People need to get a sense of what they are doing. Hell, the Chinese farmers themselves call those people out in the video. Those who risk it, are not too keen on security and don't care. IMO, those people have no one to blame but themselves if they use the same information across services. Basic security here folks and I find it hard to take someone who has been compromised in this fashion seriously when they deny it, and troll the community like what is happening ("it just has to be a breach it can be no other way!" *sigh*)
In my opinion, Blizzard does what they can as a business. They shouldn't be acting as people's Internet security advisor or monitoring accounts for authenticators. It's the user's responsibility and it should stay that way.
In terms of using location and authenticators, they use a method like that. If I log on somewhere that is not my home, it requires an authenticator.
I'm not going to dig around this entire thread or the one in the PC Hardware for my answer so I'm just going to get straight to it...
Dude wtf is your problem? Do you have a stick up your ass?
http://www.examiner.com/article/diablo-iii-an-authenticator-still-gets-you-hacked
Article on Examiner where the author claims to have been hacked with an authenticator.
Wow that dude has been hacked a lot. However, just as a devil's advocate, he never states what type of authenticator he has. There is a lot of mistaken identification going on since Blizzard has 4 types of authenticators. Would be nice to say which one he has as well as for Blizzard to change their naming schemes on their "authenticators".
You can download Winauth instead. It's like the smartphone authenticator app written to run on your PC. It was created for WoW 2 years ago. Fairly easy and it works great.
I use an algorithm for my passwords, figuring that it's possible that I cycled back around for my hacked b.net password to one that had been used previously on a message board. Would be at least 5-6 years back, thinking what gaming related forums I might have been using back then, either freelancer or simcity 4 modding. Not unreasonable to think a couple of those might still be sitting abandoned somewhere, especially if they are using old versions of phpbb with known exploits.
I haven't been rehacked in the interim despite not adding an authenticator, have switched to a longer more obtuse new password. Have also updated my algorithm so cycling won't occur, at least not within my lifespan.
Still think automatic account lock-down with an email unique hash release upon login from a new IP, as an option within the account control panel would be a nice add-on for people.
Or just remove the absurd shipping charges on authenticators for non-us customers. Just had a 135mm f2.8 lens shipped from the Ukraine for less than Blizzard wants to ship a tiny plastic lump to Alberta.
The guy is right though. Most users use simple passwords and share them across services. It's not a good idea. When one site gets compromised and a hacker finds your password, all of the other sites you use that password on are compromised as well. Some guy could hack a site you haven't used for 10 years, but if that site had the same password you use on Diablo 3, you're fucked. Blizzard did nothing wrong in that example.
You would probably be safer by having a different password for every site you ever visit and write it on a piece of paper hanging above your computer, than using the same password on every site you visit and not writing it down. You can control who sees your list, you can't control what sites get hacked.
Bottom Line:
Your Battle.net username and at least password, as well as the email account attached to it, should have a 100% unique password and not used on any other site, ever. Also make sure your security reset question is not stupid easy like "What's my dog's name? Hint: Spot", like I mentioned earlier.
Blizzard actually refused my rollback because there was no evidence anyone had logged in, even myself, when my stuff was lifted. There are also limitations in what they can steal, if they were phishing people and logging in they wouldn't be limited to a single character and a single stash page.
He'd be right if phishing was how they are accomplishing this act. Unfortunately for the majority, it's not.
It sounds like a bot to those who haven't seen the aftermath. It's hard to explain, but when you see how things are moved, what's left behind, it doesn't give the impression that's what they're using. This is part of the problem, it's hard to accurately convey to those who haven't seen it. I probably should have captured some video so I could show people but since they denied my rollback I went back to playing after finding an authenticator workaround.
This leads me to believe that this may be a bot of some sort. Of course it could be data loss (if that's the case, oh boy am I more nervous than a hacking).
If you believe the posters from the early information gathering threads, there are lots of them. Blizzard seemed to start giving benefit of the doubt as the numbers increased and stopped denying rollbacks. I think as time went on the calm people moved on though, most of what we see now are the crazy exploding complaints instead of calm information collection. Part of that is probably because Blizzard kept locking the posts. Since there was an official response from Blizzard they decided our issues were addressed and there was no need to keep discussing the problem.
I've only seen your case where Blizzard had no way to explain or comprehend what happened in your situation. Are there others? How do we know it's the majority? How do we know this isn't just phishing?
Maybe me concluding it to be a majority is premature, I can't really verify that without Blizzard letting me poke around their stuff. From a profiling standpoint though, it seems highly unlikely that every post I've seen (that wasn't obvious phishing) would have the same properties, and then two different causes. It doesn't seem likely to me that standard account compromise would look exactly the same as a weird 10% access exploit. I could be wrong, but I've been managing server security a long time and it just doesn't seem logical.
But what we do know (coming from someone who actually is in the "scene", the gentlemen from that interview I posted) is that there are a small minority that have been hacked in an entirely different manner. I think he said maybe 90% of hackings are a result of data mining from game community sites. The other 10% could really be anything, including exploits. It's odd that there seems to be some weird correlation between what Blizzard is saying and what that guy, whom Blizzard considers an enemy, is saying. It's quite comedic.
Totally agree. I think that making passwords case-sensitive and instituting a password expiry condition in there is all that is needed. That isn't really a lot of things to add, and it will shore it up.
Just have your account text message you when something weird happens, such as login from a foreign location or maybe they should do it how steam does it. They require you to enter a code when the location is questionable from the normal locations you log in from.
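The two suggestions made in this thread (lock the account on a login from a new IP until a unique code e-mailed to the owner is presented, and Steam-style code entry for unfamiliar locations) can be sketched as follows. This is an added example, not code from Blizzard, Steam or any poster; the `Account` class, the function names and the IP addresses are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60  # assumed policy: release codes expire after 15 minutes


class Account:
    """Hypothetical account record, constructed for this example."""
    def __init__(self, name, signup_ip):
        self.name = name
        self.known_ips = {signup_ip}
        self.pending = {}  # ip -> (sha256 of release code, expiry time)


def login(account, ip, now=None):
    """Call only after the password check has passed. Returns (status, code)."""
    now = time.time() if now is None else now
    if ip in account.known_ips:
        return "ok", None
    code = secrets.token_urlsafe(32)
    # Store only the hash, so a database leak does not expose live codes.
    digest = hashlib.sha256(code.encode()).digest()
    account.pending[ip] = (digest, now + TOKEN_TTL)
    # The code goes to the account's e-mail address, never back to the client.
    return "locked", code


def release(account, ip, code, now=None):
    """Unlock `ip` if `code` is the unexpired code issued for that IP."""
    now = time.time() if now is None else now
    entry = account.pending.get(ip)
    if entry is None:
        return False
    digest, expiry = entry
    supplied = hashlib.sha256(code.encode()).digest()
    if now > expiry or not hmac.compare_digest(digest, supplied):
        return False
    del account.pending[ip]        # single use
    account.known_ips.add(ip)      # later logins from this IP pass
    return True
```

A reused password taken from another site's breach gets an attacker past the password check but not past the lock, provided the e-mail account has its own unique password, as other posters in the thread recommend.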
http://www.examiner.com/article/diablo-iii-an-authenticator-still-gets-you-hacked
Article on Examiner where the author claims to have been hacked with an authenticator.
Yet, on Blizzard’s Battlenet, I have been hacked five times now.
Making them case sensitive alone would massively increase the potential password entropy.
If my math is right, using a 12 letter character password as an example with numbers and letters, just allowing upper case would increase the hack time, assuming brute force at 100 fucking TRILLION attempts per second... from roughly 13 hours to over a YEAR. I used a password in the double digits, unique to the battle.net. Since they needed to be online to even attempt it, that probably enormously limits the speed. Even if they somehow smashed the login at 10,000 per second, the password may as well outlive the actual human species' existence on Earth.
Brute force is likely an impossibility if your password had any semblance of strength, I'd guess there's another exploit in play. There's no timely way they could have guessed my password. I ran multiple scans afterwards and came up 100% clean with everything. I'm pretty sure my machine is clean outside of somehow contracting some brand new, hilariously sophisticated piece of work that is currently under the radar from basically everything and exists solely to attack battle.net accounts.
There has to be something else at play, because I don't see how it could make sense otherwise.
Interestingly enough, I just activated my copy of Diablo III last night around 6pm. Starting around 3am or so I started getting tons of spam from various gold selling sites for Diablo III. I've never gotten these before and the fact that I registered the game and suddenly started getting the spam really makes me wonder if the battle.net site is in fact compromised. Either way, I've changed all my passwords today from a different computer just to be safe.
Luckily it has not happened to me
No authenticator, and don't plan to get one because it doesn't seem they help this matter.
Hoping I don't get hacked! /roll
Are you talking about the general chat when you first login with the gold spam websites? That's completely normal.
Or are you talking about some gold spam website emailing you directly?
Well, a few weeks after playing this with the authenticator... I have yet to be hacked. Played in both private and public games. Basically playing it normally.
So if you do get hacked, you're not going to rage, right? Just going to make a post saying "aww shucks, guess I should have bought an authenticator?"
Another markeedragon video:
http://www.youtube.com/watch?v=8NUQTATy5dc&t=23m57s - link to the hacking portion
Diablo 3 Gold farmer. User is communicating with a text-to-speech program so "flow" is broken often. Stream from the farmer is included.
In addition, he explains how people are getting hacked.
1. "They do not hack people's computers. The passwords."
When they say they don't hack the computers, do you mean players or Blizzard?
"They hack forums and such, take the same e-mail and password and test it on Blizzard."
2. Specifically mentions certain websites. "It's easy."
3. Uses Facebook and other various websites, even non-Blizzard sites. Testing for "combo" lists use PayPal or Bank information and then can resell that information out. In short, these hackers hack the Blizzard sites and then can sell the other accounts.
4. What about Blizzard, are you able to get anything out of there? "No, Blizzard is bulletproof, logically."
5. Up to a million accounts phished in this way.
6. A lot of these forums that are getting compromised, are they getting compromised over and over again? "Yeah"
Most of the video is about farming. Figured I'd highlight what I heard.
I've read a few pages of this forum but have yet to see any single person mention that any other character besides their main was hacked. Looking at this logically, if the hacker had your log-in credentials.. why would they not take everything from every character on your account? (replies to this one should be amusing)
I think the single best thing you can do to protect your account:
Set up an email account specifically for this game. Never use it to send mail, but only to receive replies from blizzard. Also, use a password that is unique to battle.net only, and not some sports website that you happen to be a part of as well. If you play another battle.net game, set up another unique email address and password.
While the authenticator can provide a good deal of protection, I think in the majority of cases people are experiencing, it would have been useless. People that tell you the authenticator is the salvation are sheep just regurgitating what they have read somewhere else.
I suspect that when you 'quit a game' there is a network packet that is sent to kill your session that is being intercepted. The user then spoofs the credentials of the user that has logged off.. effectively becoming that character. They have access to that character and the stash of that character.. but do not have the ability to log off, and switch characters. My main was hacked, but my lvl 40 was not.
Seems to have died down quite a bit. The last couple weeks seems like a few people a day were getting hacked, now not so much.