Security Alert from Blizzard - New Trojan
Author Post #2326139 Mar 09, 2010 @ 11:58AM
Radiant Consul
Posts: 859
Joined: Jul 22, 09
Scary stuff if they can actually get past an Authenticator now.


Post from Blizzard Customer Service Rep. Syndri:

http://forums.worldofwarcraft.com/thread.html?topicId=23425467207&sid=1


As a part of our ongoing security awareness efforts, we wanted to share some information about a trojan we've found to be involved in a small number of recent account compromise cases. Computers infected with this type of trojan allow a third party to view account credentials as they're entered into the game during login. Due to how this particular trojan functions, both those with and without Battle.net Authenticators are vulnerable to possible compromise.

How It Works:
This type of trojan is often referred to as “Man-in-the-Middle,” and it circumvents security measures on the user’s machine by intercepting information (including account name, password, and temporary Authenticator passcode) in between the player's input and the World of Warcraft client. Once the information is intercepted, the compromised account is accessed, and often the password is changed to prevent the account owner from quickly reclaiming it. This process can take place in the short window before the temporary Authenticator passcode expires.


What to Do:
Should you feel you have been compromised, getting in touch with our Customer Support team as quickly as possible is crucial. Either use the support web form to send us an email, or contact us by phone. You can find all relevant contact information on our support website (http://us.blizzard.com/support/article/contactbilling).


Further Information:
It’s important to remember there is no "silver bullet" guaranteeing 100% protection against account compromise. The Authenticator offers players a highly valuable layer of added protection, but is not intended to replace the need for end-user computer and network security.


It's important that you educate yourself on all forms of account and computer security. You can find out more information on our recently launched account security page here: http://us.battle.net/security/
Edited by Cyntaria 6 months ago
----------------------------------------------------------------


Cyntaria - 80 Resto Druid (Herb/Alchemy - Master of Elixirs)
Cyntress - 80 NE Huntress
Author Post #2326304 Mar 09, 2010 @ 12:38PM
Radiant Arbite..
Posts: 407
Joined: Aug 07, 09
That's scary.
----------------------------------------------------------------
"I've always wanted a happy ending... Now I've learned, the hard way, that some poems don't rhyme, and some stories don't have a clear beginning, middle, and end. Life is about not knowing, having to change, taking the moment and making the best of it without knowing what's going to happen next. Delicious Ambiguity." - Gilda Radner
Author Post #2327355 Mar 09, 2010 @ 05:05PM
Dark Exemplar
Posts: 36
Joined: Sep 27, 09
I know this came from Blizzard, but it doesn't make sense. The codes you get from the authenticator are one time only codes. Once they are used you can not use the same code to log back in. So unless this trojan is actually blocking the transmission of the data to Blizzard it shouldn't matter if anyone sees it. It also means that Blizzard is not encrypting the user name/password/authenticator information, which would be insanely silly. If they were encrypting, and you save your user name in the game client, all a key capturing trojan would get is your password and an authenticator code, no user name.

Real "man in the middle" attacks do work because they rely on tricking you into putting your authenticator code directly into their fake website not into the actual game client.
Author Post #2328251 Mar 09, 2010 @ 11:35PM
Radiant Consul
Posts: 420
Joined: Jul 19, 09
Agreed Tom. I'm kinda confused by that too.

If they are intercepting the code and relaying it...it would have to be used immediately (to log onto your battle.net account and change the password). Of course...then you'd be locked out next time you tried to log in. Hrm.
----------------------------------------------------------------
-Jayd
Author Post #2328317 Mar 10, 2010 @ 12:01AM
Radiant Consul
Posts: 859
Joined: Jul 22, 09
Actually, reading that thread, that's exactly what they're doing. The trojan blocks the code from going to the authentication server and the MitM intercepts it and logs in with it in that short window of time.


----------------------------------------------------------------


Cyntaria - 80 Resto Druid (Herb/Alchemy - Master of Elixirs)
Cyntress - 80 NE Huntress
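
The question argued in the posts above, seen from the login server's side, as an added example that is not part of the thread or of any Blizzard system. It assumes a generic RFC 6238 style time-based code with a 30-second step and a verifier that accepts each code once; the secret, account name and timestamp are constructed.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds a code stays valid (assumed; the notice only says "short window")

def totp(secret: bytes, now: float, digits: int = 6) -> str:
    """RFC 6238 time-based one-time code for the time step containing `now`."""
    counter = int(now // STEP)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class LoginServer:
    """Verifier that accepts each (account, time step) at most once."""

    def __init__(self, account_secrets: dict):
        self.account_secrets = account_secrets
        self.used = set()  # (account, counter) pairs already consumed

    def login(self, account: str, code: str, now: float) -> bool:
        secret = self.account_secrets.get(account)
        if secret is None:
            return False
        counter = int(now // STEP)
        if (account, counter) in self.used:
            return False  # replay of a code the server has already seen
        if not hmac.compare_digest(code, totp(secret, now)):
            return False  # wrong or expired code
        self.used.add((account, counter))
        return True

def scenario(owner_submission_arrives: bool) -> dict:
    """Constructed timeline: the owner types a code at t0 and the same code
    is presented by someone else 5 seconds later."""
    secret = b"constructed-demo-secret"
    server = LoginServer({"player": secret})
    t0 = 1_268_150_400.0  # constructed timestamp on a step boundary
    code = totp(secret, t0)
    owner = server.login("player", code, t0) if owner_submission_arrives else None
    relayed = server.login("player", code, t0 + 5)
    late = LoginServer({"player": secret}).login("player", code, t0 + 2 * STEP)
    return {"owner": owner, "relayed": relayed, "after_expiry": late}
```

Single-use enforcement rejects the second presentation only when the owner's own submission reached the server first; if that submission never arrives, the server cannot tell the two apart inside the validity window.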
Author Post #2384225 Mar 23, 2010 @ 08:34AM
Dark Templar
Posts: 188
Joined: Oct 01, 09
#2328317 Cyntaria wrote:

Actually, reading that thread, that's exactly what they're doing. The trojan blocks the code from going to the authentication server and the MitM intercepts it and logs in with it in that short window of time.




Standard safety practices will still prevent this.

I.e., not going to completely unknown websites, especially exploit and cheat sites dealing with Blizzard, not clicking links in weird emails, not using gold seller sites.......etc.

Keeping your security up and running and current is also especially important.

As for how this beats your authenticator, once they have control of the Battle.net account page......they remove it.

Simple solution on the Blizzard end, though. Any MAJOR changes to your battle.net account requiring email confirmation from the email originally listed. No confirm in 48 hours, it reverts back to prechanged condition. The account is locked out during this period. That way people only have a 48 hour play lock, if not confirmed from the original email account earlier, and the changes don't let people run roughshod over your account in the mean time. Inconvenient, but red tape ftw.
----------------------------------------------------------------

Chaosforge : 450 Armorsmith, Mining, First Aid, Cooking, Fishing
Vilerender : 441 Enchanting, 410 Mining (Race Change to Worgan when available)
Kysma : Mage, Engineer, Miner, Evil Cute Gnome.
Keego : The Rogue So Pretty Pretty Went Out of Style.
Gravewolf : Token DK
Pharyn : Worgan Hunter to be
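
A minimal model of the confirm-or-revert idea proposed in the post above, added here as an example and not part of the thread or of any Blizzard system. The `Account` class, its field names and the token handling are assumptions; only the 48-hour window and the lock during it come from the post.

```python
import hashlib
import hmac
import secrets

HOLD_SECONDS = 48 * 3600  # confirmation window from the post

class Account:
    def __init__(self, email: str, password_hash: str):
        self.settings = {"email": email, "password_hash": password_hash}
        self.pending = None  # (proposed settings, token digest, deadline)

    def _expire(self, now: float) -> None:
        # An unconfirmed change is dropped when the window closes, so the
        # settings stay in their pre-change condition with no further action.
        if self.pending and now >= self.pending[2]:
            self.pending = None

    def request_change(self, changes: dict, now: float) -> str:
        """Stage a major change; returns the token mailed to the ORIGINAL address."""
        self._expire(now)
        if self.pending:
            raise RuntimeError("a change is already awaiting confirmation")
        token = secrets.token_urlsafe(16)
        digest = hashlib.sha256(token.encode()).hexdigest()  # store digest only
        self.pending = (dict(changes), digest, now + HOLD_SECONDS)
        return token

    def confirm(self, token: str, now: float) -> bool:
        """Apply the staged change only if the mailed token comes back in time."""
        self._expire(now)
        if not self.pending:
            return False
        proposed, digest, _ = self.pending
        supplied = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(supplied, digest):
            return False
        self.settings.update(proposed)
        self.pending = None
        return True

    def can_play(self, now: float) -> bool:
        self._expire(now)
        return self.pending is None  # locked out while a change is pending
```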
Author Post #2384738 Mar 23, 2010 @ 10:20AM
Radiant Consul
Posts: 859
Joined: Jul 22, 09
There are 3 ways to remove the authenticator from the account. One is through the WoW account management page in which you have to have the serial number for the authenticator. Two is to call Billing and provide enough info to prove you are the account owner (sq/a, etc.). And the third is to fill out a form, and provide a copy of your ID and fax it in.

In most cases of account compromise through keylogger, if they were able to get your WoW account info they've also got your email info and that is also compromised. That's why Blizzard recommends a completely unique email address used only for your wow account.
----------------------------------------------------------------


Cyntaria - 80 Resto Druid (Herb/Alchemy - Master of Elixirs)
Cyntress - 80 NE Huntress
Author Post #2385087 Mar 23, 2010 @ 11:25AM
Dark Templar
Posts: 188
Joined: Oct 01, 09
#2384738 Cyntaria wrote:

There are 3 ways to remove the authenticator from the account. One is through the WoW account management page in which you have to have the serial number for the authenticator. Two is to call Billing and provide enough info to prove you are the account owner (sq/a, etc.). And the third is to fill out a form, and provide a copy of your ID and fax it in.

In most cases of account compromise through keylogger, if they were able to get your WoW account info they've also got your email info and that is also compromised. That's why Blizzard recommends a completely unique email address used only for your wow account.



ah, so they have even more annoying red tape wink I like that.

Yeah I use a separate account for all things WoW related, just easier to sort my mail that way. I actually use that email HERE.....but I trust you guys......and know where most of you live wink
----------------------------------------------------------------

Chaosforge : 450 Armorsmith, Mining, First Aid, Cooking, Fishing
Vilerender : 441 Enchanting, 410 Mining (Race Change to Worgan when available)
Kysma : Mage, Engineer, Miner, Evil Cute Gnome.
Keego : The Rogue So Pretty Pretty Went Out of Style.
Gravewolf : Token DK
Pharyn : Worgan Hunter to be
Author Post #2385244 Mar 23, 2010 @ 11:53AM
Radiant Consul
Posts: 859
Joined: Jul 22, 09
#2385087 Chaosforge wrote:

#2384738 Cyntaria wrote:

There are 3 ways to remove the authenticator from the account. One is through the WoW account management page in which you have to have the serial number for the authenticator. Two is to call Billing and provide enough info to prove you are the account owner (sq/a, etc.). And the third is to fill out a form, and provide a copy of your ID and fax it in.

In most cases of account compromise through keylogger, if they were able to get your WoW account info they've also got your email info and that is also compromised. That's why Blizzard recommends a completely unique email address used only for your wow account.



ah, so they have even more annoying red tape wink I like that.

Yeah I use a separate account for all things WoW related, just easier to sort my mail that way. I actually use that email HERE.....but I trust you guys......and know where most of you live wink



You may trust us, but what about all those lurkers that might be visiting our forums? hehe
----------------------------------------------------------------


Cyntaria - 80 Resto Druid (Herb/Alchemy - Master of Elixirs)
Cyntress - 80 NE Huntress
Author Post #2385650 Mar 23, 2010 @ 01:21PM
Dark Templar
Posts: 188
Joined: Oct 01, 09
#2385244 Cyntaria wrote:



ah, so they have even more annoying red tape wink I like that.

Yeah I use a separate account for all things WoW related, just easier to sort my mail that way. I actually use that email HERE.....but I trust you guys......and know where most of you live wink

You may trust us, but what about all those lurkers that might be visiting our forums? hehe


THOSE people shouldn't be lurking. They should be joining in on the whacky.

Edited by Chaosforge 6 months ago
----------------------------------------------------------------

Chaosforge : 450 Armorsmith, Mining, First Aid, Cooking, Fishing
Vilerender : 441 Enchanting, 410 Mining (Race Change to Worgan when available)
Kysma : Mage, Engineer, Miner, Evil Cute Gnome.
Keego : The Rogue So Pretty Pretty Went Out of Style.
Gravewolf : Token DK
Pharyn : Worgan Hunter to be
Author Post #2387764 Mar 24, 2010 @ 12:30AM
Radiant Consul
Posts: 420
Joined: Jul 19, 09
Those people can't see into the important forums...well..that's not to say this forum isn't important...just not where we put the juicy bits
----------------------------------------------------------------
-Jayd