Cram wrote on May 29, 2012, 16:22:
A blue post, if to be believed, recently stated not one "hacked" account was one with an authenticator.
Actually, and this is a nitpick, they stated that not one "hacked" account they investigated was one with an authenticator. In other words, they have not yet verified that every case where an account has been hacked did not have an authenticator.
The dirty secret about the authenticators, though, is that the codes they generate are valid for a large enough period of time that, if a PC is actively compromised, someone could monitor the access codes being typed and have just enough time to log in using the authenticator code just typed and clean a person's account out.
Yes, yes, if a PC is compromised, all bets are off, but still, the point is that an authenticator only significantly reduces the chance of a compromised account; it does not eliminate it. (Blizz is careful to point this out in their posts as well by subtly saying it's not a 100% guarantee.)
However, I think others here have a real point. Blizzard hasn't done enough to reduce hacking attempts. For example, if you regularly log in from a cable modem connected up somewhere in California, and suddenly you're seen to be logging in from China, Kansas, or some other geographically unlikely location, ask the user to provide some extra information to verify the account before allowing access.
As far as I can tell, Blizzard doesn't do any of those things; they solely rely on users having an authenticator.
So yes, even those that don't have an authenticator should feel justified in saying that Blizzard isn't doing enough. They could do more; and they better do more before they launch the RMAH.
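Added example, not part of the comment above and not Blizzard's code: a sketch of the two server-side checks the comment touches on, accepting each authenticator code only once within its validity window and asking for extra verification when a login comes from a location the account has not used before. All names, the 30-second step and the region labels are assumptions made for illustration; code validation and the IP-to-region lookup are assumed to happen elsewhere.

```python
from dataclasses import dataclass, field

STEP = 30  # seconds per authenticator time step (assumed; the page gives no value)


@dataclass
class Account:
    # Regions seen on past successful logins (constructed labels such as "US-CA").
    known_regions: set = field(default_factory=set)
    # Newest time step for which a valid code has already been presented.
    last_used_step: int = -1


def evaluate_login(acct, region, code_ok, now, verified_extra=False):
    """Return 'allow', 'deny' or 'challenge' for one login attempt.

    code_ok        -- result of the authenticator code check (done elsewhere)
    region         -- coarse location derived from the source IP (done elsewhere)
    verified_extra -- True once the user has answered the extra verification
    """
    if not code_ok:
        return "deny"
    step = int(now) // STEP
    # Single use: a second attempt with a code from the same (or an older)
    # time step is treated as a replay, even though the code is still "valid".
    if step <= acct.last_used_step:
        return "deny"
    acct.last_used_step = step  # consume the code before any further checks
    # Unfamiliar location: require extra verification before granting access.
    # An account with no history yet has nothing to compare against.
    if acct.known_regions and region not in acct.known_regions and not verified_extra:
        return "challenge"
    acct.known_regions.add(region)
    return "allow"
```

Consuming the code before the location check means a challenged login has to come back with a code from a later time step, so a code observed on a compromised PC cannot be reused for the retry.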