MrWizard6600
Supreme [H]ardness
- Joined
- Jan 15, 2006
- Messages
- 5,791
Na the authenticator is not BS. It is a test and proven security protocol that is used in large enterprise corporations know as Two-Form Authentication. But again if the hacker is on your system or has somehow already hacked your server. Then the Two-Authentication is worthless because the hacker is already bypassed it. The weakest link in any network security infrastructure is always the user.
Multi-factor authentication is generally a good idea, but it solves a problem that isn't the problem thats causing all these peoples accounts to go missing.
One of the ways we did things for a long time was have clients start off by logging on securely, over TLS (such that their credentials were completely unreadable by anyone other than the destination, including your ISP, Wi-Fi observers, and any other malicious 3rd party, if you think I'm full of it read this and this). We'd then drop the secure session and return the original client a cookie, which was used as session state from then on, meaning for the server to know who the client was and that he had properly authenticated we would simply as him for this cookie.
The brain-dead vulnerability this creates is whats called a "Session Hijack": you intercept that cookie and use it, which fools the server into believing you're the original client.
If this is in fact blizzards problem, as per http://us.battle.net/d3/en/forum/topic/5149539239#4, thats, for a game company thats been running one of the largest online communities for 8 years, pretty astonishing.
Theres a long list of well documented and widely deployed solutions to this problem, most enterprises now (including the one I work for), simply never drop the secure connection. Youd have to be using an ancient framework or have made some painful architecture decisions for the change from an unsecured to a secured connection to cause any real problems aside from dealing with the certificates themselves, which can be tedious.
Having an authenticator doesn't remove you from being hacked when there is some kind of infrastructure problem going on. You are still logging into a service , you are not without an eco-system that is isolated but in fact shared by millions. There will always be a way to hack something like this.
I see where youre coming from, and I think its a good idea to always be on your toes and to always suspect somebody else knows a vulnerability in your codebase that you never thought of. But there are some architectural decisions you can make to limit those openings.
Session hijacking is a vulnerability derived form a mistake most commonly made by newbie developers, thats why Im so surprised to see Blizzard fall victim.
...
Hearsay.
It is, but I too once had my WoW account stolen from me (lucky for me Im terrible at that game so I didnt have anything anyways). I think Im about as security conscious as a windows user can get:
- I've never given any of these passwords away, knowingly at least.
- I very seldom visit any of Blizzard's sites, and when I have I've never done so by following a link
- My passwords are random numbers and letters, the shortest being 12 characters long, and, in the case of blizzards domains, never used across domains.
- I use ESET's nod32 AV
- All of my software is current (and I verify that with Secunia's PSI --a fantastic utility, I encourage everyone here to use it.)
I'm fairly certain theres something rotten in blizzard's authentication codebase, and its been lingering for a while.