authenticator change

[Bobby79]

Ok so a couple of days ago i was only asked for an authenticator code for my main and not for my slave accounts, so i searched and found they had made some changes to the system so now if you log in on the same pc all the time it wont ask you all the time for an auth code which is great because i never liked having to wait for 5 different codes to log in

[RavingNoah]

I hear what you're sayin'. Me, myself...apart from what Tim has said is an ability for someone who wants bad enough to circumvent the authenticator's protective capabilities...I would really love to be able to opt-out of Blizzard's changes to the system.

This is mostly due to my ignorance, I imagine, of how the whole system works...but it seems to me it must rely on a computer ID and an IP address or established series of addresses that certain ISP's have for their clients. But, couldn't someone just mask their real IP with yours if they acquired it? I dunno...I would still prefer the semblance of control...

Getting around security systems just seems to be a huge pain in the ass.

[Drarkan]

I don't think it works like that Raving. I think it has something to do with your computer identification the same way pwnboxer recognizes your computer as unique from other computers. I'm sure if you reinstalled windows or changed a peice of hardware you would have to do the authenticator again. This will prevent hackers from phishing your authenticator code like Tim said they would do with a keylogger and messaging system to block your input so they could do it themselves with the number you just tried with. Since the system remembers your computer as the station you use, why would you need to keep using the same authenticator.

This will reduce the hacking by 90% IMO. Since hackers would phish your pass and login info, they don't have your authenticator so they get blocked while you log in safely and your gear and gold will be protected. Its not a bad thing. I logged in my laptop, had to enter it the one time. did the same on my home desktop, did the authenticator again. Should a hacker get some of your info, they would not be able to log in unless they physically had your authenticator with them to enter the correct code which changes every minute. Now they cannot guess, or phish it from your computer, making the authenticator system bulletproof now, with kevlar cladding. They would have to copy all your unique PC info and clone that to their PC that they hack on. Alot more work to be worth the trouble to get 6$ of gold per 1k. Get a job hackers, that doesn't fcuk up people's computers!

[Tim]

The authenticator isn't related to your PC at all really, so yea, it is very easy to bypass. Unfortunately it just isn't that helpful, yet it is being marketed as a way to stop hackers (which it is not).

[Drarkan]

Yes but your argument you had before was that when you download a keylogger by visiting a link on a website for gold buying, gear, leveling services, etc..., when you next log in this keylogger will copy down your information, login, pass, and authenticator. The keylogger to bypass the authenticator that you described was that it would give you an error at which point the code is sent to the system used to hack.

That code that is valid for 60 seconds (it isn't 5 mins as you previously stated, I tested it and it wouldn't work after 60 seconds) at which point to a hacking bot its plenty of time to copy that information into their own hacked wow client which then proceeds to farm your account cleaning all bags, gear, gold, etc... and sending it to various wow accounts to bypass any tracing which then gets sent to susan, and gold sellers alike.

However, the new system doesn't require you to enter your authenticator each time now, as it remembers your computer as a unique system as being a safe workstation, as the hacker would then need to come break into your house and log in that way to hack you. Not going to happen, unless you are stupid enough to give the hackers your address and they happen to be in the neighborhood and break into your house as you are at work, or away on vacation.

Since you don't need the code to log in each time, and the method you stated Tim that hackers use to bypass the authenticator, is now thwarted since they can't log in without your authenticator code, but the wow client on your home computer you have already marked as safe, can. So they don't get your code, they get the authenticator prompt, while you log in safely. They get stopped and frustrated they can't screw you over.

They changed the system Tim, the old method will not work, they will need to get smarter now and figure out a way around that, needing to steal your computer I imagine would be the way.

May I say again... I HAVE NEVER BEEN HACKED! AND I USE AN AUTHENTICATOR!

[Tim]

The code is actually valid for 10 minutes. The authenticator only shows you it for 60 seconds.

However, the systems these gold farmers use is automated. I imagine it probably only takes a handful of seconds for them to log into your account, teleport hack your character to a vendor, sell all your loot, trade window the gold, etc. You get the picture.

Also, you don't have to visit a gold farming site to get infected. There are plenty reports of people being infected from Wowhead, Curse, etc., of which I've explained many times.

You did bring up a new point. You mentioned a "new system" that doesn't require you to enter your authenticator. I have no idea what this new system is, however, I already know it is flawed. The reason simply is due to the security model. ANY security model in PC computing that uses the "What I have" model which utilizes the computer as the supplier of the "What I have" is flawed. The reason is simple: A compromised host provides unlimited opportunity for the compromise to duplicate the "What I have" form of authentication. This means that, inherently, this layer of security has a gaping flaw. I imagine that it would only take a handful of hours for a person skilled in information security to work with a developer to bypass this new method.

I'm glad you haven't been hacked yet, hell yea. However, security through obscurity is in fact no security at all

[Drarkan]

Posted June 16th 2011 on the Battle.net forums

Battle.net Authenticator Changes - Forums - World of Warcraft

And if you read my whole post I explain what the "New System" is.

[Drarkan]

Oh and no its not valid for 10 mins, like I said, I have tested it... I wrote down the code, waited for 3 mins, it wouldn't work. I waited for 2 mins, didn't work. You may be thinking of an old system when it first came out. You should update your information as there have been many changes.

[Tim]

The time the authenticator code is valid for really doesn't matter though, even if it was only valid for 5 seconds, that would be enough time.

I just read the authenticator change. Sure enough, that will only take a couple hours of coding max to sidetrack. In fact, the coding is already done and present in one of the most prevalent trojans around - botnets, it just needs to be adapted to cause the infected Host to be the tunnel (botnet) endpoint for a remote WoW login to be launched.

It probably has been created already anyway. It is just a matter of time before all the infection entry points (eg, banners) to be retooled for the change. If a company was making cash off these compromised accounts, I imagine that it would only take a few days for that retooling to happen, at a cost of probably just a couple hundred dollars.

[RavingNoah]

So...do I drop the seven bucks for the condoms, or not? Or, do I just leave this chick in the taxi...

...just sayin'.