The Blizzard Authenticator - not 100% secure

[tekstorm]

With the current rumors going around that Blizzard is planning on shipping cataclysm with an authenticator and making it mandatory to use you may be thinking, "I don't have to worry about my account ever being hacked with my handy authenticator!"

Wrong.

Why you ask? Most scammers are adapting to the use of authenticators. These scammers would just pray that you download their keyloggers or malware and download the logs from your PC at a later time. The days of the lazy scammer are over. These individuals are now using massive botnets to infect for not only your wow accounts but your financial information as well.

How does it work? A botnet is a collection of compromised boxes that can be collectively used to launch attacks and infect even more computers. These botnets use IRC (Internet Relay Chat) to gather data from malware and keyloggers.

Here is how they get your WoW account, the hacker sits in an IRC channel let's say on undernet's network and from there his botnet has logged into the channel as well and is sending him streams of data. First he sees you log in and he gets your account name and password. He already has battle.net loaded up on another screen waiting for you to log in again. The next time you log in he steals your new authenticator code and immediately copy pastes it into battle.net.

Authenticator codes are valid for 30 seconds!! That is all the time they need to get into your wow account and change the password, plus remove your existing authenticator.

This same method can be used with banking accounts. Several banks use authenticators as well.

Don't give in to a false sense of security. Never enter your account e-mail address on a gold selling site or account trading site. Even if just for a quote! All they need is your account name and they can run a cracker to figure out the password. If not they can just use some social engineering with blizzard to get it.

Free Software tools to use:
malwarebytes
AVG anti virus
hijackthis - learn how to use this!! there is many guides available on google.

One last thing! Don't login to battle.net on a public network, like free wifi at a cafe or restaurant. SSL encryption is not that secure, I can strip ANY SSL encryption on ANY public network. In a day I can have every customers banking information or other personal information if I wanted to.

I know this is a long read but I hope this information helps you in protecting your WoW account and your personal information.

[milonix]

This all false the code only last's for 15 seconds i have one there is really no way to get i myself tried to hack my own and my brothers its not happening...

With the current rumors going around that Blizzard is planning on shipping cataclysm with an authenticator and making it mandatory to use you may be thinking, "I don't have to worry about my account ever being hacked with my handy authenticator!"

Wrong.

Why you ask? Most scammers are adapting to the use of authenticators. These scammers would just pray that you download their keyloggers or malware and download the logs from your PC at a later time. The days of the lazy scammer are over. These individuals are now using massive botnets to infect for not only your wow accounts but your financial information as well.

How does it work? A botnet is a collection of compromised boxes that can be collectively used to launch attacks and infect even more computers. These botnets use IRC (Internet Relay Chat) to gather data from malware and keyloggers.

Here is how they get your WoW account, the hacker sits in an IRC channel let's say on undernet's network and from there his botnet has logged into the channel as well and is sending him streams of data. First he sees you log in and he gets your account name and password. He already has battle.net loaded up on another screen waiting for you to log in again. The next time you log in he steals your new authenticator code and immediately copy pastes it into battle.net.

Authenticator codes are valid for 30 seconds!! That is all the time they need to get into your wow account and change the password, plus remove your existing authenticator.

This same method can be used with banking accounts. Several banks use authenticators as well.

Don't give in to a false sense of security. Never enter your account e-mail address on a gold selling site or account trading site. Even if just for a quote! All they need is your account name and they can run a cracker to figure out the password. If not they can just use some social engineering with blizzard to get it.

Free Software tools to use:
malwarebytes
AVG anti virus
hijackthis - learn how to use this!! there is many guides available on google.

One last thing! Don't login to battle.net on a public network, like free wifi at a cafe or restaurant. SSL encryption is not that secure, I can strip ANY SSL encryption on ANY public network. In a day I can have every customers banking information or other personal information if I wanted to.

I know this is a long read but I hope this information helps you in protecting your WoW account and your personal information.

[wowpew]

Authenticator codes are one-off. As soon as one is used it can't be used again. Try logging in with an incorrect password and a correct authenticator code, and then login with the correct password and the same authenticator code. It won't work because the authenticator code has been used once.

Basically the hacker would have to not only eavesdrop on your traffic, but stop the authenticator code from reaching Blizzards servers.

[DragoHorse]

To remove an Authenticator, you need to fill in 2 Authenticator codes...

[SpaZMonKeY]

To remove an Authenticator, you need to fill in 2 Authenticator codes...

This is correct. Maybe the OP should have read my detailed post about Blizzard's Authenticators before posting: http://www.mmowned.com/forums/world-...-security.html

[machaa]

Basically the hacker would have to not only eavesdrop on your traffic, but stop the authenticator code from reaching Blizzards servers.

I'm sure if someone is that determined to hack your account that they would go to such lengths as to record what authenticator code you put in, they would be able to stop WoW.exe from accessing the internet.

[Grymsko]

As said, Authenticators are not 100% safe, but it's usually a "Man in the middle attack" Here's a thread about it.

World of Warcraft (en) Forums -> Hacked with authenticator

[4L3X]

This is a fail. Firstly, if you want to remove the authenticator, you need to enter 2 more. Additionally, it's only about 15 seconds, maybe 20 and even so that's only when it's just fresh. Sometimes you'll get your authenticator and it's half way for the new code. Also, someone can easily recover their account by asking blizzard to restore it, and proof that they had the authenticator by telling blizzard the authenticator serial number. And if they know that they got keylogged, they just phone blizzard instead. I doubt by now the hacker, however lazy they are will tap into the phone convo for a GAME account...

[AmyW]

Authenticator codes are one-off. As soon as one is used it can't be used again. Try logging in with an incorrect password and a correct authenticator code, and then login with the correct password and the same authenticator code. It won't work because the authenticator code has been used once.

Basically the hacker would have to not only eavesdrop on your traffic, but stop the authenticator code from reaching Blizzards servers.

This is incorrect.

Me and my partner have (and still are) shared one single authenticator since the start of last year. We sometimes logs in with the same code as we usually start WoW at the same time. Also I can re-use the same code if I fail to login (mistyped password). The code might however be locked to a certain IP for a few min after it's been used though allowing this IP to use the code again.

[Duplicity]

Necro posting is necro.

Anyways. Blizzard has a new authentication option: Call in authenticator.
I'm not 100% sure about how long the code works. Maybe it's the same thing. But it's much safer because you can only call with a designated number to get the code. The only possible way someone can actually remove the authenticator or anything is to hold you at gun point for a WoW account.

[AmyW]

Necro posting is necro.

Before I posted in this topic this was one of the top topics on the page. This is not a very active sub forum and most posting in here would then be considered "necro posting". So you may as well just shut this place down or nobody will be able to post anything..

[Pancrazio6689]

This is a fail. Firstly, if you want to remove the authenticator, you need to enter 2 more. Additionally, it's only about 15 seconds, maybe 20 and even so that's only when it's just fresh. Sometimes you'll get your authenticator and it's half way for the new code. Also, someone can easily recover their account by asking blizzard to restore it, and proof that they had the authenticator by telling blizzard the authenticator serial number. And if they know that they got keylogged, they just phone blizzard instead. I doubt by now the hacker, however lazy they are will tap into the phone convo for a GAME account...