Forbes: The Horror of Being Hacked in Diablo 3


PowerYoga

Diamond Member
Nov 6, 2001
With the hackers not changing the passwords to lock users out of their accounts and with only stealing stuff from one character, it really does look like a session hack and not an account hack. Or maybe it is not a hack at all. Maybe there is a bug that is causing all your items to just disappear. So, when you log out and it saves your character it fails to save your inventory for some reason. Both of which point to Blizzard and not the user.

No, it's a session hack, that's the thing. They take over your session for the character you're currently playing; all they need is your battlenet ID. I don't know where the authenticator comes into play in this whole scheme of things, but it seems to prevent it from happening, so I have one for the phone.

It's Blizzard's error, plain and simple. They're pushing back real hard on it from a PR standpoint, but I bet they're frantically trying to figure out how to fix it on the backend so they can say "this never happened".

I realize it's just a game, but people have a right to get worked up about it when it's pretty much an MMORPG, gear grinding and everything included.
 

VashHT

Diamond Member
Feb 1, 2007
It's unique to that account, and it's a fairly strong password given the limited number of characters that they allow.

My account password is longer than 10 characters, not sure where you're getting that from. But yeah, the 2 recovery max thing sounds like BS; my WoW account was hacked once and they added an authenticator to it, so I guess I only have one recovery left.
 

terry107

Senior member
Dec 8, 2005
My assumption at this point is that people who are "hacked" had their password compromised in one of the many possible ways. You have the traditional "I downloaded something sketchy" issues. You have phishing/scam sites. You have other hacked sites where you used the same email address and password combination. You have exploits and vulnerabilities in every piece of software installed on your computer. Even if you keep everything up to date and don't visit sketchy sites, you can still get stung by flash/script/iframe ads using 0-day exploits. Even people who think they've done everything they can to protect themselves (probably most people on this forum) probably have some vulnerability on their system that will be taken advantage of if they hit the wrong site or banner ad.

Generally, I would agree with this; however, the facts presented in the OP's article do not make sense. If people's accounts are being hacked by having their passwords compromised, why would the hackers only clear out one character? In the OP's article, the guy had three characters and the one that was hit was his lowest level (but also the last one played). It doesn't make sense.

There are certainly people who are getting hacked in these more traditional manners (phishing/malware/etc.), but there is something else going on. The session ID spoof seems the most logical, but Blizzard is never going to admit that is happening. I suspect Blizzard will do something on their end and we will see fewer of these session ID hack reports coming in.

Regardless, as someone who does not have the game, it has been and will be interesting to follow.
 

Ferzerp

Diamond Member
Oct 12, 1999
My account password is longer than 10 characters, not sure where you're getting that from. But yeah, the 2 recovery max thing sounds like BS; my WoW account was hacked once and they added an authenticator to it, so I guess I only have one recovery left.


Perhaps the person meant the size of the character set. Having only 36 options does not make for very good passwords. Their passwords are case-insensitive.
 

nanobreath

Senior member
May 14, 2008
My assumption at this point is that people who are "hacked" had their password compromised in one of the many possible ways. You have the traditional "I downloaded something sketchy" issues. You have phishing/scam sites. You have other hacked sites where you used the same email address and password combination. You have exploits and vulnerabilities in every piece of software installed on your computer. Even if you keep everything up to date and don't visit sketchy sites, you can still get stung by flash/script/iframe ads using 0-day exploits. Even people who think they've done everything they can to protect themselves (probably most people on this forum) probably have some vulnerability on their system that will be taken advantage of if they hit the wrong site or banner ad.

Not to mention if you ever log into battle.net from a computer other than your own, you would be putting your information at risk. Even worse, since D3 just uses your battle.net login, your information could have been stolen many months ago, but is just now being put to use. There are so many methods for being compromised it isn't even remotely funny. For this reason alone I do not believe any of the random posters on internet forums about this supposed "session" hack. Until such a time that there is real proof from a trusted 3rd party or Blizzard themselves that this hack exists, I will believe the simplest explanation is the true one. And it is much, much, much easier to compromise a user than it is a secure server.

http://en.wikipedia.org/wiki/Occam's_razor
 

Gunslinger08

Lifer
Nov 18, 2001
Generally, I would agree with this; however, the facts presented in the OP's article do not make sense. If people's accounts are being hacked by having their passwords compromised, why would the hackers only clear out one character? In the OP's article, the guy had three characters and the one that was hit was his lowest level (but also the last one played). It doesn't make sense.

There are certainly people who are getting hacked in these more traditional manners (phishing/malware/etc.), but there is something else going on. The session ID spoof seems the most logical, but Blizzard is never going to admit that is happening. I suspect Blizzard will do something on their end and we will see fewer of these session ID hack reports coming in.

Regardless, as someone who does not have the game, it has been and will be interesting to follow.

I would assume that the "hackers" wrote scripts/bots to start a game as your first/active character (which is the last one you played), TP, run to the stash, then drop everything from the first tab and character inventory on the ground. They probably didn't think about extra characters/stash tabs or they couldn't get the script/bot working with it. One guy with a script/bot can steal a lot more gold than 10 guys doing it manually.

Can someone give me actual details of how the claimed "session ID" spoof/hack is occurring? I would have to assume that Blizzard isn't stupid and used IP hashed session IDs and they transmit auth stuff over SSL. You've also got a lot of people claiming to have never used the AH or played multiplayer. If we're saying the issue isn't on the user's side, and it can't be another player in your game/the AH, it would have to be on Blizzard's side. Do we really think someone at Blizzard/their data center/their ISP is providing a backdoor to their network that nobody has found yet?
 

magomago

Lifer
Sep 28, 2002
From my understanding, Blizzard doesn't know how it's happening, so the authenticator was the only way to put a stop to it.

I also had my WOW account hacked... it came out of the blue as well; I don't do anything shady, have my anti-malware (things like NoScript) and AV up to date always, and while my passwords aren't the strongest, they are hard to pick out (think of seemingly unrelated random words) and were unique to WOW at the time.


Go figure.
 

CU

Platinum Member
Aug 14, 2000
No, it's a session hack, that's the thing. They take over your session for the character you're currently playing; all they need is your battlenet ID.

How do you know they take over your character and that it is a session hack? Do the hackers ever do anything strange with the characters, like equip all lvl 1 stuff on a high lvl character or use potions to spell out things in your inventory? With it being the last character you played that is cleaned out, it could just as easily be a bug that gets triggered when you exit Diablo and affects the last character you played. Also, if all these stolen items are turned to gold, it should be easy for Blizzard to sort the accounts by gold amount + inventory value and find out where all the stolen goods are going. Unless the wealth is spread around to a lot of people very quickly.
 

Kalmah

Diamond Member
Oct 2, 2003
One thing that gets me:

With the authenticator: After several log-ins it keeps track of your IP so that you don't have to use the authenticator every time then makes you re-create your password or something if a foreign ip is trying to log in.

Without the authenticator: Blizzard doesn't track IP with logins. Why the hell not!? They could and they don't. Maybe I'm missing something? But it seems like bs.
 

VirtualLarry

No Lifer
Aug 25, 2001
I asked them NOT to roll back my account, given the strict policy, and instead asked them if they could update my secret question (figuring that this could be one avenue for compromises), since they don't allow you to change it yourself. They refused.
...
I'm pissed about Blizzard's ridiculous policies.
...
Worst of all, I still have no idea how my account got compromised, so I don't even know what to do to prevent it in the future. I've changed my password again, but who's to say that will make a difference?

That's really bad. I hate the fact that these companies are REQUIRING "secret questions", which in truth, are simply another challenge-response pair, essentially a secondary password to gain access to your account. And unfortunately, they are generally less cryptographically secure than the primary password, and they are also essentially permanent, based on what you are saying about Blizzard's policies regarding changing the secret question.

Then there is the issue, of pre-made questions for the "secret" question, which ask real-life things, which could potentially be learned, with a little googling, or if you are friends with the person on their Facebook account, or know the person.

It's very troubling to me. It just seems like REALLY BAD password security.
 

smackababy

Lifer
Oct 30, 2008
One thing that gets me:

With the authenticator: After several log-ins it keeps track of your IP so that you don't have to use the authenticator every time then makes you re-create your password or something if a foreign ip is trying to log in.

Without the authenticator: Blizzard doesn't track IP with logins. Why the hell not!? They could and they don't. Maybe I'm missing something? But it seems like bs.

I don't believe this is how the authenticator works. I know Rift had some form of security like this, where if a foreign IP logged in, they could not buy / sell / or drop any items, until you entered a security code emailed to that account.

The session hack is likely false. Having an authenticator would have no effect in deterring this type of attack. I find it funny that nobody who has been hacked has given up what their password used to be.

What is most likely happening is there is a script resuming your last game, teleporting to town, inviting someone to your game, giving them all your items / gold, and then logging off. I could do all of this with a simple keyboard / mouse recording program. I could even go as far as to log into the AH and buy a specific item.
 

Kalmah

Diamond Member
Oct 2, 2003
I don't believe this is how the authenticator works. I know Rift had some form of security like this, where if a foreign IP logged in, they could not buy / sell / or drop any items, until you entered a security code emailed to that account.

The session hack is likely false. Having an authenticator would have no effect in deterring this type of attack. I find it funny that nobody who has been hacked has given up what their password used to be.

What is most likely happening is there is a script resuming your last game, teleporting to town, inviting someone to your game, giving them all your items / gold, and then logging off. I could do all of this with a simple keyboard / mouse recording program. I could even go as far as to log into the AH and buy a specific item.

I actually did share my password in the official d3 thread. Allow me to quote myself.

jretzbdomlk213

It's an acronym of combined shortened words that makes sense only to me.

The first 4 letters refer to a character name on an old anime I watched about 10 years ago. 'bdom' is referring to 'lake bodom' from a band called 'children of bodom' (a band that now sucks and is not worthy of being part of my password scheme anymore). The 'lk' immediately after is an abbreviation for 'lake' and 213 at the end is the apartment number of Jeffrey Dahmer. lol

What you say about hackers somehow resuming your last game seems the most probable to me; since everybody who seems to have gotten hacked only had their last playing character hacked and nothing more.
 

PowerYoga

Diamond Member
Nov 6, 2001
How do you know they take over your character and that it is a session hack? Do the hackers ever do anything strange with the characters, like equip all lvl 1 stuff on a high lvl character or use potions to spell out things in your inventory? With it being the last character you played that is cleaned out, it could just as easily be a bug that gets triggered when you exit Diablo and affects the last character you played. Also, if all these stolen items are turned to gold, it should be easy for Blizzard to sort the accounts by gold amount + inventory value and find out where all the stolen goods are going. Unless the wealth is spread around to a lot of people very quickly.

Almost all the people that have gotten hacked just have the stash and their active character stripped. An account hacker would clear out everything.

You also have a very poor understanding of how databases and data recovery work. There's no way Blizzard would spare the manpower to trace where the gold is going, especially when thousands of people are getting hacked. Could they do it? Yes. Is it worth the time? No.
 

krnmastersgt

Platinum Member
Jan 10, 2008
Well I haven't picked up D3 but in regards to Blizzard's security I must say they could use an update to their system. Few months ago I lost control of my SC2 account, I used my more or less standard gaming password (this one was a tad more secure) and one day when I felt like trying to play I was informed of my password being changed. This was preceded by my e-mail being sent at least 20 different notifications (that all ended up in Spam) that there were multiple failed log-in attempts into my account. I have to wonder why Blizzard doesn't adopt a much more secure/fierce policy with regards to multiple log-in attempts, especially from different IPs than the one that the original account has been accessing from for the most part.
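One way to implement the two controls this post is asking for (remembering which IPs an account normally logs in from, and reacting to a burst of failed attempts from other IPs instead of just e-mailing about them). This is an added example, not Blizzard's code or anything from the thread; the log format, thresholds and sample lines are all constructed for illustration.

```python
"""Login anomaly checks: step-up auth from unfamiliar IPs, lockout on failure bursts."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Policy knobs (assumed values, not any real service's settings).
FAMILIAR_AFTER = 3                    # successes from an IP before it counts as "known"
MAX_FAILURES = 5                      # failed attempts tolerated inside FAIL_WINDOW
FAIL_WINDOW = timedelta(minutes=10)
LOCK_DURATION = timedelta(minutes=30)

# Constructed sample auth log: "timestamp user event ip" (event is LOGIN_OK or LOGIN_FAIL).
SAMPLE_LOG = """\
2012-05-20T10:00:00 alice LOGIN_OK 203.0.113.10
2012-05-20T18:00:00 alice LOGIN_OK 203.0.113.10
2012-05-21T09:30:00 alice LOGIN_OK 203.0.113.10
2012-05-21T20:00:00 alice LOGIN_OK 203.0.113.10
2012-05-22T02:00:00 alice LOGIN_FAIL 198.51.100.7
2012-05-22T02:00:01 alice LOGIN_FAIL 198.51.100.8
2012-05-22T02:00:02 alice LOGIN_FAIL 198.51.100.9
2012-05-22T02:00:03 alice LOGIN_FAIL 198.51.100.7
2012-05-22T02:00:04 alice LOGIN_FAIL 198.51.100.8
2012-05-22T02:00:05 alice LOGIN_OK 198.51.100.8
2012-05-22T02:10:00 bob LOGIN_OK 192.0.2.5
"""


def parse_line(line):
    """Split one log line into (datetime, user, event, ip)."""
    ts, user, event, ip = line.split()
    return datetime.fromisoformat(ts), user, event, ip


class LoginRiskMonitor:
    def __init__(self):
        self.ip_successes = defaultdict(lambda: defaultdict(int))  # user -> ip -> successes
        self.failures = defaultdict(deque)                         # user -> (ts, ip) in window
        self.locked_until = {}                                     # user -> datetime

    def evaluate(self, ts, user, event, ip):
        """Return (action, detail) for one auth event and update the account's state."""
        lock = self.locked_until.get(user)
        if lock and ts < lock:
            return "DENY", "account locked until %s" % lock.isoformat()
        if event == "LOGIN_FAIL":
            q = self.failures[user]
            q.append((ts, ip))
            while q and ts - q[0][0] > FAIL_WINDOW:   # forget attempts outside the window
                q.popleft()
            if len(q) >= MAX_FAILURES:
                distinct = len({src for _, src in q})   # spread across IPs is itself a signal
                self.locked_until[user] = ts + LOCK_DURATION
                q.clear()
                return "LOCK", "%d failures from %d IPs within %s" % (len(q) or MAX_FAILURES, distinct, FAIL_WINDOW)
            return "FAIL", "%d/%d failures in window" % (len(q), MAX_FAILURES)
        # LOGIN_OK: a correct password alone is not enough from an IP the account rarely uses.
        seen = self.ip_successes[user][ip]
        self.ip_successes[user][ip] = seen + 1
        if seen >= FAMILIAR_AFTER:
            return "ALLOW", "familiar ip %s" % ip
        return "STEP_UP", "unfamiliar ip %s (%d prior successes), require authenticator" % (ip, seen)


def run(log_text):
    """Feed log lines through one monitor; return [(user, action), ...] in log order."""
    mon = LoginRiskMonitor()
    return [(u, mon.evaluate(ts, u, ev, ip)[0])
            for ts, u, ev, ip in map(parse_line, log_text.strip().splitlines())]
```

For the sample log the monitor demands step-up for alice's first three logins, allows the fourth, locks the account on the fifth failure (three source IPs inside five seconds), and denies the password-correct login that follows while the lock is in force.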
 

darkewaffle

Diamond Member
Oct 7, 2005
Having a single character affected sounds simply to me like a matter of efficiency and automation. I would guess the vast majority of players still only have one "main", and when you're breaking and entering (in essence) you don't want to be on the scene any longer than is necessary. To me it sounds more like a bot setup that goes from account to account (assuming they've compiled all the login information they've obtained) and simply performing what is most probably the most profitable series of actions possible.

Also iirc you cannot change your bnet secret question as it is intended to be your 'last line of defense' when used to verify your identity, and since it is asked for very rarely by bnet the chance of it getting keylogged is low. Though I have heard that in some cases Blizz will resort to payment detail or cd keys to verify identity as well, but those change as well.
 

CU

Platinum Member
Aug 14, 2000
Almost all the people that have gotten hacked just have the stash and their active character stripped. An account hacker would clear out everything.
I am agreeing with you here, so I don't really understand your comment. I was asking how do we know the goods are stolen and not just lost due to a bug in the code.

You also have a very poor understanding of how databases and data recovery work. There's no way Blizzard would spare the manpower to trace where the gold is going, especially when thousands of people are getting hacked. Could they do it? Yes. Is it worth the time? No.

I do understand how databases work. They don't need to trace the gold in real time or do any kind of recovery work. I would assume the gold is being collected until the RMAH goes live. As they seem to be taking the servers down regularly for maintenance, just take a snapshot of the db and sort the data on another machine. Very few man hours would be needed for this. If you see one or a few accounts that have way more gold than the other accounts, then a hack may very well be in the works. But if you don't see any accounts with tons of gold, it may not be a hack at all. It may be a bug and you may be looking in the wrong place. Thousands of people getting hacked is more reason to do this, not less reason. They may waste all their time looking for a hack when there isn't one. Just because virtual goods are missing doesn't mean they are stolen. This isn't the real world; goods can really just disappear.
 

PowerYoga

Diamond Member
Nov 6, 2001
Sorry about that, it was kind of hard to understand your post.

It's not a bug due to loss, because people actively see the hack in progress (character logged in, you try to log in and it doesn't let you, etc). You can read the battlenet forums for more detailed information, but all signs point to a session hack and not a compromised account.

The scenario you are talking about is more of an investigation for tracing gold sellers as opposed to an active recovery process... so irrelevant to what we're talking about here.

You keep thinking it's a bug, but you're only partially right. The bug is on Blizzard's side, which allows accounts to be compromised with just a battle.net ID. All evidence points to it, but somehow the authenticator prevents it, which is why I have one.
 

gothamhunter

Diamond Member
Apr 20, 2010
Sorry about that, it was kind of hard to understand your post.

It's not a bug due to loss, because people actively see the hack in progress (character logged in, you try to log in and it doesn't let you, etc). You can read the battlenet forums for more detailed information, but all signs point to a session hack and not a compromised account.

The scenario you are talking about is more of an investigation for tracing gold sellers as opposed to an active recovery process... so irrelevant to what we're talking about here.

You keep thinking it's a bug, but you're only partially right. The bug is on Blizzard's side, which allows accounts to be compromised with just a battle.net ID. All evidence points to it, but somehow the authenticator prevents it, which is why I have one.

Show me this evidence.
 

CU

Platinum Member
Aug 14, 2000
Didn't know some people actively saw the hack in progress. Yeah that kinda makes it a session hack or a very lazy account hacker / script as they don't clear out all the characters. I thought I had read that even people with authenticators had been hacked?

Maybe I should always log into a starter lvl1 character before leaving.
 

Lonyo

Lifer
Aug 10, 2002
Why does Blizz have such rabid fanboys? Are they the Apple of the gaming world?

Pretty much, only Blizz haven't even released a product which is a step forward on their own products in a long time.

I think after the giant fuckup that was Starcraft 2 in many ways, followed by the joke launch of Diablo 3 they are wearing their reputation rather thin, and people won't be quite so welcoming of future releases.
 

gothamhunter

Diamond Member
Apr 20, 2010
Take a quick look on general discussion on the d3 battlenet forums. I can't look at it at work, but most symptoms are very similar. Last I checked the European and Korean forums are the same way.

OK, so you have a bunch of people having an issue, who most likely end up having the "mob mentality".

Again, show me the evidence.

Note, I'm not saying there isn't an issue here, but I want someone to show me the evidence that it's some sort of session hack. There are a multitude of reasons that this can be happening, including, but not limited to, weak passwords/brute force hacking, flash injections, scripting/botting, and yes possibly even session hacks.

Considering there isn't one ounce of proof for session hacks minus a lot of people having "similar" issues and speculating on how the session hacks are working, I find it hard to believe. Consider it is session hacking - you don't think someone who knows how to do it wouldn't try and sell how to do it somewhere, or that it would be findable?
 

gothamhunter

Diamond Member
Apr 20, 2010
Pretty much, only Blizz haven't even released a product which is a step forward on their own products in a long time.

I think after the giant fuckup that was Starcraft 2 in many ways, followed by the joke launch of Diablo 3 they are wearing their reputation rather thin, and people won't be quite so welcoming of future releases.

Both of your points are complete opinion. Many of us find Diablo 3 to be a great step forward, minus some initial release issues that are sure to get ironed out and pave the way for a great gaming future for Diablo fans.

Downtime sucks, hacks suck, unseen issues/ideas that are being exploited suck, but all of those are issues that get fixed, and then what are you left with? A great game.