Chances of getting hacked with an Authenticator

[Fins]

So far the only hack I've heard of being successful on authenticatored accounts are man in the middle viruses. Basically it's a program that overwrites/replaces your Wow.exe and mimics the login screen. When you enter your info, the program gives you an unable to connect response and from that point the hacker has however long authenticators take to cycle to login and change your information (although they would be unable to remove/change the authenticator in anyway). Happened to a friend of mine.

[Vetis]

can't you get some kind of Android emulator for the pc. if so can probably get it free if cost is an issue

[Jademist]

If you have a capable mobile phone or an iPod touch its for free.

I have never met anyone who got hacked who has an authenticator.
The authenticator creates a unique set of numbers every time and each authenticator is unique to the account its bound to.
Unless the hacker gets a hold of your authenticator, they really can't do anything.

[Mehdi]

I forgot my authenticator at work on a raid night.

I called Blizzard, told them my secret question / answer - they removed it.

Less than 48 hours later... I was hacked.

O_O

Good thing it took only a few hours to restore everything.

[Seahippo]

Mine was free on my iphone. Sometimes it is annoying, like when you dc and have to relog, but it only takes an extra 5 seconds. It's well worth it imo, I have put so much time and effort into my account I would lose my mind if it got hacked. We all have if you think about it.

[epec]

So far the only hack I've heard of being successful on authenticatored accounts are man in the middle viruses. Basically it's a program that overwrites/replaces your Wow.exe and mimics the login screen. When you enter your info, the program gives you an unable to connect response and from that point the hacker has however long authenticators take to cycle to login and change your information (although they would be unable to remove/change the authenticator in anyway). Happened to a friend of mine.

Even then, the window to hack the account is rather small. The code expires eventually, on Blizzard's end, because it's based on time. This is why authenticators are so amazingly effective.

[harky]

Think of it like this: Normal internet security might stop 99% of attacks and the authenticator will top 99.9%+ of attacks that would have otherwise succeeded (this is due to man in the middle attacks being easier attacks to detect). If you were hacked with an authenticator, you would have been hacked anyway without one. However, it is also very likely that your account was compromised and your authenticator protected you without you ever realizing your account was in danger.

It's a lot like people who are anti-vaccine. You have a school with 1,000 kids in it. 5 are not vaccinated. The entire population of the school is exposed to disease. All 5 of the non-vaccinated get the disease. 7 of the vaccinated get the disease. Does this mean you shouldn't get vaccinated? Absolutely not. It means that if you weren't vaccinated there was a 100% chance to get infected and if you were there was a 1 in 142 chance.

At this point there is no reason for any serious guild to allow anyone guild bank access if they do not have an authenticator. My guild does not allow people to join who do not have authenticators at all, but we do have a grandfather rule allowing old members who refuse to get one to be in the guild. These members do not have guild bank access, nor will they ever.

[Deleted]

I have heard the term "Man in the Middle attack" a load of times but have never really understood exactly what that means?

For the benefit of myself and potentially others who read this thread, would someone be so good as to give an "in a nutshell" definition of exactly what it is please?

[Shockington]

There's nothing more secure, the chances to get hacked with an authenticator are almost immeasurably small.

I have heard the term "Man in the Middle attack" a load of times but have never really understood exactly what that means?

For the benefit of myself and potentially others who read this thread, would someone be so good as to give an "in a nutshell" definition of exactly what it is please?

You send something, it is intercepted and a false key is sent in it's place. It is then used to log into the game server with your account info before it changes. My authenticator changes every 15 seconds. It would have to be one fast man in the middle attack to actually be used.

[Sertano]

Unless the hacker gets a hold of your authenticator, they really can't do anything.

This is not entirely true. There are a few ways to hack to account without using the authenticator, but the investment in time/resources is generally not worth it for hackers.

[Alfadorfox]

The only way for you to get hacked if you have an authenticator is a man-in-the-middle attack, and even that requires them to also either infect your WoW executable or completely control your outgoing packets so the authentication never reaches Blizzard servers, otherwise the authentication code will be rejected as having already been used. And if you have your computer compromised that badly, you have bigger problems than your WoW account being hacked.

An exhaustive brute-force attack is always theoretically possible, but since it would require them to try all possible passwords with every possible authenticator number within one minute, it would overload Blizzard's own servers, assuming the attacker had a futuristic machine capable of sending that many packets in one minute. Their only plausible chance to get in to your account other than man-in-the-middle is by using complete random passwords and authenticator codes... and on that, GOOD NEWS! With a six-digit authenticator (the keyfob is; I think the phone version has even more digits), the chances of randomly getting in to your account are divided by exactly a million. Now, if you have an easily guessable password that they already know... they can probably get in eventually by randomly guessing authenticator codes, since they have a one in a million chance each time and can set it up to automatically keep trying once a minute. So having an authenticator is still no excuse for having an easily guessable password.

...Small note here, having an authenticator is still subject to "lead pipe cryptography", defined as physical access to your kneecaps. Fortunately, most gold farmers don't hang out in dark alleys waiting to steal people's keys and beat them until they reveal their password. That's mostly reserved for governments.

[Herecius]

Very small but entirely possible, nothing is foolproof, but not having the authenticator is like leaving your car unlocked and hoping everybody is nice. The Man-in-the-middle attacks that circumvent authenticators on WoW typically work like this: the bug sits on your computer, and the hacker simply activates it. When it does, it automatically kicks you offline. When you try to reconnect, the hacker is there ready to intercept the connection. Tada, he has access to your account for a little while. When somebody is hacked with an authenticator, it's usually a 'get in and out as fast as possible' hack, with the hacker immediately booking it for a mailbox and dropping all of your gold and valuables ASAP, since getting control of the account is generally very fast, since the hacker only has temporary access until they log out once.

[Zamfix]

I've had an authenticator for almost two years, played the game for six years, never been hacked once.

To get hacked with an authenticator, someone has to pretty much be specifically targeting you, and if you have a hacker solely out to get just you, then you're much more likely to get hacked.

If you responded to a phishing email and gave them your login and password but you have an authenticator, you're less likely to get hacked, since there's thousands of morons without them that responded to that phishing email that are much easier to hack.

[Zulandia]

I have heard the term "Man in the Middle attack" a load of times but have never really understood exactly what that means?

For the benefit of myself and potentially others who read this thread, would someone be so good as to give an "in a nutshell" definition of exactly what it is please?

In this case an attack which replaces your WoW.exe with a login screen lookalike, takes what you enter there sends it off to wherever and then gives you a fake "Failed to connect" message while the attacker logs into your account.

http://en.wikipedia.org/wiki/Man-in-the-middle_attack

For more information.

[Deleted]

about half the people i know who play wow have been hacked at some point, i got my authenticator before it happened to me, and im sure i wouldve been hacked by now if i didnt have one. my friend laughed at me when i forgot my auth when visiting him sometimes are locked my self out of my own account, but he changed his tune when his account got hacked lol.

they'll cry when theyre chars are naked, if thats what it takes then so be it :/ but its definately worth getting. its less than one month of wow and saves potentially a lot of time and frustration.

[PBitt]

They greatly reduce the chances of you getting hacked, especically if you are already careful. It's still possible, but seeing as IMO they are dirt cheap, they are totally worth it for the extra security and the much rarer chance of getting hacked. Think of it like locking your car, I guess, there is a chance that someone is going to break in and steal stuff but a lot less of one than if you had just left it open with the keys in it.

[Deleted]

There's nothing more secure, the chances to get hacked with an authenticator are almost immeasurably small.



You send something, it is intercepted and a false key is sent in it's place. It is then used to log into the game server with your account info before it changes. My authenticator changes every 15 seconds. It would have to be one fast man in the middle attack to actually be used.

Thanks for that.

I can see how they would potentially be a rather rare occurrence as most people who would WANT to steal accounts like that would see that as far too much work for far too little reward.

[Hypernetic]

This right here is valid information.

People claiming to have gotten hacked/know people that have been hacked with authenticators are most probably lying.

Authenticators aren't 100% sure, but they aren't far from it.

Or they were victims of a prank by a friend/roomate/etc.

[harky]

I have heard the term "Man in the Middle attack" a load of times but have never really understood exactly what that means?

A man in the middle attack is a type of attack that literally puts another step in a process.

Normal: You -> Blizzard
Man in the middle: You -> Hacker -> Blizzard

By diverting your login/authentication information to a third party (the man in the middle) it then allows that party to do a normal login using the information you just submitted.

[Truhan]

I actually know about three people on a different forum I go to that got their accounts hacked that had authenticators at the time.