Here is something that baffles me in the wake of this massive hacking.
How in the world is it even possible?
Let's take a few scenarios.
1. Password was stolen through phishing.
- There are hundreds of thousands of users that created D3/Battle.net accounts but do not have the game.
- Thousands of users that change passwords all the time
- Thousands of error inputs they got through phishing
So what do the hackers do?
Do they have a bot that constantly tries to log in to D3 with millions of password/username combinations?
And if yes, how come Blizzard is not identifying such as a security intrusion??!!
2. Hacked through session hijacking.
- If you actively need to log into a player's game, it's a slow process.
- Can't imagine the payoff is so great.
Again, there must be thousands of logins from the same computer IP.
How come Blizzard is not identifying this as a breach??!!
But let's say a breach happened.
You need to sell all equipment and transfer gold to a different character. And a thousand times.
You need a bot for that.
So it means bots do work in D3 already?
If so, a hacker can actually make more gold by simply bot farming than with all the almost impossible hassle of hacking, which can (and I don't know why it's not happening) get the hacker's account banned and the gold repossessed.
So...
It's highly illogical all in all. Especially if it happens on such a massive scale.
Comments
It's been said before but I'll say it again:
it's surprising that Blizzard doesn't lock out the account for 1 hour or more after 4-5 unsuccessful logins.
EQ2 fan sites
People could then do a Denial of Service attack so easily. Let's just BS login 5 times for every email we have. Watch as they try to log in themselves and are locked. Muahahahahahah.
Hard to believe Blizzard can't/hasn't traced the offending IP. If a forum can do it, I don't see why Blizz couldn't.
Packet sniffing is another method, but it only works in unswitched networks (those using hubs). A sniffer reads packets, identifies a match and relays the match to the hacker's data collection server.
For example, if my bro and I are on the same unswitched network and bro's system has been infected by a sniffer... when I log in, his machine sees my login packet and relays it out.
Realistically this is very unlikely because most (?) home networks are switched, aren't they? The only other way this could be done is to infect an upstream router (?) but that doesn't sound likely either. I would think most of them are firmware and can't be infected.
---------------------
Actually one other way would be to hijack a DNS server, re-route login packets to a phantom collector and pass the packet through to the real server so nobody notices the hijack (a man-in-the-middle attack).
Blizzard doesn't even check for capital letters in their login.
Seriously. They wanna sell their authenticator.
"I'll never grow up, never grow up, never grow up! Not me!"
An easy way to combat it is if you put your password in wrong twice they e-mail you a code that you need to enter before they will let you attempt again.
Of course this would only stop brute force type attacks.
The normal way to do that is a second password in a chain. The outer password is subject to brute force, but the inner password times out after so many failures. That eliminates the DoS attack but still keeps it secure.
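The three proposals above (lock the account after 4-5 failures, the objection that anyone can then lock a victim out by typing their e-mail address, and the outer/inner chain where only the inner step times out) can be put side by side in code. The following is an added example written for this thread, not code from any poster or from Blizzard; the limits, the IP addresses and the `LoginGuard` class are assumptions. The hard lock lands on the source that produced the failures, while the account itself only gets a soft lock that asks the owner for an out-of-band code, so flooding bad logins cannot deny the owner service.

```python
import time
from collections import defaultdict, deque


class LoginGuard:
    """Tracks recent failures per source IP and per account (hypothetical design).

      * the hard lock is on the *source*: a client that keeps failing is cut
        off from every account it touches, which is where brute force lives;
      * the *account* only gets a soft lock ("step_up"): the owner is asked
        for an e-mailed code instead of being refused, so spamming bad
        passwords at a victim's address cannot lock the victim out.
    """

    def __init__(self, ip_limit=20, ip_window=600,
                 acct_limit=5, acct_window=3600, clock=time.time):
        self.ip_limit, self.ip_window = ip_limit, ip_window
        self.acct_limit, self.acct_window = acct_limit, acct_window
        self.clock = clock                      # injectable so tests can fake time
        self.ip_fail = defaultdict(deque)       # ip   -> failure timestamps
        self.acct_fail = defaultdict(deque)     # acct -> failure timestamps

    def _recent(self, q, window):
        """Drop timestamps older than the window and return how many remain."""
        cutoff = self.clock() - window
        while q and q[0] < cutoff:
            q.popleft()
        return len(q)

    def decide(self, ip, account):
        """'blocked' (source cut off), 'step_up' (second factor required) or 'allow'."""
        if self._recent(self.ip_fail[ip], self.ip_window) >= self.ip_limit:
            return "blocked"
        if self._recent(self.acct_fail[account], self.acct_window) >= self.acct_limit:
            return "step_up"
        return "allow"

    def record(self, ip, account, success):
        now = self.clock()
        if success:
            self.acct_fail[account].clear()     # the owner proved who they are
        else:
            self.ip_fail[ip].append(now)
            self.acct_fail[account].append(now)


def naive_lockout(failures, limit=5):
    """The policy as first proposed: N failures and the account is locked for
    everyone, including its owner. Anyone who knows the e-mail address can trigger it."""
    return "blocked" if failures >= limit else "allow"


def demo():
    t = [0.0]
    guard = LoginGuard(clock=lambda: t[0])
    # Constructed scenario: one host spams wrong passwords at a victim's account.
    for _ in range(5):
        guard.record("203.0.113.9", "victim@example.com", success=False)
    victim = guard.decide("198.51.100.4", "victim@example.com")   # owner, home IP
    attacker = guard.decide("203.0.113.9", "victim@example.com")
    # The same host keeps going against other accounts until its own budget is spent.
    for i in range(15):
        guard.record("203.0.113.9", f"user{i}@example.com", success=False)
    attacker_later = guard.decide("203.0.113.9", "someone-else@example.com")
    # The owner passes the step-up and logs in; the account counter resets.
    guard.record("198.51.100.4", "victim@example.com", success=True)
    after_owner_login = guard.decide("198.51.100.4", "victim@example.com")
    return {
        "naive": naive_lockout(5),            # 'blocked': the victim is denied service
        "victim": victim,                     # 'step_up': owner still gets in with a code
        "attacker": attacker,                 # 'step_up': same view, until the IP budget runs out
        "attacker_later": attacker_later,     # 'blocked': source cut off for all accounts
        "after_owner_login": after_owner_login,  # 'allow'
    }


if __name__ == "__main__":
    print(demo())
```

The step-up response is deliberately identical for the owner and the attacker, so the guard does not reveal whether the e-mail address is a valid account; the difference is that only the owner can complete the second factor.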
I know for my login to GuildWars, 2 passwords are used:
the first being my password and the 2nd password is a character on my account (NCsoft's rule)
EQ2 fan sites
I can guarantee you that they are not getting into accounts through brute force attempts (Trying passwords over and over) and they are also not getting into them through session hijacks.
People *REALLY* need to understand a bit more about this sort of stuff before jumping to conclusions.
Also throwing around the term 'Hacking' for this is... wrong..
Frogster too, on Runes of Magic. It even has a virtual keyboard to mix clicks and keys to bug out keyboard loggers.
There are several possibilities:
1. A lot of the "hacking" cases are not hacking at all, but simple data corruption, which explains why sometimes characters with massive amounts of gold are left untouched, or only low levels seem to be missing their gold.
2. There is a vulnerability in the diablo client itself, or a vulnerability that hasn't been patched yet in Windows/Flash etc. (this happened in WoW not too long ago and it resulted in tons of people being keylogged due to no fault of their own really)
I think this might be the biggest contender, since historically it has the greatest likelihood.
3. There was a leak of information.
4. Bnet has had a security breach in the past, or experiencing one right now.
Obviously the possibilities are nearly endless, but it seems like phishing and other methods can be ruled out, since it seems to be going on on such a large scale.
Blizzard has definitely made a lot of technical mistakes in the past, especially concerning WoW: They had a massive ban wave where hundreds of people were falsely banned; I had a friend who had been falsely banned and we got his account restored after threatening through the BBB (thanks, BBB!).
Blizzard is not immune to hacking and neither are you if you're online.. at least it isn't likely that you are.
Indications are that sessions are being hijacked.
DO NOT JOIN PUBLIC GAMES.
People are being hijacked regardless of public games,
like this poster who was hijacked within 12 hours of installing the game and never played a public game:
http://www.mmorpg.com/discussion2.cfm/thread/353309/page/1
EQ2 fan sites
So how is it done then?
They neither log in, nor session hijack, you say?
So how?
And also, how do they sell the gold?
They need to walk the character to an NPC vendor. Also to the stash.
So there is some bot involved. Don't tell me a live person is doing this a thousand times a day.
And in the end, don't they see a single IP logging in hundreds of times on different accounts?
One of the problems is the login, which is the email address. It is easy to find an email on the web. I don't even talk about phishing spam mail once the email is discovered.
One of the other problems is that people often use the same password/id for any MMORPG, forum, any account on the web. Having one = having all.
So
I also remember 2 friends of mine got their WoW accounts hacked, each at a different time, for the first time after they closed their account payment (after 5 years of play). I thought it was very strange.
Yes, there are bots in Diablo 3. I heard there will be a ban campaign soon, not sure how effective it will be.
And yes, if they can bot they do it. It is hard to detect the users who are using a program; generally, after analysing the bot program, they just rewrite the game code so the program doesn't jump, and register who tries too.
I just think D3 hackers are from WoW hackers, so as they already have their targets and weapons they just used them.
They get a lot of usernames and passwords from people that use services that are against many games' EULA, such as buying gold, item trading, power levelling.
That is a starting point, then there are the millions of phishing e-mails; just because you are not stupid enough to respond to them doesn't mean that Dave living next door hasn't just entered his details and got himself hacked.
We hear all the time of major databases being hacked, PSN last year; many people use the same details for all of their online accounts/games etc. This data is sold to someone, so no doubt it ends up in the hands of people that do this "hacking". I would imagine there are even more data breaches that you probably never hear about.
If you find it hard to believe that it's a real person logging in selling items and moving gold around have you not watched the documentary about gold farmers? These guys will be in and out in seconds, they cost next to nothing to employ and they are made to work sometimes 16 hours a day. Basically amounts to slave labour, but maybe it pays $1 a day more than working in a factory, these guys are being paid next to nothing compared to the amount made selling gold etc to westerners.
Session hijacking in Diablo 3? it's a myth.
Kind of like how one account gets hacked, then all of a sudden the forums are filled with 150 attention seekers screaming their accounts got jacked.
Or it could be that something really happened to their account and they want to know why/how and they get 150 supposed experts on the subject matter claiming it's completely the user's fault. The sad part is some, like me, can actually show proof that it was in no way our fault and people like you would still say it wasn't possible. While I agree that in a vast majority of cases it is more than likely the user's fault, I know from experience this isn't the case every single time.
RIP Jimmy "The Rev" Sullivan and Paul Gray.
It's not keyloggers, or people going to websites to buy gold. The majority of people are getting their accounts compromised because of common password usage. Many people use the same password in several different places. I don't blame people really; when you have hundreds of logins to all these damn websites now, people get a bit lazy and begin to use the same password over and over again. With sites like Curse and surely sites like MMO-Champion, wowwiki, and the countless other sites associated with Blizzard games that get accessed, it's easy to see why all these people are losing their accounts.
My Diablo account was compromised. You know how? It was my fault. I used a similar password that I had been using for a long time with various sites. It was a very, very long password and instead of using something new, I would capitalize various letters of it so it would be different. This protected me with other games, however it did not work with Battle.net. You know why? Battle.net doesn't recognize capital letters. I did not know this as they don't advertise that fact. I tried it out myself after the fact; it didn't matter if my password was entered uppercase or lowercase, it worked. So I guess when Curse or whatever shitty site was compromised, my password got out there, and bam, easy Battle.net account.
There are things Blizzard could do to reduce the amount of compromised accounts. Yes the authenticators help, but simply NOT using our email as a login and allowing capital letters would have helped me.
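The poster's scheme (one long base password, a different capitalisation per site) only works if the verifier distinguishes case. The following added example, not code from the thread or from Battle.net, shows the two verifiers side by side: one folds the password to lowercase before hashing, so every capitalisation of it verifies and a variant leaked from another site unlocks the account; the other hashes exactly what was typed. The passwords, the iteration count and the function names are constructed for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; an assumed value for the example


def _derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password as given."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(password: str, fold_case: bool) -> dict:
    """Store a salted hash. fold_case=True reproduces the behaviour the poster
    describes: the password is lowercased first, so every capitalisation of it
    ends up with the same stored value."""
    salt = os.urandom(16)
    stored = password.lower() if fold_case else password
    return {"salt": salt, "hash": _derive(stored, salt), "fold_case": fold_case}


def verify(record: dict, attempt: str) -> bool:
    candidate = attempt.lower() if record["fold_case"] else attempt
    # constant-time compare so timing does not leak where the mismatch is
    return hmac.compare_digest(_derive(candidate, record["salt"]), record["hash"])


def case_variants_collapsed(password: str) -> int:
    """How many distinct capitalisations map onto one stored value under case
    folding: two choices per letter, so 2**letters."""
    return 2 ** sum(ch.isalpha() for ch in password)


def demo() -> dict:
    # Constructed values in the poster's pattern: one base password, different
    # letters capitalised per site.
    game_password = "oRaNgeTurnipHighway42!"      # the variant used for the game
    leaked_elsewhere = "orangeTURNIPhighway42!"   # the variant leaked from another site

    folded = register(game_password, fold_case=True)
    strict = register(game_password, fold_case=False)

    return {
        "folded_accepts_leaked_variant": verify(folded, leaked_elsewhere),   # True
        "strict_accepts_leaked_variant": verify(strict, leaked_elsewhere),   # False
        "strict_accepts_real_password": verify(strict, game_password),       # True
        "variants_collapsed": case_variants_collapsed(game_password),        # 2**19
    }


if __name__ == "__main__":
    print(demo())
```

The last figure is the point: for a 19-letter password, case folding merges 524,288 otherwise distinct passwords into one, and any one of them appearing in another site's breach dump is enough.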
Sit down and have a think about this for a second rather than scaremongering.
They get your email address from somewhere else, fansite or something. Or they know you have WoW and are likely then to have D3 on the account as well or something. There are numerous ways to find out someone's email address and it is not difficult by any stretch of the imagination.
That's half the battle done right there. If they happen to know your password for one of these things as well then it's likely they already have all they need to get into your account. Now I didn't say they don't log into your account, don't be stupid. Of course they do. What I said is that they are not sitting there 24/7 hammering your account trying to brute force the password. That's a complete and utter waste of their time. They are getting into accounts the exact same way they have done it in every other game that is popular. And no, they don't use bots to empty the accounts either.
Blizzard cannot see which IPs are logging into the accounts either and use that to fight this, because it's easy to go through a proxy with a dynamic IP, not to mention the fact that there are internet cafes and such like that will have a number of connections being made from the same set of IPs and logging into hundreds of accounts on a weekly basis, so how do they tell the difference between an internet cafe and someone looting accounts?
I set up a new email account for my D3 copy since I did not want to link it to any existing accounts. I set this up the night before release. I bought the game off the blizzard website and have not used the address for *anything*. You know how many emails are in my inbox? 2 - one for registering my account on battlenet and the other is a receipt for buying D3. Funnily enough my d3 account hasn't been touched either even although it uses the same password as the email address itself uses. That password however is only used by those two things and is not even similar to anything else I use.
*YOU* are responsible for your account security. You and you alone. If you consent to using the same email address or password for *anything* else then you are to blame when your account goes for a walk with someone else. Blizzard might be slacking without using case sensitive passwords but at the end of the day if you didn't take any risks to begin with then you wouldn't be in the position of having a compromised account in the first place. This is not up for debate and until someone can provide some credible evidence to prove otherwise it is a waste of time to continue this topic.
You know, actually I have the perfect example: one of the guys in my work left a password for a forum he uses on the keychain on one of our OS X crash machines. I subsequently got access to his Second Life account, several forum accounts, his xfire login, his email, his Facebook and probably a few other things I never bothered trying. I left him a nice message on his Facebook telling him to mind what he does with his keychain and I think he got the message.
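The OP asks why a single IP logging into hundreds of accounts is not noticed, and the reply above gives the real obstacle: an internet cafe's NAT also logs into hundreds of accounts. What separates the two is not the count of accounts but whether those accounts have ever been seen from that source before. The following is an added example of that detection logic, not code from the thread or from Blizzard, run over constructed log lines; the log format, the IP addresses, the thresholds and the function names are all assumptions.

```python
import re

# Constructed log format for the example: one authentication attempt per line.
LOG_RE = re.compile(r"ip=(?P<ip>\S+)\s+account=(?P<acct>\S+)\s+result=(?P<res>ok|fail)")


def parse_auth_log(lines):
    """Return (ip, account, success) tuples; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            events.append((m["ip"], m["acct"], m["res"] == "ok"))
    return events


def profile_sources(events, known_pairs):
    """Per source IP: distinct accounts touched, failure count, and which of
    those accounts have never before logged in from this IP. known_pairs is
    the historical set of (ip, account) pairs."""
    stats = {}
    for ip, acct, ok in events:
        s = stats.setdefault(ip, {"accounts": set(), "attempts": 0,
                                  "failures": 0, "new_accounts": set()})
        s["accounts"].add(acct)
        s["attempts"] += 1
        if not ok:
            s["failures"] += 1
        if (ip, acct) not in known_pairs:
            s["new_accounts"].add(acct)
    return stats


def flag_sources(stats, min_accounts=10, new_ratio=0.8):
    """A shared NAT also touches many accounts, but they are regulars: most
    (ip, account) pairs were seen before. A source whose accounts are almost
    all first-time pairings is the shape a reused-credential run takes."""
    flagged = []
    for ip, s in stats.items():
        n = len(s["accounts"])
        if n >= min_accounts and len(s["new_accounts"]) / n >= new_ratio:
            flagged.append(ip)
    return sorted(flagged)


def build_sample():
    """Constructed sample: a cafe NAT with 12 regular players, and one host
    working through 12 accounts it has never been associated with."""
    cafe_ip, sus_ip = "192.0.2.10", "203.0.113.9"
    cafe_accounts = [f"regular{i}@example.com" for i in range(12)]
    other_accounts = [f"victim{i}@example.com" for i in range(12)]
    known = {(cafe_ip, a) for a in cafe_accounts}   # history: the regulars
    lines = []
    for i, a in enumerate(cafe_accounts):
        res = "fail" if i % 4 == 0 else "ok"         # the odd typo, as regulars do
        lines.append(f"2012-05-20T10:{i:02d}:00Z ip={cafe_ip} account={a} result={res}")
    for i, a in enumerate(other_accounts):
        res = "ok" if i % 3 == 0 else "fail"         # most reused credentials are stale
        lines.append(f"2012-05-20T10:{i:02d}:30Z ip={sus_ip} account={a} result={res}")
    return lines, known


def run():
    lines, known = build_sample()
    stats = profile_sources(parse_auth_log(lines), known)
    return flag_sources(stats)


if __name__ == "__main__":
    print(run())   # only the host with no history against those accounts
```

Both sources touch twelve accounts in the same hour; only the one with no prior pairing to those accounts is flagged, which is why a per-IP login count on its own is the wrong signal. Proxies and dynamic addresses weaken this (the history is keyed on the address), so in practice the same "first time seen" test is applied to other stable properties of the client as well.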
Who says thousands of accounts are compromised every day? There have been no official numbers AT ALL!
Also a lot of people are jumping on the hacking train and are trolling all the threads telling they are hacked, while they are not!
A lot of trolls have been /facerolled by GMs on official forums! They were not hacked at all, and others, claiming they were using a physical or mobile authenticator, were flat out lying as they did not have one attached to their accounts!
Don't believe everything instantly! A lot of people are just trolls and like to join in a good Blizzard bash rage and make things up! Happens all the time!
The whole session hacking thing was a HOAX! It has already been confirmed it's technically not possible! Yet people just continue on with this! /facepalm
People claiming they were hacked, while having a physical authenticator attached were also lying! As there has yet to be any proof this has happened!
So please.... People should actually read this topic: http://us.battle.net/d3/en/forum/topic/5592449838?page=1
There are so many people thinking their computer is safe and free from malware, while it might not be the case at all, due to incorrectly configured and used anti-malware and anti-virus programs!
"Hacking" is happening to thousands of people who claim they are security experts but answer these questions:
1. Does anyone else know your pw? (cuz guess what, your friends aren't security experts and if their computer is compromised so is your password, or maybe not your friend, maybe his gf or someone else on his computer compromised it)
2. Do you ever visit MMO Champion, wow wiki, curse game, any and all 3rd party mods for any games? If you answered yes to this then I've news for you: you've compromised your computer. Because these sites are not secure, those mods you so believe in are not secure.
People will argue and blame game companies all day and talk about what big security experts they are and then download things from third party private providers to their computer (oh yeah, I'm sure you run it through anti-virus and anti-spam, nothing to do with key loggers or root kits). Some of the code on these sites is downright scary.
TLDR; if you are downloading anything from third party sites you have compromised your computer if you use the same email/pw in any of these other sites you just invited someone to steal your account. Blizz is not 100% safe but it is way safer than any third party site.
Yep.
It certainly isn't all their fault but they do deserve some blame in this because there are steps they could take. Lot of blame to go around really.
1. For god's sake mmo gamers, enough with the analogies. They're unnecessary and your comparisons are terrible, dissimilar, and illogical.
2. To posters feeling the need to state how f2p really isn't f2p: Players understand the concept. You aren't privy to some secret the rest are missing. You're embarrassing yourself.
3. Yes, Cpt. Obvious, we're not industry experts. Now run along and let the big people use the forums for their purpose.
The people with authenticators were not lying, they were misinformed:
they were using a Blizzard authenticator, but not one that works with D3.
http://us.battle.net/d3/en/forum/topic/5270832325
EQ2 fan sites
Are you asking for possible ways it could be done without compromising either the user's machine or BNet servers? If I were a black hat I could poison the DNS cache of a major ISP and change BNet's login server entry to point to a machine of my choosing. Then I log all packets with username/password information. Recreate the packets to go to the real login server destination with the victim's IP address as the source. The victim would never know the difference.
Again, just theorycrafting.
There are certain queer times and occasions in this strange mixed affair we call life when a man takes this whole universe for a vast practical joke, though the wit thereof he but dimly discerns, and more than suspects that the joke is at nobody's expense but his own.
-- Herman Melville