Forbes: The Horror of Being Hacked in Diablo 3


gothamhunter

Diamond Member
Apr 20, 2010
I value my battle.net account so I do whatever is necessary to protect it. It's definitely not 'just a game' for me. I poured thousands of hours of my life over the past eight years for progressing my characters in WoW. I really don't want my account compromised, so I spent the $6.50 or so for an authenticator as soon as they were out a couple of years ago.

This is a very simple concept, no?

I might have misunderstood the intentions of your OP - I thought you were questioning why you haven't been hacked or something.
 

PowerYoga

Diamond Member
Nov 6, 2001
No need to be snarky. I want to know what he's referring to, since he doesn't mention it in his post.

but it's friday. ;(

Was referring to this:

"Battle.net locks me out and disables my login, requiring me to change my password if it detected me logging in from a different IP address than usual, even with the correct password entered and authenticator attached. How's that?"

Mainly because Blizzard pretty much LOCKS your account if you try to log in and authenticate using a different IP (happened to me when I tried to play SC2 at a LAN party in a different city; had to call support to get it unlocked), the only way the owner would NOT get notified is if this was a session hack.

Because in a normal account-compromise scenario, you'd get an e-mail about your account being disabled due to "suspicious behavior", not to mention that not just your main character but all your mules and alts would have been cleared out as well. Referring to a few posts back, you can see "new" people in your recently-played-with list as well.

Again, you can take all the hacking stories with a grain of salt, but you should protect your account regardless of what he-said-she-said. I always assume the worst and that the game is already compromised, but I have already applied the most security I could to my account and there's nothing else I can do to make it more secure (short of making a 20-character password that I can't remember).
 

zinfamous

No Lifer
Jul 12, 2006
I hate it when people say that.

NO, it's NOT just a game. It stops being "just" a game when someone has dedicated many hours of their life to this, sometimes days... months... years... Money, physical and mental effort, etc. etc. People "pay" for this with their health and days of their life... Health and time that will never come back. IMO, that's a lot more valuable than any amount of money.

...and none of that changes the fact that it is, indeed, just a game.

What some choose to do to their lives, to "just play a game," is completely independent of the fact that this product has a physical identity of "just a game," and it could just as easily be an untouched piece of plastic stuffed inside a box on some store shelf throughout its existence.
 

TakeNoPrisoners

Platinum Member
Jun 3, 2011
I was hacked on my old WoW account. Nobody believed me either; the fanboyism for Blizzard is utterly stupid. They hang off their nether regions in the hope that somehow the almighty Blizzard will reward them handsomely while looking like tools in the process.

Doesn't surprise me that a game as popular as WoW or Diablo has this problem; shouldn't surprise anyone really.
 

DAGTA

Diamond Member
Oct 9, 1999
but it's friday. ;(

Was referring to this:

"Battle.net locks me out and disables my login, requiring me to change my password if it detected me logging in from a different IP address than usual, even with the correct password entered and authenticator attached. How's that?"

Mainly because Blizzard pretty much LOCKS your account if you try to log in and authenticate using a different IP (happened to me when I tried to play SC2 at a LAN party in a different city; had to call support to get it unlocked), the only way the owner would NOT get notified is if this was a session hack.

Because in a normal account-compromise scenario, you'd get an e-mail about your account being disabled due to "suspicious behavior", not to mention that not just your main character but all your mules and alts would have been cleared out as well. Referring to a few posts back, you can see "new" people in your recently-played-with list as well.

Again, you can take all the hacking stories with a grain of salt, but you should protect your account regardless of what he-said-she-said. I always assume the worst and that the game is already compromised, but I have already applied the most security I could to my account and there's nothing else I can do to make it more secure (short of making a 20-character password that I can't remember).

I guess the IP check is not in play for compromised accounts. If my account was 'hacked' because someone else obtained my username / password, why didn't the IP check kick in and notify me / lock them out?
 

CurseTheSky

Diamond Member
Oct 21, 2006
My account password is longer than 10 characters, not sure where you're getting that from. But yeah, the 2-recovery max thing sounds like BS; my WoW account was hacked once and they added an authenticator to it, so I guess I only have one recovery left.

Perhaps it's more than 10 characters, but I do know that it stopped accepting input after a certain number (maybe 12?). My normal passwords are around 20 characters, and with Blizzard and their games being as popular as they are, I can't fathom why they would employ such a limitation. I'd be just as shocked if Google did the same thing with their user accounts.

On the other hand, the Blizzard rep that I talked to made it sound like limited recoveries applied to Diablo III only. So, WoW recoveries are probably handled completely separately (since users are paying monthly for that game). Just a hunch.

That's really bad. I hate the fact that these companies are REQUIRING "secret questions", which, in truth, are simply another challenge-response pair, essentially a secondary password to gain access to your account. And unfortunately, they are generally less cryptographically secure than the primary password, and they are also essentially permanent, based on what you are saying about Blizzard's policies regarding changing the secret question.

Then there is the issue of pre-made questions for the "secret" question, which ask real-life things that could potentially be learned with a little googling, or if you are friends with the person on their Facebook account, or know the person.

It's very troubling to me. It just seems like REALLY BAD password security.

No kidding. Once again, I can't fathom why Blizzard would make such an archaic policy. It's like the account security dark ages or something.

Your post was good, except that I don't think a 10 character password is "ridiculous" - it's plenty secure (assuming they don't allow brute force password attacks).

I do. Granted, I'm sure they have limits in place to prevent brute-force attacks, but in this day and age I expect more, ESPECIALLY from a company / product as large as Blizzard and their games. If this was Torchlight or Titan Quest I wouldn't say much, but Blizzard should know better, and they should have the cash to easily provide good security measures and practices.

Similarly, as I said above, if Google had account security policies like this, I'd quickly move away from Gmail.
 

thujone

Golden Member
Jun 15, 2003
So, I got "hacked" a few days ago. I just set up a brand new computer / fresh OS install, I just installed the game for the first time, I updated my account password (what is it, 10 characters maximum or something like that? ridiculous), I don't share my account with anyone, and I don't visit any unscrupulous websites or download anything questionable.

Anyway, I contacted Blizzard to see what could be done. They informed me that there are a LIMITED number of account recoveries that can be performed per account, per LIFETIME. Basically, two recoveries and you're SOL.

Furthermore, they can only recover to a state that was previously saved for recovery purposes, meaning that they may have to roll back significantly further than you want. In my case, I'd be losing several levels, items, etc., despite having played for several solid days before being hacked, and then waiting a couple of days after being compromised (I took a three-day break from the game, and came back to find everything gone).

Finally, they informed me that once you hit your account recovery limit, your account will be permanently banned from the cash auction house. That makes some sense to me - it stops people with poor security practices from constantly causing Blizzard and credit card companies recurring headaches - but it also means that if you just so happen to get hacked twice for no apparent reason, you're SOL once again.

I asked them NOT to roll back my account, given the strict policy, and instead asked them if they could update my secret question (figuring that this could be one avenue for compromises), since they don't allow you to change it yourself. They refused.

Overall, I'm pissed. I'm not pissed about the items and gold that I lost - no big deal. I'm pissed about Blizzard's ridiculous policies. Their games are popular, accounts are tied to other games like WoW, and there's even real life money involved (cash auction house - soon). That makes each and every account a tantalizing target for idiots out there.

Worst of all, I still have no idea how my account got compromised, so I don't even know what to do to prevent it in the future. I've changed my password again, but who's to say that will make a difference?

I had a similar situation once. I used to play WoW super hardcore back when it first came out, up until about the time of Black Temple. Was actually on a server-first kill. Shortly after that I decided to take a break for real-life matters.

I came back and quit off and on for a while and finally quit for good after about 4 years of playing.

While my account was inactive, I somehow got hacked. I didn't notice it at first... it was a good week or 2 before I noticed something show up in my email and contacted customer support. One of the questions they ask is place of birth. MY BIRTHPLACE IS A VERY COMMONLY NAMED CITY.

As soon as I tell the CSR the answer, he scoffs and says "OK" in the most sarcastic tone possible. I've never wanted to nerd rage on a person so hard as this guy. I couldn't believe that they'd actually doubt me considering all the other info I had to give to them. It was ridiculous and reminded me of an overbearing mall cop.

Totally solidified me in not going back to WoW at all.
 

PowerYoga

Diamond Member
Nov 6, 2001
I guess the IP check is not in play for compromised accounts. If my account was 'hacked' because someone else obtained my username / password, why didn't the IP check kick in and notify me / lock them out?

I highly suspect the IP check is from the login screen, and it doesn't occur automatically or on a fast enough basis for the lockout to matter. I played SC2 at a friend's house and the account didn't get locked until a few days later. Which is why an authenticator being able to prevent a session hack is so strange to me, but that's a different discussion altogether I think.
 

Fox5

Diamond Member
Jan 31, 2005
Meh, people are complaining that the Internet is insecure.
Blizzard offers a solution, the authenticator, a 2-factor system. It's out of band since it requires a time-based code from your phone, making it much harder for a hacker to get both pieces of information.
People bitch that this is too hard.

The Internet is inherently insecure, and any site you use that only requires a password to log in is also insecure to a determined and capable attacker. Blizzard is a big target and has real hacking problems, so they offer the next stage in security to deter those. There's not really much else they can do; security is hard. No software is free of bugs, most protocols are susceptible to a man-in-the-middle attack with enough effort, and they certainly can't do anything about your passwords being compromised by other means (i.e., a flash exploit on a website, a database where you reused a password being compromised, etc.).

Accept the realities of the world, because no one has figured out a better system of ease vs. security than what Blizzard is offering, and even security companies frequently get it wrong.
 

Wreckem

Diamond Member
Sep 23, 2006
Meh, people are complaining that the Internet is insecure.
Blizzard offers a solution, the authenticator, a 2-factor system. It's out of band since it requires a time-based code from your phone, making it much harder for a hacker to get both pieces of information.
People bitch that this is too hard.

The Internet is inherently insecure, and any site you use that only requires a password to log in is also insecure to a determined and capable attacker. Blizzard is a big target and has real hacking problems, so they offer the next stage in security to deter those. There's not really much else they can do; security is hard. No software is free of bugs, most protocols are susceptible to a man-in-the-middle attack with enough effort, and they certainly can't do anything about your passwords being compromised by other means (i.e., a flash exploit on a website, a database where you reused a password being compromised, etc.).

Accept the realities of the world, because no one has figured out a better system of ease vs. security than what Blizzard is offering, and even security companies frequently get it wrong.

I think the point some are trying to make is, hacking would not be an issue if a single-player game didn't have to be connected online to servers. There is absolutely no reason for the requirement, other than Activision Blizzard's greed when it comes to the real-cash auction house.
 

DAGTA

Diamond Member
Oct 9, 1999
There are a few points I think should be considered:

a) Blizzard can, and should, improve the security of their login system. Passwords should be case sensitive. Email addresses should not be used as account names. IP addresses should be tracked, and a partial account lockdown (inability to sell items, trade items, etc.) should occur when a new IP recorded at login is very different from the previous one.

b) The authenticators should either ship with the game or be very strongly suggested during install.
 

I4AT

Platinum Member
Oct 28, 2006
This is sort of interesting but my Skype account was recently compromised. I received roughly 4-5 e-mails within a few minutes for invites to join a Skype manager which I guess is like a way to share Skype credits with people in a group. I logged into my account and noticed someone was making calls to Taiwan. I don't have a credit card or PayPal account attached to my Skype account so there wasn't really any damage to be done, I think maybe every account gets a certain amount of free credit so they're just doing mass transfers to make calls?

But anyways, one of the invite e-mails had a name listed that I recognized as a really old member of these forums, who I believe was also a member at HardOCP. The other e-mails were all in Chinese. I use about 3 different levels of passwords, one that's strictly for financial stuff, another for mid level stuff, and a low level password for forum logins and other crap I don't really care about.

My Skype password was a low level one, same I use here and also at HardOCP. I think I use the same e-mail address at Hardforum as I do for my Skype account. The e-mail address associated with my Anandtech account is different, therefore, I think Hardforum having been compromised is more likely, but it's possible AT was as well? Given the unusual amount of members that have come forward and said their D3 account was compromised, I'd be interested in hearing how many of them are also members of the Hardforums, and honestly how many of them used the same password for Battle.net as their Hard and/or Anandtech logins.

Other possible candidates include slickdeals.net, cheapassgamer.com, heatware.com, fatwallet.com, shoryuken.com.

Just to clarify, I personally do not own Diablo 3, although I do have a Battle.net account associated with the same e-mail address, but thankfully using my mid-level password.
 

diesbudt

Diamond Member
Jun 1, 2012
I have played WoW for 5 years, totaled way too many hours.

I got D3 day of release. Played it for a good amount of hours.

No authenticator.

Still have not been hacked.

Methinks it's people's browsing habits (as my game computer rarely if ever goes to the web browser/internet, and has 3 virus/malware/keylogger protections that are constantly updated).
 

DrunkenSano

Diamond Member
Aug 8, 2008
It was already revealed that a Chinese gold-farming group had hacked multiple websites and forums where D3 and WoW people congregated. The same people who had their accounts hacked also had the same e-mail password for Battle.net. The gold farmers just used a script or something to attempt a login with each account they compromised from the forums and had a low percentage rate of success. But the amount of data retrieved was really high, so even a low percentage netted quite a few accounts.

So in the end, some of our assumptions were right. It's not Blizzard getting session hacked or database hacked; it's people using the same info for forums that are much easier to hack.
 
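An added illustration (not code from this thread, from Blizzard, or from any poster) of the two mechanisms discussed above: the partial lockdown DAGTA proposes when a login arrives from a network the account has never used, and the credential-stuffing pattern DrunkenSano describes (one source trying many harvested account/password pairs with a low hit rate). The login events are constructed; the /24 comparison, the thresholds and the field layout are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed login-audit events (account, source_ip, success); not real data.
EVENTS = [
    ("alice", "203.0.113.10", True),     # alice's usual network
    ("alice", "203.0.113.10", True),
    ("bob", "198.51.100.7", True),
    ("carol", "198.51.100.20", True),    # carol's usual network, seen first
    # one source cycling through many accounts with reused forum passwords
    ("alice", "192.0.2.50", False),
    ("bob", "192.0.2.50", False),
    ("carol", "192.0.2.50", True),       # carol reused her forum password
    ("dave", "192.0.2.50", False),
    ("erin", "192.0.2.50", False),
    ("frank", "192.0.2.50", True),       # frank has no login history yet
]


def stuffing_sources(events, min_accounts=5, max_success_rate=0.5):
    """Flag source IPs that try many distinct accounts and mostly fail.

    A single user mistyping a password hits one account; a stuffing script hits
    many accounts from one place with a low success ratio (assumed thresholds).
    """
    per_ip = defaultdict(lambda: {"accounts": set(), "ok": 0, "total": 0})
    for account, ip, success in events:
        stats = per_ip[ip]
        stats["accounts"].add(account)
        stats["total"] += 1
        stats["ok"] += int(success)
    return sorted(
        ip for ip, s in per_ip.items()
        if len(s["accounts"]) >= min_accounts
        and s["ok"] / s["total"] <= max_success_rate
    )


def partial_locks(events):
    """Decide, at login time, whether a successful login gets a partial lock.

    The lock (no trading or selling, per DAGTA's proposal) applies when the
    login's /24 network differs from every network the account has used before.
    Caveat shown by 'frank': an account with no history cannot be compared, so
    the first successful login always sets the baseline.
    """
    seen_networks = defaultdict(set)
    decisions = []
    for account, ip, success in events:
        if not success:
            continue  # failed attempts never change the account's baseline
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        known = seen_networks[account]
        verdict = "partial_lock" if known and net not in known else "allow"
        decisions.append((account, ip, verdict))
        known.add(net)
    return decisions
```

Because both checks run on the audit trail as events arrive, the lock can be applied to the suspicious session itself rather than days later, which is the gap PowerYoga describes.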

darkewaffle

Diamond Member
Oct 7, 2005
Yea, no troubles here either. I did finally get an authenticator though (RMAH 10 more auction slots was too good to pass up lol).
 

PrincessFrosty

Platinum Member
Feb 13, 2008
www.frostyhacks.blogspot.com
I don't think it's been demonstrated yet that any of these hacks are directly against Blizzard, which means the account "hacking" is more or less the fault of the end user.

However, it does seem unreasonable to expect the average user to have enough security knowledge in this day and age to fully protect their own account. Blizzard acted irresponsibly with a combination of both:
1) Making players a target by monetising their virtual items.
2) Creating a system where all accounts (even singleplayer) are vulnerable to attack.

IMO they should have shipped a free authenticator with every copy of the game and made them mandatory, most banks will force this for online banking now for similar reasons.
 

thespyder

Golden Member
Aug 31, 2006
1) Making players a target by monetising their virtual items.
2) Creating a system where all accounts (even singleplayer) are vulnerable to attack.

I think this is close to the root of the issue. Insomuch as there is a potential monetary gain to be made, people will always try to get "their due" (and wherever possible, more than their due).

So Blizzard got greedy and wanted to create virtual property and sell it. Now there is a lot more reason for would-be thieves to be interested in hacking. And considering the cost/benefit is heavily incented on the benefit side (the current legal structure is ill-equipped to deal with this type of theft), even more so. I think that Blizzard (and by default any other publisher who pursues this model) is acting irresponsibly in attempting to create a market where appropriate checks and balances are not in place prior to rollout.
 

railven

Diamond Member
Mar 25, 2010
IMO they should have shipped a free authenticator with every copy of the game and made them mandatory, most banks will force this for online banking now for similar reasons.

Agree, Blizzard should have definitely included the authenticator - even put a cute Diablo 3 skin on it. I know when the WoW hacking was rampant they were giving them away for free; the buyer just paid shipping.

They should have had the foresight to see this coming, ESPECIALLY after they saw it on WoW.
 

exdeath

Lifer
Jan 29, 2004
Blizzard is really going down the toilet. Whether it is Activision's poor practices towards the consumer having a trickle down effect

This is all that needs to be said. They already destroyed WoW with their endless meddling, nerfing, patching, and casualizing everything in the name of maximum profits.

That whole practice started when Activision took over.