Authenticator for increased security

HotStuff

Member
I presume most of you guys have noticed this.

http://eu.blizzard.com/store/details.xml?id=221003617

I can see the sense in this, my mate works for the Ministry of Defence and he has one of these. When he logs on at work he first of all enters his normal password, which is essentially the 1st password. He then presses a button on the authenticator, which gives a six-digit number to be entered as the 2nd password. The six-digit number changes every 30 seconds and applies to his account only. This makes it virtually impossible for anyone to hack the account, short of them having a gun at your head.

The only issue I see, is what happens if you lose your authenticator? Is that why they are allowing you to buy as many as you want?

Anyone buying?

If I am I will probably buy two. Will keep one on keyring and one next to computer.

It amazes me that Blizzard are now offering security technology that is being used by the MOD. Just makes you realise how seriously people take their WoW accounts.
 

BiG D

Administrator
Staff member
I say this all the time, but the authenticator is not a replacement for good practices. It's far from impossible to steal an account that has an authenticator assigned to it, so don't use it as an excuse to be careless.
 

Angelic

Active Member
This has been around for ages and has been preached about to the THN WoW crowd by James and everyone ever since the wave of account thefts we had.

When you lose it, there's like a week window in which you can't use your account, if I'm not mistaken; however, it hasn't happened to me, so I'm only going on second-hand information.
 

SwampFae

Super Moderator
Staff member
[Response] Authenticator for increased security

  • 1. An authenticator is good to have and I would recommend it.
  • 1a. This does not, however, mean that you cannot get hacked. But it makes it harder and a little less likely. It has happened several times that people with authenticators have been hacked. It is a vulnerability in Flash that is being exploited.

I strongly recommend reading this thread.
 

Zaggu

In Cryo Sleep
Also, the Blizz authenticator can't be used in tandem, i.e. two authenticators connected to one account, as the algorithm is pre-generated, not inserted on demand. You may also want to check out the mobile version (Java software).

It is worth noting that, should it break, a simple request to Blizzard account support containing copies of your documentation and relevant information (such as the authenticator's ID) is more than enough to secure access to the account and replace the authenticator.
 

HotStuff

Member
Can someone please explain how an authenticator can be hacked? I am interested and would like to know the factor of increased security before I decide to purchase or not.
 

Windzarko

Well-Known Member
Can someone please explain how an authenticator can be hacked? I am interested and would like to know the factor of increased security before I decide to purchase or not.

At present the only known hack that can bypass the Blizzard authenticator is one which mimicked the Wowmatrix updater program, downloaded from a fake version of the site made by hacking bastards. It sits on your PC and plugs into your WoW install without you knowing about it, and when you enter your login details, it also records the authentication key you used, and sends them off to someone ready and waiting to quickly clear out your account.

In the meantime, it prevents you from logging in (and thus dislodging the person cleaning out your shinies) by making it so that when you enter the code generated by your authenticator, it alters the last digit just as you hit enter (say for example you put in 451986, it'd just change the 6 at the end on the instant of sending), thus giving a false code and making you unable to log on until you clean the malware off your PC.

This, to date, is the one and only known bypass for the authenticator. Most anti-malware programs now recognise and cleanse the little bastard. If you use some basic internet security stuff (soup up the browser, have Spybot/Ad-Aware/AVG/Avast/whatever), keep your Flash up to date, and demonstrate basic sense (i.e. don't go to gold-selling/power-levelling websites, don't click on Google ad links for stuff related to WoW, don't EVER use Google to search for parts of the official WoW site or popular fansites (enter the URLs directly) and so on), then an authenticator is pure gold as it will make you nigh unhackable.

The little thing on its own isn't as invulnerable as many think, but paired up with some basic security and sense (nothing elaborate), you're solid and won't lose your account.

And Angelic, I preach it because it takes so very little effort on your part to make the authenticator all you need to keep your WoW account protected. The loss of account access if you lose the thing isn't an argument against it, it's an argument against being stupid enough to lose it.
 

thatbloke

Junior Administrator
It is massively increased security. Let's say your system or another system you use is infected with whatever flash vulnerability is currently around, and you want to make a post on the WoW forums.

BAM! They have your username and password. (The above is what happened to me oh so long ago - got hacked from a system that wasn't my own.)

The authenticator is essentially a second password, but one that changes every 30 seconds. Essentially the serial number on the authenticator is part of an algorithm at the other end that knows that at a certain time, the authenticator will be showing you a specific number. If that number doesn't come in, they can't log in with your account.

IT IS POSSIBLE, however, for a man-in-the-middle attack to occur. What this means is that if a much more nasty type of virus gets on to your system, it manages to intercept the network packets that are sent out containing the authenticator code you just typed in. It then redirects these elsewhere, to someone who is sat waiting to grab your authenticator code and use it to STRAIGHT AWAY log in to your account management page and change your password.

All the while, the virus spoofs an "invalid code" response back to the WoW client, so you get a message saying that the code entry was invalid.

Essentially, although the code changes every 30 seconds or so, each code is valid for about 90 seconds after its generation. If someone somewhere else is able to get this code and use it while it is still valid, you're screwed. But you have to have been infected with something particularly nasty for this particular method to work.
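To make the mechanism in the two posts above concrete (the serial-number-plus-time algorithm thatbloke describes, the "valid for about 90 seconds" window, and Windzarko's malware that relays the code and flips its last digit), here is an added example that is not Blizzard's code and not from this thread. It assumes the token is a standard RFC 6238 TOTP device (HMAC-SHA1, 30-second step, six digits) and that the server tolerates one step of clock drift either side and refuses to accept the same step twice. The seed is the RFC test secret, standing in for the value provisioned into a real authenticator; `Verifier`, `acceptance_span_seconds` and `relay_attack` are names chosen for this illustration.

```python
"""TOTP generator and verifier illustrating the 30-second step, the
server-side acceptance window, and why a relayed code locks the real user out.

Added example; not Blizzard's code. The secret below is the RFC 4226/6238
test secret, used here as a stand-in for the authenticator's provisioned seed.
"""
import hashlib
import hmac
import struct

TIME_STEP = 30   # seconds per code, as described in the thread
DIGITS = 6       # six-digit codes

# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"); constructed
# sample input, standing in for the seed burned into a real token.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer, reduced mod 10^digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = TIME_STEP) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(at_time) // step)


class Verifier:
    """Server side. Accepts codes from the current step plus `window` steps
    either side (clock drift), and never accepts the same step twice."""

    def __init__(self, secret: bytes, window: int = 1) -> None:
        self.secret = secret
        self.window = window
        self.last_counter = -1  # highest step already used for a successful login

    def verify(self, code: str, at_time: int) -> bool:
        now = int(at_time) // TIME_STEP
        for c in range(now - self.window, now + self.window + 1):
            if c <= self.last_counter:
                continue  # already consumed: a replay
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c
                return True
        return False


def acceptance_span_seconds(secret: bytes = TEST_SECRET, window: int = 1) -> int:
    """How many wall-clock seconds a single code is accepted for by a fresh
    verifier: (2*window + 1) steps, i.e. 90 s with window=1, even though the
    display changes every 30 s."""
    t0 = 1_000_000_000 - (1_000_000_000 % TIME_STEP)  # a step boundary
    code = totp(secret, t0)
    accepted = [t for t in range(t0 - 120, t0 + 150)
                if Verifier(secret, window).verify(code, t)]
    return max(accepted) - min(accepted) + 1


def relay_attack(secret: bytes = TEST_SECRET) -> tuple:
    """The malware scenario from the thread: the victim types a code, the
    malware forwards it to the attacker (who logs in within seconds) and
    corrupts the last digit of the victim's own submission.
    Returns (attacker_logged_in, victim_logged_in, victim_retry_with_true_code)."""
    server = Verifier(secret, window=1)
    t = 1_000_000_000
    typed = totp(secret, t)                       # what the authenticator showed
    attacker_ok = server.verify(typed, t + 5)     # attacker uses it first
    tampered = typed[:-1] + str((int(typed[-1]) + 1) % 10)
    victim_ok = server.verify(tampered, t + 5)    # victim's altered copy fails
    # Even an untampered resubmission is refused: the step is already consumed.
    victim_retry = server.verify(typed, t + 20)
    return attacker_ok, victim_ok, victim_retry


if __name__ == "__main__":
    print("code now:", totp(TEST_SECRET, 1_000_000_000))
    print("accepted for", acceptance_span_seconds(), "seconds")
    print("attacker, victim, victim retry:", relay_attack())
```

Two things worth noticing when you run it. The 90-second figure is a property of the verifier's drift window, not of the token: the display changes every 30 seconds, but a server that tolerates one step either side will take a code across three steps. And once the server marks a step as used, the victim's "invalid code" needs no spoofed response at all: the attacker consumed the step first, so the genuine resubmission is rejected as a replay even if the malware had left the last digit alone.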
 

BiG D

Administrator
Staff member
It doesn't need to be a virus, though. A normal phishing site that asks for your authenticator code will suffice.
 

Windzarko

Well-Known Member
It doesn't need to be a virus, though. A normal phishing site that asks for your authenticator code will suffice.

You'd have to be a total moron to fall for most phishing sites, and a modicum of care will remove any threat from them. Also, the code is only valid for a very small window and it requires your username and password as well or it's worthless.
 

BiG D

Administrator
Staff member
I only say it because I remember someone here entering their details into a site they thought might be a phishing site, as they assumed the authenticator made them invincible.

Also, the window of opportunity doesn't really matter. If someone has gone through the trouble of setting up a site that looks legit and asks for the authenticator code, you can bet they have a system in place to use those credentials the second they receive them.
 

Windzarko

Well-Known Member
Also, the window of opportunity doesn't really matter. If someone has gone through the trouble of setting up a site that looks legit and asks for the authenticator code, you can bet they have a system in place to use those credentials the second they receive them.

I'll definitely give you that. If it's a phishing site, it'll be nigh-instant. The malware you can get on your PC to bypass the authenticator might be a bit more hit-and-miss, though (especially since the window is 30 seconds tops).

Also, the most account damage possible is for them to get at the account management page while they still have the code; whilst some have done this, it seems that the majority go for the game first and often miss the window of opportunity to get into the account settings. Whilst this means your account is still getting violated and you're losing all your gold and shinies and such, it's easier for the GMs to recover it.

Finally; if you don't have an authenticator and you get hacked, some hackers attach authenticators to the stolen account and that makes it take AGES for the GMs to get it back. It's uncommon, but it happens, and early on there were some people who flat-out couldn't get their accounts back.
 