Bliz could also just cache a valid pass on a number from a given keyfob for 50-150 ms to allow the other 1-39 requests that hit right around the same time to clear on its coattails.
The reason I mention the per keyfob serial override option is because I know it exists on some keyfob security architectures, therefore possibly requiring almost no extra work and testing on Blizzard's part.
I'm really not sure if the scant multiboxer population would warrant any additional development resources unless you guys can pull some higher-up strings.
Wow, I must really be out of it. I've been flirting with the idea of coming back to WoW, but after reading this thread I think I must have missed something. I have no B.Net accounts - do you have to have one now to play WoW? And I don't care about "security" this is a video game, not my stock portfolio. I don't install keyloggers on my computer - I've played since November of 2004 and never had my account hacked - so is it even possible to avoid security garbage like this?
Finally, why doesn't Blizzard just do smart cards with USB smart card readers? You need to insert the smartcard, type a PIN and as long as that card is connected to that PC your account can authenticate. No additional numbers to type etc. MS (and several other large companies) use that method - very secure and much more user friendly.
On Nov 11th, you will need to have each wow account associated/merged with a B.Net account in order to log into the game. Prior to the 11th, there is no restriction.
It is free to merge accounts, you just need one valid email per B.Net account you create. Each B.Net account can have up to 8 wow accounts merged into it.
If you don't use the Authenticator, then one or multiple B.Net accounts is the same thing. Enter the B.Net email address (in the place of the wow account name) and then the password.
With an authenticator for increased account security, there are log in issues to be aware of for multiple wow accounts on the same B.Net account.
What about moving toons? Why would they put restrictions on moving toons once they are associated with a bnet account?
My understanding is that you cannot move toons on to (or off of) a B.Net account for 60 days after merging an account onto it.
Once all the accounts are on a single B.Net account, you can move toons from one account to another very easily and quickly. Moving toons between B.Net accounts will work fine (as it currently does), once you get beyond the 60 day window.
So if I were to move all of my accounts to a BNet, but not get the dongle, I would not be impacted except for changing the account name on the login? How does WoW know which account I am trying to log into?
This is correct. Once you have multiple accounts the first time you login to the battle.net account and have SAVE ACCOUNT INFORMATION ticked - it will display a popup box and let you pick the old account name you used to use from the list.
Once you login once, next time it will show your e-mail address in the account name box and a small drop down box with the one you used last saved.
I think the problem you're experiencing here is that if the Authenticator Code box remains up too long (maybe 60 seconds or two minutes, not sure of the exact time), the password that was previously entered becomes invalid. You have to cancel the authenticator box, re-enter the password and then a new authenticator code.
According to the last page of this post made by a WoW player, the change makes sense to stop the keyloggers from getting access to your account with your authenticator code within 60 seconds:
http://forums.worldofwarcraft.com/th...sid=1&pageNo=2
Maybe it is for some other security reason that Blizzard has in place, but with a ton of accounts like I have, this battle.net authenticator change now makes it take me a long time to log in. Apparently the change made with battle.net accounts and the authenticator was made on purpose to stop the keyloggers from gaining access to accounts within 60 seconds. That is, a different code for the second login was necessary from the same authenticator to log in to the battle.net account. It makes sense to me as this could cut down on support calls to Blizzard when someone loses their account with authenticator access to a keylogger. Multiboxers are far fewer in number than the normal 1 account login with battle.net. So it would make sense from Blizzard's perspective to reduce unauthorized access at the expense of a small number of players' inconvenience.
There is one way around all of this. Create multiple battle.net accounts. I've confirmed the same authenticator attached to multiple battle.net accounts allows the same code to be used at the same time. So if you have 5 WoW accounts for example, instead of creating just one battle.net account and merging all of those to the one battle.net, create 5 battle.net accounts. Merge each WoW account to each battle.net account and the authenticator that was attached to each WoW account will automatically be attached to each battle.net account. With Keyclone, Octopus or whatever you use to start WoW up, you enter the account name with the separate battle.net account logins. The issue of having the same authenticator code used at the same time goes away because you have separate battle.net accounts. I've confirmed this. However, Blizzard could possibly change this in the future, but for now it works by logging in at the same time without any issues.
A friend of mine had his account seized by a hacker using an exploit.
They managed to get a keylogger onto his machine and got his username and password.
From there they made a b.net account and merged his wow account with it. They then proceeded to sell off all his good sellable items and because he was a miner was flying him all over the place grinding mining.
He called me on the day he lost access to his account and was asking me about it. He told me that he had received an email from Blizzard saying that they had merged his wow account with his b.net account and told him that the new login id was some email address from yahoo in Croatia.
Unfortunately for them, I was on the phone to my mate talking about his lost access to his account, when I logged my solo main into the game and while I was chatting to him I pulled up my friends list and there he was online...
I opened a ticket then and there to report it. Also talked to someone who knew a GM IRL (because I did a /y looking for a GM... got a couple of arseholes /w'ing me laughing about it).
His account got locked that night or the following day and he got an email from Blizzard about it all. They unlinked his account from the b.net account and reset his password.
He had all his gear they sold restored to him, minus gems and chants. He wasn't complaining about it all... he managed to come out of it with a profit... about 100 stacks of saronite and 30 stacks of titanium.
Straight after he told me about it, I did some checking and found a few people had been done over like that, and decided then and there to create my own b.net account and merge all my accounts with it. I also downloaded an authenticator for my iPhone and for a while, I was able to log in all of my accounts with the one code from the authenticator.
While it is inconvenient for me to enter 1 number per login, the security side of things is a lot better (apart from the fact that this gives the hackers 2 sequential authenticator numbers for removing the authenticator).
I'm going with 5 battle net accounts, one per wow account.
Each will use an email to log in, and will have the same password.
Essentially this is no change from my current set up, which is a username per account and a shared password.
I already have two authenticators, because I wanted an extra for when the battery in the first (linked to all 5) dies way down the road. In anticipation of Blizzard eventually changing it so an authenticator is only valid for one code, even if associated with different B.Net accounts, I've ordered three more authenticators. Basically PiP swap from one account to another and pressing a button once per account, but not having any delay (needing to wait for the next number) won't be too bad. I'll of course wait until the last day to merge the accounts, so one password (broadcast) along with one authenticator code (also broadcast) gets me into the game.
The extra authenticators are a gamble, but really 6 bucks per authenticator isn't all that much. If this is an intended change for security purposes, I'm betting it's a bug that you can still use one authenticator across multiple B.Net accounts, when you cannot use one authenticator across multiple accounts within one B.Net account. Worst case scenario, I'm wrong and am out 20 bucks plus shipping, but then have 5 authenticators and can give two away to real life friends who also play wow but don't have authenticators.
I also bought 4 more authenticators with the same idea. One B.net account then just use pip. I will probably put them all on a keychain in a certain order or attach them to a piece of cardboard or something.
Simple post: I don't care. I pay to play, if I can't play without unreasonable actions, I stop playing. Will not be renewing canceled accounts for Halloween and likely Icecrown. The remaining account is going to get canceled as well.
Long post: They fucked up, plain and simple. Just like the AV "oops", they rushed a change in and either ignored the people that brought up the possible problem or never even considered it. Either way, I don't care. They make things a pain in my ass, I move my ass, I don't try and find a pillow and sit back down on the broken beer bottle.
To those of you who still enjoy the game, I truly am sorry they do this kind of stuff. It sucks to just want to play a game for enjoyment and have to jump through hoops because suddenly things change without notice or explanation.
The justification for forcing OTP instead of time window tokens is BS. If they can get the token on the first try they can already block your login and get into your account. The security that is being used is not safe against man in the middle attacks, and the changes they made do nothing to change that. A simpler and more effective solution would be to disallow the same token to be used from different IPs, but even that isn't perfect.
Yea, I'm bitching, I figure after all the money I've paid and all the BNet crap I've had to do with minimal benefit to me, I'm entitled.
- Souca -
Simple Post: Can I have your stuff?
Longer Post: Last time I checked, no one is forcing you to use an authenticator. If the additional account security isn't worth the trouble to you, remove the authenticator. But it looks like you are looking for a reason to quit, so well...
I had a strange issue come up. I called Blizzard for a support issue and the guy asked for my authenticator serial number right after he asked my name and the answer to my secret question. I felt weird about it but gave it to him because he was a blizz employee. Does this mean he or someone he passes the info on to can hack the accounts?
As of last night I can still use my authenticator with all my accounts at the same time. I HAVE NOT CONVERTED MY ACCOUNTS TO BATTLENET. Reading this thread I am not going to transfer over until they fix this problem. I think it is a minor bug that they will eventually fix.
I really like using the authenticator. I don't know how many times I have accidentally /said my password on slaves. I don't really care since having a password isn't any good without the authenticator.
On a different note, my iPhone got hosed when I tried to update to 3.12.
I had to recover with a full wipe :(
To my surprise, after reinstalling the Mobile Authenticator it automatically had my serial id for generating the correct access codes and I was able to log right in.
Supposedly this was how it was supposed to have been working all along, and they FIXED what they considered a bug and not introduced one.
As Souca stated, this doesn't completely negate the possibility of a man-in-the-middle attack, but it reduces the window of opportunity from 30 seconds down to how ever long it takes for you to press enter after typing the last digit of the code. More security for 99% of authenticators vs 2 minutes of hassle for 5-boxers... it's not too hard to see why Blizzard made the choice they did in fixing the bug.
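The two behaviours this thread argues about (a code that any number of clients can reuse for the whole 30-second step, versus a code that is burned on first use, plus the "cache the valid pass for 50-150 ms" idea from near the top of the thread) can be made concrete with a small RFC 6238 verifier. This is an added example, not Blizzard's code or anything posted in the thread: the `CodeVerifier` class and its `mode`, `grace_ms` and `drift_steps` parameters are my own names for the ideas the posters describe, and the secret (the RFC 4226/6238 test key), timestamps and five-client sequence are constructed.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, int(now // step), digits)


class CodeVerifier:
    """Server-side check of a submitted code (assumed design, not Blizzard's).

    mode='window': every correct code for a live time step is accepted as often
        as it is presented (the old behaviour that let five clients share one code).
    mode='single': a code is accepted once per time step; a second presentation
        is refused, which is what the thread describes after the change.
    grace_ms: in 'single' mode, re-presentations of an already-accepted code within
        this many milliseconds of its first use still pass (the 50-150 ms idea).
    drift_steps: adjacent time steps tolerated for clock skew between fob and server.
    """

    def __init__(self, secret: bytes, mode: str = "single", step: int = 30,
                 grace_ms: int = 0, drift_steps: int = 1):
        self.secret = secret
        self.mode = mode
        self.step = step
        self.grace_ms = grace_ms
        self.drift_steps = drift_steps
        self._first_use = {}  # time-step counter -> timestamp of first accepted use

    def verify(self, code: str, now: float) -> bool:
        code = code.strip()
        if not (code.isascii() and code.isdigit()):
            return False
        base = int(now // self.step)
        for delta in range(-self.drift_steps, self.drift_steps + 1):
            counter = base + delta
            # constant-time compare so timing does not leak which digits matched
            if not hmac.compare_digest(hotp(self.secret, counter), code):
                continue
            if self.mode == "window":
                return True
            first = self._first_use.get(counter)
            if first is None:
                self._first_use[counter] = now  # burn this step's code
                return True
            # replay of an already-used code: only the short grace window saves it
            return (now - first) * 1000.0 <= self.grace_ms
        return False


def simulate_five_box(mode: str, grace_ms: int = 0):
    """Five clients submit the same fresh code 25 ms apart (0..100 ms), then one of
    them re-sends the same code 5 s later, still inside the same 30 s step."""
    secret = b"12345678901234567890"  # constructed: the RFC 4226/6238 test key
    t0 = 1_300_000_000.0              # constructed login instant
    verifier = CodeVerifier(secret, mode=mode, grace_ms=grace_ms)
    code = totp(secret, t0)
    burst = [verifier.verify(code, t0 + i * 0.025) for i in range(5)]
    late_replay = verifier.verify(code, t0 + 5.0)
    return burst, late_replay


if __name__ == "__main__":
    for label, args in [("window", ("window", 0)),
                        ("single, no grace", ("single", 0)),
                        ("single, 150 ms grace", ("single", 150))]:
        burst, replay = simulate_five_box(*args)
        print(f"{label:22s} five-box burst={burst} replay after 5 s={replay}")
```

The "single" mode is what costs a five-boxer one code per client; the grace window keeps that behaviour for anything submitted seconds later while still letting a near-simultaneous broadcast through, so the trade-off the thread is debating comes down to one number.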
Guys,
I have been out of it for some time. With the battle.net account, can you log into each WoW account on 5 different pieces of hardware? I multibox the old way (5 PCs, switch box). So can I link all my WoW accounts to one battle.net account and have it work from 5 different PCs (or more, I have 7)?
Thanks
If they are in the middle, they will just prevent you from even logging in. If it's been a bug for over a year, it's now called a feature. Ask MS how many bugs they have to keep in their versions of Windows because software counts on it working the same way. It adds no security for those 99% of the people in this scenario.
- Souca -
Yeah it's a pain, but in the scale of things it's a minor inconvenience. Heck, my ritual now is to login while I'm catching up on emails or doing other productive things. If anything, the game is waiting on me to put in the code. Not a big deal.
IMO, if they wanted to ensure security, they wouldn't have decided that tying every single Blizzard product a person owns to one single e-mail address and password instead of multiple userids was a great way to do things.
I see your point, Khat.
However, to guess my (up to) 14 letter/digit/symbol username and then my (up to) 14 letter/digit/symbol password is pretty strong security. Passwords should be case sensitive, but unfortunately they're not.
Unless I'm keylogged, it's not at all likely they'll randomly guess a username and a password.
If I am keylogged, then one account or five accounts, they'll have the information as it is entered, or whenever it transmits the logged info.
True, the authenticator login is a pita, but having been hacked on numerous occasions I don't mind the extra hassle. I'm just wondering how long the batteries last given I'm now pressing the button 5+ times >.<
It's not exactly guessing if, as the majority of users do, you use the same email address for everything. It's all well and good when dealing with smart people who use good userids and passwords...like mine USED to be, but we're talking about people who repeatedly fail at their own security.
People who look at a post like "lol, so funy! look for self sexleg hot! omg.kennylogginsyourkeys.here/ufackinnewb.exe " and post back "i went like 4 time???? i din't see nuthin? lawlz?"
People who make an account name like HoserMcLuvin and troll all over Curse, WoW, MMOChampion, anywhere WoW related with the avatar name...HoserMcLuvin...with links to their armory and facebook and Twitter and anything else that has their e-mail address {HoserMcLuvin-at-gmail, of course, same password as they use for everything} and random WoW info.
People who will get their butt keylogged over and over again because they don't run anti-virus and don't scan all the random crap they download and don't even know what anti-spyware is or how to format, and share their account with their friends who are just as stupid.
Blizzard didn't do anyone any favors by moving to e-mail address form. Especially considering how much some of these sites just LOVE to sell e-mail addresses.
Definitely see your point there too.
I get 10 email addresses through my service provider.
I'm planning to use 5 of them for B.Net accounts.
They won't be used for any other purpose ever.
I'm not sure how many characters you can have in a B.Net email address, but I'll want close to the maximum.
The usual mix of numbers, letters and symbols, without more than 2-3 of one type in a row.
Chances are I won't be able to remember the email long term.
But will have them entered into IS as my user names, and saved somewhere for copy/paste if needed.
Most likely, they'll be a tad harder to get (without a keylogger) than someone who clicks a link like the one you posted above. I really like the logger name you picked; it unfortunately shows the mentality of a lot of the player base...
Nice to see WoW general forum whiners are even on DB forums now too. Your post I've quoted one page ago is full of QQ.
On topic:
Yes, the change kinda sucks for multi-boxers who got used to login with all accounts at the same time. Am kinda sure they didn't change it to annoy multi-boxers or cause of some man in the middle attack, such attacks are just not worth it for WoW accounts. Maybe it's been possible to automate the hacking of authenticator secured accounts, I don't know or really care. They've changed it for whatever reason and you got to adapt.
What most seem to forget is blizz is running WoW to make profit. Lots of profit. If players wouldn't be stupid and get hacked all the time (keeping your OS, browser+plugins up to date and NOT visiting stupid sites is hard), they wouldn't have to waste lots of manpower (aka profit) to block, investigate and restore hacked accounts.
They could have said, well, it's your fault for getting hacked so we are charging 100$ to restore an account. That would have been even more QQ, so they keep paying the bill for hacked accounts while trying to go with the best possible security for their "normal" (1 account) users.
Love (or at least accept) it or leave it.
Regardless of whether or not you are "kinda sure they didn't change it because of some man in the middle attack", it is vulnerable to that, so that's as good a reason as any to believe that they changed it. Your assertion that wow isn't serious enough to warrant a change like this is silly considering that the discussion we are having is regarding a rotating token security system already implemented for wow, which isn't just thrown around for the fun of it. Somebody (both at Blizzard, and their customer base) clearly thinks security is important here, so yeah, they should fix vulnerabilities.
My biggest gripe is the email thing. I don't want my wow subscription email associated with anything else in my life. Call me paranoid, but I know where it can lead and I want no part of it. So, I'm going to have to create one or more new ones just for this, and it irks me - primarily because there's no good reason they couldn't let your bnet account be whatever you want, just like your current wow account. If they are so serious about security, they should hire a good security consultant who would tell them so.
BTW, one thing to keep in mind everybody...creating multiple accounts may get you around the this issue *for now*, but they've been talking about things like allowing heritage items to be passed around all your bnet accounts, so you would lose out on future features like that. Just thought I'd mention it.
I missed your point. Your E-mail is already tied to an account. Making your Email into your account name, what changes? WoW players still only know toon names, not account names. No one can get your account name except Blizzard, nothing changed. In my case, it will help as I set up accounts on different Emails so there could be problems. Bnet will fix them.
Is it just me or did they change something with the authenticator? I used to be able to log on with all five accounts at once, now it seems the code is only accepted by two windows at most, then I have to enter a new code for two others and so on. Very annoying.
The point is e-mail addresses are shown on tons of websites, easily found and bought and sold to lists every day. If someone got the e-mail address associated with one of my wow accounts before, all I had to deal with was spam. Now someone gets ahold of it, they've got my userid for all 5 of my accounts. Basically, half of your account information is now for sale, not just for WoW, but any past or future Blizzard product that will be force-tied to Battle.net.
Just because some people are smart enough to realize that you should go out and register an entirely new e-mail account that will never, ever be used for anything but logging into WoW doesn't make this secure. Most people are stupid and would think nothing of registering for a random new fansite promising beta invites when they only want your e-mail address. Just ask any of those people that were waiting around for their "free new beta mount testing Blizzard is would having!" the BIizzdevjtiwyr told them to go register for when they got booted off and couldn't get back on. Most people will probably use the same address they've been using since they started playing WoW because that's where all their notifications for WoW crap go.
Thank you. I see the point now. I have so many accounts and use different Emails and names, I will know where they got that set of information. But you are right, we are talking about smarter than your average (feral) bear on DB.com, and I have to remember the 50% of WoW users that have trouble spelling their names.
On the plus side, you can change the battle.net e-mail address, which is a luxury you don't have with the old userid, so if you signed up with an address that you've used elsewhere, find spam in a new one or have another reason to believe it may be compromised, you can just get a new address and change over.
But still, it's an e-mail address and I dread the weeks following the full changeover. It's going to be back to 10 spam whispers a minute from compromised accounts.
I have been using an authenticator for about 6 months now and it NEVER let me login with more than one character at a time.