Forbes: The Horror of Being Hacked in Diablo 3


DrunkenSano

Diamond Member
Aug 8, 2008
3,892
490
126
I never played WoW. My battle.net account was created two weeks ago when I bought Diablo 3.

It was an old email / password combo that I had used years ago, so my guess is that was somehow compromised, but that would mean someone sat on that information for a long time.

But the security loopholes, compromised ad banners, etc, have always been there. The gold sellers would just do a huge sweep once D3 opens to see what their malicious programs netted and start using a script to loot unsafe accounts. The stuff doesn't happen after you buy D3, it's already there.


Gaming is a hobby like many things. So while saying "it's just a game" is understandable to some, I can say "it's just a car, who cares about a little scratch or a scrape" to someone else and they'd get offended.

It depends on how much people value something. People value cars in their cash value, which means many, many hours of work to pay it off. Whereas a video game, for some, especially one without a monthly fee, is only double digits and a couple of hours a day.
 

gothamhunter

Diamond Member
Apr 20, 2010
4,464
6
81
There's no such thing as a "complex password" on battle.net.

There is if you use special characters and numbers.

Also, FWIW, they offer an unlimited number of chances to login - I don't think they have a "you attempted to login too many times, so now your account is disabled" thing, so a brute force attack is entirely possible.
 

crownjules

Diamond Member
Jul 7, 2005
4,858
0
76
There is if you use special characters and numbers.

Also, FWIW, they offer an unlimited number of chances to login - I don't think they have a "you attempted to login too many times, so now your account is disabled" thing, so a brute force attack is entirely possible.

They do have some sort of throttling on attempts after so many failures. I can only imagine there would be so many people inconvenienced because Blizzard accounts are so popular.

Out of curiosity, do any MMOs do account lockouts after failed attempts?
 

I4AT

Platinum Member
Oct 28, 2006
2,631
3
81
Plenty of people use a global e-mail/password combination for pretty much everything. With the number of accounts being compromised in Diablo 3 it would be easy enough to database all the stolen information and run it against PayPal/Amazon/Ebay accounts. Clearly the target is cash through in-game gold. If I'm after cash the first thing I would do is try to sniff out those other accounts before I make the user aware they've been compromised, rather than going through some convoluted method of piling up virtual gold and hoping I can find buyers to make it worth my trouble.

Also this is Anandtech, I'm not saying everyone here is a guru, but users here are much more tech savvy and conscious of security vulnerabilities than your average Windows user, and I have never seen this many members come forward and say they've been hacked in any sort of game, website, or what have you.

Anyone that thinks this is just a case of PEBKAC should probably take Blizzard's unicorn out of their rainbow. Seems pretty clear to me the problem is on their end.
 
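The post above describes the economics of credential reuse: a pile of stolen e-mail/password pairs gets replayed against every popular service. From the defender's side that replay has a recognisable shape in the login log, which is different from the shape of a brute-force attack on one account. The following is an added example written by the editor, not code from any poster and not Blizzard's own detection logic; the log format, IP addresses and log lines are constructed for illustration.

```python
"""Tell credential stuffing apart from brute force in a login log.

Added example (editor's code, not from the thread or from Blizzard).
The log line format and SAMPLE_LOG below are constructed for illustration.

Credential stuffing: one source tries MANY distinct accounts, roughly once
each, with a low success ratio (the leaked pairs that still work).
Brute force: one source hammers ONE account with many guesses.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample log. 203.0.113.7 walks a leaked list (stuffing, one hit);
# 198.51.100.4 guesses repeatedly at a single account (brute force);
# 192.0.2.9 is an ordinary successful login.
SAMPLE_LOG = """\
2012-05-22T10:00:01Z ip=203.0.113.7 user=alice@example.com result=fail
2012-05-22T10:00:02Z ip=203.0.113.7 user=bob@example.com result=fail
2012-05-22T10:00:02Z ip=203.0.113.7 user=carol@example.com result=ok
2012-05-22T10:00:03Z ip=203.0.113.7 user=dave@example.com result=fail
2012-05-22T10:00:03Z ip=203.0.113.7 user=erin@example.com result=fail
2012-05-22T10:00:04Z ip=203.0.113.7 user=frank@example.com result=fail
2012-05-22T10:00:09Z ip=198.51.100.4 user=alice@example.com result=fail
2012-05-22T10:00:15Z ip=198.51.100.4 user=alice@example.com result=fail
2012-05-22T10:00:20Z ip=198.51.100.4 user=alice@example.com result=ok
2012-05-22T10:01:00Z ip=192.0.2.9 user=grace@example.com result=ok
"""


def parse(log: str):
    """Yield one dict per well-formed log line; silently skip anything else."""
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def classify_sources(log: str, min_accounts: int = 5, max_success_ratio: float = 0.25,
                     min_attempts: int = 3) -> dict:
    """Return {ip: {"pattern": ..., "accounts": n, "fail": f, "ok": o}} for suspicious IPs.

    Thresholds are illustrative assumptions; tune them to the service's traffic.
    """
    per_ip = defaultdict(lambda: {"users": set(), "fail": 0, "ok": 0})
    for ev in parse(log):
        stats = per_ip[ev["ip"]]
        stats["users"].add(ev["user"])
        stats[ev["result"]] += 1

    flagged = {}
    for ip, s in per_ip.items():
        total = s["ok"] + s["fail"]
        ratio = s["ok"] / total
        pattern = None
        if len(s["users"]) >= min_accounts and ratio <= max_success_ratio:
            pattern = "credential-stuffing"
        elif len(s["users"]) == 1 and total >= min_attempts:
            pattern = "brute-force"
        if pattern:
            flagged[ip] = {"pattern": pattern, "accounts": len(s["users"]),
                           "fail": s["fail"], "ok": s["ok"]}
    return flagged


def accounts_hit(log: str, **thresholds) -> set:
    """Accounts that logged in successfully from a flagged source: the ones to reset."""
    flagged = classify_sources(log, **thresholds)
    return {ev["user"] for ev in parse(log)
            if ev["ip"] in flagged and ev["result"] == "ok"}


if __name__ == "__main__":
    for ip, info in classify_sources(SAMPLE_LOG).items():
        print(ip, info)
    print("force password reset for:", sorted(accounts_hit(SAMPLE_LOG)))
```

The distinction matters for the response: a stuffing source tells you which of your users reuse passwords (reset those accounts and warn the owners to change the same password elsewhere), while a brute-force source is what the per-account cooldown discussed later in the thread is meant to blunt.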

AMDZen

Lifer
Apr 15, 2004
12,589
0
76
Also this is Anandtech, I'm not saying everyone here is a guru, but users here are much more tech savvy and conscious of security vulnerabilities than your average Windows user, and I have never seen this many members come forward and say they've been hacked in any sort of game, website, or what have you.

Anyone that thinks this is just a case of PEBKAC should probably take Blizzard's unicorn out of their rainbow. Seems pretty clear to me the problem is on their end.

Exactly.

All the evidence you need was already posted around the net if you look. It's a daisy-chain effect where person "A" gets hacked, and a person from their recently played list becomes the next victim, followed by a person from that player's recently played list, and so on and so forth.

It's obviously nothing to do with login information, emails/passwords, etc. As it is ridiculous and nonsensical to think that they just happen to have hacked players from each consecutive user's recently played list.
 

Gunslinger08

Lifer
Nov 18, 2001
13,234
2
81
Plenty of people use a global e-mail/password combination for pretty much everything. With the number of accounts being compromised in Diablo 3 it would be easy enough to database all the stolen information and run it against PayPal/Amazon/Ebay accounts. Clearly the target is cash through in-game gold. If I'm after cash the first thing I would do is try to sniff out those other accounts before I make the user aware they've been compromised, rather than going through some convoluted method of piling up virtual gold and hoping I can find buyers to make it worth my trouble.

As others have stated, this is probably because stealing virtual currency and items isn't going to get tracked by the FBI. They aren't going to be arrested.

Also this is Anandtech, I'm not saying everyone here is a guru, but users here are much more tech savvy and conscious of security vulnerabilities than your average Windows user, and I have never seen this many members come forward and say they've been hacked in any sort of game, website, or what have you.

First off, you see this many people coming forward because:
1. There are a lot more people playing D3 than most games.
2. It's pretty obvious that something has gone wrong when you have no equipment or gold. Most hacks/intrusions aren't that obvious.
3. Gamers are notoriously whiny.

Even with all of the tech savvy in the world, you can still get hit with 0 day exploits or other hacked sites/servers/games where you used the same password.

I'm not saying Blizzard is perfect. They could do a couple of things for security:
1. I personally dislike email address as username, since it's not something most people have more than 1 of. At least with a personally chosen username, I can vary it between services and prevent potential hacks when other systems are compromised.
2. Implement a system like Steam Guard, so that new systems have to be verified.
3. I don't think brute force is a huge issue, but implement a failed login cooldown period.
4. Require the authenticator for play. Include it in the box. This isn't very likely though.
 
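Item 3 in the list above, a failed-login cooldown rather than a hard lockout, is the piece a service can add without inconveniencing the owner much or handing an attacker a way to lock other people out. The following is an added example by the editor (not code from the poster and not Blizzard's code) showing one way to implement it: the first few failures cost nothing, then each further failure doubles a temporary cooldown, capped, and a successful login clears it. The in-memory store, the injectable clock and the sample user record are assumptions made so the example runs stand-alone.

```python
"""Per-account failed-login cooldown with exponential backoff.

Added example (editor's code, not Blizzard's). Assumptions: an in-memory
throttle table and an injectable clock so behaviour is deterministic; a
real service would keep the state in a shared store and key it by source
IP as well as by account.
"""
import hashlib
import hmac
from dataclasses import dataclass


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 for the constructed sample user database."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Throttle:
    failures: int = 0
    locked_until: float = 0.0


class LoginService:
    FREE_ATTEMPTS = 3      # failures allowed before any delay at all
    BASE_DELAY = 5.0       # seconds for the first delayed attempt; doubles after that
    MAX_DELAY = 15 * 60    # cap the cooldown at 15 minutes (a delay, never a permanent lock)

    def __init__(self, users: dict, clock):
        self._users = users            # email -> (salt, password_hash)
        self._clock = clock            # callable returning seconds, injected for testing
        self._throttle: dict = {}

    def cooldown_for(self, failures: int) -> float:
        """0 for the first FREE_ATTEMPTS failures, then 5s, 10s, 20s, ... up to MAX_DELAY."""
        extra = failures - self.FREE_ATTEMPTS
        if extra <= 0:
            return 0.0
        return min(self.BASE_DELAY * 2 ** (extra - 1), self.MAX_DELAY)

    def login(self, email: str, password: str):
        """Return (success, message). Never reveals whether the account exists."""
        now = self._clock()
        t = self._throttle.setdefault(email, Throttle())
        if now < t.locked_until:
            return False, f"cooldown: retry in {t.locked_until - now:.0f}s"

        # Do the same hashing work for unknown and known accounts so response
        # time does not leak which e-mail addresses are registered.
        salt, stored = self._users.get(email, (b"\x00" * 16, b"\x00" * 32))
        ok = email in self._users and hmac.compare_digest(hash_password(password, salt), stored)
        if ok:
            self._throttle.pop(email, None)   # success resets the counter
            return True, "ok"

        t.failures += 1
        t.locked_until = now + self.cooldown_for(t.failures)
        return False, "invalid credentials"


if __name__ == "__main__":
    salt = b"\x01" * 16                                   # constructed sample record
    users = {"player@example.com": (salt, hash_password("correct horse", salt))}
    fake_time = [1000.0]
    svc = LoginService(users, lambda: fake_time[0])
    for _ in range(5):
        print(svc.login("player@example.com", "wrong"))
    print(svc.login("player@example.com", "correct horse"))  # still in cooldown
    fake_time[0] += 10
    print(svc.login("player@example.com", "correct horse"))  # cooldown expired
```

Because the cooldown is measured in seconds and capped, an attacker who spams a victim's e-mail address with wrong passwords delays the owner by minutes at most instead of locking them out entirely, which is the usual objection to hard lockouts on a service with this many accounts.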

Achilles97

Senior member
May 10, 2000
401
14
81
I didn't read every single post, but I think it should be stressed that people should not only just have an Authenticator, but also configure your account settings to always challenge for an Authenticator code when logging into the game. Someone may say that regardless of the settings, the game will challenge for an Authenticator code if the IP address is unrecognized. BUT, keep in mind that it's possible, although far-fetched, that if someone is using some type of video-capable RDP exploit they would be able to login from a known IP. Also, the extreme scenario of a video-capable RDP exploit means that if you are logged in to the game but AFK, a hacker would just drop your stuff on the ground and another character grabs the stuff.

I honestly have no idea what is going on, but I feel safe with the Authenticator set to prompt at every login AND keeping my computer clean from exploit.

Good luck to everyone affected and good luck to everyone else to remain safe.
 

cronos

Diamond Member
Nov 7, 2001
9,380
26
101
They do have some sort of throttling on attempts after so many failures. I can only imagine there would be so many people inconvenienced because Blizzard accounts are so popular.

Out of curiosity, do any MMOs do account lockouts after failed attempts?

Battle.net locks me out and disables my login, requiring me to change my password if it detected me logging in from a different IP address than usual, even with the correct password entered and authenticator attached. How's that?

It's actually quite a hassle when I was just on stand-by on-call at my part-time job and wanted to login to WoW quick on my laptop to check the AH or something like that.
 

PingSpike

Lifer
Feb 25, 2004
21,758
602
126
I'm glad I didn't rush out to buy this game, looks like it would have just been a lot of frustration.
 

PowerYoga

Diamond Member
Nov 6, 2001
4,603
0
0
Which is another reason why it points to this whole thing being a session hack, not an actual compromise of the accounts.

Needing more levels of security to log on and kill an internet dragon than me accessing people's personal information on a server is pretty silly.
 

crownjules

Diamond Member
Jul 7, 2005
4,858
0
76
Which is another reason why it points to this whole thing being a session hack, not an actual compromise of the accounts.

Needing more levels of security to log on and kill an internet dragon than me accessing people's personal information on a server is pretty silly.

It's not silly at all. As has been mentioned several times, the risk of a hacker being caught and prosecuted is negligible. Law enforcement agencies have much better things to concern themselves with than gaming nerds getting angry because their digital item (but it's worth $50 IRLZ!!!!) was stolen from their account. So clearly Blizzard has determined this a valuable security measure to offer its customers.

If you don't care for the additional level of security then you are by no means forced into using it.
 

PowerYoga

Diamond Member
Nov 6, 2001
4,603
0
0
Don't get me wrong, I have all the stuff enabled on my account and I do network security at work.

But expecting Joe or Jim from high school bio class to understand network security, figure out what an "authenticator" is and why they should give blizzard their personal phone number to call when someone is logging in to their account is silly. They're buying a game, what they think they should be doing is installing it and playing it instead of worrying about hackers. That's Blizzard's job and their online DRM isn't helping at all.
 

power_hour

Senior member
Oct 16, 2010
779
1
0
I wonder if the Flame virus or some variant is at play here. That is more likely than a session hack. My recommendation is to change your passwords using a Live CD (linux browser session).

Of course, if the game interface is compromised then, well, you're screwed until Blizzard can fix it.

Glad I never got into the Diablo thing and quit WOW long ago. But I do feel for people who are being victimized. That's not cool.
 

I4AT

Platinum Member
Oct 28, 2006
2,631
3
81
As others have stated, this is probably because stealing virtual currency and items isn't going to get tracked by the FBI. They aren't going to be arrested.

First off, you see this many people coming forward because:
1. There are a lot more people playing D3 than most games.
2. It's pretty obvious that something has gone wrong when you have no equipment or gold. Most hacks/intrusions aren't that obvious.
3. Gamers are notoriously whiny.

Even with all of the tech savvy in the world, you can still get hit with 0 day exploits or other hacked sites/servers/games where you used the same password.

I'm not saying Blizzard is perfect. They could do a couple of things for security:
1. I personally dislike email address as username, since it's not something most people have more than 1 of. At least with a personally chosen username, I can vary it between services and prevent potential hacks when other systems are compromised.
2. Implement a system like Steam Guard, so that new systems have to be verified.
3. I don't think brute force is a huge issue, but implement a failed login cooldown period.
4. Require the authenticator for play. Include it in the box. This isn't very likely though.

Well more people use Facebook than play Diablo 3. More people use Ebay and PayPal, but I never saw 20+ people come forward at once and say they or someone they knew had those accounts compromised. I don't recall this many people posting about being hacked during the first few weeks of WoW being launched, or any other MMO for that matter.

Stolen merchandise is stolen merchandise, virtual or otherwise. I think messing around in digital is even more dangerous. Go into Wal-Mart and steal a handful of CD's. How liable are you if you get caught? Look at the fines record companies were able to impose on end users for downloading a handful of songs online (and not even distributing/profiting). There's a lot of room for theoreticals to come into play, Blizzard can start naming off "damages" that on paper look much worse than they actually are, but still hold up in courtrooms and board meetings. In the end you can be as liable as a company wants to make you out to be, as opposed to with actual currency or physical goods.

In the infancy stages of the game you're probably getting what, 100K in gold per account? If the going rate is $30 per 1 million gold, and I think that's being a little generous as far as averages, you're generating less than $5 per every compromised account with diminishing returns the more gold you sell because you're driving down the value of your own product. You also have a limited number of accounts to make your transfers through given everything has to go through Blizzard's servers, whereas you can nick PayPal accounts for whatever amount and spread the money through as many zombie machines/accounts as you can generate e-mail addresses for.

If I have that many e-mail addresses and passwords I'm definitely going through PayPal/Amazon/Ebay over Diablo 3, and I think it's far less traceable that way as well. I still think all the signs point to this being Blizzard's issue and not the fault of this many end users at the same point in time.
 

Craig234

Lifer
May 1, 2006
38,548
350
126
It's unique to that account, and it's a fairly strong password given the limited number of characters that they allow.

Your post was good, except that I don't think a 10 character password is "ridiculous" - it's plenty secure (assuming they don't allow brute force password attacks).
 

gothamhunter

Diamond Member
Apr 20, 2010
4,464
6
81
Battle.net locks me out and disables my login, requiring me to change my password if it detected me logging in from a different IP address than usual, even with the correct password entered and authenticator attached. How's that?

It's actually quite a hassle when I was just on stand-by on-call at my part-time job and wanted to login to WoW quick on my laptop to check the AH or something like that.

You have an authenticator attached, that's why. No one who has an authenticator attached has been hacked - Blizzard has called them all out and you can easily find those posts.
 

gothamhunter

Diamond Member
Apr 20, 2010
4,464
6
81
Which is another reason why it points to this whole thing being a session hack, not an actual compromise of the accounts.

Needing more levels of security to log on a kill an internet dragon than me accessing people's personal information on a server is pretty silly.

What points to it?
 

gothamhunter

Diamond Member
Apr 20, 2010
4,464
6
81
Your post was good, except that I don't think a 10 character password is "ridiculous" - it's plenty secure (assuming they don't allow brute force password attacks).

Unfortunately, they do. This is their security flaw.
 

darkewaffle

Diamond Member
Oct 7, 2005
8,152
1
81
Well more people use Facebook than play Diablo 3. More people use Ebay and PayPal, but I never saw 20+ people come forward at once and say they or someone they knew had those accounts compromised. I don't recall this many people posting about being hacked during the first few weeks of WoW being launched, or any other MMO for that matter.

Just because you can't see something doesn't mean it's not there.

You hear more about it given the forum you frequent and in a way it's more 'tangible' because it's so easy to log in and immediately notice your character stripped of its equipment and your zero gold. Short of extremely brazen, out of the ordinary spending, compromises on the others are not so quickly recognized. Hell, short of having your Facebook appearance changed, you might very well never know it's been compromised.
 

I4AT

Platinum Member
Oct 28, 2006
2,631
3
81
Just because you can't see something doesn't mean it's not there.

You hear more about it given the forum you frequent and in a way it's more 'tangible' because it's so easy to log in and immediately notice your character stripped of its equipment and your zero gold. Short of extremely brazen, out of the ordinary spending, compromises on the others are not so quickly recognized. Hell, short of having your Facebook appearance changed, you might very well never know it's been compromised.

Of course accounts are compromised on all of the aforementioned websites and games everyday, my point is people on these forums use them as well, and in this specific pool of users, I have never seen so many come forward at one time and say they've been compromised anywhere else. Meaning user error is user error, and there's no reason that so many people here should be affected in one place only and not others, the common denominator here is Diablo 3.
 

railven

Diamond Member
Mar 25, 2010
6,604
561
126
Tell you right now if I get hacked I know exactly why: because I got desperate for an AA-fix that Radeon users can use and downloaded something called Radit 0.4:

http://www.google.com/url?q=http://...EQFjAA&usg=AFQjCNHLFxsq16KwXKxitbmzQh_SZohthw

After stumbling across a German article discussing it and reading the forum about it I figured I'd give it a whirl.

So, yeah, I got 4xSSAA in D3 last night - find out today when I get home if I've been hacked haha.



My only time being hacked in WoW I caught the person since I logged into another account and saw myself online. The hack came AFTER my GF got hacked after she was using some Guild Website mod that collected your toon's info and created a file you could upload to a guild website so it could track your progress. I got hacked most likely because I logged on my account on her PC and thus entered my log-in info to a possible malicious program.

Fast forward a few years and an authenticator, no more issues. And I haven't had issues in D3, then again I'm not a power user with gold under my belt or items worth selling. If a hacker/script kiddie/whatever stumbled across my level 19 barb or 23 monk, they probably would have had a good laugh and left me my gear out of pity haha.
 

DrunkenSano

Diamond Member
Aug 8, 2008
3,892
490
126
Back then, WoW players were also hacked because one of the often used WoW database websites had one of its banner ads compromised. No one had to click anything, just visit the site and if the ad was up, they were compromised.
 

cronos

Diamond Member
Nov 7, 2001
9,380
26
101
You have an authenticator attached, that's why. No one who has an authenticator attached has been hacked - Blizzard has called them all out and you can easily find those posts.

I value my battle.net account so I do whatever is necessary to protect it. It's definitely not 'just a game' for me. I poured thousands of hours of my life over the past eight years for progressing my characters in WoW. I really don't want my account compromised, so I spent the $6.50 or so for an authenticator as soon as they were out a couple of years ago.

This is a very simple concept, no?
 

railven

Diamond Member
Mar 25, 2010
6,604
561
126
Back then, WoW players were also hacked because one of the often used WoW database websites had one of its banner ads compromised. No one had to click anything, just visit the site and if the ad was up, they were compromised.

I remember a guild I belonged to where everyone got hacked (and this sort of stuff was all that I read in guild chat, "Blizzard sucks/Blizzard blah/Blizzard is ruined") and my GF, my best friend and I (relatively new members) weren't hacked - turns out we never bothered to sign up to the guild website or forum.

I might be exaggerating by saying all the members, but a large chunk of it definitely was. Then someone who didn't get hacked said they did and tried to get in on the recovery process - they got banned. Haha.