Comments

  1. Given the reports from around the web and my own personal friend’s experiences, it’s pretty clear that there is a major security hole in battle.net 2.0. Looks like that real money house is a long way away.

    They don’t dare bring it live with these kinds of risks – they would get sued class-action style once people are losing their dollars and not their golds.

    • “Reports from around the web and friend’s experiences” don’t make anything clear at all.  There are reports from around the web that FEMA is going to put us all in death camps and I once worked with a couple of individuals who swore they were psychic and would regularly visit cemeteries to communicate with ghosts. 
       
      As much attention as this has gotten and as big a target as Blizzard is if the Battle.net servers were genuinely compromised we’d all know it and we’d have better evidence to support our claims than “my personal friend’s experience.”  If you have evidence or facts that would indicate what you say is true I’d love to see it, otherwise your claims are just baseless misinformed assumptions.

      • So… how many people need to say to you “I personally was hacked. My computer tested clean of viruses (and always has), and my password was strong and only used for diablo.” ? Do these people have to come to you with a proof of how to do the hack for you to believe them?

        My friend that got hacked is a technical VP at a company where network security is a big deal. There is definitely a problem on blizzard’s end.  

        (I’m sure there are also problems on the user end for a lot of people.)

        As for volume of hacking, you have to appreciate how many players there are, and the fact that in order to cash in, the hacker must log in and transfer the items manually.  That’s time consuming. Since we don’t know the details of how the hack works, it’s hard to say how long it takes to hack on a per player basis.

        • A better question is: How many people have posted this to the Blizzard forums and then had a blue poster look into it and say that their account was not, in fact, authenticated and that they were making it up? 

        • So your friend is a technical VP at a company, and yet didn’t think to attach an authenticator, which is FREE if he has a smartphone?  (which he obviously would as a tech VP)

          Can you please tell me the name of this company so I can avoid EVER investing in it?

          • You’re absolutely right. The first thing I think when I buy a video game is, where can I get an authenticator for this game to make sure my account stays secure.

            Try again.

      • Sevenfold, it’s posts like yours that I wish I could forfeit my next 10 recommends by recommending your post 10x. 

    • According to the vote on this site 5% of the people have been hacked. If there really is a battle.net problem the number should be a lot higher no matter how you see it.

      • Yup, especially considering you’re much more likely to actually respond to the poll if you had been hacked than if you had not – sample bias and all…

      • Bingo. This is just like the swine flu panic — everyone is freaking out, but the reality just doesn’t support the “threat”.
         
        Fun fact:
        More folks died from the vaccine than the swine flu.

        • “More folks died from the vaccine than the swine flu.”

          Haha, I actually worked on the swine flu vaccine at the time, so I don’t know where you’re getting this from. Source?

          It’s definitely true though that it actually ended up being less dangerous when you got it than the seasonal flu – but as it infected many more people, more actually died.

  2. The last 3 paragraphs you wrote cleared up much of my confusion as to how this is happening. Thank you for that!
     
    The pindlebot reference made my day.

  3. It’s true that the “hacking fault” is on the user’s end…. however, for 99.999% of the users that have been abused, you could NEVER see it coming! It’s just simple loopholes in a few known programs that allow access to your hardware on a minimal amount and key logging follows in that cat. meow Overall, no one’s to blame, and for Blizzard it’s like plugging holes in a dying dam. life’s life, kiki duedew happens outside the litterbox!
    P.S. the authenticator (mobile/physical) is truly the safest bet! It’s not theoretically 100% fool Prrrr, but darn near close! Fun game, bad story/future planning, but fun!

    • If you know that attaching an authenticator to your account virtually guarantees your account security and you choose not to use one anyway then you can’t really claim you didn’t see it coming.

      • True, then again, how many Blizzard games have people played and not experienced a problem with account security? It’s happened with WoW, but a lot (not sure of statistics, so I’m gonna say a lot) of D3 players have a limited exposure to WoW.
        EDIT: Better wording, meow. Car insurance, never been in an accident, safe and courteous driver? Why need insurance outside of legal reasoning? Precautions? Of course!
        Why isn’t there a cat icon?

  4. I’ve never told another soul the password to my account and attached a mobile phone authenticator… incidentally, never had so much as a security scare in 5 years of playing wow and now D3.

  5. I just read the part where he said his WoW account was hacked 5 times…… how can people like this even be eligible to write stuff like this?:)
    Moving on…

  6. I guess the part that kinda has me a bit worked up is this.  If I wasn’t forced to play on BNet, I wouldn’t need an authenticator.  Now I may be wrong (happens a lot), but wasn’t one of the reasons for Blizzard’s online only policy security?  If so, is it wrong for a customer to be expected to pay out extra money to Blizzard for an authenticator just to play a game in single player mode (along with all the other issues that arise because of this online only mode)?
     

    • Oh my… do we REALLY need to state this again: IT WON’T COST YOU A NICKEL! The mobile authenticator is FREE of charge! You don’t have to use the keyring authenticator. 
       

      • Sorry I didn’t know about the mobile system, not that it affects me, I have a USB authenticator. For the record, I’m not anti-Blizzard, nor anti-D3.  Light is right about knowing that the game was online only.   I’ve had to accept that, but personally I don’t like it.  I just wish there was a way of communicating with publishers outside of not buying the game or flaming forums, that such a requirement is disliked.

    • You are right about everything you said, but you missed 2 things:
      1. You can get an authenticator for free, provided you have an iPod, iPhone or an Android phone connected to the internet.
      2. Everyone knew, or should have learned by reading the box, that the game was online only. If you disagree with that you should not buy the game. It’s the best way to let Blizzard know that you do not support their decision.

    • Adding to Kenneth’s answer: THE MOBILE AUTHENTICATOR CAN BE USED ON AN EMULATOR, so you don’t even need an iPhone or Android phone, and several tutorials on how to do this are around the web.

      • And then if your PC is compromised the emulated authenticator is compromised too. Poor solution.

        • It still seems more secure… as is speculated in the article, these “hackers” are automated.  The hackers are probably not going to take the time to run the emulated authenticator on your PC… they will just move on to the next account. IMO 

    • Well you can get away without one if your password is strong enough and you don’t get infected or something.

  7. You are so cool! I don’t believe I’ve truly read through anything like that before. So good to find somebody with a few unique thoughts on this topic. Really.. thanks for starting this up. This web site is one thing that’s needed on the web, someone with a bit of originality!

  8. Given Sony and Steam’s recent exposures (not to mention many others) .. I wonder how many people’s credentials were compromised.
    … Just a thought.

    • Didn’t they get their actual databases hacked by some comedy SQL injection vulnerability? 

      I assume you’re suggesting that people might have been using the same email/password combo for Sony and Steam as they do for D3 – otherwise I don’t see how your comment is relevant to this discussion. 

  9. 99% of those people hacked are at fault, not Blizzard. But the problem is, many people have a hard time acknowledging their own failure, so instead they make up stories of how they had a bullet-proof password, an authenticator on the account and never shared it with anyone. The problem these days is, people use a universal password and username for almost everything. So then there is no wonder someone gets hacked, when he registers to a porn site with the same username and password as in battle.net etc.. And trust me, many people do this, that’s how stupid they are. We live in a networked era, yet 80% of internet users fail at basic identity security management and when they get hacked, they blame others and keep their low security standards anyway. This is the case with my friend, I have been telling him for weeks “Get the mobile authenticator, get it, you will be safer, it takes a minute”. But to this day, he did not get it. He had his WoW account hacked once and yet, he did not learn.

  10. If Blizzard was serious about fixing hacking they would have implemented:

    a) Coin Locking (where you need to verify your identity if logging on from a different IP if you want to trade, buy, sell or destroy anything)

    b) Decent Gold Seller spam filtering. If players cannot see Gold Seller spam then there is no market and incentive to hack accounts is greatly reduced.

    • a) Can you explain how exactly coin locking increases the security of a machine that is compromised with a key-logger? 

      b) There isn’t that much spam at the moment – and once they tweak the settings to remember leaving General, you just won’t see it. This isn’t a fix though – that will come with the RMAH once it is open – which should, in theory, put third party gold sellers out of business.

       

      • a) In the situation where a hacker has total control of your computer then there is not a lot you can do about it. In these situations even accounts with Authenticators can be hacked. If the hacker has access to your email you are screwed but since most hackers don’t have access at this level a Coin Lock is an excellent step and easy to implement for any company except Blizzard it would seem.
         
        b) So you’re telling me there is no Gold Seller spam in WoW?
         

        • a) You make a fair point here, but there is a significant jump in sophistication from a keylogger which can read and send passwords, to one which captures the authenticator token, forwards it fast enough so it doesn’t expire and then logs into your account. My objection to coin locks is that it is essentially inferior to their existing security solution (authenticators) – although fair enough, it might be a pain to set that up if you don’t have a smartphone/know how to run an emulator.

          b) So you’re telling me there is a RMAH in WoW?

          • What does the RMAH have to do with this? The people stealing accounts are selling gold via third-party sites in both WoW and Diablo 3. They’re not using the RMAH.

          • I’m simply saying that the introduction of the RMAH in D3 will make 3rd party gold/item selling sites significantly less worth running 🙂

      • A) Seeing as people are ONLY having issues with Bnet and not everything on their machine, a coin locking system would still be entirely relevant.

        B) You obviously haven’t spent any time in trade chat.
         

        • Sorry – bored of ‘a’ and ‘b’ :/

          f) I think you mean people only noticed they are having issues with battle.net – which is pretty worrying

          z) Trade chat in WoW? Not been on WoW for a couple of months now, but I don’t remember people pasting $ prices in or exchanging bank details! 😛
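The “coin lock” proposed above (re-verify identity before trading, buying, selling or destroying anything when the login comes from a different IP) and the later point that a keylogger would have to capture and forward an authenticator code before it expires can both be made concrete in a few lines. The following is an added example written for this thread; it is not code from this site, from any poster, or from Blizzard. The account record, the action names, the IP addresses and the policy that a code is accepted at most once per window are assumptions made for the example; the code generator follows RFC 6238 (HMAC-SHA1, 30-second windows) so it can be checked against that RFC’s published test vectors.

```python
"""Added example: a 'coin lock' step-up check plus single-use authenticator codes.

Everything here is constructed for illustration: the Account record, the
IP addresses, the action names and the 'one code, one use' policy are
assumptions for the example, not Blizzard's actual design.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

TOTP_STEP = 30                                    # seconds per code window (RFC 6238)
SENSITIVE = {"trade", "buy", "sell", "destroy"}   # actions the coin lock guards (per the thread)


def totp(secret: bytes, ts: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the 30-second window that contains Unix time ts."""
    counter = struct.pack(">Q", ts // TOTP_STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation, RFC 4226 section 5.4
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Account:
    """Minimal account record: authenticator secret, IPs the owner has used before,
    and the codes already accepted, so a captured code cannot be replayed."""

    def __init__(self, secret: bytes, known_ips):
        self.secret = secret
        self.known_ips = set(known_ips)
        self.used_codes = set()                   # (window, code) pairs already consumed


def authorize(account: Account, action: str, ip: str,
              code: Optional[str] = None, now: Optional[int] = None) -> str:
    """Decide whether an action may proceed.

    Non-sensitive actions, and sensitive actions from a known IP, pass straight
    through. A sensitive action from a new IP needs a valid, never-before-used
    authenticator code for the current 30-second window.
    """
    now = int(time.time()) if now is None else now
    if action not in SENSITIVE or ip in account.known_ips:
        return "allowed"
    if code is None:
        return "step-up required"                 # client must prompt for the authenticator
    window = now // TOTP_STEP
    if (window, code) in account.used_codes:
        return "denied: replayed code"            # same code presented twice in one window
    if not hmac.compare_digest(code, totp(account.secret, now)):
        return "denied: bad code"                 # wrong code, or the window has expired
    account.used_codes.add((window, code))
    # Deliberately NOT trusting the new IP here: promoting it to known_ips would
    # be a separate, separately verified step in a real system.
    return "allowed"


if __name__ == "__main__":
    # Constructed walk-through using RFC 6238's SHA-1 test secret and two
    # documentation-range IP addresses.
    acct = Account(b"12345678901234567890", known_ips={"198.51.100.7"})
    print(authorize(acct, "sell", "198.51.100.7"))                  # familiar IP: allowed
    print(authorize(acct, "sell", "203.0.113.9"))                   # new IP: step-up required
    code = totp(acct.secret, 40)
    print(authorize(acct, "sell", "203.0.113.9", code, now=40))     # fresh code: allowed
    print(authorize(acct, "sell", "203.0.113.9", code, now=59))     # same code again: replayed
    print(authorize(acct, "sell", "203.0.113.9", code, now=61))     # next window: denied
```

The walk-through shows the trade-off the thread circles around: the coin lock adds nothing against malware that already controls the session from the owner’s usual IP, but it does force a step-up from anywhere else, and treating codes as single-use shrinks what a forwarded code is worth to one action inside one 30-second window.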

  11. In general, Blizzard has a terrible record in fixing exploits and hacks, especially with the Diablo series. This only adds fuel to the flames.
     
    Although I agree that scripts are the logical explanation for only 1 character in an account being stripped, it is scary that there are so many hacked accounts that it needs a script to do the actual stripping.

    • “In general, Blizzard has a terrible record in fixing exploits and hacks, especially with the Diablo series. This only adds fuel to the flames.”

      Not true with WoW and as for D2, that’s one of their main arguments for making it online-only – so that they don’t have to reveal the server setup to users, which makes it much easier to compromise security. 

      “Although I agree that scripts are the logical explanation for only 1 character in an account being stripped, it is scary that there are so many hacked accounts that it needs a script to do the actual stripping.”

      I write a lot of scripts to do repetitive things at work, and the threshold for me is > 2 times and I’ll write a script. Obviously it depends on the balance of how long it takes to do the thing, and how long to write the script, but I don’t think you can say that evidence of scripting = evidence that it’s a really large number of people being hacked.

      • Are you a paid Blizzard employee? For sure you are drinking the Blizzard Kool-Aid or are extremely naive in thinking that Blizzard made D3 online only mainly for user security….
         
        About scripts. People hack accounts to make money – you really think that a hacker would tolerate leaving money on the table by stripping a level 11 character while leaving the level 60 character, just because a script is doing it – unless there are lots of accounts to hack and the sheer volume makes up for the time spent.
         
        If, for argument’s sake, there are only a few accounts that can be stripped then why not pause the script to allow the hacker to select the best character and continue after? Unless there are really a lot of accounts that are hacked and even this brief pause is too much of a waste of time.

        • “Are you a paid Blizzard employee? For sure you are drinking the Blizzard Kool-Aid or are extremely naive in thinking that Blizzard made D3 online only mainly for user security….”

          I love how many times people accuse me of this, just because I point things out which they don’t want to hear. It’s amazing, please continue as it makes me smile every time 🙂

          Regarding the scripting and volume of accounts, I think you underestimate how lazy people are. We can’t really get anywhere without solid numbers, including how many people actually have more than 1 character – and how many have their 60s at the top of the list – so I guess we have to agree to disagree. 

           

          • Perhaps you should stop trolling and making inflammatory remarks, and you won’t be called a Blizzard fanboi so much? Mind you if that rocks your boat then I suppose you won’t stop.
             
            I think Diablo 2 was the best game ever made and I like Diablo 3 so far with high hopes for the future. That doesn’t mean I can’t see reality, and Blizzard making single player online-only is NOT for user security, it is for Blizzard to try to prevent piracy. If I wasn’t forced to be online to play I wouldn’t need their flaming security now would I? 

          • I’m not trolling – just debating. It’s up to you if you find that inflammatory.

            I didn’t think we were talking about the reasons for online only here, but I actually agree with you, it isn’t just for security. Blizzard have said that the online only is so they can provide a good ‘player experience’ which is pretty ironic as the servers are still quite unstable at times. Hopefully that will improve with time.

            What they mean by ‘player experience’ is up for discussion. I guess it includes things like matchmaking to public games, achievement tracking, and of course the auction house – real money or not – to allow for item trading. It’s the auction house where the online only thing really seems to be needed though. Unless they can prevent items being duped, they can’t ensure a stable economy even for the gold auction house. When they turn on the RMAH, this becomes even more important. Basically, you couldn’t have either auction house without the restriction.

            You mention piracy – and sure, it has certainly helped prevent it being cracked on day 1, and it’s looking like it’ll be a long time before a fully functional server emulator like mooege gets off the ground providing anything like the retail experience. What I think isn’t so clear though is which reason convinced Blizzard to go with online-only. Maybe you think piracy and $$$, but it’s probably the sum of all the above isn’t it?

          • @AlienBoyz:

            Sure, if you weren’t forced to be online to play you wouldn’t need any security. However, there are millions of people out there who do want to play online and have a communal experience with the game. It is the online community that has given Blizzard games their longevity and has made Blizzard a huge name in the industry, so it’s in Blizzard’s best interests to cater to that demographic. By using a server-side data model they’ve been able to do a lot of things to enhance the online experience. I think that piracy concerns were part of the reason the game is online-only, but to claim that piracy was the only reason and that the online-only structure does nothing to prevent things like maphacks and botting is just sticking your head in the sand. 

          • @Xeodus
            @MRR
             
            I agree that online-only for piracy prevention isn’t the sole reason, or perhaps not even the main reason, but it is behind the RMAH where Blizzard can make money not from selling good games but from a cut of micro transactions. I also see that online only has advantages for preventing mass duping and other exploits.
             
            However I start objecting when online only impacts my game play significantly in many areas.
             
            Some other points:
            – Unlike D2 where there were significant bonuses/incentives to play with other people, there is very little incentive to play with others atm (ofc I hope that changes)
            – I now have far more worries about account hacking since hackers are incentivized by RMAH and had to spend extra on an account authenticator.
            – lag/ downtime/ disconnects etc
            – no single player mode
            – how do we know Blizzard will still be around in 10 years time when I still might want to play this game?
             
            So far I am not seeing a lot of upside to online-only and lots of issues. I know that Blizzard could have made a SP mode – the fact that they did not grates me a lot.

          • @AlienBoyz
            So we’ve gone from “online-only is NOT for user security, it is for Blizzard to try [to] prevent piracy” to “piracy prevention isn’t the sole reason, or perhaps not even the main reason”? I’m glad you’re able to adapt your point of view, but perhaps you should refrain from making such absolutist statements in the first place.

            “there is very little incentive to play with others atm”

            There is if you play with a group of friends, use group-buff skills, and share drops. Besides, this is irrelevant if what you want is offline single-player.

            “hackers are incentivized by RMAH”

            That’s debatable. Previously hackers had more of a monopoly on selling gold, and they’d get 100% of the profits. Now they’ll have a lot of market competition (from legit players) driving the prices down, and Blizzard will be taking a cut.

            “no single player mode”

            Yes there is. Just don’t join a public game or open your own game to the public, and then de-select the “allow quick-join” option in the social options menu. Voila, single player mode.

            If you’re not seeing the upside to the online-only requirement, perhaps you a) don’t want to play online at all, b) don’t care about a fair game, or c) didn’t play much D2 online. If not, you’d know that D2’s battle.net experience was a mess, with gold sellers spamming you constantly and botted items ruining the integrity of the item-hunt. If those things don’t matter to you, that’s fine, and perhaps you should check out Torchlight 2.

          • @MRR
             
            I thought you would pick up on me saying pirating might not be the main reason for online-only. Let me make it more clear. I feel that piracy prevention IS the main reason for Blizzard going online-only, however that is my opinion and I recognize other possibilities as well. I don’t feel it is for enhancing the player experience as Blizzard claims, as I see no reason why they could not have implemented other methods and algorithms to achieve the same effect.
             
            We have been talking at cross purposes here.
             
            Note that I am talking about SINGLE PLAYER ONLY here. If you want to play on Battle.net then you kind of have to be online all the time – that is obvious. From this point of view, why on earth would Blizz need to have the game online only? I believe this is mainly explained by piracy prevention. So no, I don’t see an upside to Single Player mode being online-only.
             
            As far as wanting to play on Battle.net with other players, sure, at some point. Keep in mind I play hardcore only and this colours my viewpoint as well. D2 had many more escape options for hardcore players if someone in your party did something stupid. I made some great friends in D2 and played with them all the time. Unfortunately none of them have come back for D3 and right now I have very little desire to risk my HC character with unknown people. I don’t have a lot of time to play this game and for me HC play is a personal challenge.
             
            I hate being forced to play online-only in single player mode.

  12. haha love the people licking blizzard’s butt

  13. I.T. security is a reasonably complex field. It’s easy to embarrass yourself if you have a partial understanding of a security topic and then over-extend yourself in a public forum.

    There seem to be a lot of people out there over-extending themselves. I would encourage them to ask themselves a few basic questions before getting too carried away. A good place to start would be: “How much networked software have I written?”

  14. Well one thing I recommend you do if you don’t want to get an authenticator is to check your password strength using one of the strength checkers on the net (BTW I recommend not using your real one).
    An 8 unit password made of random lower case letters and numbers can be broken in ~3 standard PC hours, 9 in 4 days, 10 in 169 days, 11 in 16 years, 12 in 600 years and 13 takes 12 thousand years of brute force computing power. Longer passwords are better than short ones.
    For an 8 unit password it will take a computer ~13 mins with just letters, 3 hours with letters and numbers, and it maxes out at ~57 days with upper & lower case letters, numbers and symbols mixed in. So the more you use the better.
    So if you’ve got the weakest Bnet password it only takes someone seconds to break it with a password breaking program once they’ve got your email address. With the strongest possible Bnet password that is a mixture of 16 letters, numbers and symbols it will take roughly a massive quintillion (that is a billion billion) years of computing time to break your password.
     
    So here’s my advice if you don’t want an authenticator: use a 16 digit password that is a mixture of letters, numbers and symbols. h3r$s4nex4mpl31! <- there’s one as an example for you.

    • h3r$s4nex4mpl31 huh! *goes and hacks The Rockman’s account* 😉

      On a more serious note though, I don’t think there is evidence that people are brute forcing passwords. I’ve forgotten/mistyped mine a few times before and been locked out until I responded to an email, so I think they have systems in place to prevent this. I’m absolutely not saying people should use weak passwords though, but in this case, it might be more important to keep java/acrobat reader/browser/operating system etc up to date, and have a decent anti-virus/malware scanner installed. 

    • I hate to break it to you, but if you use one of those password strength checkers on the internet, YOU JUST COMPROMISED YOUR SECURITY!

      WTF, you type in your secure password onto a website that who knows who is running, and you don’t bat an eyelash.  Don’t claim to be secure if you have EVER used a site like that! 
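The three posts above make three separate points that are easy to check with a few lines of arithmetic: how the search space grows with length and alphabet, why an online service that locks the account after a few failed attempts makes those offline numbers largely irrelevant, and why the estimate should be run locally rather than by pasting a real password into a third-party website. The following is an added example written for this thread, not code from the site or from any of the posters. The guess rates are assumptions: the offline rate is back-calculated from the comment’s own figure of roughly three hours for 8 random lowercase letters and digits, and the lockout policy (five attempts, then locked for ten minutes) is invented to match the “locked out until I responded to an email” experience described above, not anything known about battle.net.

```python
"""Added example: estimate password search space and brute-force time locally.

Constructed for this thread. The guess rates are assumptions (the offline
one is implied by the comment's '8 lowercase+digit characters in ~3 hours'),
the lockout policy is hypothetical, and the sample passwords are made up.
Running this on your own machine means a real password never leaves it.
"""
import math
import string

# Character classes in the sense the comment uses them; sizes are the ASCII sets.
CLASSES = {
    "lower": string.ascii_lowercase,    # 26
    "upper": string.ascii_uppercase,    # 26
    "digit": string.digits,             # 10
    "symbol": string.punctuation,       # 32
}
ALL_CHARS = "".join(CLASSES.values())

# Assumed attacker speeds (constructed for the example):
OFFLINE_RATE = 36 ** 8 / (3 * 3600)     # ~2.6e8 guesses/s, implied by the comment's figures
ONLINE_ATTEMPTS_BEFORE_LOCK = 5         # hypothetical: five wrong guesses, then locked...
ONLINE_LOCK_SECONDS = 10 * 60           # ...for ten minutes until the owner re-verifies


def charset_size(password: str) -> int:
    """Alphabet an attacker must cover: the union of every class the password touches."""
    if not password or any(c not in ALL_CHARS for c in password):
        raise ValueError("password contains characters outside the modelled classes")
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def keyspace(password: str) -> int:
    """Number of candidates of the same length drawn from the same alphabet."""
    return charset_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """Bits of entropy if every character were chosen uniformly (an upper bound)."""
    return len(password) * math.log2(charset_size(password))


def seconds_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst case for the attacker: trying the entire keyspace at the given rate."""
    return keyspace(password) / guesses_per_second


def guesses_with_lockout(horizon_seconds: float,
                         attempts_before_lock: int = ONLINE_ATTEMPTS_BEFORE_LOCK,
                         lock_seconds: float = ONLINE_LOCK_SECONDS) -> int:
    """How many online guesses a lockout policy permits within a time horizon."""
    return int(attempts_before_lock * (horizon_seconds // lock_seconds))


def human_time(seconds: float) -> str:
    """Render a duration in the largest unit that gives a value of at least 1."""
    for name, length in (("years", 365 * 24 * 3600), ("days", 24 * 3600),
                         ("hours", 3600), ("minutes", 60)):
        if seconds >= length:
            return f"{seconds / length:,.1f} {name}"
    return f"{seconds:.3g} seconds"


def report(password: str) -> dict:
    """Summarise one password under the offline model and the online lockout model."""
    return {
        "length": len(password),
        "alphabet": charset_size(password),
        "entropy_bits": round(entropy_bits(password), 1),
        "offline_exhaust": human_time(seconds_to_exhaust(password, OFFLINE_RATE)),
        "online_guesses_per_year": guesses_with_lockout(365 * 24 * 3600),
    }


if __name__ == "__main__":
    # Constructed sample passwords; the last one is the comment's own example.
    for pw in ("diablo3", "qwerty12", "h3r$s4nex4mpl31!"):
        print(pw, report(pw))
```

The two models answer different questions. The offline figure only matters if the attacker has obtained the password hash some other way; against the login form itself, a five-tries-then-lock policy caps the attacker at a few hundred thousand guesses a year, which is why the reply above is right that malware on the player’s machine, not brute force, is the likelier explanation.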

  15. Of course Bnet has issues but Blizzard will continue to deny until they fix it. All these people have problems, why would they lie ? 

  16. So I take it that it would be a good idea to make a character with nothing on it and use it before you log off? Might help, who knows?

    • It might protect your items, but not your gold, since that’s shared across your whole account.

      Maybe log in and out on a hardcore character if you don’t play HC, or vice-versa if you DO play HC but not normal. 

  17. This website requires an email to post, so right there you are compromised if this site is hacked.

    That being said, I should hope that the majority of people posting have an authenticator attached to their account.  The reason you are being hacked at all is that people are making REAL LIFE MONEY off of your stupidity.

    This game is real life money draining from your hands, that you worked hard possibly every day for, that you are letting some hacker get if you don’t get an authenticator! 

  18. Regarding people finding no malware on their pc’s after their accounts are compromised…I remember reading somewhere (no source) that a lot of Trojans self-delete – they detect the game being launched, collect and send the password information, then self-delete.  Not sure if this is true, but it makes sense.  Anyone know if self deleting trojans exist?

  19. The biggest issue, that I haven’t heard answered and is most worrying, is the stories by journalists claiming that they and people they knew had been hacked and had characters stripped BUT it was a low level character last played, leaving a level 60 on the same account untouched.
     
    THAT is what needs answering as it was claimed to be happening to multiple accounts.  If it’s just keyloggers, why not clean out the other accounts as well?  That’s what doesn’t add up.
     
    Why aren’t people bringing that up? That’s what the conspiracy theorists should be after.

  20. In Guild Wars there was a simple solution that added an additional level of security to your account: in addition to your password you had to write a name of your character once during your login. Blizzard could implement this too especially since now battletags are visible on many places but character names appear only in game.
     

    • Nope – if you have a keylogger on your machine, they just log the character name also, no extra security at all I’m afraid 🙁

  21. No, no, no, this is the bear story you should have linked heh http://youtu.be/Y5C2gihnEkE

  22. “Yet, on Blizzard’s Battlenet, I have been hacked five times now. For WoW, I’ve been hacked even when my account was frozen (someone please explain that to me). How is it that there is so much hacking going on in Battlenet? I just want to know the answer to that one question. If I were to hazard a guess, I would say that they have a pretty shoddy security system. Let’s keep in mind that I got hacked even while I had an authenticator on my account.”

    My sister’s account in WoW was hacked while it was frozen, Blizzard rolled it back but blamed her for that…. what the hell… the account was frozen and there was no sign of someone unlocking it in the subscription history.

    Obviously Blizzard are on too high a horse to admit that there are problems on their end too.
     

  23. I just found out I got hacked. I had like 300K gold and really crappy items because I was self-found. (But that makes the loss of found items even worse for me). I am not sure how I got hacked, but I wasn’t sharing any information about my account anywhere, haven’t opened any suspicious mail etc. Haven’t used an authenticator because I don’t want to buy it and don’t have a smartphone. Now I found it can be emulated, any directions how? Anyways very sad panda here… The truth is I was an enemy of the always online thing anyways, because I play almost exclusively single player. This sucks 🙁

    • You called Blizzard to get your character rolled back? I’ve heard from a few places that calling is the fastest way. You might end up stuck on hold for a while, but then they bump you to the top of the queue and it should be done within an hour or so. Hope you get your stuff back 🙁

      • Got my characters rerolled in 3 hours. Haven’t lost anything significant I think, just a ~5 hours of gameplay.

  24. Its always great to see conspiracy news! http://internettruth.org/

  25. I like the helpful information you provide in your articles.
    I will bookmark your weblog and check again here regularly.
    I’m quite certain I will learn plenty of new stuff right here! Best of luck for the next!
