  1. #81
    Quote Originally Posted by Gourmandises View Post
    Not that authenticators would have helped... they're easily hackable as well
    Yes, Genius. And I'll bet that's why banks use the exact same Vasco Security to protect the funds of millions.
    ---Veritas Aequitas:Truth is Justice---

  2. #82
    Quote Originally Posted by Ryme View Post
    All of the data that was stolen is accessible remotely? I would have thought that information of this level would have been stored on an internal network.
    Not possible. The game needs access to all stolen information in order for you to log in. Therefore it can be accessed from the outside.

  3. #83
    It seems that the authenticators will in fact be useless if you had a mobile one.
    Blizzard states it here

    Why not immediately revoke the mobile authenticators?
    Similar to the decision surrounding secret question and answer, we still believe that keeping mobile authenticators active provides a layer of security against unauthorized users who don't have access to the compromised data. In fact, the mobile authenticator information by itself won't grant access to a Battle.net account -- that still requires the actual password as well. We are working quickly to deploy new mobile authenticator software and will notify players to update as soon as it's available.
    This means if they unencrypt the passwords, and then use a legitimate 3rd party authenticator like Winauth, they could plug in the serial number of your Auth and gain access. Simple as that after they break the encryption to the passwords.

  4. #84
    Posted by reemi
    Think I'll just report my mastercard as stolen, and I'll get a new one!

  5. #85
    Posted by Jess Day
    Quote Originally Posted by Ryme View Post
    All of the data that was stolen is accessible remotely? I would have thought that information of this level would have been stored on an internal network.
    For that network to allow you to login it has to have some remote access capability. How do you expect to be able to use your password to login if the server can't access your password to validate it?

    They can't do more than they are doing. All data has to be read at some point so it needs to be readable some way or another. It's encrypted as well as it can be to still be usable. However, someone has to write the encryption in the first place; and if one person can write it, someone else can crack it.

    That's just how it is.

  6. #86
    Grats us, world first!
    Well yes, they only got EU e-mails..

    Sorry, I had to.

    On the other hand, well, it can happen. Sony was/is not a small company and it happened to them too.
    Blizz makes a ton of cash, normal that they are being attacked too.
    First time they had a problem of this kind in 7 years? I don't see a big problem, they got my mail, so what?
    I can change my pw, my secret questions and everything, no big deal ^^

  7. #87
    Well, considering how many people were bashing when it happened to Rift... usually with "would never happen to WoW", well... I knew it then but perhaps you all now know that it could happen to anyone :P

    Should EU battlenet accounts change their emails? Even though I'm not playing anymore, why hand out characters for free :P
    Your lord is under attack! Your lord is under attack!

  8. #88
    Blizzard is a massive company, so things like this can happen. There's no point in whining about it. Every large company has problems like this once in a blue moon. But at least Blizzard is informing us asap and telling everyone exactly what to do and what they're going to be doing. That's always a good sign.

  9. #89
    Posted by Jess Day
    Quote Originally Posted by Kaeh View Post
    It seems that the authenticators will in fact be useless if you had a mobile one.
    Blizzard states it here



    This means if they unencrypt the passwords, and then use a legitimate 3rd party authenticator like Winauth, they could plug in the serial number of your Auth and gain access. Simple as that after they break the encryption to the passwords.
    By the time they've unencrypted it the software update will be out and make it all a null point anyway.

    There is a reason banks use the same system. It takes ages to crack and by the time it is the breach has been detected and a fix applied. Breaches will obviously happen, they'll just very very rarely involve anything useful being obtained before it's been made useless by updates.

  10. #90
    Quote Originally Posted by lordcalin View Post
    for those asking / saying the authenticators can't be compromised, blizz already said in the FAQ section they were, all it takes is knowing the mobile authenticator serial number which is why / how windows desktop authenticators exist even tho blizz never wrote them. And the hackers got em, so yeah, in this instance, authenticators mean shit.
    Don't waste your breath. I've been trying to explain that to people for years now and they still don't listen. They just spout the same old same old about banks using them and that they are infallible etc. etc. The system Blizzard uses and the system the banks use are two different beasts. Last company I worked for I installed an RSA authentication system. The mobile device apps do not use a simple serial number to sync them with the main server unlike Blizzard. If I have your Bnet authenticator serial number, I pretty much have your authenticator.

    This was bound to happen at some point.

  11. #91
    I'm actually very impressed at how the community is handling this. WoW Players seem to be generally alright with it, and accept that things like this happen. However, if you go to the Diablo III forums it's just one big pile of 'derp' over there.

    Good job, everyone. At handling this situation like adults. I'm so proud. <3

  12. #92
    Posted by Tharkkun
    Quote Originally Posted by Muezick View Post
    Authenticator doesn't mean crap if they got the serial numbers for each account (which they did) and the algorithm for the random number generator that the battle.net authenticator uses.

    With this information your authenticator will be USELESS, since they can write third party software, plug in serial numbers and just get the same code your authenticator would produce.

    basically, go unpair your authenticator, generate a new serial, re-pair it and change your password

    and then go to EVERY SINGLE WEBSITE you use your battle.net e-mail in association with that uses the same password and change all THOSE passwords too
    Says only software authenticators, aka mobile authenticators. So all it requires is an update, change the algo and it's good.

  13. #93
    Quote Originally Posted by lordcalin View Post
    that was my first thought when they mentioned hashed passwords, without case-sensitivity decrypting is not as hard as they make it out to be, the possible characters are much more limited.
    It depends. The passwords must still be hashed in a predetermined form, you can't have "foo" and "FOO" and expect them to hash to the same (which they won't). So they internally convert it before storing the hashed password. The problem is that no one else knows how they convert it, chances are they convert all passwords the same though (all upper/lower).. which would be bad as there would be a lot less combinations, also once you found out one you could more easily find out the rest (probably).

    But if they've been smart about it and based the conversion on something non-static, maybe an internal number (every X chars should be upper case) that varies for different accounts they can still maintain almost the same level of security from a hacking point of view as case sensitive passwords.
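An added illustration of the case-folding discussion in post #93, not part of any post and not Blizzard's code (the page does not say how Blizzard stores passwords): a server that lowercases the password before a salted, slow hash accepts any casing, a random per-account salt keeps identical passwords from producing identical records, and the cost of folding is a smaller search space. PBKDF2, the iteration count and all function names are assumptions chosen for the sketch.

```python
import hashlib
import hmac
import math
import os

ITERATIONS = 100_000  # assumption: illustrative work factor only


def normalize(password: str) -> str:
    """Fold case so "foo" and "FOO" are the same password to the server."""
    return password.lower()


def store(password: str) -> tuple[bytes, bytes]:
    """Return (salt, digest) for a new account; the salt is random per account."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(password).encode(), salt, ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", normalize(password).encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def bits_lost_to_case_folding(length: int) -> float:
    """Search-space reduction in bits for a letters-and-digits password:
    62 symbols per position shrink to 36 once case is ignored."""
    return length * (math.log2(62) - math.log2(36))


if __name__ == "__main__":
    # Constructed sample passwords, not real account data.
    account_a = store("Murloc2012")
    account_b = store("murloc2012")
    print("any casing verifies:", verify("MURLOC2012", *account_a))
    print("same password, different records:", account_a[1] != account_b[1])
    print("bits lost at length 8:", round(bits_lost_to_case_folding(8), 2))
```
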

  14. #94
    Quote Originally Posted by Kaelynath View Post
    I'm actually very impressed at how the community is handling this. WoW Players seem to be generally alright with it, and accept that things like this happen. However, if you go to the Diablo III forums it's just one big pile of 'derp' over there.

    Good job, everyone. At handling this situation like adults. I'm so proud. <3
    Maybe that has to do with the fact that REAL MONEY is involved in D3 - not in WoW....

  15. #95
    Posted by Tharkkun
    Quote Originally Posted by Mormodes View Post
    Authenticators won't save your credit card numbers from being stolen
    No credit cards, billing info, personal information was stolen. So they have email addresses and an encrypted password database which will take quite some time to crack each individual password. I think Blizzard covered their ass pretty well with technology here.

    By the time they are able to start compromising accounts, forced password changes will happen. That's assuming they don't have an authenticator which means they are sol.

  16. #96
    Posted by Jess Day
    Quote Originally Posted by Jarlathe View Post
    Don't waste your breath. I've been trying to explain that to people for years now and they still don't listen. They just spout the same old same old about banks using them and that they are infallible etc. etc. The system Blizzard uses and the system the banks use are two different beasts. Last company I worked for I installed an RSA authentication system. The mobile device apps do not use a simple serial number to sync them with the main server unlike Blizzard. If I have your Bnet authenticator serial number, I pretty much have your authenticator.

    This was bound to happen at some point.
    And the problem can be fixed before anything valuable is lost. That is the point. They're not infallible, nothing is. The idea behind having encrypted passwords on the level they have is they take so long to crack the problem gets fixed before anyone loses anything.

  17. #97
    Posted by Irony
    Surprised it took this long for someone to get in. At least unlike Sony they told us right away.

  18. #98
    It's OK Bliz,

    just use the web form "i'm hacked".


    Jokes aside, the value of the email database for advertising cannot be measured, millions and maybe more, for gaming companies....


    let teh *yes, teh, spam begin.

  19. #99
    You need more than the serial number. You need the 40 character token secret, which is generated when you request a mobile authenticator and saved on the servers and your phone. The serial number alone is useless.

    Now if both of those items were indeed breached, then yes. Unlink your authenticator and generate a new one!

    In fact, I'd do it anyway. All you need to remove an authenticator from someone's account is their secret word, and the serial to the authenticator. Now, you just crack that password, and now you have their account.
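An added illustration of the serial-versus-secret point in post #99, not part of any post and not Blizzard's code: it models a standard RFC 6238 time-based authenticator (an assumption; the page does not describe Blizzard's algorithm) in which the serial only selects the server-side record and the code is derived from the shared secret. The `AuthServer` class, the serial format and the sample secrets are hypothetical.

```python
import hashlib
import hmac
import struct


def totp(secret: bytes, unix_time: int, digits: int = 8, period: int = 30) -> str:
    """RFC 6238 code: HMAC-SHA1 over the time-step counter, then truncation."""
    counter = struct.pack(">Q", unix_time // period)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class AuthServer:
    """Hypothetical server-side table mapping serial -> shared secret."""

    def __init__(self) -> None:
        self._secrets: dict[str, bytes] = {}

    def enroll(self, serial: str, secret: bytes) -> None:
        # Enrolling again replaces the old secret (unlink, then re-link).
        self._secrets[serial] = secret

    def verify(self, serial: str, code: str, now: int, drift: int = 1) -> bool:
        secret = self._secrets.get(serial)
        if secret is None:
            return False
        # Accept neighbouring time steps to tolerate clock drift.
        return any(
            hmac.compare_digest(totp(secret, now + step * 30), code)
            for step in range(-drift, drift + 1)
        )


# Constructed sample values, not real account data.
SERIAL = "XX-0000-0000-0000"
OLD_SECRET = b"12345678901234567890"  # RFC 6238 Appendix B test key
NEW_SECRET = bytes(range(20))
NOW = 1111111109


def demo() -> dict[str, bool]:
    server = AuthServer()
    server.enroll(SERIAL, OLD_SECRET)
    out = {"owner": server.verify(SERIAL, totp(OLD_SECRET, NOW), NOW)}
    # A code computed without the secret (serial used as the key) is rejected.
    out["serial_only"] = server.verify(SERIAL, totp(SERIAL.encode(), NOW), NOW)
    server.enroll(SERIAL, NEW_SECRET)  # re-link with a fresh secret
    out["old_secret_after_relink"] = server.verify(SERIAL, totp(OLD_SECRET, NOW), NOW)
    out["new_secret"] = server.verify(SERIAL, totp(NEW_SECRET, NOW), NOW)
    return out
```

In this model, re-linking with a fresh secret is what invalidates a copied record: codes from the old secret stop verifying even though the serial is unchanged.
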

  20. #100
    It can happen to the best companies in the world. In fact no one is protected or can even say they are "immune" to this.

    On the safe spot, everyone should really do what Blizzard recommends now, even if you think you are not on the affected group of people.
