Free Authenticator: Instructions

[Moist]

OH NO, I HAVE TO PAY A FEW DOLLARS TO PROTECT MY BATTLE.NET ACCOUNT POTENTIALLY WORTH HUNDREDS TO THOUSANDS OF DOLLARS. OMGOMGOMGOMGOMG. PLZ NERF AND GIVE FOR FREE!!!!111one.

Sorry for the offensive caps post, but anyone who doesn't have an authenticator for any reason is a complete idiot, and has zero grounds for complaint in the event of being hacked in any way, shape or form.

[Deleted]

OH NO, I HAVE TO PAY A FEW DOLLARS TO PROTECT MY BATTLE.NET ACCOUNT POTENTIALLY WORTH HUNDREDS TO THOUSANDS OF DOLLARS. OMGOMGOMGOMGOMG. PLZ NERF AND GIVE FOR FREE!!!!111one.

Sorry for the offensive caps post, but anyone who doesn't have an authenticator for any reason is a complete idiot, and has zero grounds for complaint in the event of being hacked in any way, shape or form.

Ok I'm an idiot then. If you think it's totally fine to pay for a product you thought you already paid is legitimate then I' am a "complete idiot". You know, people actually stressed their budgets to actually buy d3. They sold it at 60 fuckin dollars.. Why not include an authenticator in the physical edition? We paid 60$ to get what was advertised.

I'm not saying that there are not ways around it but still Blizz here in my opinion is extremely wrong. Banks provide authenticators for free w/o even paying for shiping.

And yes claiming that not paying 5-30$ to get a physical authenticator (or 100$ for a smartphone) is stupid then you are really flexible with your cash. I for once I'm not and I don't want to be forced to buy something that no-one told me I would need it prior to release.

[Ghul]

I'll stick to not using an authenticator, thanks.

already worked out the perfect "fu blizzard, i just hot hacked and its all their fault!" -thread then? if not, you might want to start thinking up a few lines

[Bassch]

Just a bit on the "BLizz wants more money" with the Authenticator thing, the Authenticator itself is free. You pay for the shipping :>.

[Ghul]

Ok I'm an idiot then. If you think it's totally fine to pay for a product you thought you already paid is legitimate then I' am a "complete idiot". You know, people actually stressed their budgets to actually buy d3. They sold it at 60 fuckin dollars.. Why not include an authenticator in the physical edition? We paid 60$ to get what was advertised.

I'm not saying that there are not ways around it but still Blizz here in my opinion is extremely wrong. Banks provide authenticators for free w/o even paying for shiping.

And yes claiming that not paying 5-30$ to get a physical authenticator (or 100$ for a smartphone) is stupid then you are really flexible with your cash. I for once I'm not and I don't want to be forced to buy something that no-one told me I would need it prior to release.

banks work a tiny bit different than a video game brah... something along the lines of -your stored money generates money for the bank- and stuff like that :>

also: you can provide a computer thats able to run any blizzard game, a stable internet connection and still cant free up 20 bucks for an authenticator (wich is gonna last 5 years +, so basically less than 4 bucks a year) to protect your x-hundred dollar investment? are you being serious or do you take us for fools?

[lolvik]

Several things wrong with this. First of all, a full compromise does not mean that they are physically hijacking your computer. If they are, you have more serious problems than your WoW account.

This made my day.

[Moist]

Ok I'm an idiot then. If you think it's totally fine to pay for a product you thought you already paid is legitimate then I' am a "complete idiot". You know, people actually stressed their budgets to actually buy d3. They sold it at 60 fuckin dollars.. Why not include an authenticator in the physical edition? We paid 60$ to get what was advertised.

I'm not saying that there are not ways around it but still Blizz here in my opinion is extremely wrong. Banks provide authenticators for free w/o even paying for shiping.

And yes claiming that not paying 5-30$ to get a physical authenticator (or 100$ for a smartphone) is stupid then you are really flexible with your cash. I for once I'm not and I don't want to be forced to buy something that no-one told me I would need it prior to release.

I assume if you have any serious real world possessions say for example, a car/house, they are insured? Maybe even health insurance? I know for a FACT with every Blizzard title, my shelved WoW account and now my D3 account, my Battle.net account is easily worth a grand. Definitely worth the insurance of spending a few dollars on an authenticator, for the same reason as I pay a hundred a month for insurance for my sexy, sexy car. If you are smoothly sailing up the old "shit creek" and some douche steals your paddle, you are in a world of pain without it.

[lolvik]

OH NO, I HAVE TO PAY A FEW DOLLARS TO PROTECT MY BATTLE.NET ACCOUNT POTENTIALLY WORTH HUNDREDS TO THOUSANDS OF DOLLARS. OMGOMGOMGOMGOMG. PLZ NERF AND GIVE FOR FREE!!!!111one.

Hundreds of thousands?
Or not.

Your credit-card, maybe, but your account? No.

[Moist]

Hundreds of thousands?
Or not.

Your credit-card, maybe, but your account? No.

"To", not "of". As in $300 - $3000, not $300000. Comprehension and understanding is the key.

[Nerph-]

(or 100$ for a smartphone)

I know you got this from someone else, and I'm just about to go sleep so can't be bothered to go fish through the thread to find out who said it, but how is a smartphone authenticator $100? Is it the price for a smartphone thats being talked about or what? because the app itself is completely free...

[Felya]

I know you got this from someone else, and I'm just about to go sleep so can't be bothered to go fish through the thread to find out who said it, but how is a smartphone authenticator $100? Is it the price for a smartphone thats being talked about or what? because the app itself is completely free...

I am pretty sure he is saying he cannot afford a cell phone, because he stressed his budget getting the game. This being an exact reason why an authenticator is required. People using the RMAH, should not be exposed to security mistakes people with bad judgment can cause. Blizzard is willing to lose the money from these people who are willing to spend their last dime on the game, to protect everyone else.

I am sorry that blizzard being willing to lose money on those who are unwilling to get protected, so everyone else can have a safe experience, pisses you off. I am happy that blizzard is willing to sacrifice a lot of income from those without authenticators, to provide a safer experience for the rest of us.

If I were in his place, stressing a budget to get a game, I'd get a cell phone instead. I'd need to be available for all the jobs I have been applying for and a cell phone is better for that than a game. Which would be funny, because I'd have a free authenticator, but no game.

[Cactrot]

Fixed! Remember that Mr China Farmer said that keyloggers are out and haven't been effective in a long time. it's easier to hack insecure forums (lol phpbb), get massive lists of emails + passwords and use that.

Having an secure PC means nothing if you visit diablo 3 forum that uses a forum or host that is extremely insecure.

It still matters if you don't do password and/or email reuse, like you're supposed to. If someone gets my mmo champion password and e-mail, they don't get my bnet password or email. Not reusing a password is pretty basic security...

Its called extortion or coercion and is illegal, look it up. RMAH was advertised to be a part of the game and a feature on the box and should be available to all without spending anything extra. If they demand an extra payment, it is illegal and the app isn't for regular cellphones, just smart phones.

And you cant take those "oh my"'s and "oh me"'s outside. If I pay for a product I expect to get everything I paid for that was advertised with no extra charge, not get them after I buy some more extra features to make them available. Otherwise, its a scam.

And the feature is available. Wasn't airborne combat on the Wotlk box as well? Oh, and the authenticator is available for zero dollars and zero cents to anyone with a computer (that's what this thread is about), so good luck with that argument.

Don't want to pay for an authenticator? Don't. Problem solved.

I don't like that it's required for RMAH either, but your arguments hold no water whatsoever.

[Smashbolt]

Ok I'm an idiot then. If you think it's totally fine to pay for a product you thought you already paid is legitimate then I' am a "complete idiot". You know, people actually stressed their budgets to actually buy d3. They sold it at 60 fuckin dollars.. Why not include an authenticator in the physical edition? We paid 60$ to get what was advertised.

I'm not saying that there are not ways around it but still Blizz here in my opinion is extremely wrong. Banks provide authenticators for free w/o even paying for shiping.

And yes claiming that not paying 5-30$ to get a physical authenticator (or 100$ for a smartphone) is stupid then you are really flexible with your cash. I for once I'm not and I don't want to be forced to buy something that no-one told me I would need it prior to release.

If you scrimped and saved for a copy of D3 and buying an authenticator is too much to afford, what exactly are you planning to buy on the RMAH?

[Cactrot]

If you scrimped and saved for a copy of D3 and buying an authenticator is too much to afford, what exactly are you planning to buy on the RMAH?

Maybe he's planning to sell.

[Moinaldo]

Great post OP... also, pay no attention to the ones whining here, fact is whiners gonna whine.-

[Smashbolt]

Maybe he's planning to sell.

...
Good point. Everyone's so up in arms about what it means to buy off the RMAH, I almost forgot selling existed...

[Choptimus]

Fixed! Remember that Mr China Farmer said that keyloggers are out and haven't been effective in a long time. it's easier to hack insecure forums (lol phpbb), get massive lists of emails + passwords and use that.

Having an secure PC means nothing if you visit diablo 3 forum that uses a forum or host that is extremely insecure.

I don't use passwords for more than one thing though, so I could give you my password for this forum and it wouldn't do you a lot of good

[KbaFewx]

Hey just wanted to say thanks for taking the time to make this thread. saved me a couple bux!

[Jarlathe]

Several things wrong with this. First of all, a full compromise does not mean that they are physically hijacking your computer. If they are, you have more serious problems than your WoW account.

Second, every time you do a fresh install of the app, even on the same device, even if it's from your iTunes backup of it, it generates a new serial that has to be tied to the account, so they can't just steal that auth app and have it work.

Third, it is one more thing they'd have to copy to work through your security. The only way they'd be able to do it would be to crack the authenticator, which would require live access to your machine, or for your computer to be compromised when you added the authenticator, giving them access to the serial number. You'd be screwed with the physical authenticator at that point anyway.

You can go into the settings and goto the restore option to get the serial number of your authenticator. Once you have that, you can restore the authenticator on any device that supports (iOs, Android, emulator) it and generate the correct number. This is what I did when I went from my iPhone to my Android. Now, where I would have an issue (abit a small one) with the OP's method, is I'm pretty sure that you can get that serial number in the emulator, so if you have a keylogger, what's to say it doesn't scan your computer to check for that and grab the serial number?

When you get keylogged, all they get is your password, if you used a desktop authenticator they'd also log your code, but that code is useless after 30 seconds and is unique. It's not like the people who created the keylogger have access to your computer and can run the authenticator application and get a valid code to then login.

I agree it's in theory not as safe as an authenticator on a keyfob or on your phone, but you're making the desktop authenticator sound a lot less safe than it actually is.

See my blurb above, they don't need the code that is generated, they only need the serial number that's tied to your account and they can come back at there leisure. This is also like a man in the middle attack.

My account is already protected with a password and 100% secure, I've never been "hacked" in any games before over 8 years, not even once because I don't fall for stupid e-mails and don't visit suspicious sites.

And yes, if I had a wooden door, and someone tried to force me to buy a steel door, I'd complain too.

I guess you've never heard of, or seen a flash exploit or a java exploit? I guess you go and check each site daily to see if there are updates? I also assume you hang around, or are a member of an elite hacking group that has access to the latest vulnerabilities that they've found in these two programs? Both Flash and Java are known to be major security holes in the windows OS, back in the day, this is how the majority of these keyloggers were getting installed. Person goes to a legit website (MMO-C, Curse, Wowhead ect.) and gets an add displayed. BANG, you are now infected with a keylogger and your account is stripped.

Granted, the sites I gave as an example have become more involved in what adds are getting displayed, but sadly, alot of legit gaming sites still don't give a shit what the add company is serving.

You may think you're 100% secure, but you really aren't. Anyone that thinks a computer can be 100% secure on the internet is an idiot.

[Cactrot]

You can go into the settings and goto the restore option to get the serial number of your authenticator. Once you have that, you can restore the authenticator on any device that supports (iOs, Android, emulator) it and generate the correct number. This is what I did when I went from my iPhone to my Android. Now, where I would have an issue (abit a small one) with the OP's method, is I'm pretty sure that you can get that serial number in the emulator, so if you have a keylogger, what's to say it doesn't scan your computer to check for that and grab the serial number?



See my blurb above, they don't need the code that is generated, they only need the serial number that's tied to your account and they can come back at there leisure. This is also like a man in the middle attack.



I guess you've never heard of, or seen a flash exploit or a java exploit? I guess you go and check each site daily to see if there are updates? I also assume you hang around, or are a member of an elite hacking group that has access to the latest vulnerabilities that they've found in these two programs? Both Flash and Java are known to be major security holes in the windows OS, back in the day, this is how the majority of these keyloggers were getting installed. Person goes to a legit website (MMO-C, Curse, Wowhead ect.) and gets an add displayed. BANG, you are now infected with a keylogger and your account is stripped.

Granted, the sites I gave as an example have become more involved in what adds are getting displayed, but sadly, alot of legit gaming sites still don't give a shit what the add company is serving.

You may think you're 100% secure, but you really aren't. Anyone that thinks a computer can be 100% secure on the internet is an idiot.

In order to hack a computer with an emulated authenticator the keylogger would have to know that the account was using an authenticator, know it was an emulated version, know which emulated version it was, and then pull that restore/serial code and reproduce it. They can do that OR they can jut hit one of the, literally, millions of accounts that don't have that protection. It's kind of like being out camping with friends (and enemies) and having a bear attack. You don't have to outrun the bear, you just have to outrun your friends (and enemies.) It's, generally, not worth the effort to make or use keyloggers that do all that when there's other low hanging fruit. The key point I'm making here is that in practice an emulated authenticator is going to be something like 99.9% as effective as a physical one. It's simply not worth the effort to try to hack authenticated accounts, even with an emulated authenticator. Now, if more and more accounts start being authenticated (for example, because they're forced to to use RMAH) that story may change.

Unless you're specifically making hacker enemies, you don't really need to be 100% secure. If you're specifically making hacker enemies, the authenticator isn't going to save your ass.

You're right that there are zero day exploits, and people who think you can just avoid "bad" websites are ignorant of the real dangers. If I'm not mistaken mmo-champion has even had a bad ad or two in the past (taken down quickly, but that doesn't help you if you've already been compromised for it.) You can't prevent every exploit. However, the chances of getting hacked if you update consistently and keep an antivirus going are pretty damn slim. I hate that computer security opinions seem to be divided up between "lol, just don't go to bad sites and you're fine!!!!!" and "omg my friends computer that wasn't on the internet ever was hacked."

Final note, did you mean JavaScript? It's not the same thing as Java, and you're not really at risk of a java exploit without downloading and running something. Javascript on the other hand... Well, that's why I recommend NoScript. AdBlock also helps against those bad ads, but at the cost of revenue for sites that survive on it...