
Diablo III |OT3| Turn On Elective Mode, Get an Authenticator

Status
Not open for further replies.

Glix

Member
Regardless. Once the authenticator was added, it should have prompted anyone for a code. Remember: It has no valid locations on memory. He wouldn't have been logged out of D3, but nobody should have been able to get in.

The hack was coming from.....

INSIDE THE HOUSE!


(also, if someone spoofs your IP, maybe the authenticator doesn't trigger?)
 

Sophia

Member
Yes, and this is precisely the point that is debatable.

If he is relaying correct information, then the authenticator SHOULD HAVE required authentication from anyone, but he got hacked, so that implies that it DIDN'T.

And that's what I've been saying from the very beginning: His story is fucking sketchy as hell. It should not be tossed around as proof that authenticators are not secure. At least until he clarifies.

...unless it didn't.

If it didn't, it's a genuine security flaw in Blizzard's security. There is no evidence to suggest however that the facts of the story are 100% truthful.
 

Ferrio

Banned
I'm in Canada, actually. There's pretty variable security here for the banks (one has 6 character numeric passwords ugh), but they all have severe rate limiting at least, locking out the account if a very low failure threshold is reached.

As much as I see the benefit of lockout like that... it's very inconvenient, less so than authenticator. You fuck up your password 5 times gotta call someone up to unlock. Or if some asshole tries to guess your password and locks it up for you... gotta call someone up.
 

Wallach

Member
Seriously, you people who are apologetic about this must believe every computer on the planet is completely compromised from the moment it's turned on. No other service seems to have this degree of problem, and a lot of them have a hell of a lot more at stake than D3 does (pre-RMAH, at any rate).

Again, if keyloggers were so prevalent the entire internet banking system would have collapsed by now.

Besides the fact that you know really fuck all about the severity of this problem to compare them to other services properly, it has absolutely nothing to do with the online banking system. They aren't even comparable situations.

First off, to actually do something with a compromised bank account you have to send the money somewhere. Even ignoring the fact that step one already places you into a serious federal crime, you've engaged in a system that is designed to be one of the most traceable in the world. Moreover, when you can directly steal money from someone through this system using much easier information to steal like their fuckin' credit card number, it becomes a questionable thing to want to stick your very obvious hand directly into someone's bank account.

Yes, most of these online banking accounts have better password systems, but the vast majority aren't any more secure against keystroke recording than any other online account. The actual difference entirely comes down to the ecosystem. Very few people even want your online banking login information to get to your money because it's a terrible way to get to your money; everyone that wants to get into your Battle.net account absolutely wants your login information.
 
i really don't understand how this authenticator business works but i'm stupid. i got the app and now sometimes it asks me for a number when i log in. i guess i'm safer now. i don't even know why i'm writing this post.

just beat act 3 i suck at this game
 
I think the moral of the story is you can piss and moan about blizzard security all you want, but until they take action your best bet for security is the authenticator.

They should have been more vocal about it, but whatever it's the cards we've been dealt.
Not faulting you, but I think that a lot of people keep trying to punctuate this story as though it is over. ("The moral of the story is...")

But the situation is ongoing, and is disappointing, much like a lot of other aspects of the online game. I think some of the "outrage" comes from the decision early on to make the game online only, yet Blizzard didn't have the foresight to work this stuff out (despite having what is arguably the most successful MMO on the planet).

It just makes Blizzard ("It'll release when it's finished") look very amateur, and that isn't how they've carried themselves in the past, hence the disappointment.
 

dimb

Bjergsen is the greatest midlane in the world
I think the moral of the story is you can piss and moan about blizzard security all you want, but until they take action your best bet for security is the authenticator.

They should have been more vocal about it, but whatever it's the cards we've been dealt.
I got dealt the lose your Staff of Herding on rollback card. And I've kind of just not wanted to play ever again.
 

Lost Fragment

Obsessed with 4chan
I like how all the items that are clogging up my auction list because they wiped the ah listings have lost so much value since I put them up :/

On the bright side, I haven't seen any spambots since it came back up yesterday. Wonder if Blizzard did something, or I'm just getting lucky.
 

Sophia

Member
Not faulting you, but I think that a lot of people keep trying to punctuate this story as though it is over. ("The moral of the story is...")

But the situation is ongoing, and is disappointing, much like a lot of other aspects of the online game. I think some of the "outrage" comes from the decision early on to make the game online only, yet Blizzard didn't have the foresight to work this stuff out (despite having what is arguably the most successful MMO on the planet).

It just makes Blizzard ("It'll release when it's finished") look very amateur, and that isn't how they've carried themselves in the past, hence the disappointment.

They haven't carried themselves like that in years. Since about half way through the first World of Warcraft expansion. Something changed in that company big time.
 

Glix

Member
Not faulting you, but I think that a lot of people keep trying to punctuate this story as though it is over. ("The moral of the story is...")

But the situation is ongoing, and is disappointing, much like a lot of other aspects of the online game. I think some of the "outrage" comes from the decision early on to make the game online only, yet Blizzard didn't have the foresight to work this stuff out (despite having what is arguably the most successful MMO on the planet).

It just makes Blizzard ("It'll release when it's finished") look very amateur, and that isn't how they've carried themselves in the past, hence the disappointment.

They aren't Blizzard anymore, they are Activision. The marriage has not been good for them.
 

Jira

Member
All this time I thought Blizzard used case sensitive passwords...FFS. WHO IN THE HELL IS RUNNING THE SECURITY THERE?!?
 

Aptos

Member
Besides the fact that you know really fuck all about the severity of this problem to compare them to other services properly, it has absolutely nothing to do with the online banking system. They aren't even comparable situations.

First off, to actually do something with a compromised bank account you have to send the money somewhere. Even ignoring the fact that step one already places you into a serious federal crime, you've engaged in a system that is designed to be one of the most traceable in the world. Moreover, when you can directly steal money from someone through this system using much easier information to steal like their fuckin' credit card number, it becomes a questionable thing to want to stick your very obvious hand directly into someone's bank account.

Yes, most of these online banking accounts have better password systems, but the vast majority aren't any more secure against keystroke recording than any other online account. The actual difference entirely comes down to the ecosystem. Very few people even want your online banking login information to get to your money because it's a terrible way to get to your money; everyone that wants to get into your Battle.net account absolutely wants your login information.

Eloquent Contradictory Gaffer: claims they aren't comparable, compares them eloquently and logically.
 

Wallach

Member
All this time I thought Blizzard used case sensitive passwords...FFS. WHO IN THE HELL IS RUNNING THE SECURITY THERE?!?

It's pretty stupid. People have brought this up in the past with them and they've sat on it forever.


Eloquent Contradictory Gaffer: claims they aren't comparable, compares them eloquently and logically.

Indeed, comparable was a poor choice of word. Similar is what I was going for.
 

Sophia

Member
All this time I thought Blizzard used case sensitive passwords...FFS. WHO IN THE HELL IS RUNNING THE SECURITY THERE?!?

You want a real goldmine? Just read this.

Yes, a community manager for Blizzard actually suggested that passwords being case sensitive doesn't add to the account security at all.

Unsurprisingly, he appears to have shut up after making that post and getting called out on it.
 

Shouta

Member
Why hello there, Act 2 Inferno drop.

 
You want a real goldmine? Just read this.

Yes, a community manager for Blizzard actually suggested that passwords being case sensitive doesn't add to the account security at all.

Unsurprisingly, he appears to have shut up after making that post and getting called out on it.

What that implies is that Blizzard has absolutely nothing in place to limit brute force attempts.

Or that they believe every case is the result of a key-logged password.

Or both!
 

Hero

Member
The authenticator always asks for a code when you login from anywhere once you activate it. One dude's sketchy sounding story doesn't mean much.
 

Sophia

Member
What that implies is that Blizzard has absolutely nothing in place to limit brute force attempts.

Or that they believe every case is the result of a key-logged password.

Or both!

Nah, it just implies that Zarhym is and has always been somewhat of a moron and not really all that fit to be a community manager. =P
 

nilbog21

Banned
Done with this game. Blizzard restored my character (Hacked) to a time before I got the sickest parts of my gear so I lost all my shit. Tried to go back and farm for more items, but I'll probably get hacked again because I'm not dishing out another 10$ for security, so fuck this.
 
Done with this game. Blizzard restored my character (Hacked) to a time before I got the sickest parts of my gear so I lost all my shit. Tried to go back and farm for more items, but I'll probably get hacked again because I'm not dishing out another 10$ for security, so fuck this.


You lack ios and android?
 

Sophia

Member
Done with this game. Blizzard restored my character (Hacked) to a time before I got the sickest parts of my gear so I lost all my shit. Tried to go back and farm for more items, but I'll probably get hacked again because I'm not dishing out another 10$ for security, so fuck this.

You can't be bothered to get one of the many free options for authenticators? No iOS? No Android? Not even WinAuth which can be run from any PC?
 

Jira

Member
What that implies is that Blizzard has absolutely nothing in place to limit brute force attempts.

Or that they believe every case is the result of a key-logged password.

Or both!

Their old forums had nothing in place to prevent brute force attempts and it wouldn't surprise me if their new ones don't either.
 

LuchaShaq

Banned
As someone at level 38 should I be saving/selling random crappy blues/yellows that just happen to have some sort of resistance stat?
 

Sophia

Member
Their old forums had nothing in place to prevent brute force attempts and it wouldn't surprise me if their new ones don't either.

I still remember when people could pseudo-spoof community posters. That was a fun time (if harmless because they had no real power.)

As someone at level 38 should I be saving/selling random crappy blues/yellows that just happen to have some sort of resistance stat?

You'll have to judge it on a case by case basis. Single stat-resistances have some pretty good use to Monks, and Arcane/Fire resist are always valuable.
 

Yoshichan

And they made him a Lord of Cinder. Not for virtue, but for might. Such is a lord, I suppose. But here I ask. Do we have a sodding chance?
Okay so I finally come home and the first thing I hear is that EU's still fucking up.

Any truth to this?
the sun misses you.
People should stop assuming that I don't go out. It's getting old by now.
 

BigDug13

Member
Blizzard really needs to start doing some damage control. Do a ton of PSAs, letting people know that they NEED to get an authenticator. Point everyone to the direction of the FREE authenticator options/applications.
 

oktarb

Member
A word of advice for hardcore players!

If you rebind your keys be careful after a patch, Blizzard resets your binds to default. That life saving potion just might not be where you thought it was.
 

Yoshichan

And they made him a Lord of Cinder. Not for virtue, but for might. Such is a lord, I suppose. But here I ask. Do we have a sodding chance?
Riggs, are you okay man? Haven't heard from you all day :/
Had difficulties to join for the past few hours, but at least there was no lag when I finally got in.
Okay good.
 

Rokal

Member
What that implies is that Blizzard has absolutely nothing in place to limit brute force attempts.

Or that they believe every case is the result of a key-logged password.

Or both!

Or that their password was lifted from another source, such as a compromised game forum where they used the same username/password.

Case sensitivity helps prohibit brute-force login attempts, but that's undoubtedly not how most D3 accounts got hacked.

You'd be surprised how many people use the same username/password everywhere they go and never bother changing it. Taking steps to block brute-force attacks isn't going to stop accounts from getting hacked if your users are that negligent.
 

BigDug13

Member
As someone at level 38 should I be saving/selling random crappy blues/yellows that just happen to have some sort of resistance stat?

38 is still basically Nightmare, Act 3 or 4. You don't need any of that. People still mostly care about dps, their damage stat, and vit at that stage.

Probably not worth keeping/selling unless it has those stats usable by one of the classes. Didn't really pursue resistance gear until halfway through Hell. And by then I'm looking for items at level 55, not level 38.
 
You can't be bothered to get one of the many free options for authenticators? No iOS? No Android? Not even WinAuth which can be run from any PC?
Neat. Didn't know about WinAuth and got recently hacked myself, but they only ran off with some weapons and some stuff from my stash. Gonna attach this to my account and contact Blizz support.
 

Wedge7

Member
Is WinAuth just as good as a normal authenticator?

Don't have an iPhone/Android phone, considering just buying an authenticator for $8 or whatever, but if the online one works well, I'll just grab that now.
 

Opiate

Member
I've ignored the AH so far, and will continue to do so until I hit a brick wall and stop playing altogether. The AH just isn't Diablo to me, it's pure greed, and it leaves a bad taste in my mouth. No thanks.

Personally I love it, but I'm also someone who made hundreds of (Real) dollars on D2JSP. If that doesn't appeal to you, that's fine, but the popularity of D2JSP indicates that I'm not the only one who likes playing a free market.
 

Sophia

Member
Is WinAuth just as good as a normal authenticator?

Don't have an iPhone/Android phone, considering just buying an authenticator for $8 or whatever, but if the online one works well, I'll just grab that now.

No, it's not as good as a normal authenticator. It is however significantly more secure than not being authenticated at all. You'd be protected from all phishing attempts, for example. It's also more secure than the "Dial-in Authenticator", which doesn't work at all for Diablo 3.
 