(06-12-2012, 11:43 AM)Elric of Grans Wrote: Authenticator is free software. Since it is essentially a second password that changes every time you log in, it would be improbable someone would bother dealing with it just to harass some gamers. Seriously, if you have that kind of time and ability, break into the FBI or something! Situations like Sony and Steam involved real money and credit cards, not gold and armour; there is a huge difference in motivations here.
Yeah, some man-in-the-middle attacks were used to get around the authenticator on WoW accounts a couple years ago, and those are the only known B.net hacks involving authenticators. Blizzard has put in some countermeasures of some kind (no details) and we haven't seen even man-in-the-middle be used against them for some time. Keep in mind man-in-the-middle still requires the client computer to be compromised so the network traffic at login can be redirected to where the hackers want it. The only other way around the authenticators would basically involve someone compromising the authenticator's algorithm that it uses to arrive at the realtime code using its base key and someone finding out said key attached to the account; i.e. reverse-engineering the authenticator process itself. If they get that info, then, well, they'll have everything else, anyway. And, no one's going to put out that kind of effort for some profit in virtual gold. That kind of thing was done at Lockheed for defense stuff.
With all the people out there w/o authenticators and that huge bunch of passwords and emails to try, the hackers aren't going to bother with going around authenticators. They can't 'keep' the account, they can only trade stuff off the account for one session.
Quote: Is it really so implausible that Blizzard would lie about something like that? They sell the game, and they sell the authenticator (at least I think they do?), so they have to lose a lot here. Many other companies that got hacked in the past tried to cover up the event, and only admitted it after proof became undeniable.
I think it's very implausible. It's simply not something Blizzard would want to risk their reputation on. When the authenticators were gotten around with a man-in-the-middle attack a few years ago, they disclosed it. In 2001, when B.net got hacked, they disclosed it. They also sell the authenticators, if you get a physical one, for the shipping cost. They lose money on them, but they make it back on customer service costs in accounts they don't have to restore. They're definitely not using authenticator sales as a money-making thing.
It's one thing to have a breach. If you have one and disclose it as soon as you know, many users will accept that and continue to be customers. Trion and Steam have gone through this recently. Try to cover it up, and disclose it only when found out, and you have Sony. They're still dealing with that because they handled it badly.
With their history on dealing with B.net hacks in the last five years, I'll give them the benefit of the doubt on this. I've done forensics on a few people's machines after they got hacked that, according to the user, 'had to be' Blizzard's fault. In every case, they either had a compromised machine, or after asking some questions, it was the same password as another previously compromised account, as is being used for D3.
As well, I haven't had any issues myself. If Blizzard had ways for the hackers to get info out of their databases, the small numbers getting hacked now would become a huge flood. I know they look like a big number now, but as a percentage of accounts, it's very small. And you're talking not just D3. You're talking SC2, WoW and D3 all use the same authentication database. If Blizzard was hacked, I'd expect 5-10% of all those accounts to be taken, not 0.01% or 0.1% of new no-authenticator B.net accounts. There'd be no way to hide a breach of that size.
I work in IT security for a local college, and know how (in)secure the average user is with passwords and the like, and how gullible people are to phishing emails. It's absolutely amazing how otherwise smart people, with degrees even, totally lose their minds when presented with an email telling them to enter their credentials or get their accounts closed.
--Mav