Diablo 3 accounts hacked

I'll admit before I was laughing at people and thinking haha how can they get their accounts hacked, I've never done anything even remotely sketchy with any phishing websites or anything to that effect on my computer.

This is some serious shit.
 
Has anyone found the malware that is causing people to get hacked?

If not, it's probably not a malware issue, it's a session ID jacking issue.

Going to listen to the examiner? Sources?

I have not seen any credible proof that someone with an authenticator has been hacked.

I loved the forum posts of people claiming to have been hacked with one and being put on blast by a blue poster.

how is that not a valid source?

http://www.alexa.com/siteinfo/examiner.com
 
Going to listen to the examiner? Sources?

I have not seen any credible proof that someone with an authenticator has been hacked.

I loved the forum posts of people claiming to have been hacked with one and being put on blast by a blue poster.

Every time I hear about someone getting hacked they do not have an authenticator.
 
Has anyone found the malware that is causing people to get hacked?

If not, it's probably not a malware issue, it's a session ID jacking issue.


how is that not a valid source?

http://www.alexa.com/siteinfo/examiner.com


It's definitely not malware, spyware, trojan, or virus.

I can attest to it myself as I posted earlier. My friend got hacked, scanned his computer with every possible software that can look for them, and nothing.

Nada.

Zip.

Zilch.

No infection. No rootkit. No malware, virus, spyware, or trojan.

My friend only has the following accounts online: Skype, Steam, Silkroad Online (never hacked account, still plays it time-to-time), League of Legends, Blizzard/Battle.net (Starcraft II), and Relic (Company of Heroes),

He also has an account on Twitch.tv since he streams games he has on Steam on that site.

No other public forum accounts since he has no care about them including [H].

No accounts on Facebook or Twitter-- doesn't care about them.

No accounts on sites like Reddit, etc.

And, he uses Firefox with NoScript, and I've had him join OpenDNS a year ago. He also has updated virus definitions and Windows updates.

So, how in the world did they get into his account? According to him, his password is usually between 10 to 12 characters long. And, you'd have to have lived with him his entire life to figure out his passwords.

I am still going by session hijack-- server-side on Battle.net, not client side.
 
Every time I hear about someone getting hacked they do not have an authenticator.

Yo, seriously stop trying to spread your blizzard koolaid, you are misinformed and obviously brainwashed.

I have MANY user accounts and passwords for various OTHER things that have never ever gotten compromised and have never needed an authenticator. It just so happens that 2 weeks into this game, a user name and account that I own for it happened to get hijacked? WOW what a huge coincidence that is. But I bet it must not have anything to do with Blizzard. :rolleyes:
 
Yo, seriously stop trying to spread your blizzard koolaid, you are misinformed and obviously brainwashed.

I have MANY user accounts and passwords for various OTHER things that have never ever gotten compromised and have never needed an authenticator. It just so happens that 2 weeks into this game, a user name and account that I own for it happened to get hijacked? WOW what a huge coincidence that is. But I bet it must not have anything to do with Blizzard. :rolleyes:

All well and good, but that doesn't make their statement false.
 
Yo, seriously stop trying to spread your blizzard koolaid, you are misinformed and obviously brainwashed.

I have MANY user accounts and passwords for various OTHER things that have never ever gotten compromised and have never needed an authenticator. It just so happens that 2 weeks into this game, a user name and account that I own for it happened to get hijacked? WOW what a huge coincidence that is. But I bet it must not have anything to do with Blizzard. :rolleyes:

I don't care who it has to deal with. The point is people with authenticators aren't being "hacked."

That's FACT.
 
who is then credible enough to you ffs.



Yes no reason not to trust her journalistic integrity.

That and wading through the shit that is her past work...
 
See I haven't played a blizzard game since back in late 2007 when I finally quit WoW. That was right before they instituted the battle.net and authenticator stuff. So when I signed up for this and started playing I naively said "Nah, won't be me."

Well I learned my lesson, luckily I don't believe in having my bank account directly tied to stuff like this nor do I add an account of any type. If I do add an account it is usually attached to a CC that has been set up to send me notifications every time there is a transaction charged to it.
 
My wow account was previously which leads me to question their claims.

Now let me say something without it being taken the wrong way.

I have no reason to believe you based off that statement. You haven't provided any sort of proof, story, information, etc. Nothing to back up your claim.
 
Diablo is being hacked with Authenticators from what I have been reading!

They can hack your account through public games.
The hacker can somehow ping your location and set up a virtual environment of your computer.
Now this is the part that is a bit sketchy to me and peeps that own
Authenticators can clarify this.

Does the Authenticator only force the system to ask for the key 1 time?
For example:
You're at the log on screen and you put in your User name + password
then look at your Authenticator and put in the key provided.
Now for some reason 2 mins after you log in you get disconnected.
You're back at the log in screen, does the system ask for the Authenticator
key again or because only a short period has passed it bypasses
the Authenticator?

If it bypasses the Authenticator on a second log in then it's the perfect
time to get past the Authenticator.
Ping location through a public game, make a virtual environment of your
prey's location. Somehow mess with his connection to disconnect him.
Have a short time to log in and change his password.

Now how the hell are they getting people's User Names and Passwords?
 
You can set the Authenticator to be required for every login, although it is not by default. I'm not sure what conditions require me to use my authenticator and what conditions don't. Just to be on the safe side, I turned on always require on log in, and also set up SMS alerts.

It may be a pain, but so is using keepass to store all my passwords that are 12-16 characters in length with random symbols. I don't need my house to get robbed before I learn to lock my door and arm my alarm system every time I leave.

It sucks, most people just don't know about authenticators. I just realized most of my friends that aren't avid gamers probably don't know. I'll have to educate them on the matter. I have no pity for an account that gets hacked that didn't use an authenticator. For those that did get hacked while using an authenticator: my heart goes out to them, but I have yet to hear a concrete example where that was the case.
 
I have to admit I didn't realise you could do the authentication via a phone app, so that's me signed up. Not that I'm particularly worried about my level 5 barbarian, but still...
 
Instead of going all out with hardware fobs, SMS, phone calls, and custom programs for authentication, why doesn't Blizzard just send an auth code to the email address that the account registered to? Seems like it would be vastly simpler and less of a headache for 99% of the user base. Something akin to Steam Guard like Valve does... and if a login is attempted from a different IP address you'd get an auth code sent to your email as well regardless of if you had extra account security setup or not.
 
Instead of going all out with hardware fobs, SMS, phone calls, and custom programs for authentication, why doesn't Blizzard just send an auth code to the email address that the account registered to? Seems like it would be vastly simpler and less of a headache for 99% of the user base. Something akin to Steam Guard like Valve does... and if a login is attempted from a different IP address you'd get an auth code sent to your email as well regardless of if you had extra account security setup or not.

Because Blizzard can't sell emails for $7.

Hey, did I just start a conspiracy theory?
 
Breath_of_the_Dying Limp Gawd

I just beat the game and I'm not worried about getting my account hacked yet!
I was going to order a physical AUTH, but thanks for pointing out the free app.

The Battlenet app is free for android phones.
Need to create a Google Play account and download the App for FREE!

I even turned out my SMS which is done in the Battlenet account.
Which is Battlenet sending you a text message every time there is any
movement in your account.

This is a lot better than what I had hoped for!

I think someone needs to start a thread on this!
 
Instead of going all out with hardware fobs, SMS, phone calls, and custom programs for authentication, why doesn't Blizzard just send an auth code to the email address that the account registered to?

Well it took about 15 minutes for me to get the verification email when I registered the authenticator, I wouldn't want to be waiting for that every time I wanted to play. Although it could at least be an option I suppose.
 
Diablo is being hacked with Authenticators from what I have been reading!

They can hack your account through public games.
The hacker can somehow ping your location and set up a virtual environment of your computer.
Now this is the part that is a bit sketchy to me and peeps that own
Authenticators can clarify this.

Does the Authenticator only force the system to ask for the key 1 time?
For example:
You're at the log on screen and you put in your User name + password
then look at your Authenticator and put in the key provided.
Now for some reason 2 mins after you log in you get disconnected.
You're back at the log in screen, does the system ask for the Authenticator
key again or because only a short period has passed it bypasses
the Authenticator?

If it bypasses the Authenticator on a second log in then it's the perfect
time to get past the Authenticator.
Ping location through a public game, make a virtual environment of your
prey's location. Somehow mess with his connection to disconnect him.
Have a short time to log in and change his password.

Now how the hell are they getting people's User Names and Passwords?

You can set the authenticator to prompt every time you log in. You can also set it to prompt once a week randomly. However, with that, it will also prompt IF YOU LOG IN FROM A DIFFERENT COMPUTER.

So yeah, it's pretty secure.
 
I think you should do a little research before making blanket statements that are false.

Well the only reason I made this statement is because I own an Android Phone and not
an iPhone or blackberry to test the theory.
My android phone app was free if that's what you're getting at!
Unless I won the AUTH lottery!

The reason I think the other apps might be worth $$ is because there is a Q/A section.
One of the questions is "Why are Auth app different prices?"
 
Well it took about 15 minutes for me to get the verification email when I registered the authenticator, I wouldn't want to be waiting for that every time I wanted to play. Although it could at least be an option I suppose.

Not really. Most people use the same password for their email as their WoW game. So if bliz sends an email to your email account.. all the hacker has to do is login to webmail and they're off and running. The whole point is to set up a process where only one person can login. that person being the holder of a single piece of changing information... authenticator.

You can set the authenticator to prompt every time you log in. You can also set it to prompt once a week randomly. However, with that, it will also prompt IF YOU LOG IN FROM A DIFFERENT COMPUTER.

So yeah, it's pretty secure.

Not 100% true. The system should prompt you once a week regardless. I thought I read about some battle.net updates they did a year + ago where they changed the authenticator generated numbers to be valid for ONE successful login. Meaning if someone had the numbers and tried to login after you already logged in.. It would deny the request.


Well the only reason I made this statement is because I own an Android Phone and not
an iPhone or blackberry to test the theory.
My android phone app was free if that's what you're getting at!
Unless I won the AUTH lottery!

The reason I think the other apps might be worth $$ is because there is a Q/A section.
One of the questions is "Why are Auth app different prices?"

I just did a search on the app store located on my iPhone. The battle.net app is free. To my knowledge.. It has always been free.
 
Blizz should just require an auth or one time email codes activated to use the AH (not to use the AH every time, just the account is activated with it). That'd probably generate enough awareness so a majority of people would pick one up.
 
Blizz should just require an auth or one time email codes activated to use the AH (not to use the AH every time, just the account is activated with it). That'd probably generate enough awareness so a majority of people would pick one up.

and what about those who use the same password for their battle.net account as they do for their email?

without an authenticator... I do not see an email auth helping.
 
Not 100% true. The system should prompt you once a week regardless. I thought I read about some battle.net updates they did a year + ago where they changed the authenticator generated numbers to be valid for ONE successful login. Meaning if someone had the numbers and tried to login after you already logged in.. It would deny the request.

That's what I meant. Sorry if it wasn't clear, I did just wake up.

Far as I remember there are 2 options for the authenticator.

1. Prompt for every login.

2. Prompt once a week at random, also prompting if the account is logged in from a different computer.

I'm not sure how Vasco (I think that's the company doing the tokens) operates normally, but with RSA the token code has always only been valid for one login. That's the whole point of the security/authentication.
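
The single-use rule described in the posts above (a code stops working once it has been accepted for one login), as an added example that is not part of the thread and not Blizzard's or Vasco's code. The page does not say which algorithm the Battle.net authenticator uses, so RFC 6238 TOTP stands in for it; the account name, secret and timestamps are constructed.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds each code is current (RFC 6238 default; assumption)
DIGITS = 8   # code length (assumption, not taken from the thread)


def totp(secret: bytes, counter: int) -> str:
    """One-time code for a time-step counter (RFC 4226 truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class Verifier:
    """Server-side check that accepts each code for one login only."""

    def __init__(self, window: int = 1):
        self.window = window   # tolerated clock drift, in time steps
        self.secrets = {}      # account -> shared secret
        self.last_step = {}    # account -> newest time step already used

    def enroll(self, account: str, secret: bytes) -> None:
        self.secrets[account] = secret
        self.last_step[account] = -1

    def verify(self, account: str, code: str, now: float) -> str:
        secret = self.secrets.get(account)
        if secret is None:
            return "unknown-account"
        current = int(now) // STEP
        first = max(0, current - self.window)
        for step in range(first, current + self.window + 1):
            if hmac.compare_digest(totp(secret, step), code):
                # A correct code is still refused if its time step was
                # already consumed: a captured code cannot be replayed.
                if step <= self.last_step[account]:
                    return "replayed"
                self.last_step[account] = step
                return "accepted"
        return "invalid"


def demo():
    """Constructed scenario: owner logs in, then the same code is reused."""
    secret = b"constructed-demo-secret"
    server = Verifier()
    server.enroll("player1", secret)
    t = 1_337_000_000                       # constructed timestamp
    code = totp(secret, t // STEP)
    next_code = totp(secret, (t + STEP) // STEP)
    return [
        server.verify("player1", code, t),              # owner's login
        server.verify("player1", code, t + 5),          # same code, same step
        server.verify("player1", code, t + STEP),       # same code, drift window
        server.verify("player1", next_code, t + STEP),  # fresh code
        server.verify("player1", "00000000", t + STEP), # guess
    ]


if __name__ == "__main__":
    print(demo())
```

Without the `last_step` check, the second and third attempts would succeed, since the code is still inside the drift window.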
 
That's what I meant. Sorry if it wasn't clear, I did just wake up.

Far as I remember there are 2 options for the authenticator.

1. Prompt for every login.

2. Prompt once a week at random, also prompting if the account is logged in from a different computer.

I'm not sure how Vasco (I think that's the company doing the tokens) operates normally, but with RSA the token code has always only been valid for one login. That's the whole point of the security/authentication.

This is not RSA tech so we cannot compare the two. The licensing would be way too much for blizzard and there would be no such thing as a $7.00 authenticator.
 
Now let me say something without it being taken the wrong way.

I have no reason to believe you based off that statement. You haven't provided any sort of proof, story, information, etc. Nothing to back up your claim.

That's the problem. Nobody is going to believe it until it happens to them.

Anyway, I had stopped playing my WoW account for a few months after Wrath came out and I left the mobile authenticator tied to my account. When I went back to play around 6 months later, I found out that someone had replaced the linked authenticator with another one and that my characters had been transferred (Blizzard support told me the authenticator had been replaced a few months before this).

I had to fax in my driver's license showing that my name matched the one on the account to get the other person's authenticator removed from the account.

After all that they then told me that I could protect my account by using an authenticator and offered to mail me one for free...which made me slightly angry.

So either there was a way to get around the authenticator or they just called up support and got them to remove the authenticator without sufficient verification.
 
That's the problem. Nobody is going to believe it until it happens to them.

Anyway, I had stopped playing my WoW account for a few months after Wrath came out and I left the mobile authenticator tied to my account. When I went back to play around 6 months later, I found out that someone had replaced the linked authenticator with another one and that my characters had been transferred (Blizzard support told me the authenticator had been replaced a few months before this).

I had to fax in my driver's license showing that my name matched the one on the account to get the other person's authenticator removed from the account.

After all that they then told me that I could protect my account by using an authenticator and offered to mail me one for free...which made me slightly angry.

So either there was a way to get around the authenticator or they just called up support and got them to remove the authenticator without sufficient verification.

People will believe if credible evidence is provided.

And that's a completely different scenario. That's not what's happening here.

Someone still got enough information by other means to be able to do that. I don't know exactly what they need however. I've never done extensive testing or much to see what is needed to login. I can't even remember off the top of my head if it prompts you for an authenticator when you log into the battle.net website. I bet it does though.

A long time ago I had issues with my mobile authenticator. Forgot what happened exactly but I had to call in and get it removed. It was not an easy task and they required verification as you said.

The only thing on your scenario that I can say is it would be nice if Blizzard kept ticket records so they could see "okay so and so called in on may 15th and had the authenticator removed/changed/etc."

Not sure if they do or not as I've never asked or heard either way.

Also, Wrath came out almost 4 years ago. So a lot could've changed in Blizz security. Looks like the token was released about June of 2008, Wrath in Nov of that year. So it's very possible that in the year or so following that, even shorter, they could've made a bunch of changes to their systems and security policies. Know what I mean?
 
People will believe if credible evidence is provided.

And that's a completely different scenario. That's not what's happening here.

Someone still got enough information by other means to be able to do that. I don't know exactly what they need however. I've never done extensive testing or much to see what is needed to login. I can't even remember off the top of my head if it prompts you for an authenticator when you log into the battle.net website. I bet it does though.

A long time ago I had issues with my mobile authenticator. Forgot what happened exactly but I had to call in and get it removed. It was not an easy task and they required verification as you said.

The only thing on your scenario that I can say is it would be nice if Blizzard kept ticket records so they could see "okay so and so called in on may 15th and had the authenticator removed/changed/etc."

Not sure if they do or not as I've never asked or heard either way.

Also, Wrath came out almost 4 years ago. So a lot could've changed in Blizz security. Looks like the token was released about June of 2008, Wrath in Nov of that year. So it's very possible that in the year or so following that, even shorter, they could've made a bunch of changes to their systems and security policies. Know what I mean?


Yes the battle.net site requires the authenticator every time to login (as long as you have one on your account).

I had had to remove authenticators several times in the past. Sadly there are several ways to get this done and really depends on the rep.

There is ticket history in your battle.net account... Under support. I have everything listed under this account including phone conversations.
 
Funny how people have more security on their Battle.net account than for their own bank accounts...

Yep, nothing wrong here. Just holding it wrong I would assume.
 
Funny how people have more security on their Battle.net account than for their own bank accounts...

Yep, nothing wrong here. Just holding it wrong I would assume.

to date I know of no one who has been charged with hacking a battle.net account. Banks are regulated to have security and protection in place to track and charge each user who "hacks".

Let's all remember that blizzard is a game company. They are "regulated" to do nothing but gain $ for their stock holders.
 
to date I know of no one who has been charged with hacking a battle.net account. Banks are regulated to have security and protection in place to track and charge each user who "hacks".

Let's all remember that blizzard is a game company. They are "regulated" to do nothing but gain $ for their stock holders.

But an issue does arise when they now have CC and Bank/PP accounts linked to 'game' accounts.

The issue is, Blizzard should step up security as hacking has been an issue since WoW. Adding a RMAH is only going to make it worse.
 
It amazes me how Blizzard fans think their servers are not susceptible to hacking when banks and big companies get hacked all the time. The constant can't be Blizzard must be you is getting pathetic...just look around on the Internet, jeeezz....in these forums alone you're getting new people posting daily about being hacked and everything stolen?
 
Funny how people have more security on their Battle.net account than for their own bank accounts...

Yep, nothing wrong here. Just holding it wrong I would assume.

But an issue does arise when they now have CC and Bank/PP accounts linked to 'game' accounts.

The issue is, Blizzard should step up security as hacking has been an issue since WoW. Adding a RMAH is only going to make it worse.

My bank doesn't offer 2-factor authentication. If they did, of course I would use it. I would be stupid not to.

I still don't think we're seeing the full story. And I don't know the intricacy of Blizzard's security, nor do I think anyone here really does either.

All we have to go on is people posting about being "hacked" and Blizzard's responses. I'm sitting in the middle. Don't know anyone who's been hacked, especially with an authenticator. I also have to somewhat rely on what Blizzard tells me. I have no real reason to not believe them. Even if they knew of some security flaw they wouldn't announce it. That would just spread the fire further.

I can only hope that they're working to resolve whatever issues they may have discovered and continue to hope the authenticator stays secure.
 
But an issue does arise when they now have CC and Bank/PP accounts linked to 'game' accounts.

The issue is, Blizzard should step up security as hacking has been an issue since WoW. Adding a RMAH is only going to make it worse.

The fact that the RMAH isn't operating yet is probably why they haven't divulged anything past the standard boilerplate "you were phished" line. Which makes no sense when they follow that up with "records show no one else has logged on your account". So unless it's a bug wiping people's stuff out instead of hackers, they likely aren't required by law to mention any loopholes/breaches that may have/be occurring since there is no financial risk to anyone.
 