Poll: Have you ever known someone with an authenticator have their account compromised?

  1. #161
    Man in the middle attack is all I know.

    You type in correct info.

    Middle man gets it and sends false info to wow. They immediately use your info to gain access. It's surely much more rare.

    I use keyscrambler so it really doesn't matter unless they also happen to have a way around that. Which is doubtful.

    I already use AV+FW. Multiple addons in FF dedicated to safety as well.

    Unless I give someone my info and tell them my authenticator code at that exact moment it probably is never going to happen. And if it did that keylogger would be so dedicated that I would be honored to let him vendor my stuff and steal all my gold.

  2. #162
    Quote Originally Posted by Vetis View Post
    can't you get some kind of Android emulator for the pc. if so can probably get it free if cost is an issue
    Having the authenticator running on the same PC as WoW defeats the entire purpose of two-factor authentication. The protection that the authenticator affords you is derived entirely from the fact that two different devices are involved.

  3. #163
    Quote Originally Posted by Jaerin View Post
    And this is just the laundry list of what is required right now. In another 6 years that list will probably seem ancient and there will be twice as many in addition. As long as there is enough money to be made they will do it.

    You also have to remember that these people are also often stealing the money from the people they are selling gold to as well. Blizzard will often at the very least revoke any gold distributed by a compromised account. So these people very well may be stealing not only gold from an account but actual money from the people buying it.

    Make no doubt about it these are not script kiddies in their mom's basement. These are highly organized groups of criminals that have a very very extensive supply and distribution system.
    You are correct regarding the incentive. In fact, I clearly mentioned in my post that the incentive to crack computer systems (game user accounts in this case) has thus far increased especially when considering WoW. Gold selling is another argument for the increasing incentive.

    I clearly used the term "crackers" to refer to these criminals. I agree, these are organized groups performing these actions making their time that much more important. A script kiddie has all the time in the world and is mostly hacking and cracking for enjoyment. In this instance we are talking about criminals who want to maximize their profit. Maximizing profit doesn't usually include spending hours or days to bypass proper security measures not when so many in this thread have made themselves easy prey by indicating they don't use an authenticator.

    ---------- Post added 2011-03-07 at 08:59 PM ----------

    Quote Originally Posted by underdogba View Post
    Having the authenticator running on the same PC as WoW defeats the entire purpose of two-factor authentication. The protection that the authenticator affords you is derived entirely from the fact that two different devices are involved.
    Excellent point. I am very interested in the security measures taken by those indicating they have been cracked even while using an authenticator. If they were cracked when using an authenticator then they almost certainly would have been cracked without an authenticator. Probably safe to assume they had some serious security holes likely the same security holes that those stating they will never use an authenticator have.
    Last edited by Purrfunctory; 2011-03-07 at 09:04 PM.

  4. #164
    Nope, my account was compromised two summers ago, and my stuff was restored a week later, and I bought an authenticator and have had no troubles since. I don't even think there's a MITM virus for Macs yet, so the only way my account is getting hacked again is one of my friends getting me.

  5. #165
    Quote Originally Posted by Abb View Post
    So, a few of the people in my guild refuse to shell out the £6 (!) for an authenticator because they say that it doesn't make enough of a difference.

    So I'd like to ask, have you, or anyone in your guild, or fuck it, anyone you know on wow, ever had their account compromised with an authenticator attached on it. Please reply saying if you have or have not so we can get some statistics. I'll get a poll running too.

    Some edits:
    I know almost no-one is actually "hacked", almost all of it is keylogging. For the purposes of this thread, assume they both mean having your account compromised by a third party.
    For an explanation on how Authenticators actually work, try reading mercutiouk's post on page 5.
    Nothing gives better statistics than polls! Everyone I have seen get hacked didn't have authenticators.

  6. #166
    I honestly don't see how anyone could get it hacked WITH an authenticator, only if it were a family relative with the means to get a hold of the authenticator... I've never seen anyone personally get hacked with one though

  7. #167
    Quote Originally Posted by MatsT View Post
    It's not about the $6 or whatever, it's about the 20+ seconds each time you want to log in. I would rather get hacked once per year than use an authenticator. But if you like running suspicious executables or visiting Chinese web pages with Internet Explorer, by all means go for it.
    Try 3 seconds bro.

  8. #168
    The question people need to ask themselves is: "How much is the amount of time and effort, as well as the current enjoyment factor for me worth?" In my case, I think the $10 authenticator pays for itself and although the postage was a bit much I simply split it with a few friends and then we were all happy.

    Security is really in the hands of the person who owns the account. I personally have a separate email account with a 20 character password and I never use this except if I need to read an email (which is rarely), so I keep the password tucked away safely. I also make sure to change my account password at regular intervals. Although, if the person never browses any dodgy websites and only uses that email for Battle.net then they should never have any problems.

  9. #169
    Quote Originally Posted by gherkin View Post
    If I get the serial number of your authenticator I can get into your account no problem. Guard it with your life.
    Correct but if I give you my username and password without an authenticator you can do that also. Very much the same with the exception your serial isn't stored on your computer (big difference).

    Quote Originally Posted by gherkin View Post
    If I don't get the serial number, I would have to see two consecutive codes in a row that you do not use in order to break into your account.
    Incorrect, it is far from that simple. If it were the case that all authenticators shared the same number series and the seed was just used as an offset it would work but the series themselves are different. You'd basically have to try all possible seeds and validate them using the two codes you have. All this is assuming you know how the authenticator version works (possible ofc since mobile clients exist now)

  10. #170
    Quote Originally Posted by Revengencer View Post
    Nah, most of them are liars. There have only ever been a couple cases documented to any extent with legitimate indicators that an authenticated account was "hacked." Most of the time it's people blowing smoke with no evidence.

    Authenticators are not and never will be 100% effective, but you know what... neither are condoms. Most rational people don't consider their minute fallibility an excuse not to use one. If they don't, it's usually something else, like laziness (don't have one) or something worse.

    ---------- Post added 2011-03-07 at 02:15 PM ----------



    I do think you've been watching movies too much, son.

    It's "possible" yes. It's also possible that a meteor could wipe us out a month from now and we'd only see it coming long enough to regret our inability to act. Doesn't mean we give up on the security of our daily lives. Do I not lock my door just because I know if a robber really wanted to he could break the window?

    You secure yourself with an authenticator, and you make yourself a non-target to the level of attention you describe, because it's much easier to go for multiple soft targets than to focus effort on one person who knows what the hell they're doing.
    I didn't say don't get one. I did say it's entirely possible. I'd be pretty surprised if someone didn't figure out the logarithm (or at least some) used by now.
    Last edited by graagh; 2011-03-08 at 10:53 AM.

  11. #171
    I got hacked with an authenticator. My account had been hacked so I went out and got one, applied it to the account and was hacked again! I think that there is a small time period at the start before the authenticator starts working. Got my stuff back so Bliz must have been able to look at their records to see what happened. Never been hacked since then.

  12. #172
    Here's the simple truth. Authenticators aren't some high tech wireless connectivity device with real time Blizzard server monitoring capabilities. Instead they are a device that is programmed to provide a limited number of 6 digit codes based on an algorithm generated by your 10 digit key that is found on the back of your authenticator.

    These codes are extremely limited in that they are not only reusable, but there is a maximum number of codes allocated to each authenticator. For instance, you type in your email/password and then wow prompts you for your authenticator code. You press the button on your authenticator, and it gives you a preset 6 digit code based on the CD key on the back. You enter it, and Blizzard's website allows you to log in.


    Here's what really happened: The code you entered matched one of the codes found on a short list that is associated with the Key found on the back of your Authenticator, which is just one of the few codes your authenticator is programmed to come up with.

    Here's the deal. Each authenticator is issued a limited number of 6 digit codes. These codes are based on the algorithm that is generated by the keyfob you have, using the 10 digit key found on the back. There is a maximum number of 699,999 different codes that can be generated by an authenticator, and keeping your account secure means that only a specific amount of them could possibly work at any given time.

    So Blizzard devised a way to restrict access based on duplicate entry of the assigned codes within a certain period of time (based on server side login information, not authenticator BS) to keep accounts safe.

    Basically, if your authenticator gave you the code '019462' and you entered it with the rest of your login info, Blizzard then logs that 6 digit key as unusable for a period of time after you use it. Then you have X number of available codes to use for your login until that one resets and can be used again.


    I can guarantee that authenticators are not programmed based on time sensitive information, as that would require some sort of up link with Blizzard servers, and authenticators are just a keychain.


    This means that the codes have already been pre programmed, and that the device you call an authenticator just spews out a random code when you need it.

  13. #173
    Quote Originally Posted by Eroginous View Post
    Here's the simple truth. Authenticators aren't some high tech wireless connectivity device with real time Blizzard server monitoring capabilities. Instead they are a device that is programmed to provide a limited number of 6 digit codes based on an algorithm generated by your 10 digit key that is found on the back of your authenticator.

    These codes are extremely limited in that they are not only reusable, but there is a maximum number of codes allocated to each authenticator. For instance, you type in your email/password and then wow prompts you for your authenticator code. You press the button on your authenticator, and it gives you a preset 6 digit code based on the CD key on the back. You enter it, and Blizzard's website allows you to log in.


    Here's what really happened: The code you entered matched one of the codes found on a short list that is associated with the Key found on the back of your Authenticator, which is just one of the few codes your authenticator is programmed to come up with.

    Here's the deal. Each authenticator is issued a limited number of 6 digit codes. These codes are based on the algorithm that is generated by the keyfob you have, using the 10 digit key found on the back. There is a maximum number of 699,999 different codes that can be generated by an authenticator, and keeping your account secure means that only a specific amount of them could possibly work at any given time.

    So Blizzard devised a way to restrict access based on duplicate entry of the assigned codes within a certain period of time (based on server side login information, not authenticator BS) to keep accounts safe.

    Basically, if your authenticator gave you the code '019462' and you entered it with the rest of your login info, Blizzard then logs that 6 digit key as unusable for a period of time after you use it. Then you have X number of available codes to use for your login until that one resets and can be used again.


    I can guarantee that authenticators are not programmed based on time sensitive information, as that would require some sort of up link with Blizzard servers, and authenticators are just a keychain.


    This means that the codes have already been pre programmed, and that the device you call an authenticator just spews out a random code when you need it.
    NO. WRONG.FALSE. INCORRECT.

    You are flat out wrong. There is not a predetermined number of codes. The authenticator uses an algorithm (DES, 3DES, or some other one I can't remember right now), a shared secret between you and Blizzard, and time to generate a code. The codes are pseudo-random, thus they cannot be predicted.

    There is not a list. There is not a set number of codes. That is just completely wrong in every damn way.

    Blizzard has flat out SAID which algorithms are used to generate the keys. Yes, it is based on time. The phone ones even have a sync button. The keychain ones sometimes get out of sync, and you can call Blizzard and get it adjusted if it gets too far out of sync. Your claims have no basis in reality and are completely verifiably incorrect.
    Last edited by Cactrot; 2011-03-27 at 09:27 AM.

  14. #174
    Authenticators make a huge difference because the hacker actually has to be online and actively targeting you as you log on.

    For example let's say the hacker has compromised 50 systems and all 50 are logging in at the same time with an authenticator, the hacker now has a 30 second time frame to log on your account from the point you enter your authentication number.
    The hacker only has enough time to get a single account.

    However if nobody uses an authenticator the hacker then only needs to look at a long list of names/passwords and hack into them at his own leisure.

  15. #175
    Quote Originally Posted by Trafalgarlaw View Post
    Except that the code is only valid for 30 seconds and you are full of shit.
    Swing and a miss! I have a mobile authenticator, as an experiment I wrote down a code and then waited for 8 or 9 other codes to go past then logged in with the original.

    Whatever time limit there is, it's longer than 30 seconds.

  16. #176
    Quote Originally Posted by underdogba View Post
    Having the authenticator running on the same PC as WoW defeats the entire purpose of two-factor authentication. The protection that the authenticator affords you is derived entirely from the fact that two different devices are involved.
    False again. A huge part of the point of the authenticator is the separation, it is NOT the ENTIRE purpose.

    If you have an emulated phone on your computer with the authenticator installed, in order to bypass it you would need the keylogger AS WELL AS something to run the emulator, run the authenticator, and steal the code and then use it.
    An attack like that would need to know that you're using an emulated one, not a real one, which emulator you're using, and how to access it. That's a pretty damn specific attack. No way would it be worth the effort. Hell, it'd probably be easier to just use the standard authenticator bypassing attack than to make one that specific.

    Does having an emulated authenticator open you up to more attack vectors than having a physical one? Yes. Does it make the authenticator not effective? Hell no. It is still by far the best single thing you can do to keep your account secure.

  17. #177
    Was Google searching the subject. And going to rez this dead thread. But I did in fact just get hacked over the weekend with an authenticator on my account. 60,000g gone, my Fury (lol) set gone, but not my actual gear? And then whatever malware kicked me off the game and isn't letting me log back in so I have no clue what else is damaged. I am incredibly upset because I consider myself more computer literate than the average person and absolutely refuse to click on any link for anything on the internet pretty much. This is dumb. Hate you all.
