  1. #9

    Quote: Originally Posted by Daeri
    I think I read somewhere that the dial-in authenticator was a huge fail mainly because of keyloggers that included a kind of ssh (or whatever) tunnel that allowed hackers to log in as if they were physically using the hacked computer. So if this is exact, I guess the same issue will soon be raised with this new system. I can trust them to be imaginative enough to find a way to exploit this.
    Guys, let's not kid ourselves. Having an authenticator is not 100% protection from being hacked.

    If the attacker has something installed on your PC, like a keylogger with a tunnel, the attacker can simply hijack WoW when you try to log in, while locking you out of it, and at that point it's mostly irrelevant whether or not you have an authenticator... You entered the code, they have something like 10-11 minutes to exploit it. They can wipe out everything you had on your account, and you'll stare at the screen asking why you can't log into WoW at all.

    An authenticator is NOT to protect you against a competent attacker who already has access to your compromised PC. You're already fucked if that's the case. Blizzard's software scanning (Scan.dll specifically, which runs some scans when you launch WoW) IS to help protect you against this type of attack, along with other anti-[virus/malware/spyware/etc] solutions.

    Your authenticator helps protect your account against brute force and dictionary (and harvesting, etc -- say if someone with a wow-related site expects you to use the same password on your wow account that you used on their site) types of attacks, not the man in the middle you are describing.

    With that said, brute forcing is unlikely to come from your own PC and I heartily agree with the trade-off made here. You were doing a lot of work when you log in to protect yourself from these specific attacks, when it doesn't solve the man in the middle problem. They have removed the work for YOU, and left it for the attacker it protects against.

    But I would also agree that people who want to have to enter it in should be allowed to, I guess.
    Last edited by Lax : 06-18-2011 at 01:54 PM
    Lax
    Author of ISBoxer
    Video: ISBoxer Quick Start