Poll: Have you ever known someone with an authenticator have their account compromised?

  1. #81
    Quote: Originally Posted by Adt
    Unless they're using a MitM attack explained here they will NOT manage to get on your account.
    No. The authenticator is 100% secure against man in the middle attacks (yes I know there was a successful attack against authenticator protected accounts that Blizzard erroneously called a man in the middle attack). The attacker must be able to physically modify the game binary or inject his code into the memory space of the running WoW process in order to compromise a user that's protected by an authenticator; that is completely different from a man in the middle attack.

  2. #82
    Let's break this down for people who say it is impossible, as I have been hacked personally with a key chain authenticator on the account. The code that you read is created based on some sort of security algorithm (probably a pseudorandom number generator), which I can make an educated guess at saying is most likely the same for most authenticators, and in the less likely case there are 6-7 different algorithms that Blizzard uses. So all someone needs to do, even if they aren't key logging and kicking your account in the 60 seconds the code takes to change, is have the algorithm and they will know what your code will be at a given time in the future once they log your PW/code at a static time.

    If you want to keep picking the argument apart, that's fine by me, and it helps further the understanding of the limits of securing your account, go ahead. I don't claim what I listed to be the exact way it works, but am basing it on a lot of probables. The only thing I can say for certain is that yes, it can happen even with the authenticator.

  3. #83
    Quote: Originally Posted by MatsT
    It's not about the $6 or whatever, it's about the 20+ seconds each time you want to log in. I would rather get hacked once per year than use an authenticator. But if you like running suspicious executables or visiting Chinese web pages with Internet Explorer, by all means go for it.
    What?

    Does taking hold of a piece of plastic, hitting a button and reading a number which you then punch in take 20 seconds in your world?
    "I'd rather be without my account for 4/5 days once a year than not have to worry about it. Holding small electrical items takes time and I don't have that kinda time to waste. Yes, I'm that badass"
    Quote Originally Posted by Boubouille
    I knew it would be useful to be french at some point.
    Quote Originally Posted by xxAkirhaxx
    just get a mac. It's like sleeping with a fat chick to avoid STD's.

  4. #84
    Quote: Originally Posted by Shockington
    There's nothing more secure, the chances to get hacked with an authenticator are almost immeasurably small.

    You send something, it is intercepted and a false key is sent in its place. It is then used to log into the game server with your account info before it changes. My authenticator changes every 15 seconds. It would have to be one fast man in the middle attack to actually be used.
    This is correct. And furthermore, if a hacker DID do what is described above, you would notice that you couldn't log into your account (since a false key was sent thus preventing you from logging in). Therefore whenever you log in successfully, you *know* that nobody intercepted your key.

  5. #85
    The fact of the matter is that in most cases the people trying to gain access to your account (Gold farmers and account sellers and the like) are INCREDIBLY more likely to just move on and look for a new account to get access to than they are to put forth the effort to get onto your account that has an authenticator.

  6. #86
    Quote: Originally Posted by Roasty
    The code that you read is created based on some sort of security algorithm (probably a pseudorandom number generator), which I can make an educated guess at saying is most likely the same for most authenticators, and in the less likely case there are 6-7 different algorithms that Blizzard uses. So all someone needs to do, even if they aren't key logging and kicking your account in the 60 seconds the code takes to change, is have the algorithm and they will know what your code will be at a given time in the future once they log your PW/code at a static time.
    Yes it is in effect a pseudorandom number generator. However the seed is different for every authenticator (it is the number you type to battle.net to attach an authenticator to your account). Without knowing the seed, even if you're able to observe a long sequence of the generated values, it is computationally infeasible to predict future values.

  7. #87
    I've never seen anyone in WoW get hacked.
    I've seen people getting Keylogged though.

    But the amount of people I've seen getting keylogged after they got an Authenticator?
    Zero. Haven't heard nor seen anyone getting keylogged after they got one.
    Quote Originally Posted by Crabby
    I'm Commander Crabby, and this is my favorite forum on the website.

  8. #88
    Quote: Originally Posted by ContentsMayVary
    This is correct. And furthermore, if a hacker DID do what is described above, you would notice that you couldn't log into your account (since a false key was sent thus preventing you from logging in). Therefore whenever you log in successfully, you *know* that nobody intercepted your key.
    What's more, an attacker just observing your traffic would not be able to learn the authenticator code because it is never sent as plaintext over the wire. The attacker would have to read the code in your system (meaning it's not a man in the middle attack).

  9. #89
    Having an authenticator is like having a bigger lock on your shed/house/car/whatever than the person next to you. If a hacker can get another account easier than yours, then they are going to go after the easy one.

    Authenticators are not that hard to get past. If you have a key logger on your system that is just looking for stuff pertaining to WoW, then they can figure out the algorithm or something close to the one in your authenticator and just start plugging in numbers until one of them works, or if you have almost no security on your computer, then hackers (and yes, it is hacking) can just replace your wow.exe file with their own and hijack your WoW session.

    Computer security is not entirely about having the most robust firewall; it's about having enough of a firewall that it's too much work to get past it. As the hunter said to the other hunter while being chased by a bear: "I don't have to outrun the bear, I just have to outrun you."
    Do not meddle in the affairs of dragons for you are nice and crunchy and taste good with ketchup.

  10. #90
    Deleted
    Can't help but think that the people here claiming that they were "hacked" while having an authenticator attached to their account are just claiming so since they feel stupid now afterwards that they actually didn't have an authenticator...

    Yes there have been cases, but only using man in the middle attacks. Also considering the withdrawal of some Android apps with malicious code, this could very well happen on a phone also. On a secured PC with an external authenticator, no way.

  11. #91
    dicertification (Bloodsail Admiral) | 10+ Year Old Account | Join Date: Mar 2011 | Location: Canada | Posts: 1,006
    I know three people in rl who were compromised with an authenticator, but all three also ran third party programs along with WoW (I won't get into details). Just like I warned them, they were duped by a hijacked browser page. I have never been hacked, and have been playing since early vanilla.

  12. #92
    Quote: Originally Posted by Roasty
    Let's break this down for people who say it is impossible, as I have been hacked personally with a key chain authenticator on the account. The code that you read is created based on some sort of security algorithm (probably a pseudorandom number generator), which I can make an educated guess at saying is most likely the same for most authenticators, and in the less likely case there are 6-7 different algorithms that Blizzard uses. So all someone needs to do, even if they aren't key logging and kicking your account in the 60 seconds the code takes to change, is have the algorithm and they will know what your code will be at a given time in the future once they log your PW/code at a static time.

    If you want to keep picking the argument apart, that's fine by me, and it helps further the understanding of the limits of securing your account, go ahead. I don't claim what I listed to be the exact way it works, but am basing it on a lot of probables. The only thing I can say for certain is that yes, it can happen even with the authenticator.
    Again, no, get a clue before guessing.

    It works like this:

    Secret code in your authenticator (private key part of a public/private encryption key set): 3462452456456

    So you hit the button on the front. The time is 14:52:13

    145213 (this next bit is the encryption algorithm these things use at least 56 bit encryption so make this a LOT more complicated, simple here for simple minds) *2/2000/50000=2513965542.79672564 at this point divide the numbers before the decimal point by the numbers after the decimal point. To make things stupidly simple cos I can't be arsed making it all fit that's 31.5537 and lots more numbers after the decimal place.

    The authenticator displays "315537" this is the public half of the public/private encryption pair

    You log in to Blizzard servers. You punch in the public key. The server checks the time (to within the last 20 seconds) and does the encryption in reverse. If at the end of working all this crap out the reverse maths spits out 3462452456456 then grats, the public and private key match and you log in.
    If not, you don’t.

    NOW.
    Firstly, the encryption method used on the private key will be VERY securely held. It will be known to no-one in Blizzard, was likely generated by a system to act as a "seed" for all Blizzard's authenticators, so is likely known to at most a small handful of humans on the entire planet. The machine that generates these seeds will be kept VERY secure (and probably not online). No matter how many public sides of the key you get, no-one ever knows this private half of the pair (unless you also know the algorithm).

    Secondly the private key won't be known to anyone in the same way as the above. Blizzard will have installed the software on their servers that know the private key based on the wee number on the back. Again, very few humans will know this number.

    Third the key fobs will have a tiny amount of lithium or other oxygen reactive metal in them that will destroy the chip holding the private key and algorithm if the thing is forced open.

    Fourth assuming someone gets to open yours (in a vacuum of course to avoid point 3) they still only have YOUR private key, they still don't know anyone else’s and they still need your other details. Even in this case though, they actually have to physically get their hands on the authenticator, they can't magically "know" its numbers however many of them they get.

    Now please, get the idea, these things are used to secure bank internal networks and are used on people's bank accounts for a reason. They are REALLY, REALLY hard to beat. Unless you have access to the actual authenticator itself or can trick a user into entering and you intercepting a number of its codes and use them to remove it from the account before the person takes any form of action to check on things, there is NO way you can beat these. Even assuming you got hold of 3 codes real-time from some poor user, you'd still have to log into account management and remove the authenticator before the user logged in to check. As soon as the most recent authenticator code is used and accepted, all previous are immediately invalid.

    This isn't just some crap made up on how these work, this is something I’ve properly looked into. The above is a rather simplified version but it covers enough.
    Last edited by mercutiouk; 2011-03-07 at 09:20 AM.

  13. #93
    Pit Lord | 15+ Year Old Account | Join Date: Jan 2009 | Location: Orlando, FL | Posts: 2,444
    Quote: Originally Posted by sirnoobalots
    Having an authenticator is like having a bigger lock on your shed/house/car/whatever than the person next to you. If a hacker can get another account easier than yours, then they are going to go after the easy one.

    Authenticators are not that hard to get past. If you have a key logger on your system that is just looking for stuff pertaining to WoW, then they can figure out the algorithm or something close to the one in your authenticator and just start plugging in numbers until one of them works, or if you have almost no security on your computer, then hackers (and yes, it is hacking) can just replace your wow.exe file with their own and hijack your WoW session.

    Computer security is not entirely about having the most robust firewall; it's about having enough of a firewall that it's too much work to get past it. As the hunter said to the other hunter while being chased by a bear: "I don't have to outrun the bear, I just have to outrun you."
    Please don't spread misinformation.

    Your computer has to be completely compromised for a working authenticator to be bypassed by a "man in the middle" attack. Key loggers are not even remotely effective in this regard. The attacker has to watch you enter the code from your authenticator, capture that data somehow (screenshot), and then trigger your compromised game client to send a fake authenticator passcode to the Blizzard servers. He then has until the code expires to enter it on his end in order to access your account.

    The seed that produces your authenticator codes cannot be (easily) deciphered/duplicated simply by logging your keystrokes and feeding a list of them into a script. You need some very sophisticated hardware/software to pull that off, and a huge sample of codes to run through them. Very few people would have the means and motive to take it to that level.
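
The posts above (#86, #92, #93) argue over whether observed codes let someone predict later ones and how the server treats old codes. As an added illustration that is not from the thread and is not confirmed to be Blizzard's algorithm, this is the standard time-based one-time password scheme (RFC 6238) with a server-side check; the 30-second step, the drift window and both secrets are assumptions.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per code; assumed (RFC 6238 default), not taken from the thread


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238: HMAC-SHA1 over the time-step counter, then RFC 4226 truncation."""
    counter = unix_time // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects 4 bytes of the MAC
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Verifier:
    """Server side: holds the per-device secret, tolerates clock drift, refuses reuse."""

    def __init__(self, secret: bytes, drift_steps: int = 1):
        self.secret = secret
        self.drift_steps = drift_steps
        self.last_counter = -1  # highest time step that has already been accepted

    def check(self, code: str, now: int) -> bool:
        current = now // STEP
        for counter in range(current - self.drift_steps, current + self.drift_steps + 1):
            if counter <= self.last_counter:
                continue  # a code for this step or a newer one was already used
            expected = totp(self.secret, counter * STEP, len(code))
            if hmac.compare_digest(expected, code):
                self.last_counter = counter
                return True
        return False


def demo() -> dict:
    secret_a = b"12345678901234567890"  # published RFC 6238 test secret
    secret_b = b"constructed-secret-B"  # constructed second device
    now = 1111111109                    # constructed login time
    server = Verifier(secret_a)
    code = totp(secret_a, now)
    return {
        "code": code,
        "other_device": totp(secret_b, now),  # same algorithm, different secret
        "first_use": server.check(code, now),
        "replay": server.check(code, now),    # captured code presented again
        "stale": server.check(totp(secret_a, now - 120), now),
        "next_step": server.check(totp(secret_a, now + STEP), now + STEP),
    }


if __name__ == "__main__":
    print(demo())
```

Knowing the algorithm gives nothing without the per-device secret, because each code is a truncated keyed MAC of the current time step; what the check cannot prevent is a code that is captured and submitted by someone else before its owner's login reaches the server.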

  14. #94
    Quote: Originally Posted by mercutiouk
    This isn't just some crap made up on how these work, this is something I’ve properly looked into. The above is a rather simplified version but it covers enough.
    Haha, I especially enjoyed the automatically self-destructing private key bit

  15. #95
    Got hacked once. Then I did a virus-scan and installed an authenticator on my iPod, never had any issues since then.

    Haven't heard of anyone with an authenticator that got hacked, ever.

  16. #96
    Quote: Originally Posted by mercutiouk
    Again, no, get a clue before guessing.

    It works like this:
    Wow, that's probably the first post I've seen in this thread that actually contained valid information about how amazingly well authenticators work. This same type of encryption system is used by Google, in Gmail now because of how well it worked for Blizzard. So people bashing Authenticators or saying they got hacked with one are probably full of it or just don't want to look dumb for not having one and getting hacked. The level of hacking efficiency required to break the authenticator code would be blackhat level; by hand, without a man-in-the-middle Trojan on your computer, it is something far beyond anyone willing to waste their time to hack a WoW account.

  17. #97
    High Overlord | 15+ Year Old Account | Join Date: Aug 2009 | Location: Netherlands | Posts: 130
    The only way to get hacked using an authenticator is either getting your authenticator stolen or having a virus on your computer that really shouldn't be on your computer.

  18. #98
    Deleted
    Had the same password for over 5 years without an authenticator and I used to play from a web cafe... so those getting hacked are doing something terribly wrong... and I guess you should be really unlucky to be hacked with an authenticator, so no...

  19. #99
    There is always a chance of getting hacked no matter what...my friend just got hacked 2 days ago with an authen...though his account was recovered like 2 hours after discovering with just opening in game tix.

  20. #100
    xenaros (Dreadlord) | 15+ Year Old Account | Join Date: Jul 2008 | Location: United Kingdom | Posts: 893
    I've never known of anyone being hacked with an authenticator (except one guy who said he had one to seem more a victim, then admitted he didn't). No security system is 100% safe, there will always be times when it is beaten, but it's a hundred times better than having no authenticator (everyone I know has been hacked at least once in 5 years, I got hacked at the end of WotLK so got an authenticator then).

    Our guild makes sure that everyone in the guild has one, if they do not then they do not get access rights to gbank (to prevent it being looted if hacked). Not sure how the guild checks who has an authenticator, maybe by looking at core hound pet (is there an achieve for it?)
