Re: Account hacked using Blizzard's Password Reset Utility
- From: redvet <redvet@xxxxxxxx>
- Date: Sat, 22 Nov 2008 15:48:16 -1000
On Sat, 22 Nov 2008 07:36:47 -0800, C J Campbell
<christophercampbell@xxxxxxxxxxx> wrote:
On 2008-11-21 21:54:32 -0800, redvet <redvet@xxxxxxxx> said:
Precisely. This happens over and over, but Blizzard blames the victim,
citing all kinds of evil trojans, viruses, loggers, or whatever, but
without being able to name a single one that actually does this dirty
work. The real weakness is in Blizzard customer service, where someone
there can apparently be persuaded to give just enough account
information to someone requesting a password reset to enable a hacker
to steal the account.
What I found disturbing with regard to the customer service issue was
a clear attitude of 'you got your stuff, now go away'. I would have
thought, you know, some sort of investigation, beyond 'it's
fault'.
If you have a moment.... What is this authenticator thingy people here
have mentioned? How does that work? I assume there is a charge; is it
a one time fee or is it attached to each billing cycle? - redvet
The Blizzard Authenticator is a SecureID token. This one is not
connected to the computer; you enter the randomly generated one-time
password manually. (RSA also makes tokens that connect to the USB port,
but this one does not do that.)
They are usually used to verify that someone logging onto a network is
authorized to do so. The level of security is higher than that of
asking for a simple password, but in theory it can be beaten, perhaps
by the sort of attacks that some here are claiming took place against
my network. In theory, a SecureID token can be broken by a "man in the
middle" attack, in which someone intercepts your randomly generated
password, redirects it to someplace else, then uses it to log on in
your place. He has to log on before the authentication key changes and
before you can log on.
If someone were intercepting my email passwords in the manner that
DaFox suggested, for example, they would also intercept the SecureID
random number. A computer could redirect me to a screen that appears to
be WoW, but perhaps with a notification that the server is down.
Meanwhile that computer would log on to the real WoW server in my
place. Redirecting me to another server also prevents the real server
from receiving two simultaneous authentication requests, which, if the
SecureID system is implemented properly, would cause the server to
reject both requests.
So, by no means is it as foolproof as Blizzard's marketing department
seems to think it is. However, breaking into the network does require a
little more effort than just phishing a password (Although a phishing
scheme could also phish an authentication key from you and log on
immediately, change your account information, and deny you access to
your account. This would also avoid the problem of the legitimate
server receiving two valid authentication requests simultaneously). It
is also cheap. It costs only $6.50. With postage, I think mine came to
$7.05. The biggest drawback, of course, is having to have the thing
with you when you log on and having to type in a second password.
Personally, I am a bit of a security nut, which is one reason this
thing is so irritating to me.
Mahalo to you both, CJ & Xymmie, I'll probably buy one after the next
hack. - redvet
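The attack CJ describes above (an attacker relays your one-time code to the real server before you can use it, while showing you a "server is down" page) is easy to see in code. The following is an added example, not part of the thread and not Blizzard's or RSA's code. It assumes the token behaves like an RFC 6238 TOTP generator (HMAC-SHA1, 30-second step, 6 digits) standing in for whatever algorithm the real Authenticator uses, and that the server refuses to accept the same step's code twice, which is the "reject the second request" behaviour CJ mentions. The seed, password and timestamp are constructed demo values, not real ones. The example goes one step beyond the post by also showing the case a token does defeat: a password phished earlier together with a stale code.

```python
"""Added example: an OTP token stops a replayed (stale) code but not a
real-time relay, and what rejecting a second use of the same code buys you.

Assumptions (not from the original thread): the token is modelled as an
RFC 6238 TOTP generator; the verifier tolerates one step of clock skew each
way and refuses to accept a given step's code twice. All values below are
constructed demo data.
"""
import hashlib
import hmac
import struct

STEP = 30                                           # seconds per code (RFC 6238 default)
DIGITS = 6
SEED = b"constructed-demo-seed-not-a-real-token"    # constructed, not a real token seed
PASSWORD = "correct horse battery"                  # constructed demo password
NOW = 1_700_000_000                                 # constructed fixed timestamp


def totp(seed: bytes, t: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) computed over the time counter t // step."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Verifier:
    """Server side of a password + OTP login with replay rejection."""

    def __init__(self, password: str, seed: bytes, skew_steps: int = 1):
        self.password = password
        self.seed = seed
        self.skew = skew_steps
        self.used_steps = set()   # time steps whose code has already been accepted

    def login(self, password: str, code: str, now: int) -> str:
        if not hmac.compare_digest(password.encode(), self.password.encode()):
            return "rejected: bad password"
        base = now // STEP
        for s in range(base - self.skew, base + self.skew + 1):
            if hmac.compare_digest(totp(self.seed, s * STEP), code):
                if s in self.used_steps:
                    # Same code presented again: either the attacker already
                    # spent it, or the victim is retrying after a relay. Refuse.
                    return "rejected: code already used"
                self.used_steps.add(s)
                return "accepted"
        return "rejected: bad code"


def stolen_password_only(now: int = NOW) -> str:
    """Attacker phished the password earlier but only holds a stale OTP."""
    server = Verifier(PASSWORD, SEED)
    stale_code = totp(SEED, now - 10 * STEP)        # captured five minutes ago
    return server.login(PASSWORD, stale_code, now)


def realtime_relay(now: int = NOW) -> tuple:
    """Adversary-in-the-middle: a fake login page relays password + OTP at once."""
    server = Verifier(PASSWORD, SEED)
    # The victim types both factors into the fake page, which shows
    # "server is down" while the attacker logs in with the captured values.
    captured_password, captured_code = PASSWORD, totp(SEED, now)
    attacker = server.login(captured_password, captured_code, now + 2)
    # The victim retries against the real server with the code still on the token.
    victim = server.login(PASSWORD, totp(SEED, now + 5), now + 5)
    return attacker, victim


if __name__ == "__main__":
    print("stale OTP with stolen password:", stolen_password_only())
    print("real-time relay (attacker, victim):", realtime_relay())
```

Run it and the stale-code case is rejected outright, while in the relay case the attacker is "accepted" and the legitimate user gets "rejected: code already used": the replay check does not save the account, it only tells the victim after the fact that someone else spent their code. That is the practical limit of any code-typed-by-hand second factor; only a factor bound to the real server's identity (the origin, as in FIDO-style authenticators) stops the relay itself.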