Giant Bomb News

Blizzard Says Battle.Net Hasn’t Been Compromised

Reports of account "hacking" are not necessarily a sign of security issues.

The launch of Diablo III has been a series of highs and lows. The game seems pretty great, but the always-on online requirements have come under scrutiny, and allegations of account hacking surfaced a few days back.

Blizzard did issue a statement earlier this week regarding compromised accounts, but I hadn't run the studio’s comments yet because I was waiting for the company to answer a series of questions, which are below:

  • "We'd like to take a moment to address the recent reports that suggested that Battle.net and Diablo III may have been compromised." -- Does Blizzard's analysis of the situation suggest there has been zero compromise of Battle.net and the subsequent "hacks" are 100% the result of outside interference?

  • In a follow-up post, a community manager wrote: "We have yet to find any situations in which a person's account was not compromised through traditional means of someone else logging into their account through the use of their password." What exactly are "traditional means"?

  • In the same post, the same community manager said: "[We] have done everything possible to verify how and in what circumstances these compromises are occurring." Can you outline what these circumstances are to help players combat them?

  • If the authenticator is the best way to keep an account secure, why not make that a requirement for play?

Blizzard public relations told me the answers to my questions lay within an update this morning. That's mostly true.

Blizzard claims Battle.net has not been compromised, and the number of customers who have contacted the company about compromises has been “extremely small.” An actual number was not disclosed, and Blizzard said it has not received reports of account issues from any customers using the company’s authentication services.

For more details on those authentication services, click right here.

The issues in question have arisen from accounts being accessed using a user’s login and password, which Blizzard characterizes as a “traditional” means of compromising an account. Blizzard outlined ways to protect yourself:

“The best defense against account theft still includes smart password management (e.g. using a unique password for every site/service and keeping your password to yourself) and scanning for malware and viruses regularly, as well as following additional preventative steps found here. In the end, while no security method is 100% foolproof, the physical Battle.net Authenticator and Battle.net Mobile Authenticator app are great ways to provide your account with an extra layer of protection.”

Additionally, Blizzard claims to have found no evidence of account spoofing after players join a game.

“We’ve determined the methods being suggested to do so are technically impossible,” said the company.

In other Diablo news, Blizzard is looking into restoring lost achievements for some players, and the real-money auction house has been pushed back to an undetermined launch date.

Patrick Klepek on Google+

179 Comments

beepmachine

@Bartz: He actually asked it before they said that, he didn't run the questions until they answered them, and they answered them with the update, this morning.

EXTomar

That would be true if Diablo was a single player game but that is a dead horse beaten for decades....

This all sounds just like when external hacks swept through WoW where players thought and swore they kept their accounts secured but actually missed something.

As for how to help without sending out stuff to everyone or forcing everyone to buy smart phones, maybe they need to create a "desktop authenticator". Make it part of their Battle.Net account where all you have to do is download and install it and it provides an interface similar to what smart phone users see for their 2 step login. This is possible now but it is a bit too technical for lot of people and also it isn't ideal but it is much better than going without.

Winternet

Have the duders mentioned what's for TNT today? (I haven't finish listening to the bombcast) Or we just assume it's more Diablo? (they could go back and play Max Payne 3)

hockeymask27

@Rawson: I must have missed it. All I see is this when I tried to add one. If you could link me, that'd be sweet.

galiant

@Mihos said:

This completely dodges the whole question of why the fuck I have to log in to play a single player game to begin with.

You already know why.

Rawson

@Hockeymask27 said:

Well, if you don't have a smart phone you can't get the Authenticator for free. So I believe that's why they are not mandatory yet. Unless they plan on packing in the ones you can buy.

Wrong. There's a Windows emulator for Battle.net authenticators, and there's also a dial-in authenticator that will literally work with any phone.

@zeekthegeek said:

Blizzard are better than this. They should KNOW that this is a simple session hijack hack, much like smartphone programs that could swipe into someone's logged in Facebook account.

Also wrong. There's been literally no indication that the session ID hijack has been real. It was started up by a guy at Eurogamer, and is entirely false, because fact checking is hard. Any claims otherwise are people who were phished/keylogged and didn't have an authenticator.

sweetz

Right, in most of the discussions, I don't think there was much question of Battle.Net in general or people's logins being compromised. There was a question of whether session ID spoofing/session hijacking was being used to log into Diablo 3 servers as another player without needing any access to that player's login info.

I suppose that's what they're addressing in this bit:

Additionally, Blizzard claims to have found no evidence of account spoofing after players join a game.

“We’ve determined the methods being suggested to do so are technically impossible,” said the company.

But that doesn't exactly instill that much confidence. I've seen other network techs say "that's impossible" until they see someone do it in front of their face.

If it is session hijacking, then no combination of password protection or authenticators is going to do squat.

Icecreamjones

Blizzard are better than this. They should KNOW that this is a simple session hijack hack, much like smartphone programs that could swipe into someone's logged in Facebook account.

sins_of_mosin

From the issues I've been seeing, it had nothing to do with login/password. It was people being able to exploit data packets, which isn't traditional. Why isn't Blizz addressing all those complaints?

kdr_11k

The six stages of debugging:

1. That can't happen.

2. That doesn't happen on my machine.

3. That shouldn't happen.

4. Why does that happen?

5. Oh, I see.

6. How did that ever work?

Looks like Blizzard is still at stage 1. Just because you can't see how a hacker intruded into your system doesn't mean it's impossible. Hacking often involves creating odd situations that the code simply cannot handle and that the original programmer has never even thought of. By the sound of it their intrusion detection systems don't detect the attack vector either so they'd only see that a hack occurs when the hacker logs in normally again.

Alorithin

@Mihos: They've already spelled out the reasoning. You've refused their logic and used your own.

Mihos

This completely dodges the whole question of why the fuck I have to log in to play a single player game to begin with.

Next thing will be someone getting banned from their single player game.

Lokno

Good to hear, although it only clarifies their statements in their forums, and doesn't explain why a number of people are so confused about how their accounts were attacked. I suppose some people could be malicious, but it seems like others were just honestly confused about how their accounts were secured. Perhaps a better tutorial on how to utilize the authenticator is in order.

Also I don't agree with Blizzard's password strength algorithm: length is more important than limiting repetition. And they limit you to 16 characters... why? Still, they have progressive security options in comparison to other services, so they're clearly interested in protecting accounts.

veiasma

This will continue to be an issue for a while. With items not being soulbound, and a cash auction house to sell stolen loot on, I can see it being worse than other online games.

I have an authenticator though, so no worries.

jjnen

@Xeirus said:

@Rappelsiini said:

@Xeirus I'm on my phone so it's hard to pinpoint what exactly makes his questions stupid.

Then, honestly, why bother. Does it really annoy you so bad you have to go out of your way to make a useless post?

Yes it does. Usually Patrick is straight to point and concentrates to the stuff that matters but this just feels like he is trying to question the man with nonsense. If he had something reasonable I'd love that but he doesn't.

Alorithin

@greedycheese: Sounds like a hypothetical that you scribbled down because that very series of events cannot take place.

i8246i

@Xeirus:

Because tacos.

greedycheese

I was one of the people that had his account compromised. I was not using an authenticator at the time and I was playing on the mac. (Not implying that OSX is somehow hackproof, just giving a data point)

The thing that was odd was that I was playing the game at the time. I got booted with an error message that said that my account was already connected. Then I was unable to log back in.

So my question is: What traditional method can work while I am logged in? If they just got my password through traditional means why couldn't I log back in and kick them out?

Xeirus

@Rappelsiini said:

@Xeirus I'm on my phone so it's hard to pinpoint what exactly makes his questions stupid.

Then, honestly, why bother. Does it really annoy you so bad you have to go out of your way to make a useless post?

jjnen

@Xeirus I'm on my phone so it's hard to pinpoint what exactly makes his questions stupid.

Bobby_The_Great

It's easy; they can't make an authenticator necessary because a) not everyone has a smart phone, b) it's $5 to get the key chain authenticator and not everyone has access to one of those, c) some people just don't want to have to deal with it.

That said, I have one and have never had my account hacked.

Xeirus

@Rappelsiini said:

I'm sorry Patrick but your questions regarding Blizzards statement seem pretty stupid.

Sorry, but so does your response.

Bartz

"What are traditional means?"

You asked this question directly after Blizzard defined traditional means as "someone else logging into their account through the use of their password."

Almost every person who gets his account compromised is a victim of his own stupidity.

jjnen

I'm sorry Patrick, but your questions regarding Blizzard's statement seem pretty stupid.

Cataphract1014

@Hockeymask27: Several of the CE of their games came with them.

JBG4

I have an authenticator and play mostly single-player so this isn't huge to me but I do feel bad for anyone who has had their account compromised.

hockeymask27

Well, if you don't have a smart phone you can't get the Authenticator for free. So I believe that's why they are not mandatory yet. Unless they plan on packing in the ones you can buy.
