Diablo III Hacking?

Nytegard

2[H]4U
Joined
Jan 8, 2004
Messages
3,603
i think what we need to focus on here is what blizzard has said in there blue post response.



I know there are users on this very forum that suggest they had a token on there account before it was hacked. I'm not sure what to believe other then my own XP on this. On one hand we have people saying "I had an authenticator and was hacked", and the other is saying "we have yet to investigate a compromise report in which an authenticator was attached beforehand". I personally have had an authenticator on my account since they came out with them and have had NO issues with my account. Been playing wow for 4 years, starcraft since it came out (2 years?) and now diablo.

Quite honestly, probably neither party is completely honest in this respect. There probably are people who say they have an authenticator and do not, or people who have an authenticator, yet their PC's are comprimised.

At the same time, it's not in Blizzard's interest to admit fault if there is a problem with how their security is set up. An admission of fault would cause a massive loss in trust, and cause who knows how much havoc.
 

Orddie

2[H]4U
Joined
Dec 20, 2010
Messages
3,215
Quite honestly, probably neither party is completely honest in this respect. There probably are people who say they have an authenticator and do not, or people who have an authenticator, yet their PC's are comprimised.

At the same time, it's not in Blizzard's interest to admit fault if there is a problem with how their security is set up. An admission of fault would cause a massive loss in trust, and cause who knows how much havoc.

I see your point but banks do it all the time (admit security breach) and yet people still bank with them (you can throw any number of examples at this).

so lets say blizzard servers do have an issue. The unanswered question still remains. Why are the "hackers" not exposing every account to this exploit?
 

Nytegard

2[H]4U
Joined
Jan 8, 2004
Messages
3,603
I see your point but banks do it all the time (admit security breach) and yet people still bank with them (you can throw any number of examples at this).

so lets say blizzard servers do have an issue. The unanswered question still remains. Why are the "hackers" not exposing every account to this exploit?

It's not quite the same though. You're insured with the bank. Worst case scenario, you get your money stolen, the banks have to replace it.

You get hacked in Diablo 3 twice? Your account is closed.

It's about the panic that's generated, and trying to control the panic. Leaked worries are typically the last thing any company wants to generate, especially if it will affect their bottom line.
 

sfsuphysics

[H]F Junkie
Joined
Jan 14, 2007
Messages
15,191
You get hacked in Diablo 3 twice? Your account is closed.
And probably in the EULA that you're forced to agree to that you are not entitled to any sort of compensation as a result (i.e. fine close my account give me my $60 back)
 

Orddie

2[H]4U
Joined
Dec 20, 2010
Messages
3,215
And probably in the EULA that you're forced to agree to that you are not entitled to any sort of compensation as a result (i.e. fine close my account give me my $60 back)

A practice becoming more and more common with all software these days. I cant remember the last time i bought software and was able to return it (minus hacked software on ebay that i got my refund for after proving it was not legit).
 

bloodhawke83

I Strike Fear into the Hearts of the Masses
Joined
Oct 8, 2010
Messages
8,382
btw, last year when I updated my smartphone and flashed the old one with a newer rom the authenticator app was also wiped. I called into Blizzard and they removed the authenticator on my account and it really didn't take to much personal info to remove it.

Hackers can just call into Blizzard and remove the authenticator.
 

Oomps

Gawd
Joined
Sep 6, 2006
Messages
789
btw, last year when I updated my smartphone and flashed the old one with a newer rom the authenticator app was also wiped. I called into Blizzard and they removed the authenticator on my account and it really didn't take to much personal info to remove it.

Hackers can just call into Blizzard and remove the authenticator.

They usually require you to fax your drivers license or something. However, someone changed mine on my WoW account before, so I guess there are some loopholes somewhere.
 

LordCalin

Gawd
Joined
Oct 5, 2009
Messages
901
They usually require you to fax your drivers license or something. However, someone changed mine on my WoW account before, so I guess there are some loopholes somewhere.

Just depends who you get on the phone it seems, i've heard of people needing cd-keys of something tied to the account, drivers licenses, other forms of id ... i've heard others who needed nothing

Myself when my phone was stolen so I called to get it removed from my account, they asked for the cd-key of an installed app .... and warned me you can only get an authenticator removed from your account once without having the serial number of the auth.

Since then i've backed up my serial number in 6 places so re-installed my phone every week doesn't matter
 

Orddie

2[H]4U
Joined
Dec 20, 2010
Messages
3,215
I first used the iphone software and quickly found that doing a reformat of the phone and reinstall changes the key. I had to call into there customer service to remove the app and had to provide them the classic wow cd key (this is after i answered all the security questions). It was @ that point i decided to spend the $5.00 for the authenticator.

It's very hit or miss.
 

bloodhawke83

I Strike Fear into the Hearts of the Masses
Joined
Oct 8, 2010
Messages
8,382
They usually require you to fax your drivers license or something. However, someone changed mine on my WoW account before, so I guess there are some loopholes somewhere.

They ask about your wow account and levels of some toons and classes.

With real id, can they just look up all your toons by email?
 

sfsuphysics

[H]F Junkie
Joined
Jan 14, 2007
Messages
15,191
A practice becoming more and more common with all software these days. I cant remember the last time i bought software and was able to return it (minus hacked software on ebay that i got my refund for after proving it was not legit).

I'm not talking about returning software, I'm talking about getting a refund for them closing your accounts on something that is decidedly not your fault and a problem with THEIR security.
 

darkpaw

2[H]4U
Joined
May 29, 2008
Messages
2,279
This thread definitely piqued my interested, so when I got home tonight I did some testing. I have to say, it would be plausible to find a way to exploit either the authentication system or the player ID. The session is not encrypted, only encoded. Your username is transmitted in plain text. Authentication appears to use a challenge/response method, but I haven't quite figured out what yet. The most interesting bit to me is that every data packet sent has the first 9 bytes the same. This persisted across sessions so it is obviously the unique identifier for the player.

I find the complete lack of encryption to be a bit discerning personally. If someone can figure out their challenge/response protocol or how to use the player ID without authenticating at all, it would be quite easy to hijack accounts.
 

burnin8r

[H]ard|Gawd
Joined
Nov 19, 2006
Messages
1,211
my account just got locked.

I got a chat request through gmail from someone I didn't know, didn't play at all yesterday, and woke up this morning to a lockdown email from Blizzard.
 

Orddie

2[H]4U
Joined
Dec 20, 2010
Messages
3,215
I'm not talking about returning software, I'm talking about getting a refund for them closing your accounts on something that is decidedly not your fault and a problem with THEIR security.

But you used the software. That's like asking a company to refund you for the purchase amount because there software no longer runs on windows 7 and your not willing to upgrade. It simply does not happen. I understand why they close your account. It will cost them more to pay someone to continue to restore your account then it would to simple close your account. Simple put.. If you do not like there business practice.. Don't buy.

my account just got locked.

I got a chat request through gmail from someone I didn't know, didn't play at all yesterday, and woke up this morning to a lockdown email from Blizzard.

As others have suggested.. Use different accounts. Gmail is free. I suggest you create a new gmail account and register your battle.net account information too it. Gmail will allow you to forward all email from that account to any other account for free. So in my case.. I have a separate gmail.com account for my wow / star craft / Diablo account and forward it all to my main gmail account. I also use a different password and have the authenticator. I have yet to have any issues on my account using this method.
 

Nytegard

2[H]4U
Joined
Jan 8, 2004
Messages
3,603
I have yet to have any issues on my account using this method.

One small problem with this logic is that there are many people who have yet to have any issues on their account without this method. There probably are people right now with keyloggers installed on their system who might never have any issues. A lot of being hacked involves bad luck.

I agree with a previous user though that something will need to be done in the future to protect the customers right. We may not own the software, but contracts will need to become a little less one sided.
 

Orddie

2[H]4U
Joined
Dec 20, 2010
Messages
3,215
We may not own the software, but contracts will need to become a little less one sided.

Will Never happen IMO for the following question. Why would a company who fronted all the cash and resources put them selves at risk for giving some of there income back after the product was already used?

If you were a software developer you would want to ensure your protected against any kind of return as much as possible. that's a major driving point behind making a rocking good product the first time around.
 

Nytegard

2[H]4U
Joined
Jan 8, 2004
Messages
3,603
Will Never happen IMO for the following question. Why would a company who fronted all the cash and resources put them selves at risk for giving some of there income back after the product was already used?

If you were a software developer you would want to ensure your protected against any kind of return as much as possible. that's a major driving point behind making a rocking good product the first time around.

Now, this brings up a good point though. It really comes down the type of business. I actually a software developer, but most companies I've worked for, the customer actually draws up a contract in their favor. Anything that goes wrong and we're usually held accountable.
 

Orddie

2[H]4U
Joined
Dec 20, 2010
Messages
3,215
Now, this brings up a good point though. It really comes down the type of business. I actually a software developer, but most companies I've worked for, the customer actually draws up a contract in their favor. Anything that goes wrong and we're usually held accountable.

I think the difference is that your not making software which will be directly marketed towards the general public. I can understand if your a resource for a larger project that will be sent out for the general public for again the company that is sinking the cash and time into the project wants protection. But when they sell the product for the general public.. that contact will change.

Hopefully i made sense here.
 

Nytegard

2[H]4U
Joined
Jan 8, 2004
Messages
3,603
I understand what you are saying. It's just that I think sooner or later the general public will come to grips that they too deserve some protection that companies get. Shareholders aren't going to invest in a company for long if it doesn't bring in any money. In a sense, we're their revenue stream. Thus, as some form of paying customer for a service, we deserve a form of protection too.
 

sfsuphysics

[H]F Junkie
Joined
Jan 14, 2007
Messages
15,191
But you used the software. That's like asking a company to refund you for the purchase amount because there software no longer runs on windows 7 and your not willing to upgrade.
Actually it's like asking the company to refund you for the purchase amount because the software no longer runs on windows 7 due to the fact that the company sent a "kill code" to the software to prevent it from running any more because they're tired of dealing with problems you're having due exploits that are a fault of the company

I've been reading across a few boards the level of hacking going on here from people who are smart about security, and it's still happening.
 

Orddie

2[H]4U
Joined
Dec 20, 2010
Messages
3,215
I understand what you are saying. It's just that I think sooner or later the general public will come to grips that they too deserve some protection that companies get. Shareholders aren't going to invest in a company for long if it doesn't bring in any money. In a sense, we're their revenue stream. Thus, as some form of paying customer for a service, we deserve a form of protection too.

I think the nitch here is that blizzard (just using as an example to remain on topic) has a product that people want to play. As long as the want is there... there is no need to offer any protection to the customer for downtime or banned accounts. And honestly it's the want to play the game that causes the posts such as this. "I wanted to play my lvl 30 toon but i was hacked and now all the gold and gear is gone! Sure it's lvl 30 but will get killed quickly without the the gear! I have no gold to replace the gear as well! Help! "

As long as blizzard keeps doing what it does best (make games that people want/need to play)... they will continue to keep getting funded and moving along at no risk of being shut down.
 

Orddie

2[H]4U
Joined
Dec 20, 2010
Messages
3,215
Actually it's like asking the company to refund you for the purchase amount because the software no longer runs on windows 7 due to the fact that the company sent a "kill code" to the software to prevent it from running any more because they're tired of dealing with problems you're having due exploits that are a fault of the company

I've been reading across a few boards the level of hacking going on here from people who are smart about security, and it's still happening.

http://hardforum.com/showthread.php?p=1038757719#post1038757719

Bottom line.. No one knows how this happening. Nothing is hack proof. The second you connect your computer to a network it's at risk. Firewalls, antivirus, maleware protection software is hacked every minute of every day. There is not one single person who is at fault here. Stop blaming solely blizzard and open your mind up to the fact you had a part in it.

this.
 

[Tripod]MajorPayne

Supreme [H]ardness
Joined
Jun 15, 2004
Messages
4,945
RIFT went through a similar fiasco early in its launch, whereby people were getting their accounts hacked and all of their money and items taken and their gear sold for platinum. Then they would log back in to a naked character randomly one day.

Trion remained very silent on the issue for several weeks, claiming that there was no security issue on their end, and people went crazy just like this on various forums about how security-conscious they were and how they could never have gotten keylogged or given out their passwords. Then the same other people came in and said "You must have done something wrong, Trion would admit if they have a problem on their end," and the same argument went around and around and around.

Then a random player found out that the session ID could be spoofed rather easily and that some vital information was transmitted in plain text, so hackers were getting into accounts by intercepting the session ID and using it to authenticate.

Long story short, sometimes it really ISN'T the players' fault, and sometimes the company doesn't have a security breach, but D3's situation is eerily similar to RIFT's, and it looks like it might be an elaborate man in the middle attack.
 

Orddie

2[H]4U
Joined
Dec 20, 2010
Messages
3,215
as i said in another post of mine on this issue.. We need to focus on what blizard is saying. An employee has posted they are showing the "hackers" as using the username and password combo to gain access to the account.

If i understand the session stealing issue correctly.. the hacker is never being asked for username and password. To me it sounds like the opposite of what there talking about here.
 
Top