Re: Account hacked using Blizzard's Password Reset Utility
- From: C J Campbell <christophercampbell@xxxxxxxxxxx>
- Date: Sat, 22 Nov 2008 07:36:47 -0800
On 2008-11-21 21:54:32 -0800, redvet <redvet@xxxxxxxx> said:
> Precisely. This happens over and over, but Blizzard blames the victim,
> citing all kinds of evil trojans, viruses, loggers, or whatever, but
> without being able to name a single one that actually does this dirty
> work. The real weakness is in Blizzard customer service, where someone
> there can apparently be persuaded to give just enough account
> information to someone requesting a password reset to enable a hacker
> to steal the account.
> What I found disturbing with regard to the customer service issue was
> a clear attitude of 'you got your stuff, now go away'. I would have
> thought, you know, some sort of investigation, beyond 'it's your
> fault'.
> If you have a moment.... What is this authenticator thingy people here
> have mentioned? How does that work? I assume there is a charge; is it
> a one time fee or is it attached to each billing cycle? - redvet
The Blizzard Authenticator is a SecureID token. This one is not connected to the computer; you enter the randomly generated one-time password manually. (RSA also makes tokens that connect to the USB port, but this one does not do that.)
They are usually used to verify that someone logging onto a network is authorized to do so. The level of security is higher than that of asking for a simple password, but in theory it can be beaten, perhaps by the sort of attacks that some here are claiming took place against my network. In theory, a SecureID token can be broken by a "man in the middle" attack, in which someone intercepts your randomly generated password, redirects it to someplace else, then uses it to log on in your place. He has to log on before the authentication key changes and before you can log on.
If someone were intercepting my email passwords in the manner that DaFox suggested, for example, they would also intercept the SecureID random number. A computer could redirect me to a screen that appears to be WoW, but perhaps with a notification that the server is down. Meanwhile that computer would log on to the real WoW server in my place. Redirecting me to another server also prevents the real server from receiving two simultaneous authentication requests, which, if the SecureID system is implemented properly, would cause the server to reject both requests.
So, by no means is it as foolproof as Blizzard's marketing department seems to think it is. However, breaking into the network does require a little more effort than just phishing a password (although a phishing scheme could also phish an authentication key from you and log on immediately, change your account information, and deny you access to your account; this would also avoid the problem of the legitimate server receiving two valid authentication requests simultaneously). It is also cheap. It costs only $6.50. With postage, I think mine came to $7.05. The biggest drawback, of course, is having to have the thing with you when you log on and having to type in a second password.
Personally, I am a bit of a security nut, which is one reason this thing is so irritating to me.
--
Waddling Eagle
World Famous Flight Instructor
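The real-time relay that the post above describes, worked through as an added example; this is not code from the original post and not Blizzard's or RSA's implementation. It stands in for the token's proprietary algorithm with the public HMAC-based one-time-password scheme (RFC 4226 HOTP keyed on a 30-second time step, as in RFC 6238), and it assumes a server replay rule of "one accepted code per account per time step, first request wins", which is one possible policy rather than a description of Blizzard's servers. The account name, password, token seed and timestamps are constructed sample data.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


STEP = 30  # seconds per time step (an assumption for the demo, not the token's real period)


def totp(secret: bytes, now: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP keyed on the current time step."""
    return hotp(secret, now // STEP, digits)


class AuthServer:
    """Password + OTP check with a replay rule: one accepted code per account per time step."""

    def __init__(self, accounts):
        self.accounts = accounts   # name -> (password, token seed)
        self.last_step = {}        # name -> time step of the last accepted login

    def login(self, name, password, otp, now):
        stored_pw, seed = self.accounts[name]
        if not hmac.compare_digest(password, stored_pw):
            return "bad password"
        step = now // STEP
        if not hmac.compare_digest(otp, hotp(seed, step)):
            return "bad otp"                 # wrong code, or the time window has rolled over
        if self.last_step.get(name) == step:
            return "replay rejected"         # this window's code was already spent
        self.last_step[name] = step
        return "ok"


class PhishingRelay:
    """Attacker's fake login page: forwards whatever the victim types to the real server
    at once, keeps the resulting session, and shows the victim a fake 'server down' notice."""

    def __init__(self, real_server):
        self.real = real_server
        self.attacker_result = None

    def login(self, name, password, otp, now):
        self.attacker_result = self.real.login(name, password, otp, now)
        return "The server is currently down. Please try again later."


def simulate():
    seed = b"constructed-demo-token-seed"  # constructed sample data, not a real token seed
    server = AuthServer({"waddling": ("correct horse", seed)})
    t0 = 1_700_000_000

    # 1. Real-time relay: the victim types the code into the phishing page; the attacker
    #    spends it first, so the victim's own retry with the same code is refused.
    relay = PhishingRelay(server)
    code = totp(seed, t0)
    victim_sees = relay.login("waddling", "correct horse", code, t0)
    victim_retry = server.login("waddling", "correct horse", code, t0 + 5)

    # 2. Delayed replay: in a later window the victim logs in directly first, so a code
    #    captured by a keylogger and replayed a few seconds later is refused.
    t1 = t0 + 2 * STEP
    code2 = totp(seed, t1)
    victim_direct = server.login("waddling", "correct horse", code2, t1)
    attacker_replay = server.login("waddling", "correct horse", code2, t1 + 3)

    # 3. Stale code: the same captured code after the window has rolled over.
    stale = server.login("waddling", "correct horse", code2, t1 + 2 * STEP)

    return {
        "attacker_relay": relay.attacker_result,
        "victim_sees": victim_sees,
        "victim_retry": victim_retry,
        "victim_direct": victim_direct,
        "attacker_replay": attacker_replay,
        "stale": stale,
    }


if __name__ == "__main__":
    for outcome, result in simulate().items():
        print(f"{outcome:16} {result}")
```

Scenario 1 is the point of the post: the replay rule only helps whoever reaches the server first, and a proxy that forwards the code the instant it is typed is always first. Scenario 2 shows what the same rule does stop, a code that is captured and reused after the legitimate login; scenario 3 shows the time window expiring. A phishing page does not need to break the token at all, it just needs the victim to type into it.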