No Authenticator, No Diablo III Cash Auction House

Eri

The Light of Dawn
Feb 21, 2009
3,626
0
0
Lyri said:
Eri said:
Qitz said:
And yet, until they fix the Man-In-The-Middle attacks that people were already using to hack D3 this won't do any good.

It'll help SOME but if they're that desperate then yeah, they'll just use Session Hijacks or MITM for which the authenticators help none.
None of those ever happened for Diablo.
This actually did happen, it was reported on here that people were using session identifiers whilst afk in people's games in order to get access to account details and items.
I've tried to look for the news report on here but bringing up Diablo related references brings a tonne of results.
To that end, we've also seen discussions regarding the possibility of account compromises occurring in ways that didn't involve these "traditional" methods -- for example, by "session spoofing" a player's identity after he or she joins a public game. Regarding this specific example, we've looked into the issue and found no evidence to indicate compromises are occurring in this fashion, and we've determined the methods being suggested to do so are technologically impossible.
Straight from the mouth of blizzard.
 

Sean951

New member
Mar 30, 2011
650
0
0
Eri said:
Lyri said:
Eri said:
Qitz said:
And yet, until they fix the Man-In-The-Middle attacks that people were already using to hack D3 this won't do any good.

It'll help SOME but if they're that desperate then yeah, they'll just use Session Hijacks or MITM for which the authenticators help none.
None of those ever happened for Diablo.
This actually did happen, it was reported on here that people were using session identifiers whilst afk in people's games in order to get access to account details and items.
I've tried to look for the news report on here but bringing up Diablo related references brings a tonne of results.
To that end, we've also seen discussions regarding the possibility of account compromises occurring in ways that didn't involve these "traditional" methods -- for example, by "session spoofing" a player's identity after he or she joins a public game. Regarding this specific example, we've looked into the issue and found no evidence to indicate compromises are occurring in this fashion, and we've determined the methods being suggested to do so are technologically impossible.
Straight from the mouth of blizzard.
Don't bother, Blizzard hate is in vogue now, just behind EA and a bit ahead of Nintendo (though Nintendo gets it for wildly different reasons).
 

Ympulse

New member
Feb 15, 2011
234
0
0
Kordie said:
Let's look at how this RMAH affects hacking. It is important to first look at what the point of this game actually is. This game has 2 big things that define it, randomized dungeons and the RMAH. What this means is that the focus of the game is on finding items. Diablo games have always been a gear grind dungeon crawler. The actual game isn't that long, but then you get to farm bosses, make yourself stronger, and get better gear.

In D2 days, items had no value. How I mean that, is that there was no legitimate way to sell items, and as such in the designed system the items have 0 real value. This makes the game economy item driven, everything only has a value within the game. You farm items to trade for better items to help you farm more items. PvP aside, that is a big (some might say only) focus on the game. Dupers enter the picture and try to screw things up, as they always do. They try to control the in-game economy through duping and account hacking. With that control, they try to sell items online to give the items real value.

Now D3 enters the picture. Blizzard looks at the hackers from D2 and figures, if we legitimise item sales, then black market sites won't exist. If there's no point in black market sales then hacking won't be needed. That second line may seem odd to you, because it's completely counterintuitive. By creating a RMAH, Blizzard has given every item in the game an intrinsic value. Needless to say by legitimising the hackers' end game, it promotes the steps that get there. Instead of saying "hacking is bad, don't do it. we will not stand for it" Blizz has basically said "Hacking is bad, don't do it. But if you are gonna do it anyways, we want a cut."

Seriously, Blizzard saw what hackers did to D2 and came to the conclusion hey why don't we do that to our own game first? Well, surprise surprise the hackers are here too. The ONLY way a RMAH would be of any use is with a completely secure game. And as many have said, there's no such thing, hackers get into everything.

Now Blizzard's reply is to sell authenticators? This is like a win-win for Blizzard. They see a problem and now not only is it the customer's fault, but the solution is to give them more money. (Yes it's a free mobile app, but not everyone has a smart phone)

GG Blizzard, well played.
I'm just going to quote this on the off chance that it'll actually be read.

In other news, Blizzbots are more rabid than Bioware fans and more diehard than Valve fanboys.

I've got a bucket with holes in it that has the Blizzard logo stamped into the side. Guarantee it'll sell for at least $500
 

Lyri

New member
Dec 8, 2008
2,660
0
0
Eri said:
Straight from the mouth of blizzard.
Ah that would explain it I suppose, I saw an article on here regarding session IDs and I believe it was Blizz who suggested that was the possible problem, hence their investigation.
Thanks for digging up the follow up though.

Sean951 said:
Don't bother, Blizzard hate is in vogue now, just behind EA and a bit ahead of Nintendo (though Nintendo gets it for wildly different reasons).
Yes my discussion must be some kind of feverish rabid Blizz hate right?
TrueFax time: I don't own Diablo 3 and neither do I intend to, I own all the Warcraft 3 games and played WoW for a while, I even have an authenticator and threw money at them like the little cash shop whore I am.
So please, let us not assume that someone saying something that could be a negative as an attack on the company itself, that's just bad form.

I don't hate Blizz, I was just reading the thread and figured I'd hop in.
 

Ympulse

New member
Feb 15, 2011
234
0
0
Whee, double post.

Another thing people fail to understand is that Blizzard is a huge company with a lot of employees, and an IA department that has zero supervision placed over it. There are hundreds of stories from former WoW GMs wherein they took account information from work, sold it to 'hackers' and laughed three or four months down the line when they got fired for it, because they made a year's worth of money for an hour's worth of work.

That same company and those same people are now handling your D3 accounts. But hey, it's the end-user's fault because they didn't buy an authenticator. Because GMs can't disconnect authenticators from accounts or anything.

Hell, a good friend of mine (who was fired in the recent mass layoff) made damn near $200k last year doing just that.


Captcha: politically correct
 

Maniclings

New member
Jan 14, 2010
16
0
0
Blizzard sell the authenticators at cost, they make no money selling them at all. They lose money.

Gold farmers say the most common way people get into your account is from hacking forums for usernames and passwords. Don't use the same password for forums and other things that you use, forums really don't have great security.

The gold farmers also say they can't get info about players directly from blizzard.

So it seems that what goldfarmers are saying and what Blizzard is saying about the whole session id spoofing idea actually matches up (it's not happening, accounts are hijacked by traditional means of logging in with username and password). Who would have thought that a major company would follow the law and tell the truth to its customers.

http://www.youtube.com/watch?v=8NUQTATy5dc
http://www.youtube.com/watch?src_vid=8NUQTATy5dc&v=PWvHcoqru7I&annotation_id=annotation_954173&feature=iv

The people getting hacked were probably being hacked by bots, that is why only the most recently played character would be hacked and not every character. The biggest thing they are after is most likely the gold more than the items(you can't be sure people will have items worth anything but the gold will always have some market value) since the gold is shared there is no reason to go after more than one character, and the more accounts you can harvest in the least amount of time the more money you are going to make.

This would be happening if the RMAH existed or not, blizzard games are extremely popular and consumers have put real money value on the virtual items and gold in the game since D2 and WOW.

Blizzard want to keep their RMAH as secure as they can, requiring users to add a bit of extra security to their accounts to be able to use it, really doesn't translate as a major "OMG WHAT AN EVIL BAD MANNER COMPANY MAKING ME SECURE MY ACCOUNT TO MAKE REAL MONEY TRANSACTIONS IN THE GAME OMG OMG OMG RAAAAAH" If I was planning on using the RMAH I would kinda wanna make sure my account was as secure as possible, I think it is a good thing Blizzard has made this a requirement, unfortunately things cost money. Terrible I know.
 

Eri

The Light of Dawn
Feb 21, 2009
3,626
0
0
Ympulse said:
Whee, double post.

Another thing people fail to understand is that Blizzard is a huge company with a lot of employees, and an IA department that has zero supervision placed over it. There are hundreds of stories from former WoW GMs wherein they took account information from work, sold it to 'hackers' and laughed three or four months down the line when they got fired for it, because they made a year's worth of money for an hour's worth of work.

That same company and those same people are now handling your D3 accounts. But hey, it's the end-user's fault because they didn't buy an authenticator. Because GMs can't disconnect authenticators from accounts or anything.

Hell, a good friend of mine (who was fired in the recent mass layoff) made damn near $200k last year doing just that.


Captcha: politically correct
Uh no, they can't. And even if they could it wouldn't matter because they'd be caught. Blizzard has their own internal affairs division. If you go read the credits to their games you'll see them listed.
 

Ympulse

New member
Feb 15, 2011
234
0
0
Eri said:
Uh no, they can't. And even if they could it wouldn't matter because they'd be caught. Blizzard has their own internal affairs division. If you go read the credits to their games you'll see them listed.
Did you even read my post? Read it again. This time paying closer attention to the sentence with the acronym IA in it.

Done re-reading? Okay then. Those IA people you tout as defenders of the faith are human beings, just like you and me. And when someone is handed a roll of hundreds to keep quiet about a bit of backroom dealing, they look the other way nine times out of ten.

Blizzard is comprised of thousands of human beings, all who have their own identities and agendas.
 

Eri

The Light of Dawn
Feb 21, 2009
3,626
0
0
Ympulse said:
Eri said:
Uh no, they can't. And even if they could it wouldn't matter because they'd be caught. Blizzard has their own internal affairs division. If you go read the credits to their games you'll see them listed.
Did you even read my post? Read it again. This time paying closer attention to the sentence with the acronym IA in it.

Done re-reading? Okay then. Those IA people you tout as defenders of the faith are human beings, just like you and me. And when someone is handed a roll of hundreds to keep quiet about a bit of backroom dealing, they look the other way nine times out of ten.

Blizzard is comprised of thousands of human beings, all who have their own identities and agendas.
Well you've already decided it's all a big conspiracy that Blizzard's involved in. At that point, nothing I say would change your mind so I'm not even gonna bother debating it anymore.
 

Ympulse

New member
Feb 15, 2011
234
0
0
Eri said:
Well you've already decided it's all a big conspiracy that Blizzard's involved in.
That's one hell of a logical jump, my good sir. Are you practiced in logical gymnastics by chance? Bottom-tier employees making a living for themselves does not constitute a conspiracy.

But hey, whatever lets you sleep at night.
 

praus

New member
Jun 21, 2010
64
0
0
VladG said:
TsunamiWombat said:
I was very annoyed to discover the dial-in authenticator doesn't work for D3. I don't want the auction house, I just want -security-. I do not have a smart phone, and no, I am NOT paying extra to buy an extra product because YOU CAN'T MAKE YOUR GAME SECURE.
No, they are selling an extra security measure because you can't make your PC secure.

The only way to access an account is with the password. Everyone who got hacked had their password stolen
Ain't that the fucking truth. I played WoW for about 5 years and never once had a problem. My computer is pretty damn secure. The one time I logged into WoW on someone else's computer BAM, account hacked, all my stuff stolen.
 

Sean951

New member
Mar 30, 2011
650
0
0
Ympulse said:
Whee, double post.

Another thing people fail to understand is that Blizzard is a huge company with a lot of employees, and an IA department that has zero supervision placed over it. There are hundreds of stories from former WoW GMs wherein they took account information from work, sold it to 'hackers' and laughed three or four months down the line when they got fired for it, because they made a year's worth of money for an hour's worth of work.

That same company and those same people are now handling your D3 accounts. But hey, it's the end-user's fault because they didn't buy an authenticator. Because GMs can't disconnect authenticators from accounts or anything.

Hell, a good friend of mine (who was fired in the recent mass layoff) made damn near $200k last year doing just that.


Captcha: politically correct
I feel as though this would violate some federal laws in a pretty hard core way, but I'm too lazy to actually check that out.
 

rembrandtqeinstein

New member
Sep 4, 2009
2,173
0
0
It's just a game, it isn't my job. Not that I'm buying this stupid thing but how could they possibly make it any harder to play... the servers are already down 1 day a week for Blizzard's crapular maintenance schedule.

Meh, Torchlight 2 will be out soon, and so will Borderlands 2. A friend let me play his D3 and all I can say is nothing special about it at all. If anything the controls were more laggy than D2 which worked just fine when played on DIALUP.
 

Frostbite3789

New member
Jul 12, 2010
1,778
0
0
VladG said:
TsunamiWombat said:
I was very annoyed to discover the dial-in authenticator doesn't work for D3. I don't want the auction house, I just want -security-. I do not have a smart phone, and no, I am NOT paying extra to buy an extra product because YOU CAN'T MAKE YOUR GAME SECURE.
No, they are selling an extra security measure because you can't make your PC secure.

The only way to access an account is with the password. Everyone who got hacked had their password stolen
Because we all know that never happens from server side hacks. Ever.
 

ProtonGuy

New member
Apr 7, 2011
95
0
0
shadowstriker86 said:
people are still playing this game?
I agree with this fine forum user completely. The whole game kind of felt like a hiccup after act 1, boom, done, credits.
 

samsonguy920

New member
Mar 24, 2009
2,921
0
0
I'll be surprised that this goes a month before news of account thefts begin to occur. Authenticators are not foolproof, just an extra layer of defense. When it comes to the chance to rip people off for real money, you can rest assured there will be people with the motivation to go the extra mile.

Here's a tip: Drop your Blizzard account now. That's the only foolproof way.
 

Frostbite3789

New member
Jul 12, 2010
1,778
0
0
ToastiestZombie said:
I still don't get why this hasn't caused as big a fuss as the bloody ending to Mass Effect 3.
If it were an EA game, people would be rioting in the streets. But because it's by the Blizzard part of ActiBlizzard, people are mostly ok with it. Because Blizzard sometimes still pretends to love us.
 

Zenn3k

New member
Feb 2, 2009
1,323
0
0
shadowstriker86 said:
people are still playing this game?
They lost another one tonight.

Gotta farm hell for GOLD, to buy items off the AH, to progress in Inferno, it's soooo boring.

I figured out the problem with D3 however, nothing that drops is ABOVE your level, it's always below. Patch 1.03 is actually supposed to address this for Inferno only, but the problem remains in every other difficulty.

What happens when you find a good item, that says level 20 requirement, and you're level 17? You go, sweet, something to strive for! Except in Diablo 3, this doesn't happen, ALL the loot that drops is below your level, by design.

This is why level 60 requirement items don't drop in Hell, even though most people will probably hit 60 before finishing Act 4 Hell.

Just a small example, I played 5 minutes of Torchlight, and at level 5, an item for level 7 and level 8 dropped, suddenly I had a reason to progress, I wanted to level so I can wear that new awesome gear! Not once does this happen in Diablo 3, it's a fundamental flaw in the loot system that few have really recognized, but it's why everyone feels required to use the AH, to buy items FOR their level instead of 5 levels below it. And interestingly enough, as soon as you buy a few items for your level, you slaughter the content as the game intended you to do, instead of struggling.

D3 is broken at its core. This problem is currently even worse at Inferno difficulty, because nothing in Act 1 will drop that's really useful in Act 2, you need loot FROM Act 2 to kill anything IN Act 2. It's terrible.
 

zefiris

New member
Dec 3, 2011
224
0
0
Eri said:
Well you've already decided it's all a big conspiracy that Blizzard's involved in.
You clearly have no idea what a conspiracy is. The word you're looking for is corruption, not conspiracy.
And, uhm, if you know anything about business, you'd know it's far more common than most people are comfortable to admit.

You yourself are a part of the problem. You are lying to defend a company, without having any idea whatsoever if your white knighting has any merit - you don't even know the CONCEPT of what you are talking about and are apparently completely ignorant about corruption existing. And you are spreading your ignorance.

This is why companies get away with lax security in the first place. So good work. Your behavior makes it so there is no need for a conspiracy - just generic corruption. A blizzard employer selling a few user names is completely risk free. They will never be caught. How could they? At the end the user will be blamed, because it is impossible to prove that a user didn't have lax security in some way.

Edit: Obviously, user security is still at fault for most account compromises. It's never hacking, because you cannot brute-force a game (unless the game has no delay between attempts, in which case the company would be 100% at fault). It's likely something like 30% keyloggers, 65-69% phishing, and 1-5% Blizzard's fault.
 

Aprilgold

New member
Apr 1, 2011
1,995
0
0
CardinalPiggles said:
Good idea, if people put their items in the AH and a hacker sees it, he could either pay for it, or hack the account, hmm.

shadowstriker86 said:
people are still playing this game?
No, the servers are completely empty, so they're shutting them down in about a month or two.
Seriously, because that puts a smile on my face.

Windknight said:
So... they, make you be online to play the singleplayer cause they want to make people use the RMAH.... and then they impose a limitation on who can actually use the RMAH.

Not really seeing any sense here.
It's DRM, so it has no sense of any sort. Of course Steam is the exception for just being brilliant in how to make DRM without being so-so intrusive or stupid.

---------------------- ------------------------------- -----------------------------------

Dug themselves a hole with the Always Online thing, then dug themselves a grave with this stupid ass blockade on top of a blockade, good work Blizzard, good work.