I’d agree with you, except that Battlenet accounts being hacked isn’t theoretical, it’s rampant. Shit happens daily. I’m not sure how many times Drop Bears members have been hacked, but it’s not a small number.
Two-factor authentication has its place, and this is it.
KevinC
4422
The goal is what I was referring to. :) Let me put it another way, though… if this were set up the same way Diablo 2 was, I’m sure there’d be hacking to steal loot / characters / whatever. You have to admit, though, the fact that you can now convert that loot into Euros or USD has to make a really tempting target. That seems to me to be a better target than the usual “hack WoW account to steal gold and sell for USD” that takes place.
Heh, had no idea that info was available online.
Tony_M
4424
Strange for me, as a non-WOW player, to hear everyone so concerned about security. I resent having to type a password in any time I play Starcraft 2. Every time I think “For fuck’s sake, it’s just a game, let me check a box and save the password”.
Tony
PS: not a judgment on you guys, I understand the amount of effort and emotional investment that goes into a high level WOW character.
Budvar
4425
My understanding, and correct me if I’m wrong, is that most hacking occurs due to phishing, OS-side malware, and browser-side exploits. In which case two-factor authentication as a form of prevention like the kind provided here is useless. Even as a form of identification it is problematic.
I feel the same way, but I have been exposed enough to mmorpgs to know that companies cannot do that anymore.
There is big money in stealing accounts and that is of course why it is so common. It is really a lot like identity theft, but smaller scale, smaller reward and no risk since I don’t think it is even illegal, even if the person who does it is in the same country as you (unlikely unless you live in China).
It is very common for mmorpg fan sites to be compromised in order to plant keyloggers on players. Very common for there to be phishing links on official forums. Very common for phishing emails. Even if you avoid all of those things, it is very common for accounts to be compromised.
Blizzard officially sanctioning and including a real money Auction House, a stupidly stupid stupid idea, is only going to make this problem MUCH MUCH MUCH worse.
Most people wouldn’t be thrilled if they spent 200 hours restoring a junk bike to like new and then someone steals it. The same is true with spending 200 hours leveling your wizard in diablo 3.
Well then I’ll judge it. Having to log in to my fucking Starcraft II account is ludicrously annoying... especially that I have to do it every time I start it up. Can it really not remember that shit and log me in upon startup? AIM has been managing that for more than a decade and it seems to work pretty well.
As I understand it, two-factor is vulnerable to a man in the middle attack. But that’s a relatively sophisticated attack that requires the user to be really careless by following a phishing link and allowing malware root access. If the user is that stupid, nothing is gonna stop them from being hacked.
If you’re even mildly careful, two-factor is pretty good security.
Budvar
4429
Well it is an interesting question. In some sense, it’s like any discussion on the economics of prohibition.
In the WoW system, RMTs are illegal. There is obviously huge demand (if we take as given that WoW accounts were trading for more than credit card info) for gold and rare items, but also limited supply. Only a select few (those with the skills and networks needed) can be suppliers, and the black market is the sole provider of the service. Naturally it has high value, and thus, hacked accounts, the most economic way to provide gold and rare items, have high value.
Now under RMAH everyone is potentially a supplier. People wanting gold or rare items can go through the RMAH, and don’t need to use the black market. Of course, hacked accounts still are the easiest way to provide gold and rare items, but they compete with the items being sold by legitimate users. If the overall price of the sold items is relatively low, it may just not be worth hacking accounts.
I’m not saying that will or won’t be problematic. I’m just suggesting that any claim that the RMAH WILL be problematic is overly simplistic.
Budvar
4430
Well, what account hacks are there that don’t actually involve the installation of malware, phishing, or a combination browser vulnerabilities and an infected website?
MiTM doesn’t prevent any of these attacks, which I would suggest (and once again, correct me if I’m wrong) make up the majority of WoW account hacks.
ShivaX
4431
A lot of accounts get hacked because people tend to use the same password on the internet. So when Pointless Website X gets hacked, they roll over to WoW, throw in your email address and password and get in. Which is why it’s always a good idea to use a different password for forums and whatnot and things that actually matter.
Like I said, sure, if you’re not careful (by not running as administrator, and not following phishing links, and not elevating unknown software that tries to run to admin) then yes, you can be hacked. Two-factor authentication at that point just makes the hacker’s job a bit harder…the hacker has to intercept your key, block you from using it (since each key is single-use), and then use it themselves to log in within the 30 or 45 seconds (I forget) that the key is valid. If they fail anywhere along those points, then they still can’t get in.
I’m not saying it’s unhackable, it just makes it harder. It’s like having an alarm on your house…sure any alarm is beatable, but most smart burglars will just go down the street to look for another house without an alarm.
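The single-use, short-lived code described above, as an added example that is not from this thread or from Blizzard: a small time-based OTP verifier of the RFC 6238 kind (an assumption about the scheme; the thread never says which algorithm the authenticator uses) that rejects a code once it has been spent, so a second presentation of the same code inside its window fails, and an expired code fails outright. The 30-second step, the `Verifier` class and the `constructed-test-secret` value are assumptions made for this example.

```python
import hashlib
import hmac
import struct

STEP = 30    # assumed window length; the thread recalls "30 or 45 seconds"
DIGITS = 6   # assumed code length


def totp(secret: bytes, counter: int) -> str:
    """HMAC-SHA1 truncated to DIGITS decimal digits (RFC 4226/6238 style)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** DIGITS):0{DIGITS}d}"


class Verifier:
    """Server-side check: one accepted code per account per time step."""

    def __init__(self, secret: bytes, step: int = STEP, skew: int = 1):
        self.secret = secret
        self.step = step
        self.skew = skew          # tolerate this many steps of clock drift
        self.used = {}            # account -> set of counters already spent

    def verify(self, account: str, code: str, now: float) -> bool:
        counter = int(now // self.step)
        for c in range(counter - self.skew, counter + self.skew + 1):
            if hmac.compare_digest(totp(self.secret, c), code):
                spent = self.used.setdefault(account, set())
                if c in spent:
                    # Replay: this code was already consumed, whether by the
                    # legitimate user or by someone who intercepted it first.
                    return False
                spent.add(c)
                return True
        return False   # wrong code, or a code from outside the window
```

The test uses the published RFC 6238 SHA-1 vector (secret `12345678901234567890`, T=59) to confirm the code generation, then shows the single-use and expiry behaviour the post describes.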
Budvar
4433
No. It just makes it DIFFERENT, not more difficult. Since hackers can already intercept your password, it is then rather trivial to intercept your one-time key. The attack changes in that it requires some automated interception and redirection, but once again, that is DIFFERENT, not harder (it’s really really trivial).
Maybe you get some security out of the obscurity of the method. But in that case, you shouldn’t be promoting it. You would be better off telling everyone not to use two-factor auth for Blizzard.net and to keep you in relative obscurity.
I’m happy to discuss this in the Tech section if the thread is veering too off topic, but this is precisely the sort of hand waving I’m talking about.
There are endless stories of people getting their Blizzard accounts hacked when they didn’t have a two-step authentication of some sort. Stories of people getting hacked while they have an authenticator on their account are much harder to find. They’re out there to be sure, but they just don’t happen with the frequency of unprotected accounts.
Right. If your computer is compromised, no amount of one-time keys or hard-to-guess passwords will save you. You’re hacked. Game over. I totally agree.
I also agree that if you use hard-to-guess passwords, change them frequently, don’t run as administrator, don’t ever follow links from emails, and use a browser like Chrome or Firefox with NoScript, then your chance of being hacked is already vanishingly tiny and two-factor authentication is probably overkill.
But, hey, it came with a free Core Hound Pup. So there.
The RMAH also removes a major vector for hacking, which is people going to 3rd party RMT sites. Sometimes even giving them their account info.
Addendum to my above post: I totally forgot that Blizzard added the smart login thing, where you don’t enter the key unless you login from somewhere other than your computer, from your location and your usual IP address. That makes a man-in-the-middle attack totally useless anyway.
Uhhh… what the hell are you talking about?
If I try to log into WoW and someone man-in-the-middles my Authenticator login and logs in as me (which requires an active attacker and is visible, since doing so prevents me from logging in as well), access to my account will be terminated instantly; through the website, through an email, through a phone call, probably all three within the space of 30 seconds.
Good luck stripping the account bare in a minute! More to the point, being forced to do it live would severely impact the revenue stream even if you could strip the accounts that fast.
And if you’re not an active attacker doing it in the only visible way feasible, well, you’ll have to break the encryption scheme to generate keys. Are you familiar with how hard it is to break a 180bit RSA cipher with an oracle you can’t repeatedly query, where guessing wrong too many times will hardlock the attempts?
There was an active virus that worked as a man in the middle, yes. When you enter your authenticator, it intercepted the number, logged into the game, and changed your password, all within one minute. That happened two years ago, and we haven’t heard much about it since.
Two factor authentication is not false security, it definitely helps. I use google’s authenticator for my google accounts and lastpass also. Great feature.
Because it basically wasn’t profitable.
People who are subject to this attack respond by contacting support through one means or another, and the attacker does not have the opportunity to then strip your account of saleable goods and gold at his leisure.