Possible RMAH loophole?

[Useful]

My personal opinion is that Blizzard should require RMAH players to link a Battlenet Authenticatior to the account.

this. couldnot agree more! include free Authenticatior in game package and problem solved =)

[Alhoon]

An authenticator is NOT a guarantee that you will not be hacked. Just as anti-virus software is NOT a guarantee that you will never get a virus. It's just REALLY secure, but people with authenticators can and do get hacked. It's just harder.

Technically, only ways of getting hacked with authenticator is by someone hacking Blizzard servers, and there's absolutely nothing you can do with that. Other way is that you have a specific keylogger trojan on your computer that steals your authentication code as you type it and uses it simultaneously. It's possible and those kind of software are around, but it only happens if your own computer is infected. If you have an anti-virus software installed and updated, it's safe to say the latter will never happen. Then again, if you deal with any real money transactions on your computer and don't have an anti-virus software, someone hacking your battle.net account is the least of your worries.

[Orange Joe]

Read up. People with authenticators can, and do, get hacked. Not that it isn't a good idea to have one, but it's not 100% safe.

I fully agree with your second recommendation though.

you got word of mouth on 1 person i have yet to hear of 1 true case were someone got hacked while having an active autenticator on their account

and your story isn't sounding right if your officer DID get hacked he/she could have made a ticket along along with the gm and got the money back

[Yoshimiko]

No offense..but when has WoW ever been "Hacked"?

Hacking is a felony(a rather severe one at that), The silly stuff you see in game is usually just exploiting, or packet sending/altering. The difference between hacking and the stuff you see in game is like the difference of Jaywalking and Serial killing. They aren't even in the same ball park.

As for how this would be handled - It's the exact same as someone whose Debt Card gets stolen. Only this would probably never happen since you need to do it from the IP the original account holder uses. I'm sure their'll be a lot of fail safes since we're dealing with real money - that only the biggest idiot could screw up.

IE Theirs a way for your acct to be compromised with the authenticater but it's incredibly difficult. You basically have to GIVE your authenticater numbers to a fake site AND your password, then not do anything about it for 5-10 minutes. It's no different from any other phishing site for your credit card info. If you're dumb with it, you'll lose it, the end. :P

[Punks]

Hardly any is not the exact same as 'none'. Officer in my guild got hacked - she does have an Authenticator.

She lied, plain and simple. Blizz has reported that not a single person has been hacked by the methods used to steal normal non-auth accounts,

[Deleted]

She lied, plain and simple. Blizz has reported that not a single person has been hacked by the methods used to steal normal non-auth accounts,

please supply a source.
not that I don't find it plausible but I'd like a source nevertheless.

either way you might or might not have noticed this but credit card information is rarely stored accessible to a user, i.e if you look at the credit card number it usually says **** **** **** 1234 or something like that.

this is essentially "online security for dummies", i.e "do not save valuable data in plain text".

also I would like to point out that the few times an authenticator-style security has been broken it has been in a controlled environment for the sole purpose of breaking it.

without going into too much detail authenticator codes are only valid for a very short period of time.
this means that whoever is trying to hack you can't just wait for you to login, steal your code and use it tomorrow. no he has to use it on the spot or else it won't work. this time critical step is a huge issue for attack methods such as key loggers.

it is just not feasible for a hacker to waste so much effort on an authenticator-protected account.
real life example:
who'd you rather date out of two twins, the one who is all over you or the one who ignores you?

[Badmilk]

She lied, plain and simple. Blizz has reported that not a single person has been hacked by the methods used to steal normal non-auth accounts,

Actually far from the truth, They have not released such a statement because there has been people that have been hacked it was on the front page about how it works when authenticators were released.

Its called a man in the middle attack and it basically blocks the code you entered from being sent to blizzards' servers, thus giving you an error, meanwhile they use the code that went to them instead to login.

It can be done its just quite rare.

OT: personally yes i do believe that anything that is using the RMAH should have extra "defences" Someone said that you have to put funds into your Battle.net account and not actually through anything else which is a good idea tbf, but i also think there needs to be something else I just personally can't figure out what.

[Tyrianth]

How is that possible.

No system is 100% secure. The obvious solution to bypass an authenticator is to use a man-in-the-middle attack. It's an attack that entails the hackers to intercept the message on the way to blizzards auth servers.

User enters username, password
System prompts for auth code
Man-in-the-middle forces system to display an invalid code error
Hacker on the other end of the man in the middle is waiting with the correct code and promptly uses it access b.net account

[Orange Joe]

Actually far from the truth, They have not released such a statement because there has been people that have been hacked it was on the front page about how it works when authenticators were released.

Its called a man in the middle attack and it basically blocks the code you entered from being sent to blizzards' servers, thus giving you an error, meanwhile they use the code that went to them instead to login.

It can be done its just quite rare.

OT: personally yes i do believe that anything that is using the RMAH should have extra "defences" Someone said that you have to put funds into your Battle.net account and not actually through anything else which is a good idea tbf, but i also think there needs to be something else I just personally can't figure out what.

they released that statement to cover their ass if and when someone did get hit by a mitm attack
i have yet to see one real claim over someone being hacked while having an authenticator please feel free to prove me wrong


till then while i know it is possible it is very very unlikely to happen and will continue to believe no one has been hit by one

[bigfoot1291]

Like previously stated, if you have an authenticator on your account, if they don't have your authenticator, then they're not getting into your account, unless it's intercepted, and used, within 30 seconds of becoming active. Even less, due to human reaction time via typing and the code possibly not being refreshed at the exact second you look at it.

If you see yourself get disconnected within 30 seconds of logging in and get notice that your account tried to log in somewhere else besides your normal location and think "meh whatever I wont bother", then who's fault is that?