Lessons learned today: Buy authenticator

[camorra]

Long story short:

I came home from work and after diner I wanted to log in for a daily. The game told me that my password was wrong and after a few tries I checked the EMail adress I use for my accounts. Ooops one of my toons is banned for "online trading". I never did anything like that but it was the account my aution house chars were on (roughly 300k cash + a few items) so I thought blizzard suspected that the money came from illegal sources. I tried to call them but in europe the phone support seems to be out of order at the moment. Filled in some web page with my complaint and went to watch a movie.
Later tonight I thought that even if one account is banned I can still do my daily on the other accounts. I logged in to find that 2 other chars were robbed basically of everything that is sellable including an empty guild bank.
I contacted a GM and must say that I was very pleased: I was contacted within 5 minutes. He heard my story and understood that I am multiboxing. He promised me that my stuff on all my chars will be back within a day. I just hope he'll be right wenn I log in tomorrow.
First thing I did after logging out was to order 2 authenticators. Until today I never thought that this could happen to me...

Multibox safe - use strong passwords and an authenticator and don't click on every website you come across.

camorra

[Bollwerk]

I'm amazed there are still people who play without authenticators.

[Drommon]

/Facepalm

[Shodokan]

I'm amazed there are still people who play without authenticators.

I don't frequent porn sites or any non-safe site.

My "visit" list includes

here
d2jsp
wow forums
shoryuken
deviantart
warcraftmovies
elitist jerks
arenajunkies
mmo-champion
wowhead
my school's e-mail
hotmail and never get spam there.

I don't think i need an authenticator. I will eventually get one though. My password includes letters, numbers, ascii characters and is the max character length. It would take most brute-force years to get in.

[Souca]

I don't think i need an authenticator. I will eventually get one though. My password includes letters, numbers, ascii characters and is the max character length. It would take most brute-force years to get in.

Or just one second with a trojan or man in the middle attack. Do you know if your network connection is secure? You sure everyone at your ISP is legit and there isn't a temp willing to make a change to a router to get passwords as they stream by?

Just saying, it isn't just being careful that is enough.

- Souca -

[Powerwar]

I don't frequent porn sites or any non-safe site.

As a porn site webmaster I feel a bit offended by that, but I see your point.

Just in case someone here tries to freeload on porn sites, if you go to password trading sites or search around for pay sites passwords for free you are very likely to get a free virus/trojan/spyware/malware/alien too. This is how paysite passwords trading sites make money since lots of years ago, just now they push bad things even more. Unfortunately some old time clean sites are also moving to pushing viruses and trojans because the bad guys pay more money than legitimate sponsors.

In short... if you want to surf porn safely, either pay for it as you pay for other services or go to the well known big tubes that are usually clean sites... and use an antivirus.

[zenga]

It's a contradiction in terminis when people that use windows as their operating system talk about taking security measures. Moving away from windows is the best security upgrade you can make.

I don't frequent porn sites or any non-safe site.

My "visit" list includes

...
wow forums
shoryuken
deviantart
warcraftmovies
elitist jerks
arenajunkies
mmo-champion
...

I don't think i need an authenticator. I will eventually get one though. My password includes letters, numbers, ascii characters and is the max character length. It would take most brute-force years to get in.

MMO champ got hacked just a couple of weeks ago. Basically a virus searches for FTP logins on ones computer, then edits web files on the ftp server with javascript, and whenever that file (ie. website) is being accessed, the javascript tries to run an applet that installs the virus on the machine of the visitor. And besides reproducing itself such a virus could install other nasty stuff as well.

Same story with the flash exploit where 'legit' sites that run flash based ads have infected users beyond their knowledge.

My point being: trusting the website owners might give you a false 'im safe' feeling. There are other things you can do on your side to minimize troubles (disable java applets, flash, ...)

[Souca]

Another thing to keep in mind, while they can log in with your auth code if they do a man in the middle attack, they can NOT remove your auth without having physical access it to read the serial number printed on the back of it. While they do get one log in with this method, once you request the password be reset (even if they have changed it), they no longer have access until they steal your code in real-time again.

This pattern will set off alarms very quickly and the account will get locked. It's all a matter of degrees of safety. Without an auth, they will get your account, put an auth on it, and then YOU MUST PROVE IT IS YOUR ACCOUNT while they ransack it. With an auth, they mere get your login session, not your account. When you call in, if you can give the phone techs an authenticator code, things go much quicker.

In summary, having an auth makes the hacker's job so much harder and your job of recovery that much easier. Add up the time you will spend getting everything back after a hack and divide it by 10 seconds; that's how many logins you have to make between hacks for it to be quicker to not have an auth in the long run. It took about a week to get everything back on my one hacked account, and that was fast.

Go here and save yourself a week or more.

- Souca -

[heyaz]

I'm amazed there are still people who play without authenticators.

some of us don't want that hassle for a technology that is still defeated by keyloggers

[MiRai]

I don't got an authenticator and it's been proven several times that people with authenticators get hacked just as hard. There are just fewer people with them then without, so it's a smaller percentage.

As posted earlier in this thread...please back this statement up with some real proof please.

some of us don't want that hassle for a technology that is still defeated by keyloggers

It is called a Man in the Middle Attack. It's not some simple keylogger. If you would've had an authenticator on your accounts you may have not been hacked in the first place.