greedycheese

Well said. I wholeheartedly agree.

It feels like Microsoft forgot the "Horse" part of "Trojan Horse"

They didn't give me any reasons to shell out $400+ dollars for this thing.

@Paul_Is_Drunk: @Paul_Is_Drunk said:

This makes me wonder about all those random people that are showing up in the 'recently played with' section. People don't seem to be fabricating that, so I wonder what the connection is.

No matter how they get access to your account, they have to transfer your goods to a mule. That mule account shows up as "recently played with". I had the same thing, some random lv1 guy with under 2 hours played. I am sure that when Blizzard looked at my account they saw that guy and dealt with it.

@TentPole: @TentPole said:

Suggesting mandatory authenticators is extremely naive and idiotic on Patrick's part.

How is asking Blizzard a question about authenticators suggesting anything? Blizzard came out and said authenticators are the best security. All I see Patrick doing is trying to get Blizzard on the record about why they don't require them. To me that is just by-the-book reporting.

I didn't even know about the free smartphone apps until after I got hacked. Even if Blizz dosen't require them they could bring them up during the install and make users who choose not to have them click through a big ass warning.

@l3illyl3ob: This is good advice. It's advice that I have given other people. Until this happened, I thought I was following it myself but this whole thing is making me re-evaluate.

@TehBuLL said:

@greedycheese what part of Blizzard saying the SessionID theory is impossible is hard to believe? I would instead start thinking of any emails you've clicked or install files downloaded from non-blizzard sites. Hell these days clicking on random wiki sites is a death wish. I'm only talking all this jazz until my stuff gets stolen, then I'll be just as pissed. I'm just glad my hackers are nice enough to wait until the Real money auction house is up.

I don't think I ever said that... I have no problem with Blizzard's response to this so far other than the 48 minute wait on hold when I called them to sort this out. But I have worked in a call center before, so I certainly don't blame those dudes. I haven't seen any real evidence to support the SessionID theory.

My problem is this: I think that the shouting match between the Pro-SessionID people and those asking for evidence has gotten so loud and toxic that it has become hard to understand what is actually going on. My experience getting compromised makes me feel that there might be something going on that is different from the run-of-the-mill keylogging/phishing scams.

Something that falls between the extremes of "If you get hacked it's your damn fault" and "If I get hacked it is all Blizzard's fault."

@l3illyl3ob: I get that they could kick me off. My question is why couldn't I kick them back off? Did they change my password superfast? Is it possible that they could change my password before they logged in to D3?

As for virus scans, I am running OSX and do not have flash or java installed. As far as I know the only current vulnerabilities are trojans. I know that there will be OSX exploits eventually. There is no such thing as a 100% safe OS. It just seems highly unlikely to me that its the case right now.

@ThatPrimeGuy: I don't think so. They have free smartphone apps, a sms service and they sell the authenticator for 6 bucks which has to be close to cost. Not exactly an enviable revenue stream...

@Alorithin: I don't know what to say, man. It's the internet and I can't prove anything. I know it sounds unlikely that's why I want someone to help me figure this out. One second I was playing with two friends, then poof.

It's not that big of a deal. I didn't even have much gold, only lost 40K.

I just want to know what I can do to keep it from happening again. (I immediately got an authenticator after this.)

I was one of the people that had his account compromised. I was not using an authenticator at the time and I was playing on the mac. (Not implying that OSX is somehow hackproof, just giving a data point)

The thing that was odd was that I was playing the game at the time. I got booted with an error message that said that my account was already connected. Then I was unable to log back in.

So my question is: What traditional method can work while I am logged in? If they just got my password through traditional means why couldn't I log back in and kick them out?