I think I read somewhere that the dial-in authenticator was a huge fail mainly because of keyloggers that included a kind of ssh (or whatever) tunnel that allowed hackers to log-in as if they were physically using the hacked computer. So if this is exact, I guess the same issue will soon be raised with this new system. I can trust them to be imaginative enough to find a way to exploit thisOriginally Posted by Fenril
Guys, let's not kid ourselves. Having authenticator is not 100% protection from being hacked.I think I read somewhere that the dial-in authenticator was a huge fail mainly because of keyloggers that included a kind of ssh (or whatever) tunnel that allowed hackers to log-in as if they were physically using the hacked computer. So if this is exact, I guess the same issue will soon be raised with this new system. I can trust them to be imaginative enough to find a way to exploit this
If the attacker has something installed on your PC, like a keylogger with a tunnel, the attacker can simply hijack WoW when you try to log in, while locking you out of it, and at that point it's mostly irrelevant whether or not you have an authenticator... You entered the code, they have something like 10-11 minutes to exploit it. They can wipe out everything you had on your account, and you'll stare at the screen asking why you can't log into WoW at all.
An authenticator is NOT to protect you against a competent attacker who already has access to your compromised PC. You're already fucked if that's the case. Blizzard's software scanning (Scan.dll specifically, which runs some scans when you launch WoW) IS to help protect you against this type of attack, along with other anti-[virus/malware/spyware/etc] solutions.
Your authenticator helps protect your account against brute force and dictionary (and harvesting, etc -- say if someone with a wow-related site expects you to use the same password on your wow account that you used on their site) types of attacks, not the man in the middle you are describing.
With that said, brute forcing is unlikely to come from your own PC and I heartily agree with the trade-off made here. You were doing a lot of work when you log in to protect yourself from these specific attacks, when it doesn't solve the man in the middle problem. They have removed the work for YOU, and left it for the attacker it protects against.
But I would also agree that people who want to have to enter it in should be allowed to, I guess
Last edited by Lax : 06-18-2011 at 01:54 PM
I already replied why at the top of this page. It doesn't matter how safe others feel or think this is, why can't
Blizzard respect my decision to not want to automatically opt into something they believe is the best thing
security-wise? People who don't want to use Real ID get to opt out, why can't I get a simple check box under
my account settings to "always require authenticator code"?
10 - 11 minutes was from my initial testing of how long auth codes lasted. Now, an auth code is valid for
approximately 2 minutes to use on the website and approximately 30 seconds to use to log into the game.
Posting Rules
Reply With Quote
Connect With Us