PSA: Blizzard Authenticators now Vulnerable to Keylogging

[Samah]

And don't ask me how it does this - I have one and I can't figure out how it works).

The Blizzard authenticator uses a technology called SecurID [http://en.wikipedia.org/wiki/SecurID], which is what many banks and other financial institutions provide to their customers. The technology itself is VERY secure. However, most security systems are still vulnerable to a man-in-the-middle attack.
Doing a MitM attack with a keylogger is absolutely trivial and I'm shocked that it took this long for it to manifest. It's not that it "took them four years to crack", I'd say it's more like it was more effort than it was worth. Now that there is an increasing number of protected accounts, hackers have decided it's worth doing.
The problem is that the SecurID token is being used at an insecure location, ie. your PC. If you run an operating system that is a greater target for keyloggers and you don't have the latest antivirus software installed (assuming the latest AV updates can catch it), you have no guarantee that your system is secure. If you are using your SecurID token at a relatively secure location (such as an ATM or actually AT the bank), you're not going to have any problems.

Blizzard comes out with this stupid fucking device that you use to access your games, which the player has to pay for, but it promises that your account will be secured against account theft... Then, their ten-dollar cash-grab doesn't even fucking work?

From Wikipedia:

While RSA SecurID tokens offer a level of protection against password replay attacks, they might fail to provide adequate protection against man in the middle type attacks. In the attack model where an attacker is able to manipulate the authentication data flow between a user and the server, the attacker will be able to then forward this authentication information on to the server themselves, effectively masquerading as the given user. If the attacker manages to block the authorised user from authenticating to the server until the next token code will be valid, he will be able to log in to the server.

This is not Blizzard's fault, it is an inherent flaw in SecurID. SecurID is still in my opinion the best choice for account security. If you're running any version of Windows (given that it's the largest target for viruses), you would be rather silly to not be running some form of antivirus software anyway. If you still get hit with a keylogger, either you're not paying attention to your AV updates or you were unlucky enough to pick it up within the day or two before AV companies release a fix.

 

[Zer_]

Fuck, if it weren't for Squenix and GPG working on SuCom2, I'd say I've pretty much written off gaming entirely. All that's left is a smattering of indie developers and Nintendo.

Tried the demo for that? It's... well, without all the hate, I describe it as a pretty generic RTS.

Quasi-generic, but with some nice improvements. Ultimately though, more of the same-old is what the doctor ordered. Not looking for some ground-breaking changes like how Dawn of War 2 abandoned base creation, or Company of Heroes abandoned any pretense of the AI playing honestly... There is a demographic which I fall under, I don't know how large a group we are, but it's people who want more of the same. Some new guns or new units are nice, and a new collection of maps or levels to play in, but the same thing we enjoyed previously, we just want more of it. Give me a new campaign for Far Cry, maybe a new kind of rifle or pistol, and I'd be happier with that than I was with Far Cry 2 or Crysis. Release ten new maps and/or a working bug-free map maker for Sid Meyer's Railroads and you'd have a hard time pulling me away from the PC. And I can't even fathom how much time I'd blow playing Freelancer if the campaign was longer or there were 50% more systems to explore.

Do you ever not whine?

Thursdays. Apocalypse Lane mellows me out, it's hard to be bitchy when Obama starts singing "Respect".

The Authenticator is one of the best things that Blizzard ever did; The fact that it took four years to crack this thing - and even then, as people have illustrated above it's a haphazard in-between solution that gives the hackers 30 seconds to get in to your account - is tantamount to the fact that it's actually really, really secure.

My bank account is really, really secure. And just recently, my bank gave out new cards with these handy-dandy chips embedded in them to make it even MORE secure. Didn't have to pay ten bucks for the card, and if anything goes wrong with my account for reasons beyond my control, THEY have to make it right again.

Maybe Blizzard's authenticator wouldn't piss me off so much if it didn't cost the end-user, since we already have to pay monthly fees for the game. If you're charging for the software itself, then charging for monthly access, I'd damn well expect better security as part of the deal. But then, if you charge a further amount for that better security, it had better be 100% foolproof. 99% doesn't cut it, 75% doesn't cut it, 100%! Otherwise, if someone has the authenticator, and it fails, Blizzard had better be willing to refund the cost of the damn thing, plus refund the full amount paid for the services and software, because 3 years of gameplay can be wiped out faster than you can say "Mumorpeger".

Name any other computer developer that has put your account security as high as Blizzard.

Oh, and don't whine about SC2's release in 3 installments. It was either that or the game would've taken another 2-3 years to release, and if that was the case you'd be whining about THAT instead. So take your pick. Blizzard isn't going to rush a game out the door and I will stand by that kind of dedication any day. Of course you seem to be happy with half-finished games like Star Wars: The Force Unleashed or any other incomplete/buggy game you can think of.

Also, if someone wanted to hack your bank, they would. But fortunately to most would-be hackers out there, hacking a bank carries a lot more goddamn risk than hacking some dude's WoW account.

Oh yeah, speaking of Freelancer, you do know that it was one of those games that was released far too early, right? Oh sure Microsoft didn't help their case at all by putting pressure onto the developer, but hey at least it wasn't all that buggy. Had it been Blizzard who was developing Freelancer, you'd have a much larger game to explore.

 

[KeyMaster45]

*snip*

You are making a mountain out of a mole hill, the authenticator was 100% unhackable until this keylogger showed up, and the appearance of it was an inevitability when you consider how many hackers around the world devote their sad pathetic lives to fucking up someone's account for this game.

The Authenticator is one of the best things that Blizzard ever did; The fact that it took four years to crack this thing - and even then, as people have illustrated above it's a haphazard in-between solution that gives the hackers 30 seconds to get in to your account - is tantamount to the fact that it's actually really, really secure.

The authenticator has not been out for 4 years John, to my knowledge it was put into the blizzard store just last year. I'm more shocked that its been cracked so fast, but when you think about the supposed method being employed I'm shocked it wasn't thought of sooner. It ingeniously simple.

 

[John Funk]

*snip*

You are making a mountain out of a mole hill, the authenticator was 100% unhackable until this keylogger showed up, and the appearance of it was an inevitability when you consider how many hackers around the world devote their sad pathetic lives to fucking up someone's account for this game.

The Authenticator is one of the best things that Blizzard ever did; The fact that it took four years to crack this thing - and even then, as people have illustrated above it's a haphazard in-between solution that gives the hackers 30 seconds to get in to your account - is tantamount to the fact that it's actually really, really secure.

The authenticator has not been out for 4 years John, to my knowledge it was put into the blizzard store just last year. I'm more shocked that its been cracked so fast, but when you think about the supposed method being employed I'm shocked it wasn't thought of sooner. It ingeniously simple.

It's certainly been out for longer than that. But you're correct, it hasn't been 4, only 2.

I don't know why I was thinking 2006 instead of 2008.

 

[Eri]

But there is a security flaw, and people need to be aware of it.

PEBKAC, nothing is wrong with the device.

 

[KeyMaster45]

*snip*

*snip*

It's certainly been out for longer than that. But you're correct, it hasn't been 4, only 2.

I don't know why I was thinking 2006 instead of 2008.

I think you were thinking that because deep down we'd all like 4 years of guaranteed hack protection for our various gaming accounts.

Oh yes and one question I had. A trick I've been using for years is copy and pasting my password into wow so that if I did have a keylogger all the hacker would get is ctrl+v. Would that same method work with my authenticator code?

 

[Doc Theta Sigma]

*snip*

*snip*

It's certainly been out for longer than that. But you're correct, it hasn't been 4, only 2.

I don't know why I was thinking 2006 instead of 2008.

I think you were thinking that because deep down we'd all like 4 years of guaranteed hack protection for our various gaming accounts.

Oh yes and one question I had. A trick I've been using for years is copy and pasting my password into wow so that if I did have a keylogger all the hacker would get is ctrl+v. Would that same method work with my authenticator code?

Good point... Except the authenticator code is unique so you'd still be typing it down somewhere.

 

[Baron Khaine]

*snip*

*snip*

It's certainly been out for longer than that. But you're correct, it hasn't been 4, only 2.

I don't know why I was thinking 2006 instead of 2008.

I think you were thinking that because deep down we'd all like 4 years of guaranteed hack protection for our various gaming accounts.

Oh yes and one question I had. A trick I've been using for years is copy and pasting my password into wow so that if I did have a keylogger all the hacker would get is ctrl+v. Would that same method work with my authenticator code?

Good point... Except the authenticator code is unique so you'd still be typing it down somewhere.

With that method, you don't need an authenticator, just a text file hidden away somewhere.

Now if the tracked that down, then those are some damn dedicated hackers.

 

[Altorin]

Hey Funk, was that Thanks to Proteus214 for the Update? If it was.. wtf?

ehh, whatever, my life will go on I suppose.

 

[digotw]

Better yet, delete WOW from your hard drive and never speak of it again.

 

[fletch_talon]

*snip*

*snip*

It's certainly been out for longer than that. But you're correct, it hasn't been 4, only 2.

I don't know why I was thinking 2006 instead of 2008.

I think you were thinking that because deep down we'd all like 4 years of guaranteed hack protection for our various gaming accounts.

Oh yes and one question I had. A trick I've been using for years is copy and pasting my password into wow so that if I did have a keylogger all the hacker would get is ctrl+v. Would that same method work with my authenticator code?

Good point... Except the authenticator code is unique so you'd still be typing it down somewhere.

With that method, you don't need an authenticator, just a text file hidden away somewhere.

Now if the tracked that down, then those are some damn dedicated hackers.

I believe some keyloggers have the ability to take a screenshot when you make a keystroke. This is why you're solution isn't all that secure.
Basically when you press ctrl+C a screenshot is sent showing whatever it is you just copied.

 

[John Funk]

Hey Funk, was that Thanks to Proteus214 for the Update? If it was.. wtf?

ehh, whatever, my life will go on I suppose.

No, for the original post.

 

[Flawedhero]

So let me get this straight...

Blizzard comes out with this stupid fucking device that you use to access your games, which the player has to pay for, but it promises that your account will be secured against account theft... Then, their ten-dollar cash-grab doesn't even fucking work?

Between this, the splitting of Starcraft II, the huge delays on Starcraft II, the lack of LAN in Starcraft II, The whole "it's too colorful" fiasco of the still decades-away Diablo 3, and the new (and horrible) Battle.net system that is being forced on us for even single-player use AND webstore purchases... I have literally ZERO faith in this company these days, and my WoW plushie order that I am waiting on will probably be the last Blizzard product I ever buy.

So the boycott list to date is UbiSoft for their excessive DRM plan, 2K/Take2 for their DRM offenses which were most notable in the Bioshock series, the vast majority of EA titles for their criminal use of SecuROM and that travesty called EA Downloader, Valve for mandatory Steam, and Bungie for their refusal to make XP compatible PC games. Fuck, if it weren't for Squenix and GPG working on SuCom2, I'd say I've pretty much written off gaming entirely. All that's left is a smattering of indie developers and Nintendo.

Easy there, tiger. If you have a phone from this decade, chances are there is an authenticator program for $1 or free. Also, it works against 99% of all viruses; there is an entire one virus that does this.

Don't get me wrong, I'm no fanboy of anyone, they've done their share of stupid shit but you may very well just be overreacting a bit.

 

[acosn]

Research is your friend when trying to make an argument.

So let me get this straight...

Blizzard comes out with this stupid fucking device that you use to access your games, which the player has to pay for, but it promises that your account will be secured against account theft... Then, their ten-dollar cash-grab doesn't even fucking work?

A brief trip to the Blizzard store will tell you that the authenticator actually costs $6.50 USD. Digging further you'll find that the authenticator actually does still work (This is just one trojan) and beyond that the cost is actually to cover shipping and handling. Cash grab? What cash grab?

Between this, the splitting of Starcraft II, the huge delays on Starcraft II, the lack of LAN in Starcraft II, The whole "it's too colorful" fiasco of the still decades-away Diablo 3, and the new (and horrible) Battle.net system that is being forced on us for even single-player use AND webstore purchases... I have literally ZERO faith in this company these days, and my WoW plushie order that I am waiting on will probably be the last Blizzard product I ever buy.

Anyone complaining about delays from Blizzard games doesn't follow or play Blizzard games at all. Delays are to always be expected, and if you really want to nit-pick details how exactly can the release date get pushed back when Blizzard never gives one? The new Battle.net 2.0 system is all but identical to steam. I blame Blizzard for doing a poor job explaining it sufficiently but they've basically said that so long as the game gets initially authenticated you can play single player, AI, and the map editor in an "offline" mode. Gee. Sounds familiar, eh?

And yes, Blizzard is splitting SC2 into three games. But then, we're living in a world of sequels. There's Halo 3, god of war 3, GTA 5, COH 2.21, Madden 21, and such and so on. Blizzard is splitting the game into three so that they don't further delay it, but also not simply cut corners. Instead what you're getting is three individual campaigns that are each individually about as long as the entire single player game portion of SC was. Oh god they are so ripping you off brah! /sarcasm.

So the boycott list to date is UbiSoft for their excessive DRM plan, 2K/Take2 for their DRM offenses which were most notable in the Bioshock series, the vast majority of EA titles for their criminal use of SecuROM and that travesty called EA Downloader, Valve for mandatory Steam, and Bungie for their refusal to make XP compatible PC games. Fuck, if it weren't for Squenix and GPG working on SuCom2, I'd say I've pretty much written off gaming entirely. All that's left is a smattering of indie developers and Nintendo.

All aboard the baw train? With piracy getting pervasive in the PC world combined with the increasingly smaller player base companies need to go out of their way to protect their products.

Regarding the keylogger- It's a trojan. It feeds you a false error code and sends the correct one to another server which whomever uses it can then use to jack your account.

If you practice normal security measures on your computer (Firefox + noscript, anti-spyware like Spybot, and a non-crap anti-virus like Kapersky or AVG) this won't be a problem anymore than your run of the mill keylogger would be.

I've played WoW since it came out and I am still yet to be key logged.

 

[Zer_]

So let me get this straight...

Blizzard comes out with this stupid fucking device that you use to access your games, which the player has to pay for, but it promises that your account will be secured against account theft... Then, their ten-dollar cash-grab doesn't even fucking work?

Between this, the splitting of Starcraft II, the huge delays on Starcraft II, the lack of LAN in Starcraft II, The whole "it's too colorful" fiasco of the still decades-away Diablo 3, and the new (and horrible) Battle.net system that is being forced on us for even single-player use AND webstore purchases... I have literally ZERO faith in this company these days, and my WoW plushie order that I am waiting on will probably be the last Blizzard product I ever buy.

So the boycott list to date is UbiSoft for their excessive DRM plan, 2K/Take2 for their DRM offenses which were most notable in the Bioshock series, the vast majority of EA titles for their criminal use of SecuROM and that travesty called EA Downloader, Valve for mandatory Steam, and Bungie for their refusal to make XP compatible PC games. Fuck, if it weren't for Squenix and GPG working on SuCom2, I'd say I've pretty much written off gaming entirely. All that's left is a smattering of indie developers and Nintendo.

Easy there, tiger. If you have a phone from this decade, chances are there is an authenticator program for $1 or free. Also, it works against 99% of all viruses; there is an entire one virus that does this.

Don't get me wrong, I'm no fanboy of anyone, they've done their share of stupid shit but you may very well just be overreacting a bit.

Nah he really really hates Blizzard for some reason. I have yet to find any logical reason for it, but then again, hatred is rarely logical. I do <3 Khell, though, I'd have a few beers with the man.

 

[Altorin]

Hey Funk, was that Thanks to Proteus214 for the Update? If it was.. wtf?

ehh, whatever, my life will go on I suppose.

No, for the original post.

it's all good, my objection came off more serious then I meant for it to be

 

[Bigsmith]

I think blizzard need to add something else and i no exaclty what, when u go to log in u type in ur user name and pass word, ur authenticator is u have one. But then a numpad appears on screen with the numbers 1-9 on in a random order, u then using mouse only click in your 4 digit code with the order of the numbers changing every time u press one, in order to log in.
U would recieve this number as an email a few days b4 the system comes out.

anyone who has played Runescape members should no what im talking about. the runescape bank pin.

 

[WhiteTigerShiro]

Not worried, my authenticator is safely retired along with my copy of wow.

Sadly, the only way to be safe from having your WoW account attacked.

Frankly, I saw this coming a couple years back when I first heard about the Authenticator. Not that I don't applaud the effort, the authenticator is an awesome idea (though I don't want a lot of companies to start using the idea, lest I be running around with 20+ authenticators), but I knew it would only be a matter of time before the gold farmers found a way around it.

But again, as the MMO Champion article says, it isn't any reason to not have an authenticator... at least for the time being. Those gold farmers are tenacious little fucks, so we can (uneasily) rest assured that this is only the scouting party, with the army just beyond the horizon.

 

[jerrrry]

My bank account is really, really secure. And just recently, my bank gave out new cards with these handy-dandy chips embedded in them to make it even MORE secure. Didn't have to pay ten bucks for the card, and if anything goes wrong with my account for reasons beyond my control, THEY have to make it right again.

Maybe Blizzard's authenticator wouldn't piss me off so much if it didn't cost the end-user, since we already have to pay monthly fees for the game. If you're charging for the software itself, then charging for monthly access, I'd damn well expect better security as part of the deal. But then, if you charge a further amount for that better security, it had better be 100% foolproof. 99% doesn't cut it, 75% doesn't cut it, 100%! Otherwise, if someone has the authenticator, and it fails, Blizzard had better be willing to refund the cost of the damn thing, plus refund the full amount paid for the services and software, because 3 years of gameplay can be wiped out faster than you can say "Mumorpeger".

There is no such thing as a 100% secure system. Enough time and money (and ingenuity) can break any system. A system is also only as strong as it's weakest part. In the case of WoW authenticator, the weakest link is arguably the Windows OS. They have done a lot to make it a non-trivial issue to crack someone's WoW account, but there's plenty of ways to get into a person's computer to see what they are doing or take control, so for any way they try to make it more complex to log in to WoW on your PC, there will be ways to break the system for people who want to badly enough.

By the way, your bank account is secure partially because you don't insert your debit card into your PC. If you used online banking (which is currently very popular and has much more at risk then a WoW account...at least for people with what most would consider normal priorities in life) then it would not be much more difficult for someone with a key-logger on your system to get your account ID and PIN for your bank account. If you are not careful with your system, bad things can happen no matter what anyone else does to try and guard their software against it.

 

[FBPH]

All that's left is a smattering of indie developers and Nintendo.

You talk about Blizzard making a cash grab, what about Nintendo making you buy mountains of plastic crap every month for some new game that just ends up gathering dust.

I don't think there are many publishers with Blizzard's track record of extremely polished and enjoyable games.
May take a longer time but it is worth it

All they made was a wheel,motion plus,wii mote and a nun-chuck. You're talking about the 3rd party stuff.

What about the mandatory Motion Plus for certain titles? What about the Wii Fit? Or the weird health sensor thing coming up? Hell the Wii "controller" is a wiimote + peripheral nunchuk.

A lot of new title will be needed it. So it's not a waste. What about the Wii fit? Play Skate it or Shaun White. They are a blast. Not out yet so I have no comment. And...you need those to play the games. What about them?

Well seeing as those peripherals are needed, wouldn't that be more of a cashgrab? And I had only intended to give other examples of official Nintendo peripherals