  1. #41
    Man-in-the-middle proof of concept for an easy test:

    On Windows, edit your HOSTS file to redirect login.battle.net (or whichever it is) to 127.0.0.1 and you'll never connect to Blizzard; the code is never sent to them, and keys are never invalidated.

    A hacker changes 127.0.0.1 to their personal logging server, and now all your login information is sent to them directly.
    Alternatively they could do this by DNS hijacking on your TCP/IP settings and forcing all DNS resolutions to go to a server they control.
    They could also program in hijacks into their trojan to alter wow.exe I'm fairly sure.

    Man in the middle is the easy part. Once that's done all that's left is the authenticator...

    --------------------------------------------------

    So, as for authenticator keys,
    Keys are valid for a bit more than 30 seconds, I actually think they are good for 1-2 minutes, but regardless, if you enter your authenticator code 2, 3, 4 times in rapid succession you just gave them the login code, plus the 2 codes to remove your authenticator. I believe this is why they added the e-mail verification, as it does add the extra step that they must also know your e-mail address before trying this attack to succeed.

    ---------------------------------------------------

    As for "darn it i just wanna play, stop this blizzard, why do people want to hack my account"... Well the 'Market value' of our accounts, gold, and items is set by the people that buy the products.... We only have our fellow WOW players purchasing habits to blame... This is basically economics at work -- supply & demand...

    Blizzard unfortunately has a very popular game that they have to secure because economics encourages this activity.. People demand more security and they are offering it to people that want it. If you feel this extra step is too much work, that you have to do very infrequently, then so be it, you are not required to sign up for any of their services.

    I for one, have been asking them to implement IP/Sys ID checks since hacking became an issue...

    If they let people have both, a hacker would need to:

    1. Install a trojan
    2. Wait until e-mail address & password were captured (hopefully caught by anti-malware such as a password protector/keylogger finder)
    3. MIM WOW login servers
    4. Spoof your IP Address, or route their connection through a proxy close to your location
    5. Run software to spoof your system ID, which Blizzard could probably write code to obstruct easy spoofing -- such as a time-based factor altering the ID
    6. Within ~45-60 seconds of you typing them... Get a minimum of 3 logins, the last 2 being sequential...
    7. Log in to Account Management to remove your authenticator
    8. Log into your E-mail account to verify the removal
    9. Attach their own authenticator
    10. Lock you out of everything

    Of course, depending on how they go about your IP address, most of this will be in vain if the dial-in authenticator notices a problem and then declines entry without the other information -- then again, I haven't looked at the system to see if someone who gets to your account management panel can see your special codes or what not. On top of that, the number may not work outside the US (or other country, when they roll it out)... Or it may have an additional cost or step/annoyance/delay simply to log in.

    Just my thoughts on this, I support this change, I hope they allow it to be used with the other authenticators.

  2. #42
    Simca (Data Monster), joined Nov 2008, FL, United States, 10,410 posts
    @Kewi: It has been revealed that it wasn't actually a MITM attack at all, and that the Blizzard representative was incorrect. It was just a fancy injection/keylogger combination.

    The rest of your post is spot on though, and I 100% agree.

    They need to let it be used with other Authenticators... it will make hackers' jobs HELL.

  3. #43
    Quote Originally Posted by Jodah
    The dial-in authenticator says that you "may" get a call if logging in from a different location. This may just be a poor choice of words but that doesn't sound very secure to me. Also, what other criteria can trigger it? If you fail to put the password in a couple times will that trigger it? What happens if you don't have access to that particular phone for whatever reason? I know where I live my cell phone often loses signal so I wouldn't want to register that. Using my house phone would make it so I could only log in from one location.
    Changing credit card information can trigger it (mainly name/account mismatches)... Unusual IP Addresses (as in, a Class A/B/C change that you've never used before).

    As for not having access to the phone: Simply don't use the feature. It's not required, it likely never will be FORCED on you. Although if you want an alternative, Google Voice will give you a phone # that you can then route to your cell and home number, or you can call in from *any* available phone, then use that to route your call to the 1800 number -- and that is all free. You could also likely tie in GVoice to Skype or other VOIP phone numbers.
    But like physical authenticators, they just don't work if you don't have access to them/forget them/lose them.. Just like your password doesn't work if you forget it... These are just extra security steps, extra security requires extra responsibility.... generally... (though this phone-in method is a lot less responsibility and a lot easier to manage, which is why I'm glad they offer it (read: not force it))

    Wrong password multiple times: Not likely to trigger the issue, unless another flag is raised

    I am also glad that it is not mandatory. Though I do think a similar method to remove an existing authenticator would also be a good option to offer (read: not force) (Meaning, to remove a physical authenticator you must call in to an automated system)

    ---------- Post added 2010-11-09 at 11:47 PM ----------

    @Simca:
    MITM is still a possible method though ;-) and I'd *probably* throw an injection/keylogger in the MITM category anyway -- It's suppressing/altering the message to blizzard, and then the MITM resends the data you meant to send...

    But yes, technically it's more one sided as it's not fooling the blizzard server to think it's logging into the client PC -- though that would be necessary with a dial-in authenticator (to spoof IP & Sys ID)...


    But I'm not a security expert, just an IT lurker >.>

  4. #44
    Giants (The Patient), joined Sep 2010, Newyawkk, 217 posts
    This is the end to all hackers... if u use it :P!

  5. #45
    Jodah (Brewmaster), joined May 2009, Location: Hell, I don't even know half the time..., 1,331 posts
    Quote Originally Posted by Kewi
    Changing credit card information can trigger it (mainly name/account mismatches)... Unusual IP Addresses (as in, a Class A/B/C change that you've never used before).
    Yea, my biggest concern really is the use of the word "may" in their description. That is what concerns me the most. It makes it sound like there's a 50/50 chance on if this will even attempt to stop someone. I may (see what I did there?) just be fixating on the word too much though.

  6. #46
    Quote Originally Posted by Wrak
    This seems like a lot of work just to play a game...
    It's a lot of work, sure, but people can never be too secure.

  7. #47
    I scanned through the FAQ, but didn't see the only 2 questions I had about the system (Admittedly I'm burnt from just banging my head against some ICC hardmodes, so I may have missed it...)

    1) Does the new dialup authenticator give you a corehound?
    2) Does the new dialup authenticator count for guild ranks requiring an authenticator?

    I have one of the key fobs, so it's not a concern for me currently, but it would be good to know for when the battery inevitably dies.

  8. #48
    That may be, but it will also decrease a lot of the work Blizzard has to do to get the accounts back that people were stupid enough to let get hacked in the first place.

  9. #49
    Quote Originally Posted by Giants
    This is the end to all hackers... if u use it :P!
    Quite possibly. I made an elaborate reply about how IP Spoofing is very difficult in practice (requiring a very complex trojan to steal e-mail info, hijack your login attempt, and then forward spoofed login sessions back to the hacker)..

    But ultimately that dial-in authenticator can't be removed by a hacker, as it requires a phone call to remove... and the hacker never gets your PIN -- they can only hijack the one-time login key if they can 'fake' the invalid login request/attempt..
    But I still think both systems would be better -- Requiring a phone call to remove an authenticator, as well as IP/sys ID checking on logins also requiring an authenticator
    btw, anyone have a link to the blue post? The MMO blue tracker seems to be dead.

    ---------- Post added 2010-11-10 at 12:17 AM ----------

    Quote Originally Posted by prankstar
    That may be, but it will also decrease a lot of the work Blizzard has to do to get the accounts back that people were stupid enough to let get hacked in the first place.
    Intelligent people can get hacked.

    There are dozens of zero-day exploits on the internet that even smart people *can* occasionally become victim to, such as an Adobe Flash vulnerability on a site like MMO-Champion or Wowhead or MainTankadin or Curse which encourage the disabling of protections (e.g. javascript) in order to use their website, thus also loading a trojan advertisement and compromising their system

    As intelligent people cannot 'secure' closed source programs that require the company to release a patch, everyone is 'vulnerable' at times, especially if AV/firewall rules are not designed to handle how the trojan works.

    And to say you never load Wowhead, MMO, Curse, WoWWiki, WoWInterface, WowAce, or any other JavaScript-using website, without allowing JavaScript or seeing a Flash banner slip through security, is really more of a lesson in paranoia than in intelligence ;-) and props to you.
