... unless the auction house is using http! Interesting...
... then there's the matter of the Authenticator optionally not being required on every login. There could be a token stored locally, that is returned to the server on subsequent logins, although Blizzard describes it as "remembering the location you logged in from."
- If there's a token, then a stolen token along with your password might allow someone to log in from anywhere.
- If there's no token, then some IP spoofing would be required. I wonder who Blizzard's network provider is.
Also, these authenticators themselves are sometimes compromised, as in the SecurID hack last year: http://www.rsa.com/node.aspx?id=3872