
Thread: WoW Account Security - How not to get hacked.

  1. #21
    The authenticator has a serial number, with a secret key* and accurate clock inside the box. When you press the button, it uses the key, possibly the serial number, and the current time (rounded to the minute usually), as parameters to a DES, 3-DES, or AES encryption algorithm to generate a number (a digital signature, basically). What comes out of the algorithm is a hexadecimal (0123456789ABCDEF) number, so there is an additional step to clean that up into the 6 decimal numbers you see in the window.

    When you try to log in, the server at Blizzard's end looks up the serial number of the authenticator registered to the account to get the secret key* out of its own database then uses it with the current time to generate the number independently. If the numbers match, you win.

    *this could be a public/private key pair or just a simple shared secret
    Last edited by Satrina; 01-15-2009 at 01:42 PM.
    Got a question? Try here: Evil Empire Guides and here: Tankspot Guides and Articles Library first!

  2. #22

    VPC simple

    Read on if you want to be super secure with your WoW account info (and other login info).

    If you are going to go so far as to have a 5-minute routine to log in to WoW, then I might suggest doing a clean install of your OS + WoW. After that has been done, get Virtual PC 2007 (from Microsoft downloads) or VMware (there are others also, but these are two of the better supported ones and they are free) and install your OS again to this virtual PC for all your surfing + downloading needs.

    Now, you are going to have to download some things to your host OS for WoW patches, add-ons, OS patches, etc... but the point is that your "real" PC has very little contact with the net. You can download add-ons through the VPC and then transfer them to your host OS.

    You won't be able to play any "demanding" games on the virtual PC, but it is well suited for surfing unsafe sites and downloading questionable content. As long as it stays on the VPC HD it will never affect your host OS (i.e. your real PC). Personally I use a VPC for most of my surfing these days due to the simple fact that if I get a virus/trojan/worm or spyware it doesn't matter, because I can reset the VPC to its base install at any time.

    Now this only works in protecting your account info from keyloggers as long as you never use your account info to log in on the VPC (same goes for any login info that is important to you). So if you are a forum troll on the WoW forums you should still do that from your host OS, or make sure you reset your VPC to a clean install. Just don't follow any links away from the site.

  3. #23
    I highly recommend everyone installs a Faraday cage around their WoW play area. This will ensure that the black helicopters will be unable to sniff your authentication details using transient electromagnetic Van Eck technology.

  4. #24
    Quote Originally Posted by Dagna (post #22 above, quoted in full):

    Won't do you any good against DNS attacks. That's why things like the authenticator are still so necessary. It is the closest to physical security you can get without being intrusive or hard to use/manage.

  5. #25
    I guess I should have specified that this only "secures" it versus attacks against the machine itself and not networking equipment along the way... I've seen some pretty good spoof sites from hosts file manipulation, but never had an issue yet with my DNS cache being poisoned on my VPC or my host OS. Once again, this will protect your host OS from any attack on the VPC. If your VPC gets its cache poisoned, it will not affect your host OS. I've only had my router hacked once and it was just to trash it, not redirect traffic.

    And yeah, it might seem like a bit much "security" to the average user, but honestly I don't use it for security anymore, I just like being able to surf anywhere on the web. I don't even worry about having anti-virus software installed on my VPC, as after I'm done surfing and downloading everything I wanted but don't intend on keeping, I reset the VPC to its clean install state.

    Oh and, ALWAYS use anti-virus/spyware detection software on your system...

    Nothing will ever replace "knowing" common sense practices while surfing the web to keep your info safe. The one thing you can't protect another person from is social engineering attacks, except of course with the auth key or some other form of physical auth.

  6. #26
    Quote Originally Posted by Dagna:
    Nothing will ever replace "knowing" common sense practices while surfing the web to keep your info safe.
    Actually that's exactly what this key does for your WoW security. You could run WoW on a machine with 1000 keyloggers, 1000 backdoor programs, no firewall, no anti-virus, and your WoW account would still be secure. That's what makes this key so powerful: even in the worst possible case, they would still have to rob the key from you to get into your account.

  7. #27
    I am, and still am, pretty secure...

    But guess what: after 4 years of WoW my account was taken over and looted. I later found a crackspider on my office PC and my gaming PC...

    I have no idea where it came from, but Spybot found and ripped it out... I have an authenticator coming and I am still uneasy until it arrives.

    Beware, whatever you do; it hurts when you finally get your account back and your toons are empty.

    shark

  8. #28
    Quote Originally Posted by Lore:
    A thousand times this. You pay $15 a month for your account. You've spent anywhere from $120 to $210 for WoW and its two expansions. Even if you've only been playing for a couple months, that's $150 or so of an investment you've put into your account. Dropping $6.50 plus S&H on a Blizzard Authenticator to secure that investment is trivial. It effectively makes you immune to everything hackers can throw at you.

    Of course, it only seems to be available for US customers. =\
    Why do people seem to insist on suggesting that anyone who doesn't have an Authenticator is too cheap to buy one?

    I've been trying to buy one for months. Suggesting this as the "only" security option is like saying that roaming the forest looking for diamonds is a good way to make money.

  9. #29
    The Blizzard Authenticator has already been bypassed by hackers. Even with all the fancy coding you still only need the user's secret question answer, usual address information, and the original CD key. I'm not saying that buying an Authenticator is a bad move, not at all. I use one myself, but it will not make you impervious to hacking. Not at all.

    Good security means you use several ways of protecting your system. I personally use Firefox, but not NoScript, I have Avast running always, I've got Spydoctor and I use the authenticator, but I know damn well that it's not safety. I do know, from people who have been hacked, that it's usually their own mistake. I know that there are people who'll just press 'yes' on any prompt which they see on their screen. -That's- where your biggest security feature lies. Use your brain, be smart.

  10. #30
    Quote Originally Posted by Eide:
    The Blizzard Authenticator has already been bypassed by hackers. Even with all the fancy coding you still only need the user's secret question answer, usual address information, and the original CD key. I'm not saying that buying an Authenticator is a bad move, not at all. I use one myself, but it will not make you impervious to hacking. Not at all.
    Any "hacker" in possession of the CD key, question and answer and your address got them by phishing, not by loading a virus onto your PC.

  11. #31
    Quote Originally Posted by Pyrea:
    Any "hacker" in possession of the CD key, question and answer and your address got them by phishing, not by loading a virus onto your PC.
    I'm dying to hear the point of your comment. I don't see how it affects the point about the Blizzard Authenticator as having been compromised before. The comment about the CD key and additional info is just an example of how relatively easy it can be bypassed.

  12. #32
    Probably doesn't need to be stated but Blizzard are now allowing a software version of the Authenticator to be run on the iPhone and iPod Touch. This is a step in the right direction, though sadly no help for me personally. Hopefully they port to some other platforms ASAP.

  13. #33
    Quote Originally Posted by Eide:
    I'm dying to hear the point of your comment. I don't see how it affects the point about the Blizzard Authenticator as having been compromised before. The comment about the CD key and additional info is just an example of how relatively easy it can be bypassed.
    Quite simply, I was trying to make the point that even if you have an authenticator, if you respond to the phishing emails you will still lose your account. It protects you from spyware that can discover your password, but if you give people the information to change your account (remove the authenticator for example) the layer of security the authenticator gave is gone.

  14. #34
    Oh, I agree most definitely in that case. As I said in that post:

    Quote Originally Posted by Eide:
    I do know, from people who have been hacked, that it's usually their own mistake.
    People responding to fake emails, or generally accepting prompts that ask them to accept downloads etc., are a much more common reason why accounts get compromised. As I pointed out above, your brain is your best security feature; all those other things are extra to assist you and to make the threshold so high it's not worth it to a potential "hacker".

  15. #35
    There's a rather clever hack scheme that has hit my guild, and probably others, in the last week or so. Someone posts an in-game email, with a name that's very similar to one of your guildies' names, asking you to check out a new promo video for the guild at a certain site. The "site" in question ends with a .exe extension, and if you are fooled into attempting to surf to that site, a Trojan is introduced to your computer. Then someone comes along and takes over your character... I wasn't fooled, because I spotted the .exe, but I didn't get the word out in time for others, and a couple of our members have been hacked and cleaned out. We were able to kick the name before they got to the guild bank, but it'll probably be quite a while before it gets straightened out.

    So, all, be on the lookout for this...FYI

    As for the Authenticator, I like the idea, but wasn't there recently a problem with them? Can't remember the specifics, but weren't they compromised in some way? I'll have to research that...
    -"Just like a buzzin' fly, I come into your life, I'll float away, like honey in the sun..."--Tim Buckley

  16. #36
    That's not clever at all; it is incredibly easy to spot, and anyone who fell for it deserves it.

  17. #37
    I agree, War... A few members got this in-game mail from a member in the "guild"... it was slightly changed in that it was a special character i. Like, what I don't understand is... in-game mail? Any funny stuff is usually posted on most guilds' forums or in gchat... how could you actually fall for that?
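    The two tells the posters in #35 and #37 describe (a sender name that is a look-alike of a real guildie, and a "video" link whose path really ends in .exe) can be checked mechanically. The following is an added example, not code from the thread or from Blizzard; the roster, the sample mails and the small CONFUSABLES table are constructed for illustration, and the list of executable extensions is an assumption broader than the single .exe case the posts mention.

```python
"""Triage heuristics for the in-game mail scam described in posts #35 and #37.

Added example, not code from the thread. Roster, sample mails and the
look-alike table are constructed (assumptions) for illustration.
"""
import re
import unicodedata

# Constructed guild roster (assumption, not a real guild).
ROSTER = {"Thoradin", "Mirael", "Kethrys"}

# Small hand-picked look-alike table; the real Unicode confusables list is far larger.
CONFUSABLES = {
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0501": "d",  # CYRILLIC SMALL LETTER KOMI DE
    "1": "l", "0": "o",  # digit-for-letter swaps
}

URL_RE = re.compile(r"""(?:https?://|www\.)[^\s<>"']+""", re.IGNORECASE)
# Assumed list; the posts only mention .exe.
EXECUTABLE_EXT = (".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".msi")


def skeleton(name: str) -> str:
    """Reduce a character name to a comparison form: decompose accents, drop
    combining marks, casefold, then map known look-alikes to ASCII."""
    decomposed = unicodedata.normalize("NFKD", name)
    base = "".join(ch for ch in decomposed if unicodedata.category(ch) != "Mn")
    return "".join(CONFUSABLES.get(ch, ch) for ch in base.casefold())


def lookalike_of(sender: str, roster=ROSTER):
    """Return the roster member this sender impersonates, or None.
    An exact roster match is the real member, not a look-alike."""
    if sender in roster:
        return None
    target = skeleton(sender)
    for member in roster:
        if skeleton(member) == target:
            return member
    return None


def executable_links(body: str):
    """URLs whose path (ignoring query, fragment and trailing punctuation) ends
    in an executable extension, i.e. the 'site' that is really a program."""
    hits = []
    for url in URL_RE.findall(body):
        path = url.split("?", 1)[0].split("#", 1)[0].rstrip(".,;:)]")
        if path.lower().endswith(EXECUTABLE_EXT):
            hits.append(url)
    return hits


def analyse_mail(sender: str, body: str, roster=ROSTER):
    """Human-readable findings for one mail; an empty list means nothing suspicious."""
    findings = []
    member = lookalike_of(sender, roster)
    if member is not None:
        findings.append(f"sender '{sender}' is a look-alike of guild member '{member}'")
    for url in executable_links(body):
        findings.append(f"link points at an executable: {url}")
    return findings


# Constructed sample mails (not real messages). Mail 1 uses a Cyrillic i,
# mail 2 an accented i, as the posters describe.
SAMPLE_MAILS = [
    ("Thoradin", "Raid at 8, bring flasks."),
    ("Thorad\u0456n", "Check out our new guild promo video: http://example.com/promo/guildvideo.exe"),
    ("M\u00edrael", "lol look at this www.example.com/video.exe?ref=guild"),
    ("Kethrys", "Guild site is at http://example.com/forum"),
]


def triage(mails=SAMPLE_MAILS):
    """Map each mail index to its findings."""
    return {i: analyse_mail(s, b) for i, (s, b) in enumerate(mails)}


if __name__ == "__main__":
    for i, findings in triage().items():
        sender = SAMPLE_MAILS[i][0]
        print(f"[{i}] {sender!r}: {'OK' if not findings else '; '.join(findings)}")
```

    Both checks are deliberately cheap: the name comparison catches the "special character i" trick from #37 because NFKD strips the accent and the table maps the Cyrillic letter, and the link check looks at the URL path rather than the text of the message, so a query string after the .exe does not hide it.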


  18. #38
    The only "compromise" that the authenticators have ever had is if the "hacker" gets physical access to the authenticator or your CD key from your initial install. As a note, if the "hacker" has physical access to your machine, there is nothing you can do to stop them from stealing your account. If they have access to your machine and your authenticator and your original CD key, they could just beat you up and take the said authenticator...

    Also as a side note, if you give out your password, your security answer, your personal info and your CD key, the person is not a hacker, they are a social engineer, and you are an idiot.

  19. #39
    People are placing way too much trust in the authenticator. From a theoretical standpoint it adds basically no security at all compared to simple username/password. It is only another password that can be captured just as easily as a normal password. The only difference is that it is good for only a few minutes and the server will accept it only once. All you need to do to hack an account is get the information exactly the same way they're getting it now, and then prevent the password from getting to Blizzard and use it yourself fast. Preventing it from getting to Blizzard is totally trivial for malware operating in your machine, so basically the only hindrance is to use it in the short window it is valid. Now, the people hacking accounts are part of a business where having people sit in front of computers and farm drops 24 hours a day is profitable. Do you think it would be far fetched for them to have someone use the stolen account details in real time as they come in?

    But don't take my word for it. There are plenty of cases where similar systems have been hacked. Maybe it's because banks use it that people think that it must be safe. Well, banks have been hacked too; the only difference is that you get law enforcement after you pretty fast if you go do that. As long as only a small percentage of the WoW user base uses the token the hackers probably won't bother jumping through additional hoops. But if Wotlk had had a token in the box, or if the mobile phone token becomes popular, I'm sure that they'd start cracking those accounts very fast.


  20. #40
    The problem with your hypothetical, while yes it can technically happen, is that you're looking in the realm of impossibility before it would. The Authenticator password is good for a time period of 10-15 seconds. After this time they would have to completely disable your connection to the WoW servers permanently while they cleaned out your chars. Also, doing it in real time as you say would be doable for a small number of accounts a day, but the way these account thieves make money is by doing it to a lot of people, not just a few people.

    Also keep in mind these are not the best "hackers" in the world that are writing the keyloggers. They are people being paid marginal wages in China most of the time. If you have a best-in-world hacker team working non-stop to hack your WoW char, nothing you do will keep you 100% safe, but the authenticator is still the best security you can have against having your account compromised.

    As a side note, for man-in-the-middle hacker attempts, and that's what has "compromised" the security token system, there is nothing in the entire universe of computer security that can be done to prevent yourself from falling victim to it if they hack the DNS servers; otherwise, for an application like WoW they would have to reroute the closed loop of the game client to their servers, decrypt it and re-encrypt it back to log in themselves as you, and this requires them to first have a way to redirect your WoW data to their servers in the first place. If you read about the previous "compromises", it was people responding to a phishing email and the "hackers" using idiots too stupid not to click links in it to get compromised.

    When the hackers release a proof of concept that will change the data from my WoW client and send it to a different server, then I will believe that there is a real threat from that in WoW.
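    Post #21 describes how a time-based token derives its six digits from a secret and the clock, and posts #39 and #40 argue about how much the short validity window and one-time acceptance actually buy you against a real-time relay. The following is an added example, not code from the thread or from Blizzard, and it does not claim to be the real authenticator's algorithm: where #21 speculates about DES/3DES/AES, this uses the standard OATH construction (HMAC-SHA1 per RFC 4226/6238), and the 30-second step, the +/-1 step drift window and the replay tracking are assumed policies chosen to make the #39/#40 scenario concrete. The secret is the RFC test-vector secret, so the codes can be checked against the published tables.

```python
"""Time-based one-time codes (TOTP) plus a server-side verifier that accepts each
code once and tolerates one step of clock drift.

Added example, not code from the thread or from Blizzard. HMAC-SHA1 per
RFC 4226/6238 is used instead of the block ciphers post #21 guesses at;
STEP_SECONDS, the drift window and replay tracking are assumptions.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # assumed step; post #40 quotes "10-15 seconds" for the real token
DIGITS = 6


def totp_counter(unix_time: int, step: int = STEP_SECONDS) -> int:
    """Quantise wall-clock time into the counter T that both sides hash (#21: 'rounded')."""
    return unix_time // step


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1(secret, counter) -> dynamic truncation -> decimal digits.
    The last two lines are the 'clean the hex up into 6 decimal digits' step from #21."""
    msg = struct.pack(">Q", counter)              # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """What the token displays at a given moment."""
    return hotp(secret, totp_counter(unix_time))


class Verifier:
    """Server side (#16 in the thread's words): look up the secret by serial,
    recompute the code, accept it once, allow +/-window steps of clock drift."""

    def __init__(self, secrets_by_serial: dict, window: int = 1):
        self._secrets = secrets_by_serial
        self._window = window
        self._last_counter = {}     # serial -> highest counter already consumed

    def verify(self, serial: str, code: str, unix_time: int) -> bool:
        secret = self._secrets.get(serial)
        if secret is None:
            return False
        now = totp_counter(unix_time)
        for candidate in range(now - self._window, now + self._window + 1):
            if candidate <= self._last_counter.get(serial, -1):
                continue                          # already used: this is what blocks a replay
            if hmac.compare_digest(hotp(secret, candidate), code):
                self._last_counter[serial] = candidate
                return True
        return False


def demo() -> dict:
    """Walk through the #39 relay scenario and the #40 validity-window argument."""
    secret = b"12345678901234567890"              # RFC 4226/6238 test-vector secret
    serial = "ABCD-1234-5678"                     # constructed serial number
    server = Verifier({serial: secret})
    t = 59                                        # counter 1 -> code 287082
    code = totp(secret, t)
    results = {}
    # #39: malware grabs the code and the attacker submits it first, within the window
    results["attacker_first"] = server.verify(serial, code, t + 2)
    # the legitimate login with the same code now fails: each code is accepted once
    results["victim_replay"] = server.verify(serial, code, t + 5)
    # next step the user reads a fresh code and logs in normally
    results["next_step"] = server.verify(serial, totp(secret, t + 40), t + 40)
    # a captured code used two steps late is outside the +/-1 window (#40's point)
    results["stale_code"] = server.verify(serial, totp(secret, t + 40), 151)
    results["unknown_serial"] = server.verify("ZZZZ-0000-0000", code, t)
    return results


if __name__ == "__main__":
    print(demo())
```

    The verifier keeps the highest counter it has consumed per serial, so a relayed code works exactly once and only for whoever submits it first; that is the real content of #39's objection (the attacker wins the race, the victim's own login then fails) and of #40's reply (the attacker has a few tens of seconds, and only for that one login).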
