New wave of hacks

[Deleted]

The hackers are bypassing the authenticators. When will people stop suggesting this shit when it's not helping a single bit ?


THEY ARE BYPASSING THE AUTHENTICATORS in some cases. Not all of the ones that got hacked had an authenticator, but some did and even they got hacked.


I havent joined a single public game since I read about this on diablofans.


Also, The game has just been released and theres already this much accounts being compromised ? Coincidence? I think not.

[Repefe]

Wasn't it 6 Euro? That's how much it was last year, price might have gone up I guess.

I also can't imagine a lot of phones not supporting the mobile authenticator. My phone is an ancient piece of shit, and it supports it. I don't have the free one available to iPhones etc, but I think mine cost like 50 cents to download into my phone.

http://eu.blizzard.com/store/search.xml?q=Authenticator It's 10 euros now. The mobile authenticator I don't know ... I have E72 with symbian and can't find an authenticator for it.

[Deleted]

So does this mean that if I login to my D3 acc from different IP it will be locked till I do a password reset ?

I know it does for WoW O.o but since the games have an unified login I can imagine it should work for every one of them.

[Deleted]

Apparently it is easier to nerdrage and blame somebody else. Every topic on this issue goes through the same loops. Expect "The authenticator should be free" demands soon.

If i was to ever get hacked, it is always 100% somebody elses fault, unless i hack myself ofc.


To suggest anything otherwise is folly.


The fact that i could have better prevented somebody else from hacking me is irrelevant. It is still 100% the fault of somebody elses actions.


I fixed the page btw, and extremely interesting that i now have the knowledge of how to screw MMO Champion forum boards up completely

---------- Post added 2012-06-01 at 11:09 AM ----------

The hackers are bypassing the authenticators. When will people stop suggesting this shit when it's not helping a single bit ?


THEY ARE BYPASSING THE AUTHENTICATORS in some cases. Not all of the ones that got hacked had an authenticator, but some did and even they got hacked.

Bypassing authenticators is as easy as -

1) Key Logging Authenticator keystrokes
2) Preventing legitimate user from logging on
3) Use the keystrokes to hack log on


The theory of it is as simple as 1,2,3.

[Repefe]

I fixed the page btw, and extremely interesting that i now have the knowledge of how to screw MMO Champion forum boards up completely

Damn you I want that knowledge. Something with list b i quote ... I will find out eventually !!!

[Keosen]

I do not concern myself with responses from companies, unless those companies have no reason to possibly safe skin. In this case Blizzard has quite a few reasons to downplay any possible breach, hence I'm staying on my side and not on Blizzards or protestors. Any PR department would do the same as Blizzard did. If EA said it, no one would believe it. I have no real reason to mistrust Blizzard, but I don't have any reason to trust them either.

Hence, I'm just stating from a hypothetical view.

Obviously, many of the hacked accounts should normally be due to bad user/personal security, perhaps even all, but that's no reason to assume that Blizzard is somehow infallible.

When there was a MiM attack that bypassing the authenticators didn't Blizzard instantly respond and verify it?
Why they didn't keep it hidden?
I mean there is simply no way to hide a massive secutiry hole, EA couldn't do it, SONY couldn't do it, Steam couldn't do it, why Blizzard can?

The hackers are bypassing the authenticators. When will people stop suggesting this shit when it's not helping a single bit ?

I have an authenticator i'm not hacked thus you just saying bullshits.
Does it make sense?

I havent joined a single public game since I read about this on diablofans.

I'm playing Public games since day 1 i haven't been hacked.
Does it make sense?

THEY ARE BYPASSING THE AUTHENTICATORS in some cases. Not all of the ones that got hacked had an authenticator, but some did and even they got hacked.

Do you actually have a proof of that?
Do you know what a proof is?
And no a random guy lying instead of admitting that he tried to cheat is not valid.

Also, The game has just been released and theres already this much accounts being compromised ? Coincidence? I think not.

Not it's not a coincidence it's statistic fact, more accounts, more people, more compromised accounts, it's called common sense.

[Deleted]

Bypassing authenticators is as easy as -

1) Key Logging Authenticator keystrokes
2) Preventing legitimate user from logging on
3) Use the keystrokes to hack log on


The theory of it is as simple as 1,2,3.

and all of this in 30 seconds.

[Vespian]

and all of this in 30 seconds.

Actually, the duration/window in which you can use the code is about 2 minutes. That said, most of this process is automatic and scripted, so it will not take more than 3 seconds + latency to complete the action.

When there was a MiM attack that bypassing the authenticators didn't Blizzard instantly respond and verify it?
Why they didn't keep it hidden?
I mean there is simply no way to hide a massive secutiry hole, EA couldn't do it, SONY couldn't do it, Steam couldn't do it, why Blizzard can?

A MiM attack is still client side. Hence no breaches on the part of Blizzard. And perhaps Blizzard isn't hiding anything, perhaps they simply do not know. Or perhaps they keep it under wraps until they solved it.

For the record, many companies that get hacked, do not publicly announce it until many months later. Even though they're legally forced to report it, they only have to report it when they have verified it. In other words, any company that expresses that "no indication of hacks has been found" could be lying through their teeth, but it would exempt them from such a law.

[Keosen]

Bypassing authenticators is as easy as -

1) Key Logging Authenticator keystrokes
2) Preventing legitimate user from logging on
3) Use the keystrokes to hack log on


The theory of it is as simple as 1,2,3.

/facedesk

Physically stealing your password right now is as easy as
1) Find you IP
2) Through your ISP find your home address
3) Get in a train, airplane ,ship, helicopter
4) Break into your house
5) Use ninja skills to get behind you without noticing me
6) Write down your password while you typing it
7) Vanish

The theory of it is as simple as 1,2,3,4,5,6,7.

/facedesk again

[Deleted]

Actually, the duration/window in which you can use the code is about 2 minutes. That said, most of this process is automatic and scripted, so it will not take more than 3 seconds + latency to complete the action.



A MiM attack is still client side. Hence no breaches on the part of Blizzard.

Ehm NO.


The code can be used within the 30 seconds not more. Unless they have a fix themselves for this.

I have a android phone with the authenticator in, All codes I've used after the timelimit has passed, never worked so i had to type in the new one.

[IxilaFA]

If i was to ever get hacked, it is always 100% somebody elses fault, unless i hack myself ofc.


To suggest anything otherwise is folly.


The fact that i could have better prevented somebody else from hacking me is irrelevant. It is still 100% the fault of somebody elses actions.

Actually, it's not completely their fault. Sure they initiated the action that caused the hack, but they wouldn't have been able to initiate it if you hadn't left the door open for them. It's like a burglar breaking into your house. If you use all of the precautions you can, it's 100% the fault of the burglar for actually deciding to break in. However, if you leave the door open, they are still the ones who decided to rob your house, but you're also at fault for leaving the door wide open.

Same thing with at fault accidents. Unless you believe that everyone who was in an accident and was declared not at fault did everything right. For example, I was in a "not at-fault" collision with a bicyclist who was illegally crossing the street. Sure it wasn't entirely my fault, but I still should've been aware of my surroundings and maybe the accident would have never occurred. (She was OK, by the way)

Bypassing authenticators is as easy as -

1) Key Logging Authenticator keystrokes
2) Preventing legitimate user from logging on
3) Use the keystrokes to hack log on


The theory of it is as simple as 1,2,3.

Is it that easy? Because getting a virus that is capable of intercepting internet data onto a system is not as easy as getting a keylogger on there. If somebody is stupid enough to let their computer get that messed up, it's their fault and they should quit the internet forever.

Actually, the duration/window in which you can use the code is about 2 minutes. That said, most of this process is automatic and scripted, so it will not take more than 3 seconds + latency to complete the action.

Each code is valid for 2 minutes. That doesn't mean from the moment you pressed your authenticator, since the login server has no idea when you actually push the button. A new one is cycled in every 30 seconds on your authenticator, however, IIRC. I've had instances where I pushed my button, typed in my code, and it was already invalid because I waited too long. When I was using a mobile authenticator, I used to wait until the last possible moment to enter the code (when the bar was almost full), to minimize the risk.

What I'm saying is, a code may be valid for 2 minutes, but it's not necessarily the code that a MiM attack might get. The code they might get could have 5 seconds left on it, for all they know.

[cFortyfive]

are you sure its not just ah lag? the pics also dont prove anything.

Don't know or care about hacks but respective pages have been promoting easy duping methods since basically release. I didn't try any of them on my own account because they seemed rather easy to trace back but they definitely worked.

[Vespian]

The code can be used within the 30 seconds not more. Unless they have a fix themselves for this.

Try it. I did. (Besides the point though, it doesn't really matter as long as it's more than 10 seconds).

[IxilaFA]

Don't know or care about hacks but respective pages have been promoting easy duping methods since basically release. I didn't try any of them on my own account because they seemed rather easy to trace back but they definitely worked.

Explain how duping is possible when all data is stored server-side. Please, I'd love to hear it.

[Keosen]

Explain how duping is possible when all data is stored server-side. Please, I'd love to hear it.

Are you really expecting a technical answer from people who barely know what server/client-side programming means?

[IxilaFA]

Are you really expecting a technical answer from people who barely know what server/client-side programming means?

No, but it's humorous to see them attempt an answer.

It's the same type of people who insist that there will be private servers and hacks and dupes for D3 eventually, it just requires time for the hackers to develop the code...Right...

[Howard Moon]

Another suggestion: install NoScript on your internet browser. Takes some getting used to, but it provides an additional, solid layer of security against shady websites (not that I.. ahem.. frequent any of them he he).

[maky13]

The hackers are bypassing the authenticators.

Wrong. Blizzard specifically said that no D3 accounts with authenticator have been hacked. Do you have any proof to claim otherwise, or?

Bypassing authenticators is as easy as -

1) Key Logging Authenticator keystrokes
2) Preventing legitimate user from logging on
3) Use the keystrokes to hack log on

And yet, it`s very hard, because it has to be done real-time. That thing alone makes it a lot more complicated, and also not worth it for the hackers. They only access the accounts when they have actual customers. The sticky on this section - http://www.mmo-champion.com/threads/...s-and-security - explain this aspect in more detail.

Bottom line: get an authenticator, you won`t get hacked.

[Vespian]

No, but it's humorous to see them attempt an answer.

It's the same type of people who insist that there will be private servers and hacks and dupes for D3 eventually, it just requires time for the hackers to develop the code...Right...

It's extremely humorous to suggest that there won't be. Any fool knows that there are private WoW server. Any fool understands that the principle remains the same.

And yet, it`s very hard, because it has to be done real-time. That thing alone makes it a lot more complicated, and also not worth it for the hackers.

Explain please? It's no harder than a simple key logger, it just has more functionality (sending the user client to a fake server, while automating a log-in process on the actual server from their own clients).
- Very tiresome, having to correct "technical people" that don't understand technology.

[Cairhiin]

The hackers are bypassing the authenticators. When will people stop suggesting this shit when it's not helping a single bit ?


THEY ARE BYPASSING THE AUTHENTICATORS in some cases. Not all of the ones that got hacked had an authenticator, but some did and even they got hacked.


I havent joined a single public game since I read about this on diablofans.


Also, The game has just been released and theres already this much accounts being compromised ? Coincidence? I think not.

It's probably more logical to assume that there's a new hacking spree because people are using illegal third party websites to buy gold.