Jun 28, 2008, 11:54 PM // 23:54
|
#21
|
Forge Runner
Join Date: Aug 2006
Location: Scotland
Guild: Type like an idiot, I'll treat you like an idiot
Profession: E/Me
|
Well this is a predicament. Pay them MORE money, or use common sense? Hm...
|
|
|
Jun 29, 2008, 12:08 AM // 00:08
|
#22
|
Frost Gate Guardian
Join Date: Oct 2006
Location: Ohio
Profession: R/
|
Yeah, this isn't anything special. This is just another scheme by Blizzard to bum even MORE money off of their endless legion of nerds.
|
|
|
Jun 29, 2008, 12:12 AM // 00:12
|
#23
|
Frost Gate Guardian
Join Date: Nov 2005
Location: UK
Profession: E/N
|
|
|
|
Jun 29, 2008, 12:21 AM // 00:21
|
#24
|
Likes naked dance offs
Join Date: Aug 2005
Guild: The Older Gamers [TOG]
|
I'd happily pay for the comfort of 2FA
|
|
|
Jun 29, 2008, 12:29 AM // 00:29
|
#25
|
Forge Runner
|
Quote:
Originally Posted by Masseur
The Blizzard Authenticator will be available at the Blizzard Store for $6.50. No release date has been announced.
|
Good idea, poor implementation. Security upgrades should be offered for free. But hey, most of the WoW community is too dumb to realise this.
|
|
|
Jun 29, 2008, 12:39 AM // 00:39
|
#26
|
Frost Gate Guardian
|
Quote:
Originally Posted by Silent Coyote
|
Um ya... except instead of a trivial key logger (using which 99.99% of all account "hacks" are made) you would have to do some real hacking involving figuring out the game's communication protocol, intercepting packets and modifying them. That's not a trivial task at all. Doing that to some silly game is just not cost effective.
|
|
|
Jun 29, 2008, 01:44 AM // 01:44
|
#27
|
Wilds Pathfinder
Join Date: Jun 2007
Location: long a
Profession: Mo/
|
Quote:
Originally Posted by Chthon
The numbers aren't truly random. It's just a pseudo-random number generator. It produces a fixed, repeating, but very long, sequence of seemingly-unrelated numbers with an even distribution across a range, with the starting point in the sequence determined by an input, often called the "seed." The seed is hardcoded into the keyfob and also known to the server. The keyfob advances to the next number in the sequence every X sec, which you have to enter before it advances again. The server runs the same pseudo-random number generator to determine which number in the sequence that seed should have produced at the time you submitted your code. If they match, you get access; if they don't, you don't.
Weaknesses:
1. You can lose or break the keyfob. Then you're SOL unless you can get support to help you.
2. Social engineers can steal accounts by tricking the support staff who deals with "I lost/broke my keyfob."
3. Cheaply made keyfobs (or keyfob batteries) may run their clock faster or slower than the server, which means it gives you the wrong code.
4. Although they are tamper resistant, the pseudo-random number generation algorithm can be extracted by (destructively) examining the keyfob hardware. With the algorithm in hand, an attacker knows the sequence of valid codes. If they can learn what your seed is or learn what your code was at a given time, then they can compute which codes will be valid when for your account. Although extracting the algorithm requires expensive hardware and numerous sacrificial keyfobs, the value of stolen WoW accounts is high enough that someone's sure to do it.
|
And in my personal opinion, it would take a lot less time for me to actually accumulate the wealth myself than learn how to do the aforementioned activities, thus reducing the likelihood I would so much as think of attempting it.
JUST ME THOUGH
|
|
|
Jun 29, 2008, 01:51 AM // 01:51
|
#28
|
~ Retired ~
Join Date: Nov 2005
Location: Copenhagen, Denmark (GMT +1)
Profession: E/
|
Quote:
Originally Posted by Carinae Dragonblood
"My husband left me for a Bone Horror!"
|
Sorry to hear that!
|
|
|
Jun 29, 2008, 06:54 AM // 06:54
|
#29
|
Ascalonian Squire
Join Date: Apr 2007
Location: California
Guild: [OAK]
Profession: E/Mo
|
I already have this for work. It's already become a corporate tool for traveling accountants and consultants.
The only problem is that it's VERY expensive to implement, and you are ****ed if you lose it.
|
|
|
Jun 29, 2008, 08:53 AM // 08:53
|
#30
|
Frost Gate Guardian
Join Date: Jul 2007
Location: England
Guild: The X Viles [TXV]
Profession: R/
|
OK, so it is not a random number generator.
From what I see the server expects the next code in the sequence, not a previous one. What happens if you accidentally activate the authenticator several times on your way home from work as it bangs against your steering column? Will the server accept any subsequent code?
|
|
|
Jun 29, 2008, 09:10 AM // 09:10
|
#31
|
Insane & Inhumane
|
Sounds neat, it might be something I'd pay for.
My mom uses this exact thing to log into her work computer, she can't get on without the key generator - that's why she gets so pissed off when she loses it.
Personally I don't see it as a scheme, but rather a good thing, some people value their accounts and possessions highly - in a sentimental and materialistic way. It is a good option for paranoid people who want to be extra sure that they won't get hacked, even if you are the most ''Secure'' person - and while common sense can prevent a lot of bad things, no one is 100% secure, so don't get your hopes too high.
And, since it isn't forced on anyone to buy it, it is all the better. I don't think they need any more money, so I doubt if anything it would be another gold mine for them.
In regards to people losing the key-generator, I am sure support would straighten that out pretty quickly, naturally there has to be good support for something like this to work out, and of course to keep rocks out of your office windows.
Oh and to add, even though everything is presumably ''hackable'' it would take a lot of effort on the hacker's side to get past this, and any hacker who is smart enough and/or capable enough to do this would not be wasting their time on stupid video game accounts, they would be going for much larger, greater bonuses such as bank accounts or other significant information.
Last edited by Brianna; Jun 29, 2008 at 09:19 AM // 09:19..
|
|
|
Jun 29, 2008, 10:10 AM // 10:10
|
#32
|
Krytan Explorer
Join Date: Apr 2005
Location: Somewhere between the Real World and Tyria ;P
Guild: The Gothic Embrace [Goth]
|
LOL! Even banks don't go to these lengths AFAIK, at least not retail banks and they are doing it for an MMO! LOL Well if gaming can make something like this widespread I'm for it. I just don't play WoW. If I did I'd probably get one for the geek factor.
|
|
|
Jun 29, 2008, 01:10 PM // 13:10
|
#33
|
Desert Nomad
Join Date: Jul 2006
Profession: W/R
|
Wow... if blizzard really cared about their players it would have been free. But no...they are going to make a killing on money from their players, ridiculous
|
|
|
Jun 29, 2008, 01:16 PM // 13:16
|
#34
|
So Serious...
Join Date: Jan 2007
Location: London
Guild: Nerfs Are [WHAK]
Profession: E/
|
An important comment, in particular to those that see this as a feature for "paranoid" people:
it's already a feature used by certain companies and a lot of big banks in Europe (you actually get a card reader in addition to seeding); security is always proportional to the risk, so Blizzard want to protect their business as banks do.
Now, we can't have a discussion on the principle or the idea of an authenticator token. Everyone'll have to wait until its implementation is tested by being released (people will try to crack it very quickly), to see whether or not it's the right way to fix security problems in WoW.
|
|
|
Jun 29, 2008, 04:07 PM // 16:07
|
#35
|
/retired
Join Date: Dec 2005
Location: On the Beach
|
Quote:
Originally Posted by Dante the Warlord
Wow... if blizzard really cared about their players it would have been free. But no...they are going to make a killing on money from their players, ridiculous
|
Yeah I bet if Anet or any other company produces a similar physical object to minimize hacking to nil they'll send it to you in a silky paper box for free?
Countering stupid trolls aside, seen similar devices used in many industries and not heard much negative about them except if you lose the actual device... then it's a phone call to customer support.
|
|
|
Jun 29, 2008, 04:12 PM // 16:12
|
#36
|
Frost Gate Guardian
|
Quote:
Originally Posted by Dante the Warlord
Wow... if blizzard really cared about their players it would have been free. But no...they are going to make a killing on money from their players, ridiculous
|
Actually the token itself probably costs more than 6.50
|
|
|
Jun 29, 2008, 04:28 PM // 16:28
|
#37
|
Jungle Guide
Join Date: May 2005
Guild: -None-
Profession: R/Me
|
Quote:
Originally Posted by Chthon
Weaknesses:
1. You can lose or break the keyfob. Then you're SOL unless you can get support to help you.
|
They'll send replacements.
Quote:
Originally Posted by Chthon
2. Social engineers can steal accounts by tricking the support staff who deals with "I lost/broke my keyfob."
|
This is Blizzard, not Walmart. They ask for photo-id, secret question to your account, your original cd-key, middle 8 digits of your credit card.
Quote:
3. Cheaply made keyfobs (or keyfob batteries) may run their clock faster or slower than the server, which means it gives you the wrong code.
4. Although they are tamper resistant, the pseudo-random number generation algorithm can be extracted by (destructively) examining the keyfob hardware. With the algorithm in hand, an attacker knows the sequence of valid codes. If they can learn what your seed is or learn what your code was at a given time, then they can compute which codes will be valid when for your account. Although extracting the algorithm requires expensive hardware and numerous sacrificial keyfobs, the value of stolen WoW accounts is high enough that someone's sure to do it.
|
Both of these points are absurd. RSA tokens are used by many high-security installations. You might as well try brute-forcing the password if you're doing this.
The token itself is extremely secure. That is not a problem. The concern should be over your computer itself. If a trojan is present in your PC, you're losing your account no matter what. The token will only prevent account theft from cyber cafes and such kiddie scripters.
|
|
|
Jun 29, 2008, 09:06 PM // 21:06
|
#38
|
Grotto Attendant
|
Quote:
Originally Posted by captain_carter
OK, so it is not a random number generator.
From what I see the server expects the next code in the sequence, not a previous one. What happens if you accidentally activate the authenticator several times on your way home from work as it bangs against your steering column? Will the server accept any subsequent code?
|
Both the keyfob and the server advance to the next code based on time, not whether the previous code has been used. So that's not a problem.
Quote:
Originally Posted by BLOODGOAT
And in my personal opinion, it would take a lot less time for me to actually accumulate the wealth myself than learn how to do the aforementioned activities, thus reducing the likelihood I would so much as think of attempting it.
JUST ME THOUGH
|
To be clear, I'm not talking about individual users like you and me. I'm talking about criminal organizations that resell what they steal as RMT. After all, there is a LOT of money to be made in RMT. (See: Source, Source, Source, Source, Source.) In fact, some say that the value-to-risk ratio of stealing WoW accounts is now better than that of stealing bank accounts.
Quote:
Originally Posted by Anarkii
Both of these points are absurd. RSA tokens are used by many high-security installations. You might as well try brute-forcing the password if you're doing this.
|
1. High-security installations pay top-dollar for their keyfobs; WoW players pay $6.50. I'd bet dollars to doughnuts (mmmmhhh doughnuts....) that a small-but-non-trivial proportion of WoW's keyfobs are going to have bad clocks/batteries.
2. Tamper-resistant hardware is not really that secure. (See: Source, Source, Source. These articles focus on compromising tamper-resistant banking smartcards, but the same attack methods apply to keyfob hardware.) The equipment for the invasive attacks is too expensive for most individuals, but organized account theft rings will almost certainly be willing to make that investment.
You have to remember: brute forcing steals one account, but extracting the algorithm that generates all valid codes gets you a significant distance towards stealing every account. Think of it as AoE damage.
Quote:
The concern should be over your computer itself. If a trojan is present in your PC, you're losing your account no matter what. The token will only prevent account theft from cyber cafes and such kiddie scripters.
|
With this, I agree. The user's computer is usually the weakest link, and these keyfobs do nothing to address that.
|
|
|
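Added example, not part of any post in this thread and not Blizzard's or any vendor's code: a server-side check for a time-stepped token of the kind discussed above, showing why repeated button presses do not desynchronise it, how a small drift window absorbs a fast or slow token clock, and why an accepted code cannot be reused. It assumes an HMAC-SHA1 generator in the style of RFC 6238 as a stand-in for the token's undisclosed algorithm; the 30-second step, 6-digit length, one-step drift window, seed, timestamp and all names are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per code: assumed, the thread only says "every X sec"
DIGITS = 6   # assumed code length


def code_at(seed: bytes, unix_time: float) -> str:
    """Code shown for the time step containing unix_time (RFC 4226 truncation)."""
    counter = int(unix_time) // STEP
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class Verifier:
    """Server side: same seed, limited clock-drift tolerance, no code reuse."""

    def __init__(self, seed: bytes, drift_steps: int = 1):
        self.seed = seed
        self.drift_steps = drift_steps
        self.last_step = -1  # highest time step already accepted

    def verify(self, submitted: str, server_time: float) -> bool:
        now = int(server_time) // STEP
        for step in range(now - self.drift_steps, now + self.drift_steps + 1):
            if step <= self.last_step:
                continue  # this step or a later one was already used
            if hmac.compare_digest(code_at(self.seed, step * STEP), submitted):
                self.last_step = step
                return True
        return False


def demo() -> dict:
    seed, t = b"constructed-demo-seed", 1_214_700_000  # constructed values
    server = Verifier(seed)
    fast_fob = code_at(seed, t + 40)  # token clock 40 s ahead of the server
    return {
        "repeat_press_same_code": code_at(seed, t + 5) == code_at(seed, t + 20),
        "fast_clock_accepted": server.verify(fast_fob, t),
        "replay_rejected": not server.verify(fast_fob, t),
        "five_min_slow_rejected": not Verifier(seed).verify(code_at(seed, t - 300), t),
    }


if __name__ == "__main__":
    print(demo())
```

Widening `drift_steps` tolerates worse token clocks at the cost of more codes being valid at any moment, which is the trade-off behind the "bad clocks/batteries" point.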
Jun 29, 2008, 09:46 PM // 21:46
|
#39
|
Frost Gate Guardian
Join Date: Jul 2007
Location: England
Guild: The X Viles [TXV]
Profession: R/
|
Quote:
Originally Posted by Chthon
Both the keyfob and the server advance to the next code based on time, not whether the previous code has been used. So that's not a problem.
|
I guess you can't take it on too many high speed flights then, let's hope technological advancement of transportation systems doesn't occur.
Good place to move this to, Off-Topic and the Absurd
Last edited by captain_carter; Jun 29, 2008 at 09:49 PM // 21:49..
|
|
|
Jun 30, 2008, 08:14 AM // 08:14
|
#40
|
The Greatest
Join Date: Feb 2006
Profession: W/
|
Quote:
Originally Posted by Darkobra
Well this is a predicament. Pay them MORE money, or let the person you have to share your account with download a trojan without you knowing, leading to your account getting hacked? Hm...
|
Fixed for people who have to share a computer. Besides, it's not like paying $6.50 for additional security is in any way a negative thing.
Quote:
Wow... if blizzard really cared about their players it would have been free. But no...they are going to make a killing on money from their players, ridiculous
|
Blizzard releasing this shows they care about their players. If they didn't, they wouldn't have made it.
It also seems that you're forgetting Blizzard is a company. Of course they're going to charge you for additional stuff, they want more money. It's $6.50. If you're playing WoW (which means you're paying a monthly fee), $6.50 is nothing.
|
|
|