  1. #1

    Authenticator increased security idea.

    It's pretty simple, Blizzard has likely already thought of it. How about once you are logged in while using an authenticator it locks your account login so you cannot be disconnected by someone else trying to connect to your account, and the same thing for the battle.net account. Basically have a message pop up saying the account is in use and locked for the time being. I am pretty sure they can do this easily. That way it cock blocks assholes trying to intercept your one time password to login.

  2. #2

    Re: Authenticator increased security idea.

    Does nothing for the current vulnerability. You misunderstood how the circumventing of authenticator works.

    Best thing Blizzard can do is making their login process secure again. It was cracked years ago by the writers of unofficial WoW server software. Using reliable and well-known techniques such as public key encryption and/or SSH tunneling during the login process would eliminate the current vulnerability and all hacks that attack the same weakness. Also it would kill off all unofficial servers from getting new patches.
    Never going to log into this garbage forum again as long as calling obvious troll obvious troll is the easiest way to get banned.
    Trolling should be.

  3. #3

    Re: Authenticator increased security idea.

    It's a man-in-the-middle attack, is what they've said on the WoW forums. The virus takes the real authenticator code, sends a wrong one to Blizzard, so it'll tell them you've entered the wrong code when the virus has the real one. You won't be the first to log on, that's the problem.

  4. #4

    Re: Authenticator increased security idea.

    The recent authenticator hack is done with a man-in-the-middle attack. When you try to log on the attacker intercepts your data package and sends it to Blizzard's server. This makes the server believe that the attacker is the originator of the package. Using your idea means the account is now locked to the attacker, making it even more difficult to recover your account.

    On wow.com people are suggesting that the WoW client should send your own IP address like login information so the server can check if the package IP address matches your client IP address. This idea is also flawed because many of us are using a router to connect to the internet, which means our computer has a different IP address than our router. What Blizzard's server sees in this scenario is the router IP address in the package header and the computer IP address in the payload. It would result in a lockout.

  5. #5

    Re: Authenticator increased security idea.

    There still has to be some way to do it and make it impenetrable.

  6. #6

    Re: Authenticator increased security idea.

    Quote Originally Posted by Unholyground
    There still has to be some way to do it and make it impenetrable.
    People should stop clicking on every link they see...

  7. #7

    Re: Authenticator increased security idea.

    Quote Originally Posted by Kabbalah
    People should stop clicking on every link they see...
    As true as this may be. I personally don't have any problems with security as of yet. There are a lot of people that just don't have the time or yearn to learn about internet security for one reason or another and it tends to be people of an older demographic and people who hang around on the shadier side of the internet. As far as security is concerned tho Blizzard could think of something even further to protect us, they waste so much time, money and effort on restoring hacked shit you'd think they would learn by now.

  8. #8

    Re: Authenticator increased security idea.

    1) Get real virus scanning software (Norton works fine).

    2) Don't use Internet Explorer (ActiveX controls are what automatically downloads viruses most times).

    3) Don't download anything from sites you don't trust, including torrents.

    4) Be like me and play WoW for 4.5 years without an authenticator and never get keylogged.


    I've been doing this long before authenticators existed, and a little common sense can go a long ways.
    Alt-aholics Anonymous member since 2005.

    http://us.battle.net/wow/en/characte...totemic/simple
    85 Restoration Shaman, Elemental off-spec.

  9. #9

    Re: Authenticator increased security idea.

    Computer- and Internet security is a huge field, and Blizzard is not capable of simply inventing a solution that makes online services hack-proof. Don't you think such a solution would have been implemented by Internet banks by now if it was that easy (most of these use the same, or very similar, solution as World of Warcraft does today)?

    There are some solutions that may be more secure, and I have mentioned one such technology in the thread in the News forum (http://www.mmo-champion.com/news-2/a...33/#msg2241433) called ZTIC. But the Internet is not likely to be 100% hack proof, ever! And as long as there are humans in front of the screen, we're even further away from the 100% secure Internet. Almost everything can be hacked, one way or another.

    So no, there is no easy way to make your account impenetrable - the hackers are smart guys!

  10. #10

    Re: Authenticator increased security idea.

    The way a MIM works is the virus monitors your outgoing information, intercepts it, redirects it to another computer on a different network, that computer stores the information then redirects false information to the intended target FROM you. The second the stored information is saved, the second computer system attempts to log in to the Blizzard website and change the account password via form filling application. It is VERY fast, they can log in and change your information before you get your stuff typed in a second time, the server will then do a refresh with your new information, and they have your account. Your second password fails and you cry WTF.

    Be careful, MIMs can also add download requests to put more keyloggers or even the pieces of some really nasty large viruses and assemble them on next system idle. Though this is not what most hackers would want to do, as they don't want your system failing or crashing due to nasty O/S kill viruses preventing you from using your passwords and credit cards, which are what these guys are really after.


    MIM attacks are fairly short lived because they are more easily logged and traced, but with a zero day attack, they might get 2000-2500 people before they get nailed. 5-10000 if they're very lucky.

    The defense is still the same, clean your system. Stay away from dodgy sites. There is also some ad blocking software out there that can prevent some ad-based attacks. Use an authenticator. If you've got the money, then there's a neat way to do things. Surf the web on one computer. Use another for your sensitive games/bill paying. This is what I do, I surf the web on my less secure, not so great computer. I play games and online bank on my more secure gaming machine. This means problems from dodgy sites have a VERY VERY slim chance of spilling over to other machines.

    No defense is impenetrable. Well no, I'm wrong. Machines that are not connected to the internet very very rarely get viruses. The strongest defense is no power to the device. There is no attack that can bypass OFF.
    Quite often, the difference between an idiot and a genius is simply a matter of success rate.

  11. #11

    Re: Authenticator increased security idea.

    Quote Originally Posted by Unholyground
    As far as security is concerned tho Blizzard could think of something even further to protect us, they waste so much time, money and effort on restoring hacked shit you'd think they would learn by now.
    Which means that the situation is far harder to solve than you can imagine. Blizzard has likely poured tens of thousands of hours into trying to find a solution to the issue of account security. If you thought of an idea like the one you posted in a couple of minutes, chances are good Blizzard thought of it in 2005 and dismissed the concept.

    There used to be an issue with games like SC and WC3 where the log in information would be matched with your cd key. If someone randomly got the same cd key as you, either by stealing it from the box at Walmart or through a key crack they downloaded off the internet, you were essentially screwed. When you went to log on battle.net to play it would give you a message telling you that your cd key is already in use. The resolution for the problem was to send your original cd case with the key printed on it to Blizzard so they could investigate and send you a new cd key. The execution in WoW would be slightly different since you use account names and not cd keys for the game, but the same issue would result. Man in the middle schemes or just people getting your account info could essentially lock you out of the game completely while they did anything they wanted.

  12. #12

    Re: Authenticator increased security idea.

    Quote Originally Posted by Whoopsa
    1) Get real virus scanning software (Norton works fine).

    2) Don't use Internet Explorer (ActiveX controls are what automatically downloads viruses most times).

    3) Don't download anything from sites you don't trust, including torrents.

    4) Be like me and play WoW for 4.5 years without an authenticator and never get keylogged.


    I've been doing this long before authenticators existed, and a little common sense can go a long ways.
    You just told the whole world I'm next come get me. NO VIRUS SCANNER WILL CATCH ZERO DAY ATTACKS. They're called zero day because nobody knows about them except the author. You are at many times the risk of someone using the authenticator, no matter what security you've put in place. Don't get cocky because you haven't been hit. Hell for all we know you have been hit and they just didn't find anything worth using.
    Quite often, the difference between an idiot and a genius is simply a matter of success rate.

  13. #13

    Re: Authenticator increased security idea.

    While Blizzard could make our accounts more safe, they can't make it failsafe. Everything Blizzard may come up with can be circumvented by hackers.
    As you said lots of people don't have time to learn about internet security. That's why every attack so far was directed at their personal computer, neither the server nor the WoW client. Blizzard can't control how you handle your computer and as long as those people don't learn they'll be prone to attacks.

  14. #14

    Re: Authenticator increased security idea.

    Quote Originally Posted by Kabbalah
    While Blizzard could make our accounts more safe, they can't make it failsafe. Everything Blizzard may come up with can be circumvented by hackers.
    As you said lots of people don't have time to learn about internet security. That's why every attack so far was directed at their personal computer, neither the server nor the WoW client. Blizzard can't control how you handle your computer and as long as those people don't learn they'll be prone to attacks.
    This is true. Operating systems are one of the problems too.

    Anyone who mentioned Norton as an anti virus should uninstall it now. Mainstream virus scanners are what hackers target not the free to download much better ones which actually find way more viruses than Norton can. So try never to use a mainstream scanner.

  15. #15

    Re: Authenticator increased security idea.

    Quote Originally Posted by Gilgemesh
    NO VIRUS SCANNER WILL CATCH ZERO DAY ATTACKS.
    Not true. Virus scanners don't just check for known virus patterns these days, they use heuristics to check for "sketchy behavior" that can indicate virus-like behavior. Referencing memory in other applications, obfuscated calls, and in this case interception of another application's communication would be picked up by a scanner and flagged as an issue. This is without having specific knowledge of the particular program.

    In this particular case the Trojan was built on a base which is common to several different malicious programs. Virus scanners were easily able to detect it instantly upon release, so they really can be helpful. That being said, having an authenticator greatly reduces your chances of being hacked and is a good idea.

  16. #16

    Re: Authenticator increased security idea.

    Quote Originally Posted by Whoopsa
    1) Get real virus scanning software (Norton works fine).

    2) Don't use Internet Explorer (ActiveX controls are what automatically downloads viruses most times).

    3) Don't download anything from sites you don't trust, including torrents.

    4) Be like me and play WoW for 4.5 years without an authenticator and never get keylogged.


    I've been doing this long before authenticators existed, and a little common sense can go a long ways.

    You're taking good precautions, but get off your soapbox because you're missing:

    5) Nobody has decided to hack my account yet and I'm somewhat arrogant about it.

    Not all viruses come from shady websites or malicious torrents, sometimes you can be infected through vulnerabilities in legitimate software. I just hate the self righteous attitude people get when talking about people who have been hacked. I've never been hacked, and I've never been hit by a meteorite, but I don't delude myself to believe I'm not susceptible to either one.

    The best solution is vesseblah's ... make the login process secure again. Once they crack it, change it up yet again.

  17. #17

    Re: Authenticator increased security idea.

    Quote Originally Posted by Phage0070
    Not true. Virus scanners don't just check for known virus patterns these days, they use heuristics to check for "sketchy behavior" that can indicate virus-like behavior. Referencing memory in other applications, obfuscated calls, and in this case interception of another application's communication would be picked up by a scanner and flagged as an issue. This is without having specific knowledge of the particular program.

    In this particular case the Trojan was built on a base which is common to several different malicious programs. Virus scanners were easily able to detect it instantly upon release, so they really can be helpful. That being said, having an authenticator greatly reduces your chances of being hacked and is a good idea.
    True he was being a bit too specific ...

    THERE ARE VIRUSES NO VIRUS SCANNER WILL CATCH

    Better?

  18. #18

    Re: Authenticator increased security idea.

    It's impossible to make impenetrable. You can make it hard/harder, but not a perfect defense.

    Bliz likely has been investing money in this. Money isn't the end all; just because you have money doesn't mean instant answers to problems, be patient.

    It's not too hard to avoid getting the virus, just avoid questionable sites and make sure you avoid sites with a lot of ads/popups.
    Quote Originally Posted by Imnick View Post
    I [opinion] [cataclysm feature] and you should to. Anything who disagrees with me that [cataclysm feature] is [opinion] is a big [insult].
    I asked all of my friends and they all agreed with me that [cataclysm feature] is as [opinion] as it is possible to be.
    Blizzard are so [opinion], what [compliment/insult]s they all are!

    There, now we can stop posting new topics in the Cataclysm forum altogether.
    And if you disagree with me you're an [insult].

  19. #19

    Re: Authenticator increased security idea.

    Direct G3 network connection to the authenticator server could work. Some way to remove the middle man vulnerability, that way they would be forced to hack the actual Blizzard servers.

  20. #20

    Re: Authenticator increased security idea.

    Quote Originally Posted by wooshiewoo


    Reducing the authenticator code active time window does actually totally break the man in the middle type hack.

    If someone wanted to hack the authenticator security again after this change would be made, it would be close to impossible to hack.
    "It's impossible to make impenetrable. You can make it hard/harder, but not a perfect defense."
    Quote Originally Posted by Imnick View Post
    I [opinion] [cataclysm feature] and you should to. Anything who disagrees with me that [cataclysm feature] is [opinion] is a big [insult].
    I asked all of my friends and they all agreed with me that [cataclysm feature] is as [opinion] as it is possible to be.
    Blizzard are so [opinion], what [compliment/insult]s they all are!

    There, now we can stop posting new topics in the Cataclysm forum altogether.
    And if you disagree with me you're an [insult].
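
The time-window idea quoted in post #20, as an added example that is not from the thread and is not Blizzard's algorithm: it uses RFC 6238 TOTP as a stand-in, with an assumed 30-second step and a constructed secret, to show how the server's accept window bounds how long a generated code stays valid.

```python
import hashlib
import hmac
import struct

STEP = 30                             # seconds per code (assumed value)
SECRET = b"constructed-demo-secret"   # constructed sample key
T0 = 1_000_000_020                    # constructed Unix time, start of a step


def totp(secret, t, step=STEP, digits=6):
    """RFC 6238 code for Unix time t (HMAC-SHA1, dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret, code, now, drift_steps):
    """Server side: accept the current step plus drift_steps either side."""
    return any(
        hmac.compare_digest(totp(secret, now + k * STEP), code)
        for k in range(-drift_steps, drift_steps + 1)
    )


def accepted_after(secret, issued_at, delay, drift_steps):
    """Is a code generated at issued_at still accepted `delay` seconds later?"""
    return verify(secret, totp(secret, issued_at), issued_at + delay, drift_steps)


def lifetime(secret, issued_at, drift_steps, limit=600):
    """First delay (seconds) at which the code is rejected."""
    return next(d for d in range(limit)
                if not accepted_after(secret, issued_at, d, drift_steps))


if __name__ == "__main__":
    for drift in (1, 0):
        print(f"drift_steps={drift}: code usable for "
              f"{lifetime(SECRET, T0, drift)} s, accepted after a 2 s delay: "
              f"{accepted_after(SECRET, T0, 2, drift)}")
```

Tightening `drift_steps` shortens the lifetime but also rejects tokens whose clocks have drifted, and a submission that arrives within a few seconds falls inside either window.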
