The account hacking has been a hot topic since the game launched and there are many players quite rightly upset at the loss of items or gold, whether it is their fault or not. Over the past 48 hours, Forbes.com have been covering the topic and the comments in the articles have become rather heated.
In the first article the author explains his experiences being hacked without an authenticator in place and questions whether it is entirely the fault of the users after noticing that only some characters on an account are being stripped. To follow-up, he looks at the source of the problem and whether Blizzard are doing enough.
Blizzard has urged everyone to be super careful and advised that players should use an authenticator which costs a little extra, but as the author points out, is that really enough? There has been a discussion on the authentication methods used such as case insensitive passwords and some kind of alert to users when a character suddenly loses everything in one swoop, both of which seem quite logical measures for Blizzard to add.
I will cite a recent example from the MMO world which is very similar.
RIFT Account Coin Locked
When TRION were experiencing hacked accounts with RIFT they implemented a safeguard called ‘coin-lock’. If your account was logged into with a suspicious IP (one far removed from your own) the account would become ‘coin-locked’.
The only way to unlock the account was to click the button on-screen which would send a string of randomly-generated numbers to your account’s email address. You could then go back in-game with the number, paste it into the unlock box in-game and your account would unlock. This process would take literally a couple of minutes, if that.
During ‘coin-lock’ you could still play the game, (questing, killing) but could do nothing with your inventory (no removing items, no selling, no dropping of items, no removing gold). This proved very successful and stopped the problem overnight. TRION had this up and running in around 48 hours after the initial reports.
Obviously if a hacker had access to your email and you used the same password for mail as your Battle.Net account (which would be really silly) they could retrieve the coin-lock password. However, this would, if anything alert you to the fact that your PC had definitely been compromised (if they’re accessing your personal email account too).
Subsequent investigation revealed a hole in TRION’s authentication system which they plugged thanks to a community member who found the problem and alerted the development team privately (never making the method publicly known). The point is however, TRION acted fast to find a solution for the users and worked to get it in place to protect them very quickly, and to be honest, it did wonders for their PR and community team.
Whether the user is to blame or not, the Forbes article suggests it does not appear that Blizzard are doing enough and aren’t being pro-active at all. As TRION demonstrated, they took action, accepting that users could be lax with security, but still wanted to make sure players were being protected from their end.
The hacked accounts discussion is not going away any time soon unless more is done. Users are likely at fault in most cases, but should Blizzard add something like “coin-lock” to at least put a stop to it and show the community they are looking at every angle to help protect customers from losing time and money?
Thanks Softshack for the Forbes links.
Should Blizzard Implement a "coin-lock" type system
- Yes as soon as possible (69%, 1,640 Votes)
- Yes. But not for people with Authenticators on their account (19%, 444 Votes)
- No, it's a user's responsibilty (13%, 302 Votes)
Total Voters: 2,386
Loading ...
This is a good article. Just because blizzard’s servers are technically secure (According to them) does not mean that they can’t offer an additional layer of protection for their customers. If TRION did it in 48 hours, I’m already a little disappointed big blue hasn’t come up with something similar.
And one rich in irony… a hack psuedo-journalist got hacked. While playing a game made by a bunch of hacks. 😆
That’s just a pun, it isn’t irony.
He messed up should of left at “a hack got hacked.” (hack is slang for a journalist)
I dont see how anyone could trust Blizzard with their paypal account with all of this negative activity going on. Something needs to happen, that’s for sure.
The “negative activity” is almost completely fabricated. Yes, there is hacking going on, but is in no means massive or wide-spread. A small, very small percentage of people are getting hacked due to their own stupidity (untill it is proven that there is a hole in Blizzard’s security, I’ll go with the much likelier scenario), and now haters, trolls and idiots across the entire battle.net have joined up in an effort to make everyone believe that something like 99% of people are being hacked and that it is either Blizzard’s fault and they are doing nothing, or that Blizzard is in fact doing the hacking and are disguising it. Have I mentioned how much I despise battle.net forums?
This. This. A thousand times THIS
I wouldn’t want Blizzard to block the system unless they know there is a problem on their own end. I bought an autentificator for this reason. See I’m (was) a wow player. Players getting hacked I have seen this for 6 years straight and among my close friends. Players then say they don’t understand why and there are no reasons for the hack. But wow players kinda got used to it being a risk and those concerned already had an authentificator.
Time will tell whether or not it was a mistake by Blizzard, I’m pretty sure they are investigating since hacked accounts cost them a lot in CS and reputation. They are also obligated to declare a breach if they find one in their system, not doing so would have unimaginable consequences.
Meanwhile change your password to something unique and get an autentificator, mobile one is free and other one is cheap.
And you will be able to use it for all your Blizzard game.
You hit the nail on the head.
A lot of people don’t believe what you’ve stated is true – that they have an obligation to their customers. many write it off has false information. If anybody is interested or attempting to refute that fact, please follow this link to brush up on common business law in the United States regarding confidential information and how businesses must comply:
From the Bureau of Consumer Protection:
Safeguard Act: http://business.ftc.gov/documents/bus54-financial-institutions-and-customer-information-complying-safeguards-rule
Identity Theft: http://business.ftc.gov/documents/bus66-businesses-must-provide-victims-and-law-enforcement-transaction-records-relating-identity
I thought the mobile one didn’t work with D3
and I already paid $60 for an online only game
now I have to pay more to make the online game secure ?
😆 😆 😆 😆
Trion didn’t charge anything for their fix
The dial-in authentication does not. The mobile app does. I’m not entirely sure how this wasn’t clear, but it seems that many are predisposed to point at a cash-grab for authenticators as the reason for this confusion rather than use misinterpretation of their explanation (a difference that has been clear in their FAQ’s for almost a year)
Oh wells.
Mobile one works just fine. I use and have had no issues.
Dude you’re just trolling like always.
Get your fact straight, mobile one is free and works, other one is 6$ (in the US) and works for ALL your Blizz games.
REALITY CHECK: Blizzard is already doing everything possible. The conspiracy theories are stupid; Blizzard was founded by passionate gamers and no one is more irritated by hacks than they are. Look at Warden and their litigation efforts against groups which try to circumvent Battle.net.
Think about it. 12 years of development, countless hours away from family, hundreds of artists, programmers, designers… do you really think they’re going to hold back, as malicious individuals try to ruin the game/launch?
They have made it so abundantly clear that an Authenticator is the best way to stay safe. Seriously, if you don’t have an Authenticator have you been on Mars? They’ve been including them with the BlizzCon swag for years. What do gamers want, an animated slap in the face if they log in and no security has been added?
You miss the point of Elly’s article. Regardless of who is responsible, a system to protect everyone can be added quickly if more time is required to investigate. At least users would have that added protection right away.
I am sure Blizzard’s systems are secure like they say, but it would be good PR if anything to implement a system like this now to protect everyone, and it would alert users who have got compromised PCs to deal with their security issues.
Authenticators are the obvious choice and good on everyone who has purchased one. But until everyone has one, people could do with another layer of protection. If you have an authenticator you should not be coin-locked anyway.
I understand what she’s saying about TRION, but that would be a band-aid, not a cure. There is already a system available to protect everyone. What stops someone from logging into your Battle.net account via the web, and wreaking havoc there? Nothing. The Authenticator does though.
EDIT: I do have to admit, they could have thrown one in the box, at the very least.
Agreed, however, to protect users NOW until they sort out their own PCs (or other issue is found with Bnet) etc, this would be an easy solution that is no real hassle to players.
Just to add, I got caught a few times with ‘coin lock’ in RIFT myself. Not sure why.
The first time I panicked and assumed that would be locked into countless hoop jumping and it would be like pulling teeth. I had hopped on to do some auctioning which I wouldn’t be able to do if I was ‘coin-locked’ so was doubly frustrated.
However, it literally took 1 minute from clicking the button you see in the image above to getting the email, alt tabbing out to copy the code and pasting it in game. It unlocks instantly. No need to log out the game, it was all there on screen. It was wonderfully a simply solution.
I agree it seems simple Elly, but I think it’s a bit naive. I think we’re all in agreement (apart from the odd tin foil wearer) that the people getting hacked have keyloggers of some description installed on their PC/Mac, or fell for a phising scam. If this is the case – the coin-lock style system offers significantly less extra security than an authenticator because if you can record someone’s battle.net password, you can record their email also, even if they were smart and used a different one for each service.
In this case it also wouldn’t really alert the user at all, at the hacker would just log into the game, click the coin, log into the email, authorise it, and then just delete the message – no trace at all. I’m not against Blizzard implementing more security, but this system seems like minimal extra protection for the possibility of serious inconvenience – especially if you play on the move a lot like me.
By this logic, paramedics shouldn’t have bandages. All that bleeding can be stopped at the hospital!
An irrelevant logic analogy is always the most pathetic form of argument.
Blizzard had decided that best method to secure an account is something that is independent from your computer, a physical authenticator or a mobile app. If a hacker has keylogged your battle.net account then he as also most certainly has you email account and password as well. Blizzard is not going to replace their current security system that they spent probably spent $100Ks to implement with one that is less secure. Diablo 3 players are going through the same QQ that WoW players went through 4 years ago. Nowadays most WoW players happily type in their authenticator code once a week and enjoy the game and peace of mind.
“Blizzard is already doing everything possible.”
This is innacurate – they could very easily do the same thing Elly mentioned in the article above. As another example, every bank website has (or should have) a security measure where logging in from a different computer and/or IP requires some extra authentication step – be it email or answering a security question. That’s not difficult to implement.
I agree that people should get authenticators, and in fact, all of this has led me to get one as of 2 days ago. However, if you’re not reading online forums, you’re never going to know about the authenticator or hacking problems. THOSE are the people who deserve some sympathy, and the people that Blizzard really ought to be trying to protect.
Bottom line is that Blizzard CAN do more – arguably quite easily, and I believe they should.
It’s easy to look at the situation and say they could do more… but I say give them the benefit of the doubt, assuming they have security researchers who know a heck of a lot more than I do about network packets and keyloggers.
They have made in the area of 1/2 billion dollars revenue on D3, They claim to care about security and that they want to do everything possible. … Heres the important part **THEY LEAVE OUT A FEATURE THAT HAS BECOME ESSENTIALLY STANDARD ** and would clear up the whole security situation instantly.
Trion isn’t the only company to implement a feature like this. Others have as well, go look that up.
Blizzard accounts have been the most targeted game accounts for years now, and yet blizzard are lagging behind in the security department .
Trion implemented the fix within two days… and the problem essentially went away. There are many simple solutions blizzard just don’t care to implement.
Actually – the problem was just a lot less visible in Trion case, and honestly – no-one cares that much about hacking RIFT account – the characters and items have so much less value than WoW so even this weak security change would be enough to make it just not worth it.
Things are different in D3, especially with the RMAH on the horizon.
There is actually a significant downside to putting this all on Blizzard though – if you’ve got a keylogger on your machine, you have much more serious problems than your battle.net account being hacked. What about online shopping? Email?
I love Blizzard too, but you forget to mention the Bobby eyes….
Also, there is no way in hell I would spend extra money to buy their damn authenticator, nor do I wanna associate my cell phone number with an online game. The idea of “coin-lock” is brilliant and should be implemented ASAP.
If D3 where an MMO they’d act quickly too. Because losing subscriptions in that genre is a no-no. But with D3 they have our money. So if a player stops playing, it doesn’t affect Blizzard one bit.
^ the same problem applies to WoW as well, they both use the same protection methods.
Blizzard is obviously NOT doing everything possible
did they implement a FREE authentication system as Trion did ?
No
It took Trion 48 hours to put in the fix
48 hours !
I already paid $60 for an online only game
now I have to pay more to make the online game secure ?
what a joke
IMO Blizzard is doing nothing because they want to force players to use the authenticator and possibly the ones that cost money.
It amazes me how someone voted in the option “it’s the user responsibility”, it clearly shows the fanboysm level from the Blizzard players these days. An inventory lock would bring only advantages for the players, I really can’t see how accessing your email to unlock the inventory can be so annoying in the rare event your account was suspiciously accessed from a different IP. This already happens when you try to access your battlenet account from a different place than usual, why not implementing the same thing in D3?
“It amazes me how someone voted in the option “it’s the user responsibility”, it clearly shows the fanboysm level from the Blizzard players these days”
Really? Wanting to hold people accountable for their own actions is fanboyism? Tell me then, if these people aren’t getting hacked because of trojans/keyloggers (which are quite easy to avoid in the first place), then HOW are they being hacked?
Blizzard is losing money per authenticator sold because they are selling them significantly below price. The reason why they chose to lose money on the authenticators is because they lose even more money per hacked account, hence, lesser of two evils. So, no, Blizzard is not hacking their own users in an attempt to make money from selling authenticators. But I’m sure there will be some (crazy) conspiracy theory around how Blizzard is still the guilty one in the end.
“did they implement a FREE authentication system as Trion did ?
No”
Actually, yes, they did. Did you actually look for the answer to that question yourself, or do you just believe what all the angry people say? I find it amusing how big a deal people are making out of all this. I NEVER saw this big of a deal in all my years of WoW combined. Until it’s proven that people are getting hacked because of blizzards servers, and not someone just being an idiot, I’ll just keep laughing at all of this.
keyword = WAS founded
90% of the Blizzard BoD from their glory years (Phinney, O’Brien, Wyatt, Roper, Brevik, Schaefers, Adham) has been gone for a decade.
METZEN! We still have Metzen. 😀 He counts for 50%.
I really like Blizzard and all, but Metzen and Knaak need to be fired. As soon as possible. And, yes, I do know that he had and active role in D1 and D2’s story, but I imagine, back then, he wasn’t the one who was calling the shots, hence the distinct lack of mary sues and similiar cliches. As much as I love D3 and think it a master piece, the story, not background story and not lore, those are both mind-blowingly amazing, but the story itself is rather dissapointing.
Actually they don’t ship Authenticator worldwide, only to the limited number of countries.
And if you mobile is not apple or android stuff you have zero protection.
Blizzard do not provide good coverage for users and reacted poorly. This attitude: “only noobs are hacked” will last only until you will be hacked yourself.
Most people that know how to play diablo games can hack so it’s no fun when people get all angry because they can’t hack. In diablo 2 everyone had map hack and you are a filthy liar if you say you didn’t know how to map hack. I truly think everybody wines` to much in diablo 3 when it’s gonna happen no matter what u gonna do! peace!1 😉 😯 😮
You are a filthy liar if you think everyone is a cheater like you. Not everyone used maphack. I can point to hundreds of people that never used it.
When OP said hacks he was referring to account theft and not maphacks, dupes etc. Dafuq? Learn how to read please…
EdwardMcHater: “In diablo 2 everyone had map hack and you are a filthy liar if you say you didn’t know how to map hack.”
*Who* can’t read?
You admited to cheating so your opinion doesnt count bro
Good lord!! Do you even know how the reply system works? My first message wasn’t addressed for you TPJ, it was addressed to EdwardMacHater.
But anyway, you guys were arguing about maphacks etc, but that’s not the point of this article. When OP wrote about hacking it meant account hacking and not maphacks….
Seeing situations like this makes me want to quit trying to discuss anything related to D3. 75% of people writing things are fanboys irrationally defending Blizzard and the other 24% of them don’t know how to argue and use a forum…
I think coin-lock is a great idea.
Great stuff Flux, it is not the first time that I hope that Blizz checks this site regularly 😉
My name is Elly 🙂
Are you really?
If authenticators are such a neccesity, they should have shipped with the game. You can’t tell me this isn’t a security breach on blizzard’s end, there’s far more valuable information to hack into on computers than Diablo III accounts. I’m not angry about getting hacked (it sucks having to find new equipment, but big deal) but there’s an obvious security breach and something needs to be done. So far all I’ve seen that’s been done is \buy our authenticator\. Really? If I sent a flawed product to the customer and then had the balls to ask them to pay for the solution I’d get sued.
You may have a point. TRION didn’t think they had a hole either, they couldn’t find it, but a user did.
It’s not flawed because Blizzard can’t control your PC. That’s like saying Microsoft should be sued because their operating systems have flaws which are exploited.
Obviously, if there is some massive breach going on, they should tell the public, but they can’t be expected to hold your hand while you install Windows Updates.
/facepalm
They hack only your D3 accounts and not more important stuff because thats the target of the hack. The hacker is not scanning manually your computer and picking things one by one. The method emplyed just gave him your login/password with thousands of others and then he just uses them one by one.
I read somewhere several years ago that a blizzard account was actually worth more than the average credit card. This was due to the way Blizzard security vs financial/credit security was set up.
They could essentially sell all of your wow things/character, and would end up making more in the long run, and never be caught, than if they stole your credit card information.
I imagine that this has gotten worse since then, as banking security has improved and blizzards security has essentially stayed the same
This: ships with game. Period. End of discussion. Unforgivable for a game with this much potential for…
I have an authenticator (mobile) and support it 100%. I do believe it solves 99% of all problems we see reported. That said, a coin-lock like feature would all-but stop the problem altogether. You see, it gets to the root of the problem: authenticators are optional, so there will always be a percentage of the user base that is vulnerable to social engineering and other tricks employed by gold selling sites.
If you strip away their ability to access items of value in the game entirely, they lose all incentive to even bother. Does anyone have any knowledge of whether this feature all-but solved Trion’s problems in Rift? If so, why NOT implement coin lock? It’s very rare that PC gamers login from different IP’s (and in those cases, this doesn’t sound like too large an inconvenience).
At the time, it stopped it right away. Players were very pleased with the results.
As above – the fact this this worked for RIFT is simply because items in RIFT are of such dubious value in the first place that even this weak security was enough to tip the balance over to not being worth the hassle.
This is not the case for WoW, and it’s for D3 now – and especially not when the RMAH launches.
What does the coin lock add to a machine already infected with a key-logger? Nothing.
I agree what would a coin lock do if Blizzard is not at fault ?
It would piss players that aren’t hacked and once its unlocked everybody that got their password stolen would be hacked again.
how would a player who’s not hacked get coin locked in the first place ?
and why would players get “hacked again” ?
inventories become locked, you can’t trade or drop anything of sell anything
what’s the point of hacking ?
Trion’s coin lock put an end to the problem over night
people didn’t continue to get hacked
did you even read the article ?
Apparently he didn’t.
It would be annoying if every player had to unlock their inventory every time he accessed his account, but this is not the case. The lock only happens if the password was compromised and if the real account owner noticed he was locked then he will know he was almost hacked and he must change his password ASAP to fix the problem.
Misread nevermind then.
also, in relation to what synch said. For the first week or so after coin lock was implemented, non hacked users had to unlock their accounts a number of times due to them working out the kinks in their programming.
No one complained, as they were doing it for piece of mind.
Their accounts were secure, and a few extra mouse clicks were worth that trouble
Blizzard has already done something similar to Trion’s coin lock system, and they did it before Rift was ever released – it’s called an authenticator. We all have access to an optional second layer of security that is as close to 100% secure as can be, and certainly more secure than something like coin lock. Blizzard has no responsibility to force additional superfluous security measures on everyone in order to protect those users who choose not to make use of the most obvious and most effective security measure available to them. Besides, the entire argument presented here is flawed based on the information given. Trion’s coin lock was a system designed out of desperation to address a server vulnerability, something they were clearly responsible for. Blizzard, on the other hand, can’t be held responsible for users who refuse to use an authenticator and can’t keep their PC free of malware.
Yes, but TRION didn’t need to add coin-lock, they could have left it up to users to get an authenticator instead.
Your car company didn’t have to put a car alarm on your car, you could get one aftermarket instead.
Microsoft doesn’t have to give you free AV/firewall tools with their computer, you can get 3rd party solutions.
The bottom line is that it’s simply GOOD customer service for Blizzard to implement something easy, such as “coin-lock” – rather than relying on the user’s to go get something that they might not even be aware that they need.
Don’t get me wrong, i love Blizzard’s games, and it’s not really their fault that people are getting hacked, but Blizzard is in a position where they can fix the problem quickly and easily.
Sup, bro.
“Blizzard has already done something similar to Trion’s coin lock system”
😆
authenticator costs money
coin lock free
yes, I can see the similarity
🙄
“Trion’s coin lock was a system designed out of desperation to address a server vulnerability, something they were clearly responsible for. Blizzard, on the other hand, can’t be held responsible for users who refuse to use an authenticator and can’t keep their PC free of malware.”
big assumption you’re making there boy
How can you possibly be sure that EVERY single D3 user who got hacked had malware on their pc ?
you must be a fanboy !
I’m sure Rift fanboys were saying the samething about the Rift players who got hacked, “Its your own fault for having malware.”
But they were wrong. It wasn’t the players’ fault. It was Trion’s.
And that could be same thing here.
It could just as easily be a problem with Blizzard’s servers as it could be a problem with the users.
and as for “Blizzard, on the other hand, can’t be held responsible …”
why should they be held responsible ?
when they can just SELL authenticators
🙄
“How can you possibly be sure that EVERY single D3 user who got hacked had malware on their pc ?”
There are several attack vectors that don’t require a users pc be infected with anything. Social engineering and phising attacks don’t require the pc be infected with anything. If the user has used the same user/pass combo anywhere else then that other location could have been breached.
“authenticator costs money
coin lock free
yes, I can see the similarity”
Authenticators prevent unauthorized access to your account. Coin lock prevents unauthorized access to your account but in a significantly less foolproof manner. I said they were similar, not identical. Do I need to provide you the definition of “similar” or can you Google it for yourself?
“big assumption you’re making there boy
How can you possibly be sure that EVERY single D3 user who got hacked had malware on their pc ?
you must be a fanboy !”
I’m not fanboy, I’m just a fan of people taking responsibility for their own actions and inaction. If you can’t secure your PC and choose not to use an authenticator then it seems fair for you to take responsibility for the consequences. Blizzard’s comments on the issue have repeatedly made it clear that the people being “hacked” are actually the victims of keyloggers or other forms of malware.
“It could just as easily be a problem with Blizzard’s servers as it could be a problem with the users.”
But there’s no evidence anywhere to indicate that’s the case. It could also be aliens. I mean, clearly it isn’t aliens because there’s no evidence that aliens exist or that they would care to attack Blizzard’s servers but apparently evidence isn’t something you value very highly.
“why should they be held responsible ?
when they can just SELL authenticators”
Authenticators are available for free if you have a smartphone and sold at cost if you need to purchase the hardware version. Yes, I can see the conspiracy here. Oh, wait.
There’s no conspiracy no, but
Authenticators are sold at cost. Sold, as in they cost us money.
PC software authenticators are sold too, but at an even higher price than the real ones
And not everybody has or even wants a smartphone
authenticator costs moneycoin lock free
bad troll, using such obviously false info.
What a clever and simple solution. A note to all gaming companies, imitation is the sincerest form of flattery. 😀
I don’t really get this particular problem. You can put an id property on a gold class so the reciever is automaticly identified.
I doubt Blizzard really bothered in doing something like that.
well – when I logged into diablo 3 on my laptop “another IP” then I normally use, My account got locked and I recieved an email from blizz with a warning etc, and the only way to re activate my account was through phone support or with my secret quistion 🙂 so – if you login with another ip, that you normally do not use, it will lock the account until you confirm that ip with the option I just stated above.
Really Flux, really? I post a two thousand word essey/rant and you remove the news item. Why did you remove it in first place? It seemed fine to me.
wat? Elly posted this one.
If you mean you put a comment on a later news item, I meant to time code it to go up a few hours later, and missed the click on teh time, so delayed it a couple of hours to give this article time to breathe. any comments made in the few minutes it was live are preserved and show up when it goes live again a bit later.
So add coin-lock/SteamGuard style system as well? Sure, whatever, I’m always happy with more security.
If Trion had any sense, they would have patented this and then licensed the idea out for $$$.
They aren’t the first to have it. Many japanese/chinese games have had that system for years. The most recent example I can find is Battle of the Immortals and War of the Immortals. Pretty much all of Perfect World’s games (aside from Torchlight) have this feature.
I remember talking with Elly about this on the 1st or 2nd Diablo Podcast we ever did, and we just assumed Bliz could copy coinlock into WoW, and put it in all of their other games going forward. Seems such an obvious and useful tool, to help their customers and save them all the trouble of restoring hacked items and rolling back accounts, etc.
While a coin lock system would help with the issue, the authenticator is better. Coin-lock is essentially a conditional authenticator while the authenticator is always required. Always > GEOIP data conditional
Authenticator is free for your phone. If no phone buy it for $6.5. $6.5 should be nothing to someone that spends significant time playing an online game and is worried that their virtual gold will be stolen. If it is too much to you then perhaps you should revisit your priorities in life.
Despite the cost to the user, Blizzard does not make money from the authenticator. If you would prefer that Bliizard subsidize the cost I canunderstand that in light of the recent amount of “hacking”.
Anything to curb the amount of QQ threads about getting hacked.
There seems to be a lot of chatter about hacking and the like – the hacking or compromising of people’s account is not the main issue here, because if I cannot log in to play neither can any hacker, I cannot see nothing on incgamers about the issues lastnight and more of it today about Error 37 about the Euro server, for two days solid there has been Error 37 galore and now that issue has faded, there is now another, the login screen is now stuck at ‘Retrieving hero list’ for me and it just hangs for minutes.
The guys at NCsoft had the right idea with Aion. Once you log in and select a character, you have to put in a pin via a pop-up number pad with your mouse ONLY. Sounds like a simpler solution to end this problem, in my opinion.
That’s an interesting approach.
It would help for those getting keylogged (but not for getting click-logged and/or packet sniffing).
I think I like coin-lock or a similar IP-based verification better, and obviously the authenticator is better than both, but it’s a feasable solution.
Some banks have tried much more intricate solutions than that. To break the simple version, you really just need to detect the popup, then log mouseclicks and screenshots at the same time.
There is a ton of things Blizzard could do, beginning with limiting the number of login tries. But Blizzard doesn’t care about security, just getting your money.
Can someone please tell me what extra security a coin-lock style system actually adds for a player already compromised with keyloggers etc on their machine – able to read all their other usernames/passwords?
People who get compromised like this have bigger worries than their battle.net account. Getting hacked in D3 might actually be a blessing in disguise if it stops their bank details being stolen next, or prevents them from falling for a phising scam in the future.
Just get a damn authenticator…they’re SO much better security wise and free if you have a smartphone. I actually bought a physical one years ago and it’s still going strong – best $6 I spent for a while.
Also… turn on the option to request Authentication EACH TIME you logon. I think it’s worth the extra few seconds. It’s in Bnet prefs.
My account was stripped last night of 1.25 mil gold, lvl 57 rare crossbow, gems , etc. Pretty much anything of value. I currently have nothing to show for the 63 hours played other than the XP. I should not have to setup an authentication system to keep it safe. I guess it has come to this. I never have an issue with any other sites like my bank, gmail, steam, facebook, etc. I have never had my password compromised until I played D3. I did not go to any phishing sites or tell anyone what my password is. My mom, brother, dad, girlfriend, sister does not know what it is. My password according to Blizzard was “fair”. It included numbers and letters. I have now changed it and it is much harder to figure out. I feel I am someone who keeps things well protected. I do have an SMS setup with gmail but I could not set it up with Blizzard because its a prepaid phone. My service is with Straight Talk. Its just like any service but without a contract. We pay a monthly bill like any other service requires. Yet Blizzard feels its not a legit number. Google lets me use it. I see no reason why Blizzard wouldn’t. I just set up the dial-in authentication system for my phone. Hopefully it triggers any foreign IP addresses because this is the only PC I log into bnet with. Any IP address other than the one I currently have should have had a red flag.
I have good pc security. I scanned it this morning with Microsoft Security Essecntials, Malware Bytes and HiJackThis. All came up with nothing. My pc is fairly new and is clean.
This game has over millions of users. They need a much better system to prevent this. This ‘coin lock’ system would be a great step in better protection. I really hope they implement something similar.
#FailBlog
– Miraged
Why did you sign your name to your own post? You were probably hacked for similar reasons.
Can I have your stuff? Oh wait, I already have it all.
Get back to work noob haha.
This is how to reply, noob.
If anybody can prove beyond a shadow of a doubt that purchasing an authenticator would cause significant financial duress in their life, I will gladly purchase one for them with my own funds.
sorry 🙁 just assumed, should’ve checked. Great job anyways though 😉
I voted no, not because it’s the user’s responsibility (which it is, but it still costs Blizzard money so they want a solution), but because anything that can break the authenticator can break this. For instance, if suspicious IPs flag it, there’s not really anything (for most users) stopping someone who has malware on your PC from turning your PC into a proxy and logging onto your account from your IP.
I personally think it’s the user’s responsability. I’ve been playing wow since day 1, d3 since day one, same for a few of my friends. The only security I have is norton internet security. Haven’t been hacked ever. Really it’s not that hard to keep your eyes open for all the rather obvious scams. I fix pc’s as a job. You wouldn’t believe the crap you find on people’s pc’s even though they claim they never did anything wrong. Friday someone turned in their brand new pc. Bought it for d3 and was running slow. he kept claiming he never did anything wrong and only played d3 on it. Turned out he clicked on a pop-up he thought was from his av. I checked it out and the pop-up generated was indeed rather similar to his av solution. Also people are rather fast to click the biggest and brightest download button on websites rather then the button they actually need to press and then come whining their comp is fucked up. He luckily didn’t suffer from account loss but it shows how easely people are lured into stuff without their knowledge. Personally I don’t think blizz is responsible for your own stupidity, and if you can’t handle the internet they can provide you an authenticator at low cost or a free mobile app. not the sms junk mind you. Diablo 3 has it’s flaws, some major ones to. But I wouldn’t say blizzard not holding your hand while handling the internet is a flaw on their behalf.
Personally I don’t have the authenticator. cause I’m to lazy to make the additional step to log in. I do have rather impossible passwords. which helps great against brute force attacks. My passwords look like this (lXLqc3nwrTMt) 12 characters, at random, generated from a random pw generator or my own imagination. I never generate the password on my home system. Allways at work. And I don’t use the passwords it actually generates. For example I let it generate 100 paswords 24 long and I pick a diagonal string somewhere on the page. Allways 12 characters to prevent brute forcing. 8 characters can be brute forced in about 10 days if your password is strong. 12 characters might be brute forced within your lifetime but highly unlikely.
Blizzard already has this exact same thing implemented, and has had so for a long time. If you login with an IP adress you do not usually use, the account is locked for that address, and you have some options for unlocking it again, for that address, which requires additional information. Exactly the same thing. It’s a great idea, but it’s already there. (See what I did there?)
It won’t matter what Blizzard do. Hackers will always find a way around any and all security measures…