    Diablo III

    Game » consists of 9 releases. Released May 15, 2012

    Diablo III returns to the world of Sanctuary twenty years after the events of Diablo II with a new generation of heroes that must defeat the demonic threat from Hell.

    Blizzard Says Battle.Net Hasn’t Been Compromised

    #51  Edited By buft

    @TehBuLL said:

    I had my WOW account jacked before I had an authenticator. The key is to not get drinky and click that email saying I was invited to the new beta. Can only blame myself. Never open ANY email from Blizzard. All of these tactics and account jacking are old news to WOW Vets who have seen a guild bank looted.

    I had my account jacked before authenticator, logged into battle.net from a public PC while on holidays. Not related to my account, but one time our guild bank lost a quarter of a million gold after an officer got hacked.

    Got an authenticator and everything has been hunky-dory ever since.

    #52  Edited By ichthy

    For anyone that firmly believes this session ID theory, find me the primary source and definitive proof or you are full of shit. Thanks.

    #53  Edited By greedycheese

    @l3illyl3ob: I get that they could kick me off. My question is why couldn't I kick them back off? Did they change my password superfast? Is it possible that they could change my password before they logged in to D3?

    As for virus scans, I am running OSX and do not have Flash or Java installed. As far as I know the only current vulnerabilities are trojans. I know that there will be OSX exploits eventually. There is no such thing as a 100% safe OS. It just seems highly unlikely to me that it's the case right now.

    #54  Edited By EXTomar

    If the SC and WoW clients are any indication, all client and server chatter is "player command" oriented. Stuff like "select NNNN", "buy MMMM", "action5". There is no way for the client to build a command and push it to the "Battle.net protocol" that is like "move otherplayer" or even "sell otherplayer weapon" or even "tell me otherplayer account". There isn't supposed to be enough information given to the player's client about any other player let alone enough to take over their account since all players are "cache entities" that are commanded by the server.

    If someone has hacked their client to make Battle.net do something it was never designed to do then that is amazing. After years of WoW and a lot of SC2 no one has broken this yet. It isn't impossible there is a serious flaw in the Diablo 3 client that exposes some really crazy flaw in the bigger Battle.net protocol but Occam's Razor suggests someone just figured out the email/password.

    #55  Edited By HydraHam

    @TehBuLL said:

    I had my WOW account jacked before I had an authenticator. The key is to not get drinky and click that email saying I was invited to the new beta. Can only blame myself. Never open ANY email from Blizzard. All of these tactics and account jacking are old news to WOW Vets who have seen a guild bank looted.

    I have had my WOW account jacked with an authenticator and I never click Blizzard emails. Also, 2 of my friends who have authenticators have had their D3 accounts wiped and guess what? They aren't to blame.

    Believe it or not, it's not ALWAYS the user's fault and I am sick of people believing Blizzard is always innocent; sometimes the shit is on their side.

    #56  Edited By jesterroyal

    I think session ID thefts have always been a perfect internet horror story. I hear them everywhere and yet nobody ever proves it was more than just getting bumped from their login. Thinking of getting the authenticator since I can't easily store an overly complicated password in a pw database like usual.

    #57  Edited By dvorak

    @Styl3s said:

    @TehBuLL said:

    I had my WOW account jacked before I had an authenticator. The key is to not get drinky and click that email saying I was invited to the new beta. Can only blame myself. Never open ANY email from Blizzard. All of these tactics and account jacking are old news to WOW Vets who have seen a guild bank looted.

    I have had my WOW account jacked with an authenticator and I never click Blizzard emails.

    Believe it or not, it's not ALWAYS the user's fault.

    Yeah I had the same thing happen. I had a damn authenticator and lost all kinds of stuff, never to be recovered. There's easy human element ways to get around an authenticator.

    That was years ago in WoW though, and I haven't had any issues since.

    #58  Edited By l3illyl3ob

    @greedycheese: I know that nobody wants to admit they could be a victim to it, but there's always the possibility of phishing. Sometimes all it is is a normal looking newsletter or whatever copied from Blizzard, but replaced with their own links instead, hoping people would click on them and log into their phony site. Never click on a link from an email, ever.

    I just look at the two current theories right now, and regardless of what Blizzard says on the matter, I just don't see any proof for Session ID hijacking, and it's pretty telling to me that every person who gets hacked doesn't have an authenticator. The most likely scenario is that all of this is just traditional hacking. I hope you find out what happened to you, greedycheese.

    #59  Edited By ildon

    @Bartz said:

    "What are traditional means?"

    You asked this question directly after Blizzard defined traditional means as "someone else logging into their account through the use of their password."

    Almost every person who gets his account compromised is a victim of his own stupidity.

    I don't think that's fair. Although it's less prevalent now because ad sellers seem to be getting better at catching and policing this stuff, and browsers and Flash are getting a bit better at allowing fewer security holes, in the past a huge rash of MMO game account compromises have been due to hackers putting up ads that contained malware, and those ads getting put up on popular and legit fan sites for those games. It's one thing for someone to stupidly click a bad link in a phishing email (your fault), it's another to visit your regular gaming website and get a trojan through your browser (not your fault).

    Personally, I do run Firefox with NoScript and have for a long time, but I don't think that's honestly a fair expectation for most PC users.

    #60  Edited By greedycheese

    @TehBuLL said:

    @greedycheese what part of Blizzard saying the SessionID theory is impossible is hard to believe? I would instead start thinking of any emails you've clicked or install files downloaded from non-blizzard sites. Hell these days clicking on random wiki sites is a death wish. I'm only talking all this jazz until my stuff gets stolen, then I'll be just as pissed. I'm just glad my hackers are nice enough to wait until the Real money auction house is up.

    I don't think I ever said that... I have no problem with Blizzard's response to this so far other than the 48 minute wait on hold when I called them to sort this out. But I have worked in a call center before, so I certainly don't blame those dudes. I haven't seen any real evidence to support the SessionID theory.

    My problem is this: I think that the shouting match between the Pro-SessionID people and those asking for evidence has gotten so loud and toxic that it has become hard to understand what is actually going on. My experience getting compromised makes me feel that there might be something going on that is different from the run-of-the-mill keylogging/phishing scams.

    Something that falls between the extremes of "If you get hacked it's your damn fault" and "If I get hacked it is all Blizzard's fault."

    #61  Edited By TentPole

    Suggesting mandatory authenticators is extremely naive and idiotic on Patrick's part.

    #62  Edited By GunslingerPanda

    If the authenticator is the best way to keep an account secure, why not make that a requirement for play?

    What a stupid thing to say. I use an authenticator, but why on earth should a game require an additional security measure that costs more money (not everyone has a fancy phone like me) to run?

    #63  Edited By Bartz

    @ildon said:

    @Bartz said:

    "What are traditional means?"

    You asked this question directly after Blizzard defined traditional means as "someone else logging into their account through the use of their password."

    Almost every person who gets his account compromised is a victim of his own stupidity.

    I don't think that's fair. Although it's less prevalent now because ad sellers seem to be getting better at catching and policing this stuff, and browsers and Flash are getting a bit better at allowing fewer security holes, in the past a huge rash of MMO game account compromises have been due to hackers putting up ads that contained malware, and those ads getting put up on popular and legit fan sites for those games. It's one thing for someone to stupidly click a bad link in a phishing email (your fault), it's another to visit your regular gaming website and get a trojan through your browser (not your fault).

    Personally, I do run Firefox with NoScript and have for a long time, but I don't think that's honestly a fair expectation for most PC users.

    Stupidity might be harsh, I guess, but you could say it's ignorance. People who use the internet accept the risks whether they know it or not, and if they get a trojan/virus/whatever, it is still their fault. It most certainly isn't Blizzard's fault.

    #64  Edited By Ravenlight

    @NS1126 said:

    Also, Blizzard CS is pretty lax in their reply times.

    Do you realize how many support tickets they must be getting for a launch this large? I agree that waiting sucks, but c'mon. Cut their outsourced, barely literate support team some slack :P

    #65  Edited By greedycheese

    @l3illyl3ob: This is good advice. It's advice that I have given other people. Until this happened, I thought I was following it myself but this whole thing is making me re-evaluate.

    #66  Edited By ildon

    @Rawson said:

    @Hockeymask27 said:

    Well if you don't have a smart phone you can't get the Authenticator for free. So I believe that's why they are not mandatory yet. Unless they plan on packing the ones you can buy.

    Wrong. There's a Windows emulator for Battle.net authenticators, and there's also a dial-in authenticator that will literally work with any phone.

    @zeekthegeek said:

    Blizzard are better than this. They should KNOW that this is a simple session hijack hack, much like smartphone programs that could swipe into someone's logged in Facebook account.

    Also wrong. There's been literally no indication that the session ID hijack has been real. It was started up by a guy at Eurogamer, and is entirely false, because fact checking is hard. Any claims otherwise are people who were phished/keylogged and didn't have an authenticator.

    The only way it'd be secure to emulate an Android and run the authenticator was if that machine was completely separate from your gaming machine and never ever connected to any kind of network. If your machine is compromised, so is your Android emulator. It's more work to compromise an account that way, but you only have to know how to do it once in order to automate it as part of your attack. Running an entire additional computer is more expensive and much more of a hassle than carrying an authenticator.

    Edit: Also the dial-in authenticator currently only applies to WoW.

    #67  Edited By Depth

    Idiots get keylogged and then Eurogamer makes a big article saying it's session hijacking, making every Battle.net forum poster believe it.

    #68  Edited By viking_funeral

    This makes me wonder about all those random people that are showing up in the 'recently played with' section. People don't seem to be fabricating that, so I wonder what the connection is.

    #69  Edited By greedycheese

    @TentPole said:

    Suggesting mandatory authenticators is extremely naive and idiotic on Patrick's part.

    How is asking Blizzard a question about authenticators suggesting anything? Blizzard came out and said authenticators are the best security. All I see Patrick doing is trying to get Blizzard on the record about why they don't require them. To me that is just by-the-book reporting.

    I didn't even know about the free smartphone apps until after I got hacked. Even if Blizz doesn't require them they could bring them up during the install and make users who choose not to have them click through a big ass warning.

    #70  Edited By SmilingPig

    My WoW account got pirated 2x when it was inactive for nearly one year (no game time in it).

    I never bought gold or power-leveled, I never logged in my battle.net account from anywhere other than WoW and battle.net.

    The same thing happened to my girlfriend.

    So I say that YES they have big security issues.

    #71  Edited By Grimluck343

    @Depth said:

    Idiots get keylogged and then Eurogamer makes a big article saying it's session hijacking, making every Battle.net forum poster believe it.

    Even Forbes jumped on the bandwagon.

    But seriously, get the authenticator.

    If the authenticator is the best way to keep an account secure, why not make that a requirement for play?

    Because not everyone owns a smart phone and you shouldn't compel people to spend an additional $5 on a keyfob to be able to play a game?

    #72  Edited By greedycheese

    @Paul_Is_Drunk said:

    This makes me wonder about all those random people that are showing up in the 'recently played with' section. People don't seem to be fabricating that, so I wonder what the connection is.

    No matter how they get access to your account, they have to transfer your goods to a mule. That mule account shows up as "recently played with". I had the same thing, some random lv1 guy with under 2 hours played. I am sure that when Blizzard looked at my account they saw that guy and dealt with it.

    #73  Edited By Corvak

    Regarding Patrick's comment on mandatory authenticators, Blizzard has said that signing up for the SMS service will be mandatory to use the real money auction house.

    #74  Edited By ethan_raiden

    I'm not sure what you're getting at with this story Patrick, I do appreciate you updating me on the status of Diablo 3 and the possible security issues, but I'm not sure that your italicized aggressive questioning is necessary.

    #75  Edited By somalu

    in other Diablo news, Blizzard is looking into restoring lost achievements for some players, and the real-money auction house has been pushed back to an undetermined launch date.

    The longer they delay it the better.

    #76  Edited By Turambar

    @greedycheese said:

    @Paul_Is_Drunk said:

    This makes me wonder about all those random people that are showing up in the 'recently played with' section. People don't seem to be fabricating that, so I wonder what the connection is.

    No matter how they get access to your account, they have to transfer your goods to a mule. That mule account shows up as "recently played with". I had the same thing, some random lv1 guy with under 2 hours played. I am sure that when Blizzard looked at my account they saw that guy and dealt with it.

    Same here. There was a lv 1 barbarian with the name WXYAY as my top most recently played with.

    @greedycheese said:

    @TehBuLL said:

    @greedycheese what part of Blizzard saying the SessionID theory is impossible is hard to believe? I would instead start thinking of any emails you've clicked or install files downloaded from non-blizzard sites. Hell these days clicking on random wiki sites is a death wish. I'm only talking all this jazz until my stuff gets stolen, then I'll be just as pissed. I'm just glad my hackers are nice enough to wait until the Real money auction house is up.

    I don't think I ever said that... I have no problem with Blizzard's response to this so far other than the 48 minute wait on hold when I called them to sort this out. But I have worked in a call center before, so I certainly don't blame those dudes. I haven't seen any real evidence to support the SessionID theory.

    My problem is this: I think that the shouting match between the Pro-SessionID people and those asking for evidence has gotten so loud and toxic that it has become hard to understand what is actually going on. My experience getting compromised makes me feel that there might be something going on that is different from the run-of-the-mill keylogging/phishing scams.

    Something that falls between the extremes of "If you get hacked it's your damn fault" and "If I get hacked it is all Blizzard's fault."

    I can say with a pretty high amount of confidence that it is not run of the mill keylogging or phishing. I can't recall any e-mail I've opened in the last week that was not from my college, nor any potentially harmful websites I've visited.

    On a separate note, I've been using the automated account recovery option that's on the Bnet site, but there is no ETA on how long it'll take for the account to be rolled back before all my stuff was jacked. How long did it take for your account to actually be resolved/restored?

    #77  Edited By Zomgfruitbunnies

    I am disgusted by the amount of victim blaming in here. If duder gets stabbed in the street by random guy, it's his fault for not taking precautions to not getting randomly stabbed, right?

    Fuck off.

    #78  Edited By baldgye

    It's utter nonsense... my account has been hacked and not because I told someone my account or because I logged in via an internet cafe... Battle.net 2 is horrible and this sort of thing is appalling.

    Their customer service is a sad joke and they are treating their customers like shit.

    #79  Edited By PolyesterPimp

    Soooo.... Can I play in public games without fear yet?

    #80  Edited By enthalpy

    Here's a tip for everyone who is concerned about potentially being the victim of an account compromise. Find a secure computer that you trust--this includes non-jailbroken mobile devices that contain a browser--and change the password on the account that you think is compromised, ensuring that you get the confirmation email. If your password for battle.net is the same as any other password, change it to be unique and long.

    Until any forensics are completed that substantiate the sessionid spoofing rumor or some other compromise of the service as opposed to a meat and potatoes compromise of an individual's credentials, it's really hard to believe that people aren't just having run-of-the-mill credential compromises, and the Internet echo chamber isn't helping.

    If I were in possession of a large number of compromised battle.net ids and passwords, this is exactly what I would have done awaiting the launch of D3--sit on the accounts until this point in time to furiously gather items to prepare for the immediately impending launch of the RMAH. I would then cash out fast in the initial crazy market rush.

    deactivated-64b8656eaf424

    Yeeah, those questions are pretty dumb.
    It's almost like you are one of those European Press people who you guys mock in the bombcast.

    #82  Edited By mbkish

    @Zomgfruitbunnies said:

    I am disgusted by the amount of victim blaming in here. If duder gets stabbed in the street by random guy, it's his fault for not taking precautions to not getting randomly stabbed, right?

    Fuck off.

    This is very different than a stabbing specifically because you CAN take precautions. Even without an authenticator, if you have a password containing a-zA-Z0-9 + symbols it will take 91800 years to crack it by brute force. To stay clear of keyloggers; avoid unprotected browsing, unknown sites, and don't run anything you aren't sure is safe.

    #83  Edited By kindgineer

    The whole hacking scenario sounded like a bullshit outcry from the get-go. This doesn't sound any different than the fake account compromise I think 4chan came up with or whatever.

    Just a bunch of upset individuals venting in a stupid way. Blizzard finally fixed the lag (I now have a constant 100 ping instead of 300) and now the game is near perfect.

    #84  Edited By spankmastaflex

    My WoW account has been stolen for some time now. Just haven't cared cause I'm over WoW. I suppose when I get around to buying Diablo 3 I'll have to get that Battle.net stuff sorted out.

    #85  Edited By LikeaSsur

    @Xeirus said:

    @LikeaSsur said:

    @Xeirus said:

    @Rappelsiini said:

    @Xeirus I'm on my phone so it's hard to pinpoint what exactly makes his questions stupid.

    Then, honestly, why bother. Does it really annoy you so bad you have to go out of your way to make a useless post?

    The irony is palpable.

    Oh gee, look at another one. Someone has zero sense of irony, maybe you shouldn't use a word you don't understand.

    Ha ha, jeez, duder, calm down, it's not that big of a deal. None of us are going to lose sleep over one guy's negative comment.

    #86  Edited By Toxeia

    @Hockeymask27: Android SDK has an emulator, you can run the authenticator in that. There's also a free dial-in authenticator. On top of that, it's only $7 with shipping for the old keyfob (which I have). If $7 is too much for security there's no reason to be complaining when your shit gets jacked.

    @Rappelsiini: If you read a little harder you'd see that the formatting is in what Blizzard had previously released and his question on that subject. It's not stupid, it's how Patrick kept notes on shit he wanted to know. Good on you for wanting to ignore the constructive in constructive criticism.

    #87  Edited By jjnen

    @Toxeia: First of all fuck you, no need to be passive aggressive, and who said it was supposed to be constructive criticism? I just might have had a shitty day and this is a way for me to let off some steam. But like I stated before, I was at the time using my phone so it would've been pretty difficult for me to elaborate beyond my main point. It just struck my eye as something stupid so I commented on that. Anyway it looks like you and I aren't thinking on the same level and I'm not in the mood to explain anything so I'll leave it at that.

    #88  Edited By Arthurd

    There are a lot of new people and people who haven't played in a long time coming in. It's sad that hackers are taking advantage of this but it will die down once those players get an authenticator. As for should Blizzard make authenticators mandatory, I don't think so. If you have a secure computer you don't need to use it. The thing is that people who think their computer is secure are probably wrong so they get hacked.

    #89  Edited By Green_Incarnate

    My account was hacked a few days back. Don't think it was a problem with key logging/virus/phishing, although the password for it wasn't that impressive. Changed the password and recovered the account. Haven't had a problem since. Don't know what they were going to do with a lv 8 character with no gold.

    #90  Edited By Turambar

    @Green_Incarnate said:

    My account was hacked a few days back. Don't think it was a problem with key logging/virus/phishing, although the password for it wasn't that impressive. Changed the password and recovered the account. Haven't had a problem since. Don't know what they were going to do with a lv 8 character with no gold.

    Did you use the automated account recovery option? Also, how long did it take for the issue to be resolved?

    #91  Edited By BrockNRolla

    Too much editorializing Patrick. I had trouble understanding who was saying what.

    #92  Edited By Toxeia

    @Rappelsiini: No need to be aggressively aggressive bro. And if you aren't being critical to be constructive you're not doing anyone any good. Sorry you're having a bad day though.

    #93  Edited By Bunny_Fire

    @JBG4 said:

    Well, at least this is comforting. I have an authenticator and play mostly offline so this isn't huge to me but I do feel bad for anyone who has had their account compromised.

    I'm sorry, you're playing Diablo 3 offline? I call HAX, you can do no such thing; you need an always-on connection to play it.

    #94  Edited By Turambar

    @mbkish said:

    @Zomgfruitbunnies said:

    I am disgusted by the amount of victim blaming in here. If duder gets stabbed in the street by random guy, it's his fault for not taking precautions to not getting randomly stabbed, right?

    Fuck off.

    This is very different than a stabbing specifically because you CAN take precautions. Even without an authenticator, if you have a password containing a-zA-Z0-9 + symbols it will take 91800 years to crack it by brute force. To stay clear of keyloggers; avoid unprotected browsing, unknown sites, and don't run anything you aren't sure is safe.

    I fit all the requirements of someone "taking precaution". What now? Am I still at fault?

    #95  Edited By StarvingGamer

    It should be pretty obvious why an authenticator isn't required.

    #96  Edited By BionicRadd

    @Turambar said:

    @mbkish said:

    @Zomgfruitbunnies said:

    I am disgusted by the amount of victim blaming in here. If duder gets stabbed in the street by random guy, it's his fault for not taking precautions to not getting randomly stabbed, right?

    Fuck off.

    This is very different than a stabbing specifically because you CAN take precautions. Even without an authenticator, if you have a password containing a-zA-Z0-9 + symbols it will take 91800 years to crack it by brute force. To stay clear of keyloggers: avoid unprotected browsing, unknown sites, and don't run anything you aren't sure is safe.

    I fit all the requirements of someone "taking precaution". What now? Am I still at fault?

    You had an authenticator and a strong password and used an email that you only use to log in to Battle.net? You did ALL of those things and got compromised? I don't buy it.

    #97  Edited By NathHaw

    Ever since I was hacked back in 2010, I've used an authenticator.

    "I never thought it would happen to me!"

    #98  Edited By Green_Incarnate

    @Turambar said:

    @Green_Incarnate said:

    My account was hacked a few days back. Don't think it was a problem with key logging/virus/phishing, although the password for it wasn't that impressive. Changed the password and recovered the account. Haven't had a problem since. Don't know what they were going to do with a lv 8 character with no gold.

    Did you use the automated account recovery option? Also, how long did it take for the issue to be resolved?

    Yeah. Took like a minute.

    #99  Edited By Turambar

    @BionicRadd said:

    @Turambar said:

    @mbkish said:

    @Zomgfruitbunnies said:

    I am disgusted by the amount of victim blaming in here. If duder gets stabbed in the street by random guy, it's his fault for not taking precautions to not getting randomly stabbed, right?

    Fuck off.

    This is very different than a stabbing specifically because you CAN take precautions. Even without an authenticator, if you have a password containing a-zA-Z0-9 + symbols it will take 91800 years to crack it by brute force. To stay clear of keyloggers: avoid unprotected browsing, unknown sites, and don't run anything you aren't sure is safe.

    I fit all the requirements of someone "taking precaution". What now? Am I still at fault?

    You had an authenticator and a strong password and used an email that you only use to log in to Battle.net? You did ALL of those things and got compromised? I don't buy it.

    Didn't have an authenticator, but yep to all the rest. Here's the running theory on just what is being exploited. Original post can be found here.

    You make a credential handshake once in the entire session. This happens at the time of login and this is what gets logged (IPs, account IDs, etc.).

    At this point only session identifiers get transferred back and forth for each transaction. A transaction is whenever the state on your account changes. This could be anything from making an AH purchase to picking up some uber sword, or completing a quest, etc..

    If I steal your session identifier and send that instead of mine, then I now have access to your account and I completely bypassed the need to login. This could happen in real time. It's possible Blizzard made the system spaz out when it detects multiple detections from the same account ID, so it keeps the most recent one logged in and kicks the old one.

    The tools to do this might have also allowed the malicious user to change credentials on the fly. The game client assumes it's not hacked and the session is legit, so it makes the changes live.

    While it is a theory and of course Blizzard will never confirm/disclose the specifics of their security flaw, it does a good job explaining the specific circumstances surrounding my hacking: the fact that I was booted off the game while in the middle of browsing the auction house, and the fact that my password was already changed when I tried to log back in mere seconds later. Therein lies the rub: of course it is hard to believe that the above is actually happening unless it suddenly happens to you as well.
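
The account model in the theory quoted in post #99, as an added example that is not part of any post in the thread and is not Blizzard's code: a toy server where the session identifier alone authorizes a credential change, next to a variant that requires the current password and revokes existing sessions. `SessionServer`, `require_reauth` and `demo` are hypothetical names, and the account data is constructed.

```python
import hashlib
import hmac
import secrets

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class SessionServer:
    """Toy in-memory account server (constructed for illustration)."""
    def __init__(self, require_reauth):
        self.require_reauth = require_reauth
        self.accounts = {}   # user -> (salt, password hash)
        self.sessions = {}   # session id -> user

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self.accounts[user] = (salt, _hash(password, salt))

    def _check(self, user, password):
        salt, stored = self.accounts[user]
        return hmac.compare_digest(stored, _hash(password, salt))

    def login(self, user, password):
        # The one credential handshake; afterwards only the session id is sent.
        if not self._check(user, password):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = user
        return sid

    def change_password(self, sid, new_password, current_password=None):
        user = self.sessions.get(sid)
        if user is None:
            return False
        # Hardened mode: a session id alone cannot change credentials.
        reauthed = current_password is not None and self._check(user, current_password)
        if self.require_reauth and not reauthed:
            return False
        self.register(user, new_password)
        # Revoke every session for this user so a copied id stops working.
        self.sessions = {s: u for s, u in self.sessions.items() if u != user}
        return True

def demo(require_reauth):
    srv = SessionServer(require_reauth)
    srv.register("owner", "correct horse")            # constructed account
    copied_sid = srv.login("owner", "correct horse")  # id as held by a second party
    changed = srv.change_password(copied_sid, "someone-elses-choice")
    return changed, srv.login("owner", "correct horse") is not None
```

`demo(False)` reproduces the lockout the post describes (password changed, owner can no longer log in); `demo(True)` refuses the change and the owner's login still works.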

    #100  Edited By Turambar

    @Green_Incarnate said:

    @Turambar said:

    @Green_Incarnate said:

    My account was hacked a few days back. Don't think it was a problem with key logging/virus/phishing, although the password for it wasn't that impressive. Changed the password and recovered the account. Haven't had a problem since. Don't know what they were going to do with a lv 8 character with no gold.

    Did you use the automated account recovery option? Also, how long did it take for the issue to be resolved?

    Yeah. Took like a minute.

    Hmm, it's been half a day and waiting so far. Ah well, good to hear that it will be fixed in a somewhat timely fashion at least.
