Lessons learned today: Buy authenticator

[Kalros]

Well, I was in the "I dont need an Authenticator" crowd until about 2 months ago. I have always been a security freak. Anti-virus, Anti-spyware, always only use Firefox and always keep it up to date, no suspicious websites, and I NEVER gave out my email address.

Yet after all this, I STILL had one of my accounts compromised. And this has been happening to alot of my friends lately as well. No unsafe practices and you still get hacked.

I have no idea how the hell they do it, but they do. I now have an authenticator tied to all 5 accounts, and though it takes a couple of extra minutes to log in, I feel so much safer with it now.

[MiRai]

I don't got an authenticator and it's been proven several times that people with authenticators get hacked just as hard. There are just fewer people with them then without, so it's a smaller percentage.

As posted earlier in this thread...please back this statement up with some real proof please.

some of us don't want that hassle for a technology that is still defeated by keyloggers

It is called a Man in the Middle Attack. It's not some simple keylogger. If you would've had an authenticator on your accounts you may have not been hacked in the first place.

[ElectronDF]

I was against an authenticator for quite a while. But now I am for it. Almost to the point, where I want to blame the people getting hacked if you don't have one. People are telling you they get hacked. People aren't complaining, "I have an authenticator and I got hacked." It has only been the people without them. I don't care about .0001% of the people that can still get hacked with an authenticator. You can't stop everything, but how much time and effort did you put into keeping your stuff? Again, how much time and effort did you put into keeping your stuff? If you put in 3% by not going to a bad website, fine. But don't complain when an add on that good website gives you a keylogger and you get hacked.

I really don't feel bad for the people that heard so many people get hacked, that then say, "I don't need an authenticator" and then get hacked themselves. It sucks that the OP got hacked and that isn't fair, but everyone else has fair warning, get an authenticator even if you are a safe person.

I don't need anti-virus, I use magic-safe-browser.
I don't need an airbag or seatbelt, I drive safe. What about the other idiots that don't.
I don't need to stop smoking or excessive drinking. There isn't 100% proof they are bad. Keep saying that to the people that do die from it.
I don't need to use a condom. I can time when to be careful. Say that to the all the surprise babies or diseases.

People are telling you over and over you need more than just being careful. If you don't listen. Don't expect any suprise on our part if you get hacked.

[zenga]

It's a contradiction in terminis when people that use windows as their operating system talk about taking security measures. Moving away from windows is the best security upgrade you can make.

I don't frequent porn sites or any non-safe site.

My "visit" list includes

...
wow forums
shoryuken
deviantart
warcraftmovies
elitist jerks
arenajunkies
mmo-champion
...

I don't think i need an authenticator. I will eventually get one though. My password includes letters, numbers, ascii characters and is the max character length. It would take most brute-force years to get in.

MMO champ got hacked just a couple of weeks ago. Basically a virus searches for FTP logins on ones computer, then edits web files on the ftp server with javascript, and whenever that file (ie. website) is being accessed, the javascript tries to run an applet that installs the virus on the machine of the visitor. And besides reproducing itself such a virus could install other nasty stuff as well.

Same story with the flash exploit where 'legit' sites that run flash based ads have infected users beyond their knowledge.

My point being: trusting the website owners might give you a false 'im safe' feeling. There are other things you can do on your side to minimize troubles (disable java applets, flash, ...)

[Souca]

Another thing to keep in mind, while they can log in with your auth code if they do a man in the middle attack, they can NOT remove your auth without having physical access it to read the serial number printed on the back of it. While they do get one log in with this method, once you request the password be reset (even if they have changed it), they no longer have access until they steal your code in real-time again.

This pattern will set off alarms very quickly and the account will get locked. It's all a matter of degrees of safety. Without an auth, they will get your account, put an auth on it, and then YOU MUST PROVE IT IS YOUR ACCOUNT while they ransack it. With an auth, they mere get your login session, not your account. When you call in, if you can give the phone techs an authenticator code, things go much quicker.

In summary, having an auth makes the hacker's job so much harder and your job of recovery that much easier. Add up the time you will spend getting everything back after a hack and divide it by 10 seconds; that's how many logins you have to make between hacks for it to be quicker to not have an auth in the long run. It took about a week to get everything back on my one hacked account, and that was fast.

Go here and save yourself a week or more.

- Souca -

[Acidburning]

I don't got an authenticator and it's been proven several times that people with authenticators get hacked just as hard. There are just fewer people with them then without, so it's a smaller percentage.

Personally i don't think you can do anything against it, but you can do stupid things to make the odds you get hacked bigger.

Even blizz posted somewhere on the wowforums that it's not hackerproof.

IIRC, its not 100% safe if you have a jailbroken iphone and using the authenticator. So, if you have jailbroken your phone, just order a reg authenticator.

Wasn't there a Trojan/ virus on some NFL playoff website that targeted WOW accounts a few years back, similar to the MMO-champs thing?

[jinkobi]

There's no reason not to have an authenticator. I bet they even throw them in with the new expansion for free in the box. Would be a smart thing for Blizz to do imho.

But for right now they're like 7$ US with free shipping and you get a free pet to boot if you care about that sort of thing. A small fee to protect your 100$'s invested and 100's of hours of time. Might take an extra minute to login but it takes a hell of a lot more time to recover a stolen account.

If you open yourself to a man in the middle attack in the first place. That person is probably not computer savy in the least and would end up hacked no matter what. Despite claims that these man in the middle attacks are going on I have yet to see one post on the Blizz Forums backing this up. Every post on the Blizz/Customer service forums of a person being hacked none had an authenticator.

I mean I've scoured the Blizz forums over with searches and see not one claim of being hacked WITH an authenticator attached.

[MiRai]

Despite claims that these man in the middle attacks are going on I have yet to see one post on the Blizz Forums backing this up. Every post on the Blizz/Customer service forums of a person being hacked none had an authenticator.

I mean I've scoured the Blizz forums over with searches and see not one claim of being hacked WITH an authenticator attached.

http://forums.wow-europe.com/thread....Id=12730404058

[heyaz]

It is called a Man in the Middle Attack. It's not some simple keylogger.

Thanks for the clarification, and the link too

[Souca]

http://forums.wow-europe.com/thread....Id=12730404058

Thanks for the link. I'm kind of sad that one of the methods I mentioned got used. I still say the authenticator is worth it having. You'll notice the OP spent a lot less time re-securing their account, so clearly they still saw a benefit in having one. Had they not had an authenticator, they'd have wasted a couple of days on the phone trying to prove to Blizzard they were the account owner. Some people do get VD from toilet seats, but I still think more people get it by not wearing a condom when they should.

- Souca -