Diablo III Hacking?

HardOCP News

[H] News
Joined
Dec 31, 1969
Messages
0
There sure seems to be a lot of people complaining about hacking in Diablo III. Have any of you had any issues?

A bunch of threads on the Diablo III forums from players who've experienced unauthorized access to their accounts suggest there may be a security issue with the action/RPG sequel or that the game's future support of real-money auctions has attracted more hacking attempts than one would consider normal.
 

beowulf7

[H]F Junkie
Joined
Jun 30, 2005
Messages
10,433
No I haven't had any issues. Then again, I don't have D3, so maybe that's why. :p
 

triarii3

Gawd
Joined
Jul 24, 2010
Messages
777
I use the authenticator app from bliz. The authenticator will remember your computer. It will only prompt for an authenticator password if you attempt to login from another computer.
There have been two instances since last Monday night where my authenticator password reprompted – which meant someone else on another computer had attempted to access one of my Blizzard games. Since I never had a problem with SC2. It could have been D3 heckers.
 

night_2004

2[H]4U
Joined
May 31, 2007
Messages
2,223
I wonder if that is related to the complaints I've heard from friends about Blizzard rolling their characters back to an earlier timepoint?
 

naninani

Limp Gawd
Joined
Jun 14, 2010
Messages
350
I highly suggest to use the authenticator and set the account to prompt for it on EVERY login.
 

Hornet

Supreme [H]ardness
Joined
Oct 4, 2005
Messages
6,625
There have been several claims on Blizzard's forum that they had this authenticator thing and still got hacked.

Also some rumors that the attack is through packet interception starting from list of users in the "Recently online players" in public games. They don't actually steal login credentials from Blizzard's system. There are certainly many claims that we should stay away from public games for the time being.
 

Sovereign

2[H]4U
Joined
Mar 21, 2005
Messages
3,098
I use the authenticator app from bliz. The authenticator will remember your computer. It will only prompt for an authenticator password if you attempt to login from another computer.
There have been two instances since last Monday night where my authenticator password reprompted – which meant someone else on another computer had attempted to access one of my Blizzard games. Since I never had a problem with SC2. It could have been D3 heckers.

This. I added the smartphone authenticator when I bought D3 because I figured with a (pending) real-money auction house, there would be a greater incentive for security shenanigans.
 

Langly

Supreme [H]ardness
Joined
Dec 23, 2002
Messages
4,492
Always use an authenticator on games like this. I've used one in all the MMOs that offer it now and it's a great solution for two factor authentication. After my cancelled WoW subscription was renewed with a stolen CC and my buddy texted me "you playing WoW again?" I put an authenticator on all my accounts I could and I've never had a problem since.

Quit being lazy and do it
 

Cruiza

[H]ard|Gawd
Joined
Mar 17, 2008
Messages
1,701
Yep, had my WoW account hacked years ago, and since then I've always used an authenticator. No reason not to if you have a smartphone.
 

ktk_ace

Limp Gawd
Joined
Apr 10, 2005
Messages
446
no online saves, no problems.

I'll laugh my ass off if one day they pull a sony server side blooper (ie BZ's servers gets hacked)
 

weebling1

2[H]4U
Joined
Aug 31, 2002
Messages
2,233
great

So I'm off to figure out the authenticator!

( it's not like the P2P downloader running from 2mb/s to 1 b/s then back and forth hassle and then trying get it thru my thick head that my account name was my email and NOT my battlenet name was enough rage....:rolleyes:)
 

Trimlock

[H]F Junkie
Joined
Sep 23, 2005
Messages
15,228
Figured with it being online only would pose some problems with hacking, but the authentication process getting bypassed too? Mind blowing!
 

FM_Fixxxer

Limp Gawd
Joined
Mar 2, 2012
Messages
303
There are plenty of people on the Diablo 3 forum who have the authenticator and have also been hacked also.

That's all bullshit. The ONLY way to get hacked with an authenticator is for them to HAVE the thing in their hand. I have the key fob auth, and it works wonders.
 

Sparky

2[H]4U
Joined
Mar 9, 2000
Messages
3,345
Don't all popular Blizzard games get hacked?
I don't have a WoW account and keep getting spoofed emails about my battlenet account has an unauthorized login and I need to login to fix it. I suspect that is 1 way they get your passwords.
 

InternationalHat

[H]ard|Gawd
Joined
Aug 13, 2004
Messages
1,481
That's all bullshit. The ONLY way to get hacked with an authenticator is for them to HAVE the thing in their hand. I have the key fob auth, and it works wonders.

There are a number of ways to hack a system like this. If you can steal the session, forge a certificate service (if encryption is used), or redirect traffic such as you appear as blizzard's server to the client and quickly forward the correct credentials to the server from a malicious client.

Most of them would rely on beneficial network topology or your local machine being compromised but it's still feasible.
 

Orddie

2[H]4U
Joined
Dec 20, 2010
Messages
3,215
There are two versions of the authenticator.

1) the digipass key chain & the smart phone app.
2) The phone call method.

Is it possible that those reporting getting hacked while having an authenticator, have the phone call authenticator?
 

metril

Limp Gawd
Joined
Jun 3, 2007
Messages
414
Someone tried to hack me. I have the smart phone app authenticator. How do I know? I got dc'ed from the game. Logged back in and everything was still there and a random letters guy happened to join my non-public game. Wasn't even on my friends list. I got dc'ed again and when I went back, I got a warning about incorrect password attempts.

Luckily, I was paranoid enough the first time to make my password even longer and change the authenticator to ask every single time.
 

MrWizard6600

Supreme [H]ardness
Joined
Jan 15, 2006
Messages
5,779
There are a number of ways to hack a system like this. If you can steal the session, forge a certificate service (if encryption is used), or redirect traffic such as you appear as blizzard's server to the client and quickly forward the correct credentials to the server from a malicious client.

Most of them would rely on beneficial network topology or your local machine being compromised but it's still feasible.

And none of them work if blizzard was properly asserting the signatures and keeping the TLS connection alive.

No, there's some crippling vulnerability in their infrastructure, more alarming because they haven't made a public statement I'd have to assume they haven't found it.
 

SGTGimpy

Limp Gawd
Joined
Oct 7, 2009
Messages
233
The Authenticator only helps to prevent unauthorized logins with your account. If the hacker is already on the server and they have somehow hacked past the two-form or found a hole to the server. Then once you login they have free access to your account. This is the same for any network servers using Two-Form Authentication. If the hacker is on the server then the two-form authentication is useless because they are already in your house, sitting on your couch, drinking all your beer.

This is what sounds like what is happening because it seems to only happen to people that are playing online or public games.
 

Trepidati0n

[H]F Junkie
Joined
Oct 26, 2004
Messages
9,237
Someone tried to hack me. I have the smart phone app authenticator. How do I know? I got dc'ed from the game. Logged back in and everything was still there and a random letters guy happened to join my non-public game. Wasn't even on my friends list. I got dc'ed again and when I went back, I got a warning about incorrect password attempts.

Luckily, I was paranoid enough the first time to make my password even longer and change the authenticator to ask every single time.

That probably means your machine is already hacked...you just didn't know it. Otherwise...how did they DC you ;)
 

Langly

Supreme [H]ardness
Joined
Dec 23, 2002
Messages
4,492
Also be careful guys if your account does get hacked. I had cancelled my WoW sub and it had been de-activated for 6 months. Account got stolen by a gold farmer, called blizzard support and got them to restore the account to what it was 6 months ago. They somehow restored my CC info and started billing me without telling me. I ended up calling fraud on the charges with my bank cause googling where it came from showed fraud, then blizzard called me saying they disabled the account lol :)

Still haven't gotten it re-enabled yet since I don't care
 

SGTGimpy

Limp Gawd
Joined
Oct 7, 2009
Messages
233
Na the authenticator is not BS. It is a tested and proven security protocol that is used in large enterprise corporations known as Two-Form Authentication. But again if the hacker is on your system or has somehow already hacked your server. Then the Two-Authentication is worthless because the hacker has already bypassed it. The weakest link in any network security infrastructure is always the user.
 

saitei

n00b
Joined
May 8, 2012
Messages
55
I've been playing MMOs and online games for years upon years and have never been hacked. I always attribute it to user stupidity.

Claiming that your computer is a sterile environment, is complete BS. Once you connect it to the internet, you have the HIV. When my parents get spyware, they claim they never clicked on any links, or downloaded something bad. I don't trust my parents when it comes to computers, so why should I trust a stranger on the internet that claims to be a rank 58 security specialist with a NSA developed firewall and perfect browsing habits?
 

SGTGimpy

Limp Gawd
Joined
Oct 7, 2009
Messages
233
I just did a quick Google search on this issue and all saying it is affecting users that play public on-line games. Which makes sense, there is probably a bug or hole in the public games that hackers have found that allows them to see your info. My suggestion, don't play open public games till Blizzard gets its head out of its ass. Then again that might be a very long wait. :D
 

Pieter3dnow

Supreme [H]ardness
Joined
Jul 29, 2009
Messages
6,784
It is rather weird but on RIFT it was the problem with the password buffer, overflow happened and people could log in with just grabbing the username/email.
I don't like Blizzard's attitude in games regarding security.
When I see the next PR piece on how they banned 25 billion hackers from their game and so on, it makes me sick ........
 

StryderxX

[H]ard|Gawd
Joined
Jun 22, 2006
Messages
1,452
Damn hackers fuck everything up. I just added the smartphone authentication and SMS alerts. Last thing I want is to put 30 hrs into D3 and have some a-hole take all my loot.
 

metril

Limp Gawd
Joined
Jun 3, 2007
Messages
414
That probably means your machine is already hacked...you just didn't know it. Otherwise...how did they DC you ;)

Not necessarily. A good example is WC3. There was a hack going around where you could disconnect people from your games as long as you were the host. Now, it could be related to the port scans that my router logged starting from a day after D3 was launched.

Not impossible that my machine was hacked. Just, very unlikely considering that I never connect to public networks and even when I was on campus, I ran my own firewall with custom configured ip tables and in/out bound enterprise grade antivirus on the firewall machine. I have a comparable setup at home.
 

Zomoa

Limp Gawd
Joined
Nov 28, 2011
Messages
242
I've been playing MMOs and online games for years upon years and have never been hacked. I always attribute it to user stupidity.

Claiming that your computer is a sterile environment, is complete BS. Once you connect it to the internet, you have the HIV. When my parents get spyware, they claim they never clicked on any links, or downloaded something bad. I don't trust my parents when it comes to computers, so why should I trust a stranger on the internet that claims to be a rank 58 security specialist with a NSA developed firewall and perfect browsing habits?

First you need an account worth hacking.
Second you need to play a blizzard game that has RMT involved (WoW or D3).
Third, wait long enough and get hacked. Most WoW accounts that get hacked are inactive accounts because there is a higher chance that the farmer will get away with it.

Blizzard has massive security problems and has for years. Before the authenticator was introduced, I've had several WoW accounts hacked multiple times when they were inactive. And to act all high and mighty with your judgment calls about my security is amusing.

The security problem is on Blizzard's server side. Period. I doubt anything meaningful will come from this.
 

saitei

n00b
Joined
May 8, 2012
Messages
55
First you need an account worth hacking.
Second you need to play a blizzard game that has RMT involved (WoW or D3).

I've had an account since Vanilla.

Blizzard has massive security problems and has for years. Before the authenticator was introduced, I've had several WoW accounts hacked multiple times when they were inactive.

You can still be phished for inactive account details.

And to act all high and mighty with your judgment calls about my security is amusing.

Ok.

The security problem is on Blizzard's server side. Period. I doubt anything meaningful will come from this.

Hearsay.
 

JosiahBradley

[H]ard|Gawd
Joined
Mar 19, 2006
Messages
1,791
So you're telling me the whole "Always online connection" DRM scheme (which Blizzard says isn't DRM) and is supposed to be the salvation from hacking and cheating isn't working!! So I can't play the game because I don't have an always on internet connection and if I do go to a cafe or something to play I now have to worry about hackers?

Why not just give me SAFE and EASY offline single player mode??? OR LAN play for when I want multi-player.
 

Godmachine

[H]F Junkie
Joined
Apr 7, 2003
Messages
10,472
And none of them work if blizzard was properly asserting the signatures and keeping the TLS connection alive.

No, there's some crippling vulnerability in their infrastructure, more alarming because they haven't made a public statement I'd have to assume they haven't found it.

This is what I believe is going on. This has been a growing problem for years. I've already posted my experience in the PC Gaming and Hardware thread about this very topic.

Having an authenticator doesn't remove you from being hacked when there is some kind of infrastructure problem going on. You are still logging into a service, you are not without an eco-system that is isolated but in fact shared by millions. There will always be a way to hack something like this.

And yet all we hear is this from Blizzard GM's (really all we've heard for years) :

Hey guys,

We are very aware of these reports and are taking them very seriously. Please keep an eye on the General Discussion forums as Community members will be posting something soon.

If you have been hacked, please contact Customer Service as soon as you can. In addition, using an Authenticator can help secure your account even more.
 

FM_Fixxxer

Limp Gawd
Joined
Mar 2, 2012
Messages
303
There are a number of ways to hack a system like this. If you can steal the session, forge a certificate service (if encryption is used), or redirect traffic such as you appear as blizzard's server to the client and quickly forward the correct credentials to the server from a malicious client.

Most of them would rely on beneficial network topology or your local machine being compromised but it's still feasible.

You'd have to have really pissed someone off to get them to go through all that effort. For gold farmers, or other gear/gold sales websites, this wouldn't even be feasible for them, as they'd have better luck, and more gain effort to time wise hacking non-auth'd accounts. Not only that, but if that were to happen, if you punched in your account info, pw, and auth number on a server that has fooled the client side machine into thinking it's blizz, it'd fail as a log in attempt, once failed, the key used in that attempt is invalid. So if they took that info they now have, and tried to get into my account, the auth key they have wouldn't work regardless. Hacked accounts with authenticators has not happened, there have been no posts with proof, just "OMGZ I was hacked and I has an authenticatorsz!" nonsense. The company that makes these fobs also makes an extremely similar system for bank vaults. It isn't hacked that easily, if it was, these people wouldn't be hacking blizzard accounts.

People are posting this "I have an auth and was hacked" nonsense just to bash blizzard or start flame wars or any other bullshit reason on the list. I refuse to believe that on all the forums/msg boards out there, there isn't a post with cold hard proof they were hacked with an auth on their account. It simply hasn't happened.
 

Oomps

Gawd
Joined
Sep 6, 2006
Messages
789
You'd have to have really pissed someone off to get them to go through all that effort. For gold farmers, or other gear/gold sales websites, this wouldn't even be feasible for them, as they'd have better luck, and more gain effort to time wise hacking non-auth'd accounts. Not only that, but if that were to happen, if you punched in your account info, pw, and auth number on a server that has fooled the client side machine into thinking it's blizz, it'd fail as a log in attempt, once failed, the key used in that attempt is invalid. So if they took that info they now have, and tried to get into my account, the auth key they have wouldn't work regardless. Hacked accounts with authenticators has not happened, there have been no posts with proof, just "OMGZ I was hacked and I has an authenticatorsz!" nonsense. The company that makes these fobs also makes an extremely similar system for bank vaults. It isn't hacked that easily, if it was, these people wouldn't be hacking blizzard accounts.

People are posting this "I have an auth and was hacked" nonsense just to bash blizzard or start flame wars or any other bullshit reason on the list. I refuse to believe that on all the forums/msg boards out there, there isn't a post with cold hard proof they were hacked with an auth on their account. It simply hasn't happened.

Uh, what kind of proof are you looking for? I don't think anyone has set up a video and say 'watch me get hacked'
 