All good demons go to... um... sequel? - Diablo 3 Announced

Joe_M · 2012-05-12T23:29:56.000Z

Angrycoder:

You are much better off putting your efforts into running some virus scanning software and more importantly, using something like lastpass or 1password to ensure the passwords for all your accounts are different/random.

Yeah, I’ve been using Password Depot to log into League of Legends and store my website passwords ever since I had my LoL account keylogged some months ago (clicking on random links on the Riot forums while half asleep at 3 a.m. is not advisable). It has a handy feature that lets you drag passwords from a toolbar into virtually any field in any application while (supposedly) protecting your clipboard from keylogger attacks. I don’t know how secure all their fancy encryption is but it makes me feel safer and I haven’t had any problems since the one account fiasco.

RobotPants · 2012-05-13T01:48:10.000Z

Budvar:

The attack changes in that it requires some automated interception and redirection, but once again, that is DIFFERENT, not harder (it’s really really trivial).

Uh huh. If it was really really trivial, it would be happening all the time.

Budvar · 2012-05-13T04:07:53.000Z

Telefrog:

There are endless stories of people getting their Blizzard accounts hacked when they didn’t have a two-step authentication of some sort. Stories of people getting hacked while they have an authenticator on their account are much harder to find. They’re out there to be sure, but they just don’t happen with the frequency of unprotected accounts.

Well obviously. Most accounts aren’t two-factored authenticated. Why target the minority? This isn’t a serious argument for the security of a system. The problem with the system is widely recognised. It doesn’t add a significant amount of complexity for the attacker.

Where two factor auth becomes really useful is if , you authenticate the transaction. My bank does this already. The SMS to verify the transaction has the date, the total amount, and the target account number or biller reference. A MiTM attack is quite transparent, as I can verify the amount and destination of my transaction. If Blizzard offered this, then yes, you could say they are increasing the security of their system in a meaningful way, as any hacked account transactions would be immediately transparent.

Read this from 2006. The issues with two factor auth are hardly new:

http://www.schneier.com/blog/archives/2006/11/fighting_fraudu.html

Budvar · 2012-05-13T04:36:01.000Z

AaronSofaer:

Uhhh… what the hell are you talking about?

If I try to log into WoW and someone man-in-the-middles my Authenticator login and logs in as me (which requires an active attacker and is visible, since doing so prevents me from logging in as well), access to my account will be terminated instantly; through the website, through an email, through a phone call, probably all three within the space of 30 seconds.

Good luck stripping the account bare in a minute! More to the point, being forced to do it live would severely impact the revenue stream even if you could strip the accounts that fast.

And if you’re not an active attacker doing it in the only visible way feasible, well, you’ll have to break the encryption scheme to generate keys. Are you familiar with how hard it is to break a 180bit RSA cipher with an oracle you can’t repeatedly query, where guessing wrong too many times will hardlock the attempts?

If by “active attacker” you mean a person sitting in front of a screen, then no. Your attacker in an automated proxy. Nothing in the attack cannot be automated.
It isn’t visible, because the proxy intercepts everything you send, sends it on your behalf, and then sends the reply it received back to you. It’s all transparent. You login, attacker intercepts, logins in as you, you get authentication message, you send authentication message to attacker, attacker passes on authentication, logs in as you. Attacker changes password and presents “System Maintenance” screen. Even better, the attacker just times out your requests, making you think it’s a network problem. All this can be automated.

Seriously, have any of you security masterminds read any security focused mailing lists or blogs? How about a quick google search for the failure of two factor authentication? It has enough issues that you can’t just claim that turning it on increases your default level of security. In it’s naieve form it’s already been profitably worked around by some criminals

You may argue that it only target people who like on phising links, or get malware installed (which can be anyone with a browser that uses the internet), but in that case it doesn’t really raise the default level or security does it? The Phished will always be phished, and the wise are generally careful enough anyway.

Budvar · 2012-05-13T04:44:29.000Z

FieryBalrog:

The RMAH also removes a major vector for hacking, which is people going to 3rd party RMT sites. Sometimes even giving them their account info.

Totally.

Also, if like PayPal and online gambling sites, you might actually have to provide personally identifiable information to actually cash out, then the security of the system increases enormously. The lack of anonymity would really drive away a lot of hackers and scammers.

Telefrog · 2012-05-13T06:56:36.000Z

Budvar:

Well obviously. Most accounts aren’t two-factored authenticated. Why target the minority? This isn’t a serious argument for the security of a system. The problem with the system is widely recognised. It doesn’t add a significant amount of complexity for the attacker.

Where two factor auth becomes really useful is if , you authenticate the transaction. My bank does this already. The SMS to verify the transaction has the date, the total amount, and the target account number or biller reference. A MiTM attack is quite transparent, as I can verify the amount and destination of my transaction. If Blizzard offered this, then yes, you could say they are increasing the security of their system in a meaningful way, as any hacked account transactions would be immediately transparent.

Read this from 2006. The issues with two factor auth are hardly new:

http://www.schneier.com/blog/archives/2006/11/fighting_fraudu.html

Oh, Christ. I already know the the issues. Are really advocating that people should not use the authenticator? Just fuck it all and use their Blizzard account with no other protection? Really?

KevinC · 2012-05-13T07:07:25.000Z

shrug Despite being meticulous about security regarding my system, my WoW account was hacked twice during a 1.5 year period (when I was not playing). Never found any keyloggers, didn’t go for any phishing scams, etc. I tend to try and use different passwords for different sites, but maybe something shared the same credentials as my WoW account. Who knows.

When I eventually DID come back to WoW for a couple months, I decided to put an authenticator on my account. I have an Android phone, so it was free and painless. Most importantly, my account has never been hacked since. Is it foolproof? Of course not. But it has worked for me and everyone else I know that’s installed it and has been completely painless to implement to boot. So I can give two shits about Budvar’s bloviating, the factors of why it’s worked doesn’t matter. It’s free and it certainly doesn’t hurt the security of your game account, so why not?

AaronSofaer · 2012-05-13T07:37:56.000Z

Budvar:

If by “active attacker” you mean a person sitting in front of a screen, then no. Your attacker in an automated proxy. Nothing in the attack cannot be automated.

For someone who claims to be an expert, you apparently don’t know what active attacker means. That’s funny.

Also, stripping the account isn’t something they automate; it’s something they have people do a-la gold farming.

It isn’t visible, because the proxy intercepts everything you send, sends it on your behalf, and then sends the reply it received back to you. It’s all transparent.

Not being permitted to log into the game is hardly transparent. You can attempt to obfuscate the attack, but denial of service (which I use in the most literal of senses) is a textbook example of “visible”.

You login, attacker intercepts, logins in as you, you get authentication message, you send authentication message to attacker, attacker passes on authentication, logs in as you. Attacker changes password and presents “System Maintenance” screen.

And then you check to see if the system is actually undergoing maintenance, which it’s not, and then the “password changed” email hits your email account and you freak out and shut the account down. Done.

Seriously, have any of you security masterminds read any security focused mailing lists or blogs?

I’m hardly a security mastermind, but at least I know what an active attacker is, and have at least a smidgen of contextual information about the practicalities of an attack.

As to your question, why yes. I find security and privacy to be fascinating subjects. Don’t get me started on why DNS-SEC is a terrible fucking idea and should never have been greenlighted.

charmtrap · 2012-05-13T08:30:50.000Z

Budvar:

If by “active attacker” you mean a person sitting in front of a screen, then no. Your attacker in an automated proxy. Nothing in the attack cannot be automated.

It isn’t visible, because the proxy intercepts everything you send, sends it on your behalf, and then sends the reply it received back to you. It’s all transparent. You login, attacker intercepts, logins in as you, you get authentication message, you send authentication message to attacker, attacker passes on authentication, logs in as you. Attacker changes password and presents “System Maintenance” screen. Even better, the attacker just times out your requests, making you think it’s a network problem. All this can be automated.

By switching to only requiring you to login with the authenticator once a week or when something changes, Blizzard has made all of this way more difficult. As long as you don’t log in with it every time, the chances of discovering that you’ve been hacked and stop them before they can strip your account goes way up.

markv · 2012-05-13T10:32:10.000Z

I’m a bit miffed here at the comment about how an authenticator doesn’t improve your default security, when in fact it does. It completely removes the success of any brute force attacks that can and do happen. I’m no security expert, but that seems pretty common sense to me.

ArmandoPenblade · 2012-05-13T10:37:46.000Z

markv:

I’m a bit miffed here at the comment about how an authenticator doesn’t improve your default security, when in fact it does. It completely removes the success of any brute force attacks that can and do happen. I’m no security expert, but that seems pretty common sense to me.

Yeah, but realistically, a 20-character phrase for a password also effectively removes brute force attacks from the equation and spares you the additional annoyance of the authenticator.

Marcus · 2012-05-13T10:38:59.000Z

Armando Penblade:

Yeah, but realistically, a 20-character phrase for a password also effectively removes brute force attacks from the equation and spares you the additional annoyance of the authenticator.

But doesn’t spare if you if you have a key logger.

stusser · 2012-05-13T10:41:19.000Z

markv:

I’m a bit miffed here at the comment about how an authenticator doesn’t improve your default security, when in fact it does. It completely removes the success of any brute force attacks that can and do happen. I’m no security expert, but that seems pretty common sense to me.

Yep. That guy is a fool. Ignore him, and use an authenticator.

Starlight · 2012-05-13T11:11:20.000Z

RobotPants:

Uh huh. If it was really really trivial, it would be happening all the time.

It /is/

Seriously, just sign up for the SMS or phone call-back service. Either are better at actually /preventing/ account changes, and will warn you about remote logins.

John_Reynolds · 2012-05-13T11:35:43.000Z

Well, I just set it up from my home # and got the pin # created. Really don’t want to spend 100+ hours building different toons in D3 to have my account hacked and everything tied to it ransacked.

Greg_Vederman · 2012-05-13T11:55:50.000Z

Are you people FUCKING crazy? Diablo FUCKING III is coming out in two days and you’re going back and forth about FUCKING authenticators?

Let’s geek-out for FUCK’s sake! Let’s talk about the FUCKING game like we are FUCKING giddy about it!!!

I want to read posts like:

“I’m going to print out a screen grab of my Barbarian’s abs onto tissue paper and masturbate with it!”

“I’m not going to have sex with my wife between now and launch so that I can unleash my full potency on Diablo’s face Tuesday morning!”

“I’m going to see what happens when I stick the Collector’s Edition thumb drive up my butt!!!”

Any or ALL of these statements would be better than post after post about authenticators and internet security.

In late 2009 I found out I had cancer and I thought to myself that I couldn’t die yet because I hadn’t played Diablo III (among other important reasons). That’s how badly I’ve wanted this game. I’m healthy now and I’m FUCKING excited for Tuesday.

After 12 years, Diablo III is about to launch, people. Get. Fucking. PUMPED!11!11!!!

That is all.

Armiger · 2012-05-13T12:03:57.000Z

Fuck.

Greg_Vederman · 2012-05-13T12:05:57.000Z

Armiger:

Fuck.

Exactly!

MrCoffee · 2012-05-13T12:06:15.000Z

2 more fucking days.

Rock8man · 2012-05-13T12:08:55.000Z

I’m pretty pumped. It’ll probably get here from Newegg by next week. I’ve waited over 10 years, what’s another week?

But man, part of me has envy for those that aren’t into Diablo. They’ll have so much more free time compared to me. I’ll be putting a lot of time into this, and a lot of it will be heartache and pain. I only play Hardcore, so after the first playthrough, there will be a lot of heartache and pain.

I just hope that Hardcore Diablo 3 is not as hard to start off with as Hardcore Diablo 2 was. It wasn’t until patch 1.10, a few years after the release of Diablo 2, that they really got hardcore right. It was finally well balanced and hard enough that it was an incredible challenge, but easy enough that it felt like it was actually possible for me and my group of friends to beat.