Diablo III

[Chris]

So far out of all of my real life friends who play this game, which is around 8 of my friends, only one of them and myself haven't been hacked. I know none of then have been at sketchy sites so the chances of them all getting keyloggers is pretty low considering they all played WoW for years and none of them have ever had an account hacked. I have an authenticator on my account, but a couple months ago my WoW account was hacked (after being deactivated well over a year ago) so I don't know how much it helps.

What is the basic process by which this happens? Why is it so common with Blizzard games specifically? Is it brute forcing?

[toblix]

I'm guessing Diablo 3 is super-duper-unprecedently targeted because of the real money action house.

[toblix]

Also, I'm sure they're blocking obvious brute force attempts – my bet is that most account hacks are due to keyloggers, passwords stolen from elsewhere, and account sharing.

[Korax]

I've got my account linked to an authenticator, and haven't had anything happen to me yet, but a friend using Blizz's call-in authentication had his account broken into, and then found out that the call-in one apparently doesn't link to Diablo 3 in some way. So, heads up, maybe.

[Gormongous]

Several articles I've read mention that attacks occasionally occur while the player is logged in and that Blizzard's servers often have no record of the incursion. This has been repeated way too many times for user error to explain all cases, I think. Rumor has it that Blizzard's credentials structure does encourage brute forcing with no case sensitivity and unlimited retries, though.

[youmeyou]

I heard avoiding public games is a wise strategy but obviously that's not substantiated in any way.

[dibs]

I read that some of the hacking has been through theft of the persons Id specific to that session. The hacker boots the real user off and takes over the Id the we're playing on. This can be done without having the users login name, password or authenticator. Other than that, not haveing an authenticator leaves you open to key loggers which have been the bane of the wow community since wow began. You can get it for free for iPod/iPad/iPhone. I have mine still attached since my wow days. It actually has only asked me to authenticate twice or three times s once launch though.

[Gormongous]

I heard avoiding public games is a wise strategy but obviously that's not substantiated in any way.

I'm reminded of the superstitions about health and cleanliness that were spawned in the wake of the Black Death, in a way.

[toblix]

I think the authenticator resets once a week. Also, yes, session-jacking is probably a possibility. Before Diablo 3 I regarded Blizzard with almost Valve-like respect, mostly due to the stories of long dev cycles and them throwing away finished work that doesn't cut it, in pursuit of perfection. Now, I'm wondering what the Hell they're doing.

[Twig]

Blizzard is the one hacking people so when they roll out Authenticator 2.0, they can make the big bucks.

yeah i know the authenticator is free shut up

[dibs]

Blizzard is the one hacking people so when they roll out Authenticator 2.0, they can make the big bucks.

yeah i know the authenticator is free shut up

authenticator 1.0 is free just to get you hooked

[Lork]

There are rumors all over the internet, but so far I've seen no actual evidence that it's anything more than the usual keylogging/phishing attacks scaled up for the popularity and money making potential of Diablo 3.

[Twig]

That seems mostly true, except for the people with authenticators. Keylogging wouldn't help against whatever magical algorithm Blizzard uses for generating the random keys.

[Gormongous]

There are rumors all over the internet, but so far I've seen no actual evidence that it's anything more than the usual keylogging/phishing attacks scaled up for the popularity and money making potential of Diablo 3.

I'm sincerely curious here, not being passive-aggressive. What exactly would constitute evidence in this situation? All I've seen so far is anecdotal evidence on both sides.

[Forbin]

Keylogging had cracked the authenticator seeds in the past. It's part of the reason that blizzard trusts your machine for a limited time after entering a valid key. If you're constantly entering an auth key and it's logged, then the hackers can accumulate all those keys and the time stamp they were entered on, and attempt to crack the seed. It takes a long time and basically shouldn't happen since auth entries are far less common now, but it has happened.

[Chris]

Where would the potentially keylogging be happening? Through malware that gets somehow installed on the user's PC?

[Hero Protagonist]

Welp... my hardcore monk just died. Hell Belial + brief moment of latency.

The question now is whether I should brush myself off and try again, or stick to normal.

[Hero Protagonist]

Where would the potentially keylogging be happening? Through malware that gets somehow installed on the user's PC?

In almost all cases, yes.

[Lork]

That seems mostly true, except for the people with authenticators. Keylogging wouldn't help against whatever magical algorithm Blizzard uses for generating the random keys.

That would be a cause for concern if it was the case, but at least according to Blizzard there have been no documented cases of Diablo 3 accounts with authenticators being hacked. There has also been malware that managed to beat authenticators for previous games by keylogging the code and using it to log in within seconds of the user typing it.

I'm sincerely curious here, not being passive-aggressive. What exactly would constitute evidence in this situation? All I've seen so far is anecdotal evidence on both sides.

A demonstration of this so-called session id hack being used to gain access to someone's account without the use of their password would be solid proof. I don't really know what else would count as evidence, but so far it has just been people on the internet saying that they are absolutely sure that the problem was not on their end so it must be Blizzard's fault, and so on, which means nothing. I'm not sure what anecdotal evidence for there not being a security flaw would be either because that's asking to prove a negative.

[Twig]

Keylogging had cracked the authenticator seeds in the past. It's part of the reason that blizzard trusts your machine for a limited time after entering a valid key. If you're constantly entering an auth key and it's logged, then the hackers can accumulate all those keys and the time stamp they were entered on, and attempt to crack the seed. It takes a long time and basically shouldn't happen since auth entries are far less common now, but it has happened.

Man. I mean I know that kind of stuff is possible, and have sort of dabbled in a BIT of it during my academic computer science career but it still kind of blows my mind, I guess. Thank god I have no plans to delve into the cryptography side of computer science.

Also my little authenticator dongle is magic. How is it always perfectly synced with Blizzard's servers? What happens if its battery starts to die and the processing slows down and my thing is now out of sync? HUH?!

[Gormongous]

I'm not sure what anecdotal evidence for there not being a security flaw would be either because that's asking to prove a negative.

As far as I understand it, there have been no documented cases of a session hijack according to Blizzard, even though the very nature of the exploit would not easily be documented unless an interested party was made aware of one while it was still in progress. It seems like people are saying they're being careful, so it can't be their fault, while Blizzard is saying the same thing. I'll be curious to see if this question is ever resolved.

[TheLastBaron]

I don't know if it makes any difference but I went into my account setting and set it so that I have to use the authenticator on every log in. A kid I went to school with played WoW and was super paranoid about having his account hacked so he had his passwords in a text document he had someone else write and email to him and he would copy and paste his password. He must have known this qwas coming and was trying to warn us all.

[Lu]

I think I'm kind of done with the game. I really like what they did with the design (i.e. the skill system), but beyond that there doesn't seem to be a whole lot there for me. I honestly thought I was going to like it more than I did, but I'm right back to ambivalence. From what little I had seen, I honestly thought it'd be more skill based than it really is and that the higher difficulties would have added value with new content (beyond loot). Instead, it was the exact same thing, except this time monsters have more health and do more damage. Hoorah. And if you're not strong enough to take them on? Get better equipment! I guess I'm just kind of done with loot games. I get it; I understand the feedback loop and I seem to hit my saturation point quicker and quicker with these kinds of games. Story hooks would alleviate that for me, making me care about what is going on, but we know how that went. I couldn't care less and it's all so very irritating. All I can see is the grind, the minor increases and decreases in stat points and texture swaps. It makes me feel empty and disconnected. It makes me feel like a monkey pressing a button that may or may not give me a peanut at some point. NO THANKS.

[Twig]

Man up. Play hardcore! Doesn't seem like it'll fix things for you, but I can say that I was utterly bored of D3 before I even beat act 2. Then I started playing hardcore and am enjoying myself a lot more.

Also I beat normal with my HC wizard. I seem to be having a harder time than I did with my WD, but I think that's largely because I don't have as much gold to spend on the AH to gear up. Think I'll farm act 4 normal for a bit. U:

Man Izual or whatever his name is... ugh rehgurheghu ugh. Diablo was much more difficult this time around. MAN.

[Scrobbs]

If it's purely w/out authenticator, then it's might be a keylogger, i.e. simple password theft.

If you're using one, then it might be session theft using ARP Poisoning and session capture/replay. The actual replay part of it would depend on how BZ's servers behave when setting up a session; for example, if the session mgt on server end is cack, and you get the same session ID each time you log in (a la Steam), then once you have captured a user's session, it would be trivial to log in as them and steal everything. If the session ID changes every time you log in, then it would have to be done while the user is online. Not sure how this would play out. At this point, the server would be receiving the same session ID from 2 machines. How the attacker would make sure it's theirs, I'm not sure. It could be luck.

Thoughts: Steam doesn't change session ID unless you change your password. So, if this was the case with BN, then it's easy to see how it happens. Perhaps BZ use the authenticator to 'trick' the servers into thinking you've changed your password (i.e. a bodge), and therefore give you a new ID. If that is the case, those who have got authenticators attached, but only require it every so often, would only receive a new ID when an authenticator code is requested, and be potentially vulnerable for that period. Accounts set to require authenticator code each login would therefore have better protection.

This is all conjecture, of course. BZ are understandably remaining tight-lipped. Would require testing.