzard's job to make your password complex. That's up to you to do. Sure you can't do capital letters, but if you understood entropy, you would know that you can make a perfectly secure and unguessable password without uppercase letters.
Make sure it is maximum length, if there is no max make it at least 15 characters with 1 number and one punctuation mark or symbol. Unguessable.
Oh yeah, your friend's password. If you know that it's his serial number from his guitar, then it's obviously not too secure. I mean, he told you right? Who else did he tell this to?
Beyond that, I don't know much about guitars but I'll say if the serial number was all numbers, yeah easily guessable by software.
Oh and to your point about stupid people, you don't have to be stupid to have a security breach. IT professionals have security problems at home all the time. The smartest most secure person will tell you that.
It's not highly unlikely, it happened to me with a complex password and authenticators, so that age old adage (it didn't happen to me so therefore it doesn't happen at all) is nonsense.
They had this trouble in 2007 and it looks like with D3 that same problem has cropped up. And YES the GMs and account GMs have access to ALL of your info, that's the reason they don't ask you for your password is they already have access to it.
Guarantee huh, care to put money up? You will definitely lose the money. The facts all point to Blizzard having an internal security issue, once again, and due to their PR they decided to sweep it under the rug again.
The reason I know about the inside job was due to knowing GMs that actually worked for Blizzard during the time it happened to me who explained to me what was happening behind the scenes, that there were investigations going on at the time.
You need to seriously read up on password encryption.
Blizzard absolutely does not have your password in plain text. Not a chance.
The reason they don't ask for your password is because that is a security no-no. Big time. It prevents people from giving their password to imposters.
They don't know your password. Period.
Again, your statements display your lack of knowledge on the subject.
I made a response to you in one of the other threads about password hashes. Read it.
Look up md5 salted encryption and password authentication.
Blizzard absolutely does not have a plain text version of your password.
Blizzard absolutely does not have a plain text version of your password.
Say it with me:
Blizzard absolutely does not have a plain text version of your password.
Y'know, I was going to say something about this but Dubyahite beat me to it, and in a much nicer fashion than I would have. So uh, have a good day and may your tinfoil hat remain forever free of rips & tears, I guess.
Blizzard could put their database up on the Internet for everyone to download and my password still wouldn't get cracked. Unless they want to wait a hundred billion centuries (literally).
Not to mention the fact that they wouldn't have much time to do it before my password changed. Then there's the authenticator to deal with. The largest botnet in the world would have to get extremely lucky to guess my password in that window.
That's because you are not as stupid as the average WoW player at a guess. However, knowing how stupid their playerbase is, Blizzard should FORCE people to use more complex passwords, like you do.
Cluck Cluck, Gibber Gibber, My Old Mans A Mushroom
That was directed at itgrowls. Sorry can't quote on my phone.
But since you mention it, it's not a matter of "decrypting" it like you said.
Again, look up salted hashes.
The attacker has two methods of attack on encrypted passwords.
Brute force and dictionary.
If your password can be revealed by either of those methods, then you deserve to have it captured. That's blunt but it's true.
You need to look at some of the posts I and others have made about entropy and password complexity. I don't feel like retyping it again.
If your password is good enough, it will not be revealed.
To guess my password, a cracker would need to brute force a character space that would take a hundred trillion centuries to complete with current technology. There is a tiny tiny chance he would get it within his lifetime, but the odds are greatly in my favor.
Any cracker will tell you that they wouldn't even attempt such an attack because they can run much faster attacks on the database and get plenty of passwords from people that have terrible passwords.
The most common password used is 123456. Seriously.
That would be cracked in seconds. Who do you think they are going to go for? Seconds or a hundred trillion centuries?
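The posts above argue that a service keeps only a salted hash and that what then matters is the size of the space a guesser has to cover. The following is an added example, not part of the thread and not Blizzard's actual scheme: it stores and verifies a password with a per-account salt and estimates exhaustive-search time. The choice of PBKDF2-HMAC-SHA256, the iteration count, the 68-character alphabet and the guess rate are all assumptions made for illustration.

```python
import hashlib
import hmac
import math
import os
from typing import Optional, Tuple

PBKDF2_ROUNDS = 100_000  # assumed work factor, chosen for this example only


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). The server stores these two values, never the password."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(attempt: str, salt: bytes, digest: bytes) -> bool:
    """Re-derive the digest from a login attempt and compare in constant time."""
    _, candidate = hash_password(attempt, salt)
    return hmac.compare_digest(candidate, digest)


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a uniformly random password of this length."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Years needed to try every password of this length at the given rate."""
    seconds = alphabet_size ** length / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # Two accounts with the same password get unrelated records because the
    # salts differ, so a table precomputed for one salt is useless for another.
    salt_a, digest_a = hash_password("correct horse battery staple")
    salt_b, digest_b = hash_password("correct horse battery staple")
    print("same password, same digest?", digest_a == digest_b)
    print("correct login:", verify_password("correct horse battery staple", salt_a, digest_a))
    print("wrong login:  ", verify_password("123456", salt_a, digest_a))

    rate = 1e9  # assumed offline guess rate (guesses per second)
    # "123456": six characters drawn from the ten digits.
    print("6 digits : %.1f bits, %.2e years" % (keyspace_bits(6, 10), years_to_exhaust(6, 10, rate)))
    # 15 characters from lowercase letters, digits and 32 symbols (68 total).
    print("15 mixed : %.1f bits, %.2e years" % (keyspace_bits(15, 68), years_to_exhaust(15, 68, rate)))
```

The estimate only covers exhaustive search over random characters; a password that appears in a wordlist falls to a dictionary attack regardless of its length.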
The passwords would be encrypted, thus if Blizzard is even somewhat competent the only person(s) with access to the passwords would be the database admin. GMs/the people on the end of the phone have limited access to information and mostly use pre written tools for the options as they do not need access to this information, these people are at the very bottom of Blizzard's chain of permissions, if they do have access to the passwords then Blizzard is at fault for being just darn stupid.
stylin'
This is kinda my point too.
If Blizzard FORCED people to NOT use stupid passwords like 123456 then it would mean a lot less accounts got hacked.
Cluck Cluck, Gibber Gibber, My Old Mans A Mushroom
Forcing complexity is easier said than done. Forcing password complexity generates a lot of cost in tech support. It sounds dumb but it's true.
A college professor told me a story of a woman at a business he worked at. Every Monday they had to reset her password. Rest of the week was fine, but every single Monday without fail she had to have it changed.
Can you guess why? The weekend. Two days of not using it was too much. She forgot it every weekend.
For a business it's a balancing act. Too much security impedes your users from getting work done. It can be seriously costly and detrimental to your work force.
I'm all for password complexity rules, but I understand why it is the way it is. It's a business decision and frankly they would have a lot of angry customers if they did this. It's easier for them to restore peoples accounts than piss them off right away.
Look at most of the online web based services you use. How many of them enforce password complexity seriously? Not many. Even your web email services don't do it. Heck most online banking sites don't do it. I know of banks that just require one number and a low amount of characters.
You could make your bank password 'password1' if you wanted. That's your freaking money. Paypal certainly doesn't do it. Ecommerce sites don't do it.
Singling out blizzard for following the industry standard is not really fair. There are much more critical systems that have far less security. Tell me, does your bank have a free mobile authenticator or do they charge $30 for a physical one? Or do they even have one to offer at all?
These companies know that complexity is important. They know it. The security pros there are not dumb. The users will not tolerate it. It's dumb but it's true.
Chew on this: users will do whatever they can to avoid complex passwords. They actively fight it.
Here's a scenario. Blizzard says you need to have 10 characters minimum, 1 number, and one capital letter. You know what some 'clever' user can do?
Password01
Make them use a symbol you say?
P@ssword01.
People will do this. I promise. Many of them. Those two examples are in every cracker's dictionary. Cracked within seconds. The policy is largely useless and that's why companies don't use it on the web. It's just not worth it.
The people that know about passwords do it right regardless. The 'password' people do it wrong regardless.
Besides all that, password complexity is far from the top of the list of Blizzard's concerns. The only way it becomes an issue is if the database is compromised.
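The post above says a rule of "10 characters minimum, 1 number, and one capital letter" is satisfied by Password01 and P@ssword01. The following is an added example, not part of the thread: a signup-side check that applies that composition rule next to a check that undoes the usual decorations and compares the result with a common-password list. The word list is a small constructed sample and the function names are hypothetical.

```python
import re

# Constructed sample; a real deployment would load a large list of
# commonly used and previously breached passwords.
COMMON_BASE_WORDS = {"password", "123456", "qwerty", "letmein", "dragon"}

# Substitutions people commonly apply to satisfy "must contain a symbol" rules.
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})

# Characters typically appended to satisfy "must contain a digit/symbol" rules.
TRAILING_DECORATION = "0123456789!@#$%^&*?._-"


def meets_composition_rule(password: str) -> bool:
    """The rule from the post: at least 10 characters, one digit, one capital."""
    return (
        len(password) >= 10
        and re.search(r"\d", password) is not None
        and re.search(r"[A-Z]", password) is not None
    )


def is_common_variant(password: str) -> bool:
    """True if the password is a common word once case, trailing digits or
    symbols, and simple character substitutions are undone."""
    lowered = password.lower()
    stripped = lowered.rstrip(TRAILING_DECORATION)
    candidates = {
        lowered,
        stripped,
        lowered.translate(LEET_MAP),
        stripped.translate(LEET_MAP),
    }
    return any(candidate in COMMON_BASE_WORDS for candidate in candidates)


def review(password: str) -> tuple:
    """Return (passes composition rule, is a common-password variant)."""
    return meets_composition_rule(password), is_common_variant(password)


if __name__ == "__main__":
    samples = ["Password01", "P@ssword01", "123456", "correct horse battery staple"]
    for sample in samples:
        rule_ok, common = review(sample)
        print(f"{sample!r:32} composition rule: {rule_ok!s:5}  common variant: {common}")
```

On these samples the composition rule accepts both decorated forms of "password" and rejects the four-word passphrase from the xkcd comic linked earlier in the thread, while the list-based check does the opposite.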
Yep, so many scammers are trying to get battlenet acc, it's best to just keep it active. I also have my PC clean, scan regularly and watch out which sites I visit, though I did disable my authenticator for 1 week a few years ago in WoW and got keylogged.
This is complete bullshit... Mine was hacked and I'm very careful.
"You are all going to poop yourselves." BillMurphy
"Laugh and the world laughs with you. Weep and you weep alone."
Did you access your account at all through your phone? You said that "everything else is on my phone."
I get your point. These are PC gamers though, I don't think it's a secret the average PC gamer usually likes to view themselves as in the know about all things PC or net related. Geek cred and all that nonsense.
I'm not even that knowledgeable in this department, I can make a PC work, I can MOD games, and I build my PCs, but at the end of the day, I know what I bothered learning, not much more. I at least know it's best to listen to those who seem knowledgeable like yourself. So I'm not going to pretend to be able to argue about something I have no idea about.
The one thing I see that is repeated by many like yourself is that no system is truly protected, I just want to know if that means anything is possible when it comes to this topic?
"For every minute you are angry, you lose 60 seconds of happiness." -Emerson
No I did not. I meant that I browsed the web from my phone. I had to access my account once through the web on my pc before it was hacked, and that was when I purchased D3 from battle.net. Otherwise the only time the information was entered was when I turned on the game.
I am really surprised at how important everyone feels the game account is, like I mentioned earlier I value that very little compared to many other things on my computer. I've yet to find for certain what did it, will update of course if a scanner finds something.
I wasn't suggesting anything. I was just asking. There's some creative exploits out there targeted at things like smart phones.
Note: I am not pushing any agenda or taking any side.
http://th3j35t3r.wordpress.com/2012/03/09/curiosity-pwned-the-cat/ As an example.