Verno wrote on May 28, 2012, 12:17:
Unfortunately Blizzard accounts have been getting hacked left, right and centre and when you sign up for the authenticator it recommends using the SMS security to avoid getting locked out of your account. I signed up and started getting spam. So I do nothing and I risk my account being hacked; I sign up for protection and get subjected to spam. Thanks Blizzard.
I long ago accepted that anything I gave to a company would be sold to marketing firms. Now I simply provide them with misinformation whenever possible and use trackable numbers/addresses so that I can satisfy my curiosity about who is selling what. Google Voice and Gmail are handy for this.
Slippy wrote on May 28, 2012, 11:16:
Seems incredibly coincidental, considering that I only changed my number a couple of months ago and don't give it out.
I received my first SMS spam the other day on my BlackBerry. This was one or two days BEFORE I signed up for the mobile auth though... maybe just a coincidence?
The "hacking" ("compromising" is probably a better word, since no real "hacking" is going on) being seen in D3 is no different than what World of Warcraft players have been seeing for five years or so. The sad thing is, if no one bought game currency (gold, credits, whatever) from these third-party companies, then essentially no account compromises would be occurring. Compromises not done by gold selling companies are very rare indeed. They strip one player to sell to another, because it's much more efficient than "farming" gold. They still farm some of course, but they do it purely with compromised accounts.
SOURCE: http://us.battle.net/d3/en/forum/topic/5149542352?page=1#6
Unfortunately, these compromisers make a lot of money off of the practice (because players buy gold) and so they have a lot of resources to use to try to get your password from you directly, or through your computer. Some of their poorly translated phishing e-mails may be laughable, but their trojans, infected websites, etc. are not funny at all.
If you have the physical or mobile authenticator (both of which major banks use and charge $30+ for) the chances of you being compromised are very, very small. I've personally examined the MSInfo files of nearly all of the handful of WoW players who have actually been compromised through an authenticator, and the sheer number of backdoor programs and other malware on their systems has been mind boggling. Probably not coincidentally, these same people were also running a disturbing number of file-sharing and download programs, including ones which are commonly known to not be safe.
Again, compromising game accounts is a big business in some countries. They have people on their payroll who spread false rumors of "hacked through my authenticator" just to try to discourage people from using them. We charge $6.50 for the physical authenticator, because that's exactly what it costs us to make them. The mobile one is free because we don't have to pay a factory to build them. Use them, and enjoy your gaming without someone mucking with your stuff.
Prez wrote on May 23, 2012, 23:33:
Not that it really matters in the long run, but what's to say it isn't just server/database errors that are causing a lot of the item losses and unexplained leveling being reported?
LaxerFL wrote on May 23, 2012, 20:45:
I had my account hacked last night, about 10 minutes after I used the Auction House for the first time. I run antivirus that updates and scans every day. I run 2 spyware/malware programs that I update and scan with every week. I use Firefox with noscript and adblock. I've never typed my b.net account info on any website or email other than battle.net itself. I do not share the account. There are no children in my house and I am the only one who uses my computer. My password was mixed case, alpha numeric, random characters. No one guessed or brute forced my password. I've never played in a public game. I have no one on my friends list and have never played with anyone in a private game. I have soloed my whole play time.
The first time I use Blizzard's Auction House, 10 minutes later I get disconnected from the game with a message that another computer was logging into my account. I tried to log back in and my password had been changed. I did the password recovery bit through b.net, reset my password and when I logged back in, my guy was naked and penniless.
Blizzard restored my account to about 5 or 6 hours prior to the hack. I lost over 5 levels. I went from one boss into act 3 back to before I killed Zoltun Kulle in act 2. I lost countless gems, and one of the best runs of rares I've had since the game came out. I had more than doubled my life and damage in that time. I'm so dejected I don't even want to log in and play now.
I had the smartphone authenticator attached to the account. I had the SMS Alerts enabled. I never got a text telling me the password was being changed and obviously the authenticator did nothing.
And to top it all off, Blizzard BANNED me from the forums and deleted all my posts when I called them out on the exploit. Yes, I used some choice words but there is a filter, no one could actually see the "dirty" words I used.
I have always supported Blizzard. I LOVE the game Diablo 3. But this has just sucked all the enjoyment out of it for me.
And now I've been on hold with Blizzard phone support for 1 hour 29 minutes. What I really want to know is WHY when I was already logged in and playing would they boot me to allow a second login attempt access? Why didn't the SMS alerts ALERT me when the password was trying to be changed? How did they log in without my Authenticator?
I know I'll never get the levels and gems and rares back. Now, I just want ANSWERS! I'll never use the Auction House again because that is obviously how they gained access to my account.
I'm just so disappointed in Blizzard right now, I'm actually sad about this whole ordeal.
Mr. Tact wrote on May 23, 2012, 10:35:
Ok, what I'm reading/hearing is that packet sniffing the session ID makes it relatively easy to hack the authenticator. Is that what you are attempting to say?
My coworker (btw, I am a Systems Security Engineer for the govt (CISSP), and have been doing security for decades) started up Wireshark, and then D3.. he was telling me how easy it was to hijack his session..the session ID floating around out there.. and then we got into the 2 step process it took to reverse engineer his authenticator.
ColoradoHoudini wrote on May 22, 2012, 20:53:
Interesting. I'm a bit of a network guy myself and I'd be (and I'm sure others would too) interested in hearing a little more about what he saw that made him stop playing. Are you saying that Blizzard is making some basic mistake that invalidates the security normally achieved by the tokens?
While everything is hackable, what's going on with D3 right now is rather troublesome. --for the record, he stopped playing last night after witnessing what he saw.