Here is sommething that baffles me in wake of this massive hacking.
How in the world is it even possible.
Lets take few scenarios.
1. Password was stolen trough phishing.
There are hundreds of thousands of users that created D3/Battlenet account but do not have the game.
Thousands of Users that change passwords all the time
Thousands of error inputs they got trough phishing
So what do the hackers do ?
Do they have a bot that constantly tries to log in D3 with millions of password/username combinations ?
And if yes. How come Blizzard is not indentifying such as security intrusion ??!!
2. Hacked trough session hijacking.
If you actively need to log into players game, its slow process.
Cant imagine the payoff is so great.
Again. There must be thousands of logins from same computer IP.
How come Blizzard is not indentifying this as breach ??!!
But let say breach happened.
You need to sell all equipment and transfer gold to different character. And thousand times.
You need bot for that.
So it means bots do work in D3 , allready ?
If so hacker can actually make more gold by simply bot farming than with all the almost impossible hassle of hacking. That can (and i dont know why its not happening) get hacker account banned and gold repossesed.
So...
Its highly unlogical all in all. Especially if it happens on such massive scale.
session hijacking is most commonly done through man in the middle attacks.
I suspect that some of the people are simply using the same login and passwords at many sites and thus have given their information out. Now someone will come here and say thay haven't...
Kyleran: "Now there's the real trick, learning to accept and enjoy a game for what
it offers rather than pass on what might be a great playing experience
because it lacks a few features you prefer."
John Henry Newman: "A man would do nothing if he waited until he could do it so well that no one could find fault."
FreddyNoNose: "A good game needs no defense; a bad game has no defense." "Easily digested content is just as easily forgotten."
LacedOpium: "So the question that begs to be asked is, if you are not interested in
the game mechanics that define the MMORPG genre, then why are you
playing an MMORPG?"
The "home" key is undetectable via keylogger or anything else that I know of, so you should use that key in your password.
Example.
PW without the home key: theorycrafting
PW with home added after "theory": craftingtheory
Velika: City of Wheels: Among the mortal races, the humans were the only one that never built cities or great empires; a curse laid upon them by their creator, Gidd, forced them to wander as nomads for twenty centuries...
Given the percentage of Diablo 2 players who downloaded and installed cheats like MapHack, I am not even remotely surprised that a lot of Diablo 3 players are getting their accounts jacked.
Seriously, has there been any playerbase in the history of gaming with a worse record of cheating than Diablo players? It got to the point where I wouldn't even play public D2 games because I'd always get called an idiot and a noob for not having MapHack.
Here is sommething that baffles me in wake of this massive hacking.
How in the world is it even possible.
Lets take few scenarios.
1. Password was stolen trough phishing.
There are hundreds of thousands of users that created D3/Battlenet account but do not have the game.
Thousands of Users that change passwords all the time
Thousands of error inputs they got trough phishing
So what do the hackers do ?
Do they have a bot that constantly tries to log in D3 with millions of password/username combinations ?
And if yes. How come Blizzard is not indentifying such as security intrusion ??!!
2. Hacked trough session hijacking.
If you actively need to log into players game, its slow process.
Cant imagine the payoff is so great.
Again. There must be thousands of logins from same computer IP.
How come Blizzard is not indentifying this as breach ??!!
But let say breach happened.
You need to sell all equipment and transfer gold to different character. And thousand times.
You need bot for that.
So it means bots do work in D3 , allready ?
If so hacker can actually make more gold by simply bot farming than with all the almost impossible hassle of hacking. That can (and i dont know why its not happening) get hacker account banned and gold repossesed.
So...
Its highly unlogical all in all. Especially if it happens on such massive scale.
From the interview in the 60million gold/hr thread, the people who steal accounts are not even stealing them from Blizzard. They steal them from fan sites that have lower security, and then yes, they have a bot inputting their whole database of usernames and passwords. Some of their team leads are programmers who look for security loopholes in order to keep the bots running. Blizzard closes these holes in time, but the problem is that they don't close them quickly. In fact, many speculate that Blizzard is intentionally being slow in this area, for the simple fact that gold farmers = $$ for Blizzard.
Session hacking has not been confirmed or denied.
Error: 37. Signature not found. Please connect to my server for signature access.
1) I see a lot of people claiming they KNOW one thing or another, but with no proof or reason behind it. To say "These are not hacked accounts" and offer no proof as to why you know this is simply bad.
2) Blizzard Authenticator is free. You pay nothing for the hardware. They charge you $6.50 to ship a physical device to you. This covers shipping costs. If you cannot afford 6.50 you should a) not be playing video games or own a computer capable of playing anything Blizzard releases or b) use the 100% free Mobile App version. I believe it is offered on iOS and Android devices which covers a vast majority on the market.
3) There IS something going on with Battle.net accounts being stolen that go beyond the users control. I personally would look down on people who had accounts stolen thinking they likely purchased gold or otherwise gave out their password and account information by accident. Considering my WoW account was inactive for 6+ months and the password I had parked my account with was 100% unique to that account and never used anywhere else.... And I still logged in months later to find all my gold and items gone.... They did not get the password or account info from me or my machines.
4) It has become BIG BUSINESS to steal accounts in these online games. And people are doing it with every trick in the book. I also believe it's "safe" for them to do this. IE: My employer will not EMAIL our pay stubs because it's apparently NOT a fedral crime to hack/steal email accounts/information. However stealing physical mail is. I believe the same is true for online gaming accounts. It's likely a Federal crime among many other things to steal BANK account information and REAL money. However stealing WoW / Diablo 3 gold is probably a slap on the wrist.
It's pretty easy, one way they do it and is confirmed is that users use the same login and password across most media sites and forums. All they do is hack the password logins from various sites that are not really secure or become a moderator and get the info, then the bot logs in with each user name and password to see if any hits then it adds to the hit list so they can get your things.
Plenty of of sites around the world have shady practises.
Not all of them need to be comprimised in order to pass along your information.
Some of them are designed with the purpose of grabbing your info just to sell. If you look hard enough you can find whole data bases of information to buy cheap.
Along side this senario, the crooks are quite creative. It is not a that much work to create a fan site designed to attract your attention all the while pulling in your login information and contact information in order to create a multi point attack. You willingly hand over your email and personal information makeing those phishing emails easier to customize.
Far too many people are just naive to how devious people can be. Most people do not have a variety of passwords created for use because they are worried that they will forget them.
Around here, that is to say on a gaming site, we are generally the more careful people when it comes to internet security. The average person out there is just insanely out of touch with reality.
In my line of work I often have to help customers enter passwords for their email accounts because they can't input them accurately. They hand over those passwords with little resistence. I would not ever use that info against them, but I know that there are people that would.
I often have to create email accounts for people and I use a simple generic password for them on activation and strongly advise them to change it as soon as they get home. I would bet that out of the couple hundred I have done recently most are still that password. People are lazy and forgetful when it comes to stuff like this. We tell them all about safe internet procedures and it goes in one ear and out the other until something bad happens.
Comments
session hijacking is most commonly done through man in the middle attacks.
I suspect that some of the people are simply using the same login and passwords at many sites and thus have given their information out. Now someone will come here and say thay haven't...
also, people can use a tool to create random passwords. http://www.thebitmill.com/tools/password.html
Epic Music: https://www.youtube.com/watch?v=vAigCvelkhQ&list=PLo9FRw1AkDuQLEz7Gvvaz3ideB2NpFtT1
https://archive.org/details/softwarelibrary_msdos?&sort=-downloads&page=1
Kyleran: "Now there's the real trick, learning to accept and enjoy a game for what it offers rather than pass on what might be a great playing experience because it lacks a few features you prefer."
John Henry Newman: "A man would do nothing if he waited until he could do it so well that no one could find fault."
FreddyNoNose: "A good game needs no defense; a bad game has no defense." "Easily digested content is just as easily forgotten."
LacedOpium: "So the question that begs to be asked is, if you are not interested in the game mechanics that define the MMORPG genre, then why are you playing an MMORPG?"
The "home" key is undetectable via keylogger or anything else that I know of, so you should use that key in your password.
Example.
PW without the home key: theorycrafting
PW with home added after "theory": craftingtheory
Velika: City of Wheels: Among the mortal races, the humans were the only one that never built cities or great empires; a curse laid upon them by their creator, Gidd, forced them to wander as nomads for twenty centuries...
Given the percentage of Diablo 2 players who downloaded and installed cheats like MapHack, I am not even remotely surprised that a lot of Diablo 3 players are getting their accounts jacked.
Seriously, has there been any playerbase in the history of gaming with a worse record of cheating than Diablo players? It got to the point where I wouldn't even play public D2 games because I'd always get called an idiot and a noob for not having MapHack.
From the interview in the 60million gold/hr thread, the people who steal accounts are not even stealing them from Blizzard. They steal them from fan sites that have lower security, and then yes, they have a bot inputting their whole database of usernames and passwords. Some of their team leads are programmers who look for security loopholes in order to keep the bots running. Blizzard closes these holes in time, but the problem is that they don't close them quickly. In fact, many speculate that Blizzard is intentionally being slow in this area, for the simple fact that gold farmers = $$ for Blizzard.
Session hacking has not been confirmed or denied.
Error: 37. Signature not found. Please connect to my server for signature access.
1) I see a lot of people claiming they KNOW one thing or another, but with no proof or reason behind it. To say "These are not hacked accounts" and offer no proof as to why you know this is simply bad.
2) Blizzard Authenticator is free. You pay nothing for the hardware. They charge you $6.50 to ship a physical device to you. This covers shipping costs. If you cannot afford 6.50 you should a) not be playing video games or own a computer capable of playing anything Blizzard releases or b) use the 100% free Mobile App version. I believe it is offered on iOS and Android devices which covers a vast majority on the market.
3) There IS something going on with Battle.net accounts being stolen that go beyond the users control. I personally would look down on people who had accounts stolen thinking they likely purchased gold or otherwise gave out their password and account information by accident. Considering my WoW account was inactive for 6+ months and the password I had parked my account with was 100% unique to that account and never used anywhere else.... And I still logged in months later to find all my gold and items gone.... They did not get the password or account info from me or my machines.
4) It has become BIG BUSINESS to steal accounts in these online games. And people are doing it with every trick in the book. I also believe it's "safe" for them to do this. IE: My employer will not EMAIL our pay stubs because it's apparently NOT a fedral crime to hack/steal email accounts/information. However stealing physical mail is. I believe the same is true for online gaming accounts. It's likely a Federal crime among many other things to steal BANK account information and REAL money. However stealing WoW / Diablo 3 gold is probably a slap on the wrist.
It's pretty easy, one way they do it and is confirmed is that users use the same login and password across most media sites and forums. All they do is hack the password logins from various sites that are not really secure or become a moderator and get the info, then the bot logs in with each user name and password to see if any hits then it adds to the hit list so they can get your things.
Plenty of of sites around the world have shady practises.
Not all of them need to be comprimised in order to pass along your information.
Some of them are designed with the purpose of grabbing your info just to sell. If you look hard enough you can find whole data bases of information to buy cheap.
Along side this senario, the crooks are quite creative. It is not a that much work to create a fan site designed to attract your attention all the while pulling in your login information and contact information in order to create a multi point attack. You willingly hand over your email and personal information makeing those phishing emails easier to customize.
Far too many people are just naive to how devious people can be. Most people do not have a variety of passwords created for use because they are worried that they will forget them.
Around here, that is to say on a gaming site, we are generally the more careful people when it comes to internet security. The average person out there is just insanely out of touch with reality.
In my line of work I often have to help customers enter passwords for their email accounts because they can't input them accurately. They hand over those passwords with little resistence. I would not ever use that info against them, but I know that there are people that would.
I often have to create email accounts for people and I use a simple generic password for them on activation and strongly advise them to change it as soon as they get home. I would bet that out of the couple hundred I have done recently most are still that password. People are lazy and forgetful when it comes to stuff like this. We tell them all about safe internet procedures and it goes in one ear and out the other until something bad happens.
Changing your games' passwords are pointless if you don't bother changing your email's password as well. So many people get hacked this way.