Giant Bomb News

Blizzard Says Battle.Net Hasn’t Been Compromised

Reports of account "hacking" are not necessarily a sign of security issues.

The launch of Diablo III has been a series of highs and lows. The game seems pretty great, but the always-on online requirements have come under scrutiny, and allegations of account hacking surfaced a few days back.

Blizzard did issue a statement earlier this week regarding compromised accounts, but I didn't run the studio’s comments yet because I was waiting for the company to answer a series of questions, which are below:

  • "We'd like to take a moment to address the recent reports that suggested that Battle.net and Diablo III may have been compromised." -- Does Blizzard's analysis of the situation suggest there has been zero compromise of Battle.net and the subsequent "hacks" are 100% the result of outside interference?

  • In a follow-up post, a community manager wrote: "We have yet to find any situations in which a person's account was not compromised through traditional means of someone else logging into their account through the use of their password." What exactly are "traditional means"?

  • In the same post, the same community manager said: "[We] have done everything possible to verify how and in what circumstances these compromises are occurring." Can you outline what these circumstances are to help players combat against it?

  • If the authenticator is the best way to keep an account secure, why not make that a requirement for play?

Blizzard public relations told me the answers to my questions lay within an update this morning. That's mostly true.

Blizzard claims Battle.net has not been compromised, and the number of customers who have contacted the company about compromises has been “extremely small.” An actual number was not disclosed, and Blizzard said it has not received reports of account issues from any customers using the company’s authentication services.

For more details on those authentication services, click right here.

The issues in question have arisen from accounts being accessed using a user’s login and password, which Blizzard characterizes as a “traditional” means of compromising an account. Blizzard outlined ways to protect yourself:

“The best defense against account theft still includes smart password management (e.g. using a unique password for every site/service and keeping your password to yourself) and scanning for malware and viruses regularly, as well as following additional preventative steps found here. In the end, while no security method is 100% foolproof, the physical Battle.net Authenticator and Battle.net Mobile Authenticator app are great ways to provide your account with an extra layer of protection.”

Additionally, Blizzard claims to have found no evidence of account spoofing after players join a game.

“We’ve determined the methods being suggested to do so are technically impossible,” said the company.

In other Diablo news, Blizzard is looking into restoring lost achievements for some players, and the real-money auction house has been pushed back to an undetermined launch date.

Patrick Klepek on Google+

179 Comments

predator

Hacking is playful cleverness, use cracking instead.

Bunny_Fire

@JBG4 said:

@Bunny_Fire: I meant not playing multiplayer... The reports that I have read regarding this situation have stated that most people who have been hacked at this point have recently played multiplayer. I wasn't saying that I play the game offline without a connection, I was using offline to say that I have been playing mostly single player. I should have specified that a little more I guess.

Yes, yes you should, as I understand that offline is impossible to do with Diablo. As for saying that, and I quote, "I wasn't under the impression that I needed to go into so much detail about that but I guess some don't have the mental capacity to understand things that aren't blatantly spelled out for them.": that I don't have the mental capacity to understand these things is extremely childish, to personally attack me in such a way. When I read a comment I take it for what it is; after all, I am replying to what your comment is, not what I think it may be or imagine it may be.

Sure, I said you're hacking, which is the only way I understand that you can possibly play offline; it was not meant as a personal insult... So yes, next time I ask you to think about your post, try not to resort to insults (though I myself am sometimes guilty of this, as I am not perfect).

Archaen

@DCam:

I don't disagree with anything you've said in this last post. The simple fact is we don't know how Blizzard programmed Diablo 3 servers to behave. They could have chosen not to do a connection-based method to keep the bandwidth overhead down. People with anecdotes of playing over wi-fi on airplanes seem to support this. It's possible it's a very tolerant connection, though. The bottom line for me is that with internet security a company often does not know when they have a problem. I don't believe my own programmers when they say their code is perfect so why should I believe Blizzard when they say hacking them is impossible? Session ID theft is indeed possible if they handle it too leniently. The posters saying they unquestionably believe a company to have a secure environment just because they say they do don't know much about internet security. The truth no one wants to tell laymen is that no system is completely hack-proof. The best anyone has is guesses until they're proven wrong.

DCam

Certainly, such concepts are not limited to web browsing. A Session ID is more useful in a connectionless request-response protocol like http. In a connection-based protocol, sending a session id doesn't make sense after the connection is established and authenticated -- it's overhead. Armchair architecture going up, but it sounds likely that there are parts of the overall client-server interaction in Diablo III that are request-response based -- the auction house -- and parts that are connection based -- the game world state. It seems like inventory and character state could be handled with either communication style.

For request-response or connection based communication, Blizzard could bind a session to an ip address and not allow the session to change source ips without fully re-authenticating -- username, password and authenticator token, if enabled.
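A sketch of the session-to-IP binding suggested in the comment above, added here as an illustration; it is not Blizzard's or the commenter's code. The `SessionStore` class, its method names, and the demo account, password, code and addresses are all hypothetical or constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed demo credentials: account -> (salt, PBKDF2 hash, authenticator code).
# A real service would compute the expected one-time code, not store a fixed one.
DEMO_SALT = b"constructed-salt"
DEMO_ACCOUNTS = {
    "player1": (
        DEMO_SALT,
        hashlib.pbkdf2_hmac("sha256", b"correct horse battery", DEMO_SALT, 100_000),
        "492817",
    ),
}


def demo_verify(account: str, password: str, otp: str) -> bool:
    """Full authentication: username, password and authenticator code."""
    record = DEMO_ACCOUNTS.get(account)
    if record is None:
        return False
    salt, stored, expected_otp = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    pw_ok = hmac.compare_digest(candidate, stored)
    otp_ok = hmac.compare_digest(otp.encode(), expected_otp.encode())
    return pw_ok and otp_ok


@dataclass
class Session:
    account: str
    bound_ip: str
    locked: bool = False  # set once a request arrives from a different source IP


class SessionStore:
    """Hypothetical server-side session table that pins each session to one IP."""

    def __init__(self, verify: Callable[[str, str, str], bool]):
        self._verify = verify
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _key(session_id: str) -> str:
        # Store only a hash so a dump of the table does not yield usable ids.
        return hashlib.sha256(session_id.encode()).hexdigest()

    def _create(self, account: str, source_ip: str) -> str:
        session_id = secrets.token_urlsafe(32)
        self._sessions[self._key(session_id)] = Session(account, source_ip)
        return session_id

    def login(self, account: str, password: str, otp: str,
              source_ip: str) -> Optional[str]:
        if not self._verify(account, password, otp):
            return None
        return self._create(account, source_ip)

    def authorize(self, session_id: str, source_ip: str) -> str:
        """Return 'allow', 'reauth' or 'deny' for one request."""
        session = self._sessions.get(self._key(session_id))
        if session is None:
            return "deny"
        if session.locked or session.bound_ip != source_ip:
            # Stay locked even if a later request comes from the original IP:
            # the id has been seen from two places, so it may have been copied.
            session.locked = True
            return "reauth"
        return "allow"

    def reauthenticate(self, session_id: str, password: str, otp: str,
                       source_ip: str) -> Optional[str]:
        """Full re-authentication; on success the old id is retired."""
        session = self._sessions.get(self._key(session_id))
        if session is None or not self._verify(session.account, password, otp):
            return None
        del self._sessions[self._key(session_id)]
        return self._create(session.account, source_ip)
```

Rotating the session id on successful re-authentication means a copied id stops working even after the legitimate player moves networks.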

RedRavN

@ichthy: Ahh I see, thanks for the clarification. I wonder if by implementing a security question to change the password if that would make it more difficult for the accounts to be compromised. But I'm clearly no security expert. Well at least I have managed to regear my barbarian and am back on track and crushing my way through act 3. :)

deactivated-58f9a027d9bbc

the account hacking problem has been plaguing WoW TW realm for like 2 or 3 years already thanks to the sloppy security of TW realm's publisher

they try to cover it with some kind of phone lock account protection, but then even MORE people got hacked (including me, twice) with that stupid phone lock on.

then last year blizzard decided to merge this piece of crap with Battle.net, in prep for SC2 or diablo3, I forgot which

my vote is that the security issues that's been plaguing asia are somehow brought into battle.net with this merger

ichthy

@RedRavN said:

@Mnemoidian: Thanks for the info. Unfortunately, I don't have a "smartphone" so I can not run any apps on any of my devices. So I will have to get a physical authenticator at some point. One thing I don't get is how is it possible for these hackers to change my b-net password without my knowledge? Shouldn't they have to answer my security questions to do so? Why did I not receive an e-mail alerting me to a password change? From my research, this has also been the case in compromised accounts that occur when people get booted in game and get their password reset. This to me indicates that the hackers have bypassed Blizzard's own security system on their end, so that they are not even "aware" of passwords being changed through their system.

Obviously, if I had an authenticator this probably would not have happened but there seems to be a very real issue on Blizzard's end that I hope they are working to fix, even if they never admit it publicly. You should not be able to have your password reset if you are logged in at the time. Just because a solution exists for the problem doesn't mean that Blizzard should be let off the hook and not be trying to invest in security for the core game in my opinion.

This might seem kinda dumb, but to change your e-mail, you need your security question. To change your password, all you need is your old password.

RedRavN

@Mnemoidian: Thanks for the info. Unfortunately, I don't have a "smartphone" so I can not run any apps on any of my devices. So I will have to get a physical authenticator at some point. One thing I don't get is how is it possible for these hackers to change my b-net password without my knowledge? Shouldn't they have to answer my security questions to do so? Why did I not receive an e-mail alerting me to a password change? From my research, this has also been the case in compromised accounts that occur when people get booted in game and get their password reset. This to me indicates that the hackers have bypassed Blizzard's own security system on their end, so that they are not even "aware" of passwords being changed through their system.

Obviously, if I had an authenticator this probably would not have happened but there seems to be a very real issue on Blizzard's end that I hope they are working to fix, even if they never admit it publicly. You should not be able to have your password reset if you are logged in at the time. Just because a solution exists for the problem doesn't mean that Blizzard should be let off the hook and not be trying to invest in security for the core game in my opinion.

Mnemoidian

@fozzyozzy said:

What I'm saying is that the conversation here shouldn't be so much about what could have been done on the user side, but instead pushing Blizzard to think outside of the normal means box for methods to prevent these issues.

The commercial release is barely two weeks old and the developer is already underselling (perhaps not 100% truthfully) the number of cases here. I know there have been methods to hacking for a long time, is it "venting" to wonder if maybe there's something server side being exploited?

I think the appropriate analogy is identity theft. Now maybe the victim didn't shred every single piece of junkmail, but then there are people who casually leave their belongings out in the open. My point is, the only conversations should be between whoever the victim is and the people who can aid. No room for armchair defenders and security experts.

I'm not seeing Blizzard underselling how many have been compromised - looking at their forums, there are at least a dozen posts from Community Managers on the subject. They are just saying that no reported cases have shown that there has been an active authenticator (not dialin/SMS) on the account on the time of the account - even in the cases where people HAVE claimed there was an active authenticator.

Further, I'm not sure what you mean about how Blizzard should think outside the box? As far as I am aware, they provide more security options for their users than any other game developer. Even Steam only has a few of the features (SteamGuard) that Blizzard use to keep your account safe. And you can't really put it on their side if your account is compromised because you fell for a phishing scam (hey, you're only human, mistakes happen) or used the same password as on a site that had their user databases stolen in the last few years. Or wound up with a keylogger because of some shady ad-banner, or some other crazy shit that's going around.

You seem to have some idea of what they should have done, as you are saying that they should've done more. What have they missed? What more can they do, except force everyone to use authenticators?

(And yes, I realize that there are ways to get around authenticators. It's significantly harder than just getting past a static password, though.)

@RedRavN: If you have an Android device or iPhone (or iPad, I suppose), you could just download the free mobile authenticator. It's as safe as your phone/device is.

Direct links:

https://play.google.com/store/apps/details?id=com.blizzard.bma

http://itunes.apple.com/en/app/battle.net-mobile-authenticator/id306862897?mt=8

You then need to connect it to your battle.net account. And you should write down the recovery information, etc, in the app. Of course, if you don't have such a device, the keychain gadget is the only way to go.

edit: for good measure, here's Blizzard's "Help! I got hacked!" page to get you started recovering your account: http://us.battle.net/en/security/help

TentPole

@RedRavN: If it is a keylogger as you hypothesize then what would you have blizzard do?

@fozzyozzy said:

You're right. I'm a user and this is my experience, what will you do to prevent it in the future?

Less Drew Carey is probably where I would start if I were you.

But seriously, why are you asking me what I will do to prevent your issues? I am not really interested in roleplaying Blizzard tech support.

RedRavN

I was playing single player the other day and my account got compromised. I was disconnected from my game and then could not log back in. I reset my password and logged into diablo 3. All my items and gold were gone (fortunately on a lvl 20 barb) and there were 2 players on my recent players list that appeared. Since I play singleplayer obviously these jackasses are the ones who compromised my account. So I reported them to Blizzard.

I don't have an authenticator because I did not even know this was so prevalent in the community, but the fact that I have to spend more money on some device on top of a $60 game is pants on head retarded. If that is Blizzard's security solution, it should be included in the game. Also, I don't give out my username and password and I was not phished or anything. The hacking must be going on through a Java embedded keylogger or something. This means you can pick up this stuff by just browsing the net.

I wish people would just stop buying gold. Obviously, there are a lot of people who buy it because the market is just so crazy. But do these people know where it comes from? Farming is kind of legitimate even though they ruin the game's economy by selling in the first place, but stealing from other people sucks, especially since they can't be prosecuted.

Blizzard needs to stop blaming the consumer like it's my fault for not knowing I was supposed to buy some device just to casually play the game. They need to own up to the fact that they have a huge security problem at the moment and that it is out of control. Or they need to put in an offline mode so I don't have to deal with this BS.

fozzyozzy

@TentPole said:

@fozzyozzy said:

My point is, the only conversations should be between whoever the victim is and the people who can aid. No room for armchair defenders and security experts.

I don't like people who decided what conversation I should and should not have.

You're right. I'm a user and this is my experience, what will you do to prevent it in the future?

TentPole

@fozzyozzy said:

My point is, the only conversations should be between whoever the victim is and the people who can aid. No room for armchair defenders and security experts.

I don't like people who decided what conversation I should and should not have.

fozzyozzy

What I'm saying is that the conversation here shouldn't be so much about what could have been done on the user side, but instead pushing Blizzard to think outside of the normal means box for methods to prevent these issues.

The commercial release is barely two weeks old and the developer is already underselling (perhaps not 100% truthfully) the number of cases here. I know there have been methods to hacking for a long time, is it "venting" to wonder if maybe there's something server side being exploited?

I think the appropriate analogy is identity theft. Now maybe the victim didn't shred every single piece of junkmail, but then there are people who casually leave their belongings out in the open. My point is, the only conversations should be between whoever the victim is and the people who can aid. No room for armchair defenders and security experts.

EXTomar

*shrug* I am not apologizing for Blizzard but stating things learned from years of this in WoW. The way Battle.net authentication works, the client is told who is playing not the other way around. There is no way to rig either the WoW or SC2 client to switch Player IDs while connected so I'm inclined to believe there is no way to do that in Diablo 3 as well. All objects are treated as anonymous objects commanded by the server to move so there is no connection or communication player to player. The tech just doesn't support the kind of things some posters are claiming it does.

And I am not claiming Battle.net is 100% secured either but I am going to claim that it is probably easier to hack random desktop machines and random people. Years and years and years of this where every time I've had to deal with it, it turned out to be something a player did instead of Blizzard. It isn't that any of those people were stupid or were careless but those guys are incredibly clever and persistent. WoW and Battle.net attacks are often the first time people have ever dealt with identity theft and often they are angry and embarrassed it happened to them where the last thing you will get from them is all of the facts partially because these schemes often involve never noticing them.

Could there be something wrong with the Diablo 3 client that leaks sensitive info to a hacker? Yes there could be. Is it more likely that the player accidentally exposed their account information outside of Battle.net? More likely by magnitudes.

Mnemoidian

@fozzyozzy: Oh, you're going to have to say more than "kerfuffle approximately a year ago". I'm probably blanking temporarily, but I don't know what you are talking about.

And for what it's worth, I'm more willing to believe Blizzard's claims that everyone who has so far come forward claiming they have an authenticator attached to their account when they were compromised had their authenticator attached afterwards (or were using the dial-up authenticator).

I'm not apologizing for Blizzard. I'm saying that it's a terrible world where gold buyers have caused a climate where people aren't even able to be lax with security on their game accounts. At the same token, I don't see why anyone should blame Blizzard, when provided with the tools to keep your account (relatively) safe. If you want to blame someone, blame the jerks who are creating a market where the content of our accounts has a monetary value. Blame the jerks who are working hard to get into our accounts.

And if you (as in anyone reading this) are the unique(?) case where an authenticator has been breached, then you clearly need to contact Blizzard and let them know about it, rather than gnashing your teeth on a forum where they are extremely unlikely to see it.

Considering how willing Blizzard is to recover account contents for you (not needed myself, but from what I've seen of friends who have been compromised), I don't see why there's so many people spewing vitriol in their direction.

fozzyozzy

Came back to the game last night to find my character totally stripped, save for the soul-bound items. I don't mind the hackers so much, it's these ridiculous apologists on the forums.

"Oh you got hacked because it's your own fault for not taking precautions A-Z! Wait, you did take all the precautions? Then you must be lying because Blizzard and any other online entities are impregnable fortresses of security."<-- says the person who obviously doesn't remember any kerfuffle approximately a year ago...

DCam

... unless the auction house is using http! Interesting...

... then there's the matter of the Authenticator optionally not being required on every log in. There could be a token stored locally, that is returned to the server on subsequent logins, although Blizzard describes it as "remembering the location you logged in from."

  • If there's a token, then a stolen token along with your password might allow someone to log in from anywhere.
  • If there's no token, then some IP spoofing would be required. I wonder who Blizzard's network provider is.

Also, these authenticators themselves are sometimes compromised, as in the SecurID hack last year: http://www.rsa.com/node.aspx?id=3872
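The first bullet in the comment above, turned into a defensive sketch (an added illustration, not Blizzard's implementation, which the thread does not know): a "remembered location" token that waives the authenticator prompt only when it is unexpired, untampered, issued for the same account, and presented from the network it was issued to. The key, token layout, IPv4 /24 grouping and function names are assumptions.

```python
import hashlib
import hmac
import ipaddress
import time
from typing import Optional

SERVER_KEY = b"constructed-demo-key-not-a-real-secret"  # constructed for the example
TOKEN_LIFETIME = 30 * 24 * 3600  # assumed: remember a location for 30 days


def network_of(ip: str) -> str:
    """Collapse an IPv4 address to its /24 so small DHCP changes keep the token valid."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def token_mac(account: str, network: str, expires: int) -> str:
    """MAC over everything the token is meant to be bound to."""
    message = f"{account}|{network}|{expires}".encode()
    return hmac.new(SERVER_KEY, message, hashlib.sha256).hexdigest()


def issue_device_token(account: str, source_ip: str,
                       now: Optional[int] = None) -> str:
    """Issued only after a login that included a valid authenticator code."""
    now = int(time.time()) if now is None else now
    expires = now + TOKEN_LIFETIME
    return f"{expires}.{token_mac(account, network_of(source_ip), expires)}"


def authenticator_required(account: str, source_ip: str,
                           token: Optional[str],
                           now: Optional[int] = None) -> bool:
    """True when this login must still present an authenticator code.

    The password check happens elsewhere; the token never replaces it.
    """
    now = int(time.time()) if now is None else now
    if not token:
        return True
    try:
        expires_text, presented_mac = token.split(".", 1)
        expires = int(expires_text)
    except ValueError:
        return True  # malformed token: fall back to the full prompt
    if expires <= now:
        return True
    # Recompute the MAC from the address the server sees, not from anything
    # the client sends, so a copied token fails from another network.
    expected = token_mac(account, network_of(source_ip), expires)
    return not hmac.compare_digest(presented_mac.encode(), expected.encode())
```

With this binding, a token copied from a player's machine and replayed together with the password from a different network still triggers the authenticator prompt.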

DCam

Protocols other than http don't even use Session IDs in a way that can be hijacked...

Anund

@Ethan_Raiden said:

You'll want to run a virus scan, and not visit any more sites where you can buy gold. Also consider buying an authenticator. Account security is your responsibility, not the company that made the product that you're using.

This is of course, obvious for all other industries, unfortunately we as gamers have a lot of growing up to do.

You are a gullible idiot if you think this is how most people get hacked.

ethan_raiden

You'll want to run a virus scan, and not visit any more sites where you can buy gold. Also consider buying an authenticator. Account security is your responsibility, not the company that made the product that you're using.

This is of course, obvious for all other industries, unfortunately we as gamers have a lot of growing up to do.

ichthy

@jakob187 said:

@Bartz said:

"What are traditional means?"

You asked this question directly after blizzard defined traditional means as "someone else logging into their account through the use of their password."

Almost every person who gets his account compromised is a victim of his own stupidity.

Not true. When my WoW account got hacked, it was a unique password that contained 27 characters, alpha-numeric, as well as an authenticator on it. That story can be told over and over when it comes to Battle.net. The same happened with my brother and three of my friends, one of which is pretty much the most hardcore I've ever seen about passwords (he has something close to 40+ different passwords for all his accounts).

It can literally happen to anyone at any time. I would suggest looking up how easy it is to hack into a Battle.net account before saying someone is a "victim of his own stupidity".

With that said, one of my friend's Diablo 3 account was hacked two days ago. He has an authenticator attached to it as well as a 19 character alpha-numeric password. Customer support got everything taken care of within a 48 hour time span. He's a little discouraged now, and he's already said that if he gets hacked again that he'll quit the game and stop giving Blizzard money. It's understandable, especially since Blizzard touts so hard about security...yet it's easy to hack a Battle.net account.

Your friend has a 19 character password? When the password requirement is 8-16 digits in length?

jakob187

@Bartz said:

"What are traditional means?"

You asked this question directly after blizzard defined traditional means as "someone else logging into their account through the use of their password."

Almost every person who gets his account compromised is a victim of his own stupidity.

Not true. When my WoW account got hacked, it was a unique password that contained 27 characters, alpha-numeric, as well as an authenticator on it. That story can be told over and over when it comes to Battle.net. The same happened with my brother and three of my friends, one of which is pretty much the most hardcore I've ever seen about passwords (he has something close to 40+ different passwords for all his accounts).

It can literally happen to anyone at any time. I would suggest looking up how easy it is to hack into a Battle.net account before saying someone is a "victim of his own stupidity".

With that said, one of my friend's Diablo 3 account was hacked two days ago. He has an authenticator attached to it as well as a 19 character alpha-numeric password. Customer support got everything taken care of within a 48 hour time span. He's a little discouraged now, and he's already said that if he gets hacked again that he'll quit the game and stop giving Blizzard money. It's understandable, especially since Blizzard touts so hard about security...yet it's easy to hack a Battle.net account.

Berserk007

@EXTomar said:

Do you realize your complaint is moot anyway? Instead of losing items to whatever on Battle.net you get a shot at getting them back where if you lose your items in a single player game you start over. I'm unclear why this is preferable.

How exactly do you lose items in a single player game? If you mean like a lost save file, hey that's on you, you should have backed it up. Diablo 3 is designed to be completely under Blizzard's control, so much in fact that there is no offline play. Hey I get it you have to deal with piracy, exploiting gold farming, etc, but by treating this in MMO business model Blizzard has disenfranchised a lot of people who just wanted to play the damn game and could care less about online features. BTW moot is such an arrogant word

EXTomar

Do you realize your complaint is moot anyway? Instead of losing items to whatever on Battle.net you get a shot at getting them back where if you lose your items in a single player game you start over. I'm unclear why this is preferable.

BionicRadd

@jasonefmonk said:

@smfE:

My last comment could have been worded better/gentler; as a second-language writer you're doing pretty well.

@BionicRadd:

You have a really limited idea of what people can do with account numbers and other personal information when gathered from a banking website. Just bill pay? Ever heard of a money transfer? Regardless your analogy is awkward and not very useful. A password is a security measure, a doorknob is not. Your antivirus comment has the same flaw.

To address the point you tried to make; yes a condom and the pill is better than one alone. You are failing to understand my fundamental issue. If I want to have sex I should never be forced to use any contraceptive, it's my responsibility to make those choices and take any necessary steps involved. It is on me if I want my password to be "opensesame" or "kNxjLN2bW9LoNGsb". It's my prerogative whether I feel the need for an authenticator or the Prime Minister's permission every time I log in.

Yep, it certainly is. It is also your fault when your weak password gets your account stolen. Blizzard shouldn't require an authenticator any more than condoms should be required for sex. However, if you want to maximize your chances of not getting your lady pregnant, you should wrap it up. If you want to maximize the chances of not getting your account hijacked, you should use an authenticator.

As for my bank's web site, none of my account numbers are visible or accessible when you are looking at my account. Only same account transfers are allowed, so unless they want to transfer all my checking account money to my savings for funsies, their options are pretty limited.

Berserk007

Just got hacked, all items on character are gone. I am now in a supposedly 6-8 hour wait to have items etc restored according to the customer service website. Also I am on a 75 minute wait by phone. Now hopefully I can get the stuff back but even so for me at least it makes this game almost not worth playing at all.

For all their effort in making this into a World of Warcraft lite, where you are always online I think they have in effect destroyed the game, no offline play and now we have to deal with account hacking and a slew of other problems. You know what could have avoided all these problems.....a SINGLE PLAYER GAME WITH MULTIPLAYER FEATURES....by trying to wrangle gold farmers etc out have done nothing but create a gold mine for them.

I can't believe I am saying this but seriously how can I get a refund because this is not what I paid for.

jasonefmonk

@smfE:

My last comment could have been worded better/gentler; as a second-language writer you're doing pretty well.

@BionicRadd:

You have a really limited idea of what people can do with account numbers and other personal information when gathered from a banking website. Just bill pay? Ever heard of a money transfer? Regardless your analogy is awkward and not very useful. A password is a security measure, a doorknob is not. Your antivirus comment has the same flaw.

To address the point you tried to make; yes a condom and the pill is better than one alone. You are failing to understand my fundamental issue. If I want to have sex I should never be forced to use any contraceptive, it's my responsibility to make those choices and take any necessary steps involved. It is on me if I want my password to be "opensesame" or "kNxjLN2bW9LoNGsb". It's my prerogative whether I feel the need for an authenticator or the Prime Minister's permission every time I log in.

BionicRadd

@lorex said:

Blizzard seems to have everyone buying into the notion that if you don't use an authenticator then it's the customer's fault for not protecting their own info. The official Diablo 3 forums are filled with this sycophantic acceptance that it has to be this way. I certainly did not ask for the game to require me to always be connected to their servers to play, this was forced on the players by the company. Now to be told individual customers did not do enough seems like shifting the blame to me. It's on Blizzard to fix the problems with their servers. If the only way to secure your account is with an authenticator, then Blizzard should make them free to everyone. I know they are free online for smartphone users but not every customer fits into that category. Also there is a lot of denial on Blizzard's part that there is no security breach beyond traditional methods already known. It will be interesting to see what happens when the RMAH goes live and the first reported hacks are reported. You think people are mad now when it's just virtual money and items missing, imagine the hell that will be raised if actual money is stolen.

7 dollars shipped is practically free. You probably spend more than that on an average lunch. If you don't have a smartphone or an iPod touch, spend 7 bucks and stop acting like there is some way Blizzard can protect you from your crappy password and internet habits.

avidwriter

Yea, listen to Blizzard. Everything is fine, keep paying $60 for a game where you can get your account stolen by doing nothing. Yep. Putting those millions of dollars to good work there Blizzard. I've lost all faith in this company. Greed and wealth kills all.

lorex

Blizzard seems to have everyone buying into the notion that if you don't use an authenticator then it's the customer's fault for not protecting their own info. The official Diablo 3 forums are filled with this sycophantic acceptance that it has to be this way. I certainly did not ask for the game to require me to always be connected to their servers to play, this was forced on the players by the company. Now to be told individual customers did not do enough seems like shifting the blame to me. It's on Blizzard to fix the problems with their servers. If the only way to secure your account is with an authenticator, then Blizzard should make them free to everyone. I know they are free online for smartphone users but not every customer fits into that category. Also there is a lot of denial on Blizzard's part that there is no security breach beyond traditional methods already known. It will be interesting to see what happens when the RMAH goes live and the first reported hacks are reported. You think people are mad now when it's just virtual money and items missing, imagine the hell that will be raised if actual money is stolen.

BionicRadd

@jasonefmonk said:

@smfE:

Your feelings of superiority because you believe you argue for some greater good is ridiculous.

I said nothing about getting hacked. This isn't about hacking it's about social engineering and how it affects all of our internet use. People using the same passwords across many accounts, using easy to guess passwords, and using logins on insecure machines are the issue.

If you want the extra layer of security it is there and available to you. Considering all of these lost accounts are the users' fault, Blizzard won't get any more bad press about it than Apple did with iTunes, or than Facebook has; if they do, it's shoddy reporters that don't understand the issue. Teaching people how to use the fucking internet will make them safer with all of their internet use. Blizzard properties are trivial things compared to your bank account or medical records. Would you argue to have an authenticator for them as well? How many do you want to keep stuffed in your pocket?

The password may not be the be-all-end-all of internet security, but a second password certainly isn't the solution.

P.S. Insinuating I don't care about my things because I don't want another item to carry around is dumb. There is no dichotomy between those two things. You write very poorly, I hope English isn't your first language.

Know what someone can do if they get the password to my bank's web site? See how much money I have. That's it. Theoretically, they could set up some billpay stuff to use my money to pay their electric bill, but there's a minimum 2 day lead time on that, so, yea, I guess there's that. Fact is your Blizzard account has a monetary value in the hands of the right person. Blizzard did not invent the authenticator and I think if you look at what other types of companies do use/offer authenticators, you will find a common thread. Your basic argument is you don't need a deadbolt because you have a really nice door knob, but it's not a one or the other situation. Both is better and there are people out there aggressively trying to get into as many Battle.net accounts as possible. By your logic, if you're a smart PC user, you shouldn't need an anti-virus program, because you won't do anything that would expose you to viruses.

smfE

@jasonefmonk: 1: Nope English isn't my first language, I speak and read 3 languages how many do you? Nope I don't feel superior and yes I believe that arguing for some greater good is ridiculous.

2: I don't care if you said anything about getting hacked. Yes this is about being hacked, simple links being posted on official game forums can easily contain keyloggers. Yes it's a good idea to use different passwords to your accounts, I do that myself. Even if you do this you can still of course get hacked.

Teach people basic things how to venture safe on the web that's a good idea at least Blizzard is trying to.

An extra layer of security is useful especially if you care for your security.

3: This doesn't have any relevance to what we're talking about. Why are you talking about press, Facebook, Apple and iTunes? Why are you comparing Blizzard properties to bank accounts and medical records. (weak weak arguments)

Yes of course I would want an authenticator for my bank account.

How many authenticators would I want in my pocket? 1 because they generate a different number every time. We actually have this kind of security here in Denmark for our bank account and services. It's working without any problems here and people are happy with it.

SpoonieLuv

It just seems like Blizzard has had such a customer service nightmare since D3's launch night that they're giving nothing but canned responses like the one above. Give it about 3 months, they'll get it together with Diablo.

jasonefmonk

@smfE:

Your feelings of superiority because you believe you argue for some greater good is ridiculous.

I said nothing about getting hacked. This isn't about hacking it's about social engineering and how it affects all of our internet use. People using the same passwords across many accounts, using easy to guess passwords, and using logins on insecure machines are the issue.

If you want the extra layer of security it is there and available to you. Considering all of these lost accounts are the users' fault, Blizzard won't get any more bad press about it than Apple did with iTunes, or than Facebook has; if they do, it's shoddy reporters that don't understand the issue. Teaching people how to use the fucking internet will make them safer with all of their internet use. Blizzard properties are trivial things compared to your bank account or medical records. Would you argue to have an authenticator for them as well? How many do you want to keep stuffed in your pocket?

The password may not be the be-all-end-all of internet security, but a second password certainly isn't the solution.

P.S. Insinuating I don't care about my things because I don't want another item to carry around is dumb. There is no dichotomy between those two things. You write very poorly, I hope English isn't your first language.

smfE

@jasonefmonk: My advice to you is maybe you should start thinking beyond your own nose tip. Just because you see you as a perfect competent user who will NEVER get hacked or anything, there's millions and millions of other people Blizzard has to make their systems and secure for, maybe so they won't get a bad rep hmm that's maybe one of the things. If it's enough to bring pain and sweat to you by typing a password to login life is hard for you.

This is not about some people being overall lazy but think of a little bigger perspective. If Blizzard doesn't take accounts worth many money and games serious perhaps just perhaps those people won't buy their games again? How much is the cost of these devices that are Made In China, 50 cents maybe, is it worth keeping people safe and secure and not lose tons of revenue because you can't be 100% safe with the internet these days. Yes I think so, especially if you think long term and keeping customers. Else Blizzard wouldn't be able to have the fan base they have if they didn't take these subjects serious.

I have an authenticator with me in a key ring and it's really not that hard to have with you if you actually care about your things.

Think beyond dude, it will help you that's my only advice!

deactivated-5ffc9b71f33ff

@HellBound: Welcome to gaming. This is why I wish we could step back a bit in technology and always have a direct connect and LAN option. Sometimes, I just don't care that much about being online.

AthleticShark

Also for those saying use an authenticator (not talking about the free app), but security should be free. Paying 6 dollars to have a key-chain with a code is ridiculous for a fucking game account. This is what society has become. Caring about fake virtual items. Pretty soon they will be offering insurance plans.

deactivated-5f9398c1300c7

Guys, this shit is real. All my items for my primary character are gone. I came back to my level 30 Demon Hunter on act 3, all nude and without her weapons. She only had one of her rings for some reason, but everything, including the stuff in my stash, has completely disappeared.

I managed to get some new stuff for my character, but all the things I legitimately found for my character has made all my 25 hours of play time simply for naught, and I carry no motivation to play this game now. I warn you all to change your passwords to something big, because I have a feeling this can happen to anyone at anytime.

AthleticShark

My friend just got his account hacked and he just played singleplayer. This is disgusting and stupid. Blizzard deserves no defense. The people that do are just the ones that it has not happened to yet. First the servers can't handle the amount of people and now the security is a joke. Speechless.

jesterroyal

@Archaen said:

@jesterroyal said:

I think session ID thefts have always been a perfect internet horror story. I hear them everywhere and yet nobody ever proves it was more than just getting bumped from their login. Thinking of getting the authenticator since I can't easily store an overly complicated password in a pw database like usual..

As an internet security professional I can definitively tell you that session ID theft is a real thing. Whether it's happening to Diablo III or not I can't say but this isn't an issue that's an old wives' tale. This is checked by security firms on every application we make when we go through security audits. It is very much an issue with all online applications.

I never meant to imply that it wasn't real. I just meant that it is a super easy culprit to blame. Someone always brings it up and many times it's easier to say that some "Chinese hacker" stole your session ID than to admit you had a weak password or a virus riddled computer. As an IT professional myself who removes viruses all the time for people who "didn't go to any strange sites" or "just don't know what happened" (Fake coupon sites. *sigh*), I've seen it's easier to blame an outside circumstance beyond your control. Session ID hacking is near impossible for the end user to diagnose and is the hard to explain boogey man for nearly every MMO I've spent time around. It's scary and implies there's someone with enough skill and malicious intent to take your pants from you while you are wearing them.

I guess in short I never meant to question the possibility, just the plausibility.

BionicRadd

@Turambar said:

@BionicRadd said:

@Turambar said:

The idea would be that they can alter account information on the fly as well, just as they have the tools to steal the session identifier. Now, the thing is if what you intend to suggest, that I had my account compromised the old-fashioned way, it would mean an e-mail would have been sent to me from Blizzard acknowledging that particular password change. That is something I never received. There is of course the chance that the hacker decided to delete it from both my inbox as well as the trashcan, but you'll forgive me if I doubt he would attempt to hide his presence to that degree particularly considering how overt the ultimate goal was.

Why would you ever doubt that? The longer he has a hold of your account, the more he can do with it. A friend of mine got his WoW account jacked just after Wrath came out. After they finished stripping his 80 and sending all the gold to wherever, they took his Death Knight to Karazhan on multiple occasions and farmed it for whatever he was farming for. Since this particular friend is sometimes not that talkative, the farmer logged in 4 or 5 different times before we figured out what was going on (my friend's WoW account wasn't even active at the time). I don't remember your specifics, but if you had a high level D3 character, they would certainly want to mask their actions from you to maximize the amount of time they got to spend farming for rare drops.

I doubt that specifically because he would have had mere minutes to change my password. I had logged into my account about 2 to 3 minutes before being booted off. I would further posit the question to you: can you imagine a way by which I would have had my password stolen? Once again, my internet history essentially only contains Giantbomb, AnimeVice, Wordpress, Blizzard, Gmail, Edgewood College, UW Madison, Wisconsin Department of Education, UW Health, YouTube, Dayforce, and various mainstream news sites for the past week. I have not downloaded attachments from any e-mail, nor received any such e-mails. My password is over 10 letters, contains capitalization, numbers, and is romanized Chinese. If you have a theory as to how my password would have been stolen in light of that, I would love to hear it.

Same way my friend's account got hacked even though he hadn't logged into WoW in 3 months. Short answer - I don't know, but most of it is either social engineering or keylogging. This is what these people do, all day long, 7 days a week, 24 hours a day. The fact that you were on when they took control of your account is possibly incidental. Doesn't change the fact that they have to get your password to change your password. Until I see documented proof of someone pulling off this supposed "session hijacking", all the people proclaiming "it can be done" are blowing smoke, as far as I am concerned.

http://howsecureismypassword.net/

10 characters, no symbols based on your description and is an actual word of some kind? 169 days for 1 PC to crack it (they will use more than 1 PC to try it). By comparison, my Giant Bomb password will take almost 1000 years to brute force. Understand that these accounts aren't being taken by script kiddies just messing around with people. This is a business and they make a lot of money off this stuff.

Archaen

@EXTomar said:

As for those who say you can still get hacked with authenticator attached: The way the modern system works is that if it detects an attempt from an IP-location which the account has never logged into it will challenge with the authenticator. If someone is able to defeat or guess 8 digit response, automatically trigger a "change your password" if it succeeds and kick them out. They would be forced to go to "www.battle.net" where they would be challenged again the authenticator/8 digit response. The system isn't foolproof or bulletproof but it is hard to defeat. It is way more likely someone they know, got access to their home machine and logged into WoW from their own machine (which it wouldn't automatically recheck with the authenticator) and stole items instead of some super hacker in Asia. The sad truth is that many hacks are actually done by acquaintances in familiar settings.

The hack in question gets around a login entirely, which would bypass the authenticator as well assuming it doesn't monitor each and every packet. If you can hijack a session you don't need a password or even a user name. Whether this security flaw exists or not we can't say, but if it does the authenticator would be worthless.
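An added illustration of the point in the post above, that a second factor checked only at login does nothing once a session identifier is in someone else's hands. It is not part of the thread and not Battle.net's code: the class, the action names and the addresses are assumptions constructed for the example, which compares a token-only check with one that binds the session to the client that logged in and asks for the authenticator again on sensitive actions.

```python
import hashlib
import hmac
import secrets

# Assumed names for actions worth a fresh authenticator challenge.
SENSITIVE = {"change_password", "transfer_items"}


def _context(ip, user_agent):
    # Fingerprint of the client that completed login (assumption: IP + UA).
    return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()


class SessionStore:
    """Toy server-side session table (hypothetical design)."""

    def __init__(self):
        self._sessions = {}  # token -> {"user": ..., "ctx": ...}

    def login(self, user, password_ok, otp_ok, ip, user_agent):
        # Password and authenticator code are both verified at login.
        if not (password_ok and otp_ok):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "ctx": _context(ip, user_agent)}
        return token

    def authorize_naive(self, token, action):
        # Possession of the token is the only check, so a copied token
        # is accepted without any password or authenticator code.
        return "allow" if token in self._sessions else "deny"

    def authorize_bound(self, token, ip, user_agent, action, otp_ok=False):
        session = self._sessions.get(token)
        if session is None:
            return "deny"
        if not hmac.compare_digest(session["ctx"], _context(ip, user_agent)):
            # Token presented by a different client: revoke it so the
            # legitimate user has to log in (and pass 2FA) again.
            del self._sessions[token]
            return "deny"
        if action in SENSITIVE and not otp_ok:
            # Same client, but high-value action: ask for a fresh code.
            return "step_up"
        return "allow"


def demo():
    store = SessionStore()
    owner = ("203.0.113.10", "GameClient/1.0")   # constructed sample values
    other = ("198.51.100.77", "GameClient/1.0")  # constructed sample values
    token = store.login("player1", True, True, *owner)
    return {
        "naive_replay": store.authorize_naive(token, "transfer_items"),
        "owner_play": store.authorize_bound(token, *owner, "play"),
        "owner_transfer_no_otp":
            store.authorize_bound(token, *owner, "transfer_items"),
        "owner_transfer_otp":
            store.authorize_bound(token, *owner, "transfer_items", otp_ok=True),
        "replay_other_client": store.authorize_bound(token, *other, "play"),
        "owner_after_revoke": store.authorize_bound(token, *owner, "play"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Binding to IP and user agent will also log out legitimate users whose address changes mid-session, and it does not stop a token reused from the same machine; the step-up check on sensitive actions is what covers that case.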

Archaen

@jesterroyal said:

I think session ID thefts have always been a perfect internet horror story. I hear them everywhere and yet nobody ever proves it was more than just getting bumped from their login. Thinking of getting the authenticator since I can't easily store an overly complicated password in a pw database like usual..

As an internet security professional I can definitively tell you that session ID theft is a real thing. Whether it's happening to Diablo III or not I can't say but this isn't an issue that's an old wives' tale. This is checked by security firms on every application we make when we go through security audits. It is very much an issue with all online applications.

Dezztroy

It's kinda funny how innocent Blizzard always are when it comes to security issues, while Battle.net passwords aren't even case-sensitive.
 
Basic security is hard guise

HKZ

Move along, nothing to see here.

EXTomar

I didn't mean it that way. I am merely pointing out with that real example how someone I knew who was being ultra careful every other time decided for whatever reason (maybe a beer or two) slipped up and in a way they didn't expect. He didn't even think about it where we had to text them "hey someone has your account!". When they got back and saw the damage, they swore up and down in vo-com it was impossible, that they were so careful, that it had to be some new hack or a flaw in Battle.net, and so on when someone simply asked "Where did you login last?" and you could hear the /facepalm.

2 Step Authentication and physical authenticators are great ways to add tighter access control to any system. I don't understand why the automatic rejection and hatred of such systems where it isn't so much about the person not being careful as much as they are being careful by adding another authentication layer.

ShadowMarth

I can't see this as anything other than a lie. My WoW account was hacked four separate times. The first time I kind of deserved it, used the same pass as my email. The second time I had a separate pass, but it was kind of weak. The third and fourth times I had a completely unique to Battle.net password, using max characters, numbers and letters, no sensible way to discern it, and after EACH hacking I did THOROUGH sweeps of my computer with every tool available to me, never finding a damned thing. This happened across multiple computers, and it happened across years. There has never been any explanation for any of them. I can't find any other explanation besides a problem on their end.

I'm half suspicious that it's them just trying to sell me an authenticator.

@EXTomar: I have NEVER logged onto my Bnet account from a computer not owned by me. I have NEVER shared my passwords with anyone. I am very careful with my own computer, and have never had any other accounts I use on my computers breached in this way. It's on their end. If you've never experienced it, good for you, I didn't for the first four years or so of WoW's life either, but clearly somebody found a way to fuck with it on their end, because it's sure as fuck not me. Not after four times with no intrusions on my computers.

EXTomar

Are these competent users who swear up and down that they've been super careful with password credentials only to find out when Blizzard does a trace it is indeed a clean, one try login attempt from an internet cafe in Indonesia?

Because of WoW and dealing with this from a guild management perspective, I've come to realize people who think they are smart with their Internet usage often make basic mistakes in trust and pay for it. They visit their cousin's house for a family thing and plays a little WoW with them not realizing that machine used was infected to the gills with spyware due to his pr0n surfing habits and the next day I see his character logged in the middle of the night and cleaned withdrew from the guild bank to the rank cap and stripped it the entire thing clean. It wasn't that he was incompetent but trusted and assumed they were just as competent.

jasonefmonk

@smfE: Because it's either an app I have to have open, a phone number I have to call, or a silly little device I have to keep with me and (I assume) charged when I have no issue creating and maintaining a secure password. Making it mandatory punishes competent users for the mistakes of careless ones. It would also force Blizzard/Activision to cover the cost of the devices for many users.

It is enough of a pain to have to type my password every time I log in to Battle.net from my personal computer. This isn't helping anyone be more secure, it's helping them be lazy with their secure information.