Blizzard authenticator no longer safe?
Post by
diminus
Earlier tonight, I tried to log into my account. But my password was rejected several times. I checked to make sure I was spelling everything correctly and didn't have caps lock on. Everything was as it should be. And here's the clincher, I have an authenticator attached to my account. This makes me think that the Blizzard authenticators are no longer safe to use if they can be hacked around.
Post by
Leechesx
So were you hacked?
Did you eventually get logged on?
If you got logged on, was anything missing?
Your post jumps from "my password was rejected" to "Blizzard authenticators are no longer safe" very suddenly.
Post by
diminus
Sorry for that. No, I have not been able to log on yet. Going to give Blizzard a call in the morning to try to get my account back.
Post by
shipwreck
The authenticator is a security token, which is a device (or application) used to provide an extra layer of security beyond a simple password which could be guessed. I believe the Blizzard authenticator would be classified as a synchronous dynamic password token.
Security for authentication is an ongoing battle because of the value of accounts.
The system Blizzard uses is a system that has had vulnerabilities since it was conceived, but it's still a very popular type of token for many services around the world. It seems well-suited for adding a significant layer of security to an account at a very low cost (or none at all via software) for a client.
I think it would be prudent to understand the system a bit more before believing it's completely compromised.
Post by
frostely
> Earlier tonight, I tried to log into my account. But my password was rejected several times. I checked to make sure I was spelling everything correctly and didn't have caps lock on. Everything was as it should be. And here's the clincher, I have an authenticator attached to my account. This makes me think that the Blizzard authenticators are no longer safe to use if they can be hacked around.
Just because you can't verify your password doesn't necessarily mean your authenticator has been compromised. Most likely you may have forgotten/changed it. Less likely you could have been socially hacked, or someone accessed your account using your own authenticator. Unlikely that authenticators are compromised.
Did you have the keyfob or mobile authenticator? If mobile, is it a rooted Android?
> The system Blizzard uses is a system that has had vulnerabilities since it was conceived, but it's still a very popular type of token for many services around the world.
How so?
Post by
Gontier
> Earlier tonight, I tried to log into my account. But my password was rejected several times. I checked to make sure I was spelling everything correctly and didn't have caps lock on. Everything was as it should be. And here's the clincher, I have an authenticator attached to my account. This makes me think that the Blizzard authenticators are no longer safe to use if they can be hacked around.
Authenticators are not bulletproof, and never have been. It's an additional layer of security. Having an authenticator does not mean you can be reckless with your PC's security or have a low-security password; you can still have nasty backdoors/viruses/keyloggers in your PC that can access your information if you're not cautious.
Having said that, if it's a mobile authenticator you have, did you try resyncing it? If it fails to sync with your account then you'll be prompted with the "Invalid password" error which can be solved by resyncing it.
Post by
tialaramex
The mobile authenticator doesn't need to sync "with your account", all the synchronisation does is ensure that the mobile authenticator knows the correct time. The mobile authenticator software contains a shared secret, the one you entered into your B.net account when you set up the authenticator, and it combines that with the current time to produce the eight digit code shown on the screen. Blizzard knows the shared secret associated with your authenticator, and it knows the correct current time, so the login server can figure out the same eight digit code and check they match.
So long as you keep correct time (to within a minute or so) you won't need to "re-sync" ever.
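The scheme tialaramex describes, as an added example that is not part of the original thread: both sides derive the code from a shared secret and the clock, so a re-sync only corrects the device's idea of the time. It assumes the standard RFC 6238 construction (HMAC-SHA1, 30-second steps) with eight digits; the thread does not say which algorithm Blizzard actually uses, and the secret and timestamps are constructed test values.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds each code is valid (assumed; RFC 6238 default)
DIGITS = 8   # the post describes an eight digit code


def totp(secret: bytes, unix_time: int) -> str:
    """Derive the code from the shared secret and a clock reading."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def device_code(secret: bytes, device_clock: int, correction: int = 0) -> str:
    """Authenticator side. `correction` is all that a re-sync updates."""
    return totp(secret, device_clock + correction)


def server_verify(secret: bytes, submitted: str, server_time: int,
                  window: int = 1) -> bool:
    """Login-server side: recompute the code, tolerating +/- `window` steps."""
    for drift in range(-window, window + 1):
        expected = totp(secret, server_time + drift * STEP)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def demo() -> dict:
    secret = b"12345678901234567890"  # constructed: RFC 6238 test secret
    now = 1111111109                  # constructed server time
    slow_clock = now - 300            # device clock five minutes behind
    return {
        "in_sync": server_verify(secret, device_code(secret, now), now),
        "drifted": server_verify(secret, device_code(secret, slow_clock), now),
        "resynced": server_verify(
            secret, device_code(secret, slow_clock, correction=300), now),
    }


if __name__ == "__main__":
    print(demo())
```

The drifted device is rejected even though its secret is correct, which on the login screen looks the same as any other failed attempt.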
Post by
rabican1
> Earlier tonight, I tried to log into my account. But my password was rejected several times. I checked to make sure I was spelling everything correctly and didn't have caps lock on. Everything was as it should be. And here's the clincher, I have an authenticator attached to my account. This makes me think that the Blizzard authenticators are no longer safe to use if they can be hacked around.
What makes you think there is something with your authenticator? It sounds to me like someone/something changed your password.
I don't get challenged by the authenticator every time I log in. So if something has your password they can log in with it until they get prompted for the second authentication factor, aka your authenticator.
I suspect that in the end you will find your authenticator is working just fine. You have probably shared your credentials or have some malware on your PC.
Post by
Zuji
Someone jacked your authenticator and used it to play a prank on you.
The only attack the authenticator is currently known to be susceptible to is the Man-in-the-Middle scenario, e.g. eavesdropping on an unsecured WiFi network. However, that applies to all methods of authentication, so you'd have a lot more serious things to worry about in such a case than your WoW account.
Post by
Sarielais
> What makes you think there is something with your authenticator? It sounds to me like someone/something changed your password.
> I don't get challenged by the authenticator every time I log in. So if something has your password they can log in with it until they get prompted for the second authentication factor, aka your authenticator.
> I suspect that in the end you will find your authenticator is working just fine. You have probably shared your credentials or have some malware on your PC.
You don't get prompted for the authenticator if you have already authenticated on that computer and location, by default. That lasts for about 30 days, I think. If anyone tried to log in from any other location, it will require an authentication code. You can always disable that feature, so that it requires authentication each time you log in from any location, but that's a hassle and only useful if there are people at your location who could know your password.
It's possible the security system forced a password reset due to repeated failed attempts. Like you said, they can type in the password but the system will prompt the authentication each time they try to log in from an unauthenticated location. They should never be able to bypass that.
Post by
ElhonnaDS
I'm curious if the OP checked their characters on battle.net to see if anything was missing, or if there had been any changes in professions or servers. If nothing was changed, it likely wasn't hacked.
In nearly all cases, when an account is compromised that has an authenticator, it's because someone did it from the computer the person normally logs in from. Since the prompt only happens once a week on a computer that you have used the authenticator on, a roommate, spouse, friend, parent or child with access to your computer will often be able to change the password. It's usually more likely that someone else was on your computer than some random hacker went through the necessary steps (which from what I have been led to believe requires significant time and/or equipment and generally requires them to be somewhere in the vicinity of your computer) to get around your authenticator.
As other people have suggested, logging on from a new location might force a password change as well. There was a period of time where I had to change my password twice a month when I was visiting my boyfriend out of state, because every time I logged in it triggered a security thing. It was funny because my passwords over time changed in tone from "ButterflyKittens" to "RidiculousNonsense" to "&%^@&$*This" because I was so annoyed by it. This was back when you had to log in with the authenticator every time, though, so I'm not sure if they still do it.
Post by
Eccentrica
I myself have been hacked, with an authenticator on my account, on a secure wifi network. I don't share my account details with anyone, don't use my WoW email account for anything other than WoW, don't buy gold, don't visit nefarious sites. I only log on to WoW from my desktop, no one uses it but me, and I do run scanners.
On the occasion of my hacking I was playing the game, was dc'd and when I tried to log back in my password was not accepted.
The only explanation that makes any sense to me is that I must have picked up a nasty from WoWwiki. So yeah, it's entirely possible to have your account hijacked without doing anything clearly foolish.