Knights of Other Realms
Author Topic: Blizzard upgrades account security!  (Read 2225 times)
Jaxartes
« on: June 27, 2008, 07:14:01 AM »

"Coming soon" from Blizzard, an account verification device:

http://us.blizzard.com/support/article.xml?articleId=24660&rhtml=true

It appears to be a USB dongle-type device, which they will be selling for $6.95.  It will work across multiple accounts.

Given the incredible rash of PEOPLE I ACTUALLY KNOW what have had their accounts pillaged in the past year, I think I might bite on this one.

chemten
« Reply #1 on: June 27, 2008, 08:21:19 AM »

easy way for them to make more money. 

"hey guyz, we needz to gets the more monies.  how can we do eet?"

"i know! we can offur deez 'securitees' that peeple will think they are more securez from dem haxers"

"great ideaz everyonez"

"$$$"

the official "i want to steal your phat lewts" fan club member
stealing your epics since 2004.

Jaxartes
« Reply #2 on: June 27, 2008, 09:05:05 AM »

easy way for them to make more money. 

"hey guyz, we needz to gets the more monies.  how can we do eet?"

"i know! we can offur deez 'securitees' that peeple will think they are more securez from dem haxers"

"great ideaz everyonez"

"$$$"

Nice feedback with no actual meaningful or accurate content.   I'm sure our guildies what have been hacked in the past year found it hi-larry-us.

The article indicates that the device will be registered with Blizzard.  The account will be "chained" to that particular verification.  It'll suck if you lose the widget, but otherwise should be relatively crack-resistant.  Any actual thoughts on this?  I'm not an expert on this stuff, but a client of mine used to use similar devices to protect employees with remote computers.  They seemed pretty happy with the results.  Does anyone else have experience with devices like these?

Jaxartes
« Reply #3 on: June 27, 2008, 12:18:29 PM »

I saw a picture of the device.  It's one of those code boxes where you have to enter the ID that is showing when you log in.  The ID changes about every minute, and has the next 4-5 years of codes already stored.  It never plugs into your computer, so can't be hacked.  They are supposed to be pretty ironclad.

Nyteflower
« Reply #4 on: June 27, 2008, 12:30:56 PM »

Here's the thousand-dollar question...

Will Bliz make a new policy that you have to have had one of these things if you want your account restored after a hax?

Or will Bliz say: "nope, sorry we can't restore your account, you didn't provide the most secure connection, therefore, it's your fault you got hacked".

chemten
« Reply #5 on: June 27, 2008, 01:03:20 PM »

Nice feedback with no actual meaningful or accurate content.   I'm sure our guildies what have been hacked in the past year found it hi-larry-us.

The article indicates that the device will be registered with Blizzard.  The account will be "chained" to that particular verification.  It'll suck if you lose the widget, but otherwise should be relatively crack-resistant.  Any actual thoughts on this?  I'm not an expert on this stuff, but a client of mine used to use similar devices to protect employees with remote computers.  They seemed pretty happy with the results.  Does anyone else have experience with devices like these?

oh get off it.  if someone gets their stuff stolen, yeah, it sucks.  but i'm sorry, it's their fault.  don't give your stuff out.  don't make it easy to guess.  don't download random stuff. etc.  the fact is if an account is stolen, they did something to allow it to happen.


nyte brings up a few good points.  look for hidden changes in the next patch to the EULA when the dongle hits the market.  that would not be very helpful to the customer if they did require one to have the security dongle in order to get a character restore.

my question about it would be, how often does the 6-digit code change, i.e. are you required to press the button for a new code every login.  if so, then you have limited logins per device since it's only a 6-digit code.  and that's of course assuming that all number combinations can be used in the first place.   from the faq on the blizzard support site, this seems to be the case since it says each code is only valid once.

we use a usb-dongle device for vpn that seems like a good solution for security.  you have to setup a code yourself to the device and have the device itself to login.  something similar would be cool for WoW as a solution since it's secure in a corporate environment.

is that sufficient feedback for the paranoid kiddies?

Grynni
« Reply #6 on: June 27, 2008, 04:51:48 PM »

From the description it sounds like a known sequence stored (or generated based on serial number) in the device but even if the generator is hacked I think it would be tough for someone to guess your "serial no" to know your sequence so it should provide decent 2-factor authentication (something you know like user name/password and something you have). 

Given that we have 4 accounts my questions would be along the lines of could we tie a device to multiple accounts and can an account have multiple devices attached to it. 

Just as a reminder should you end up with one of these, I would suggest not writing your account name on the device but use a code of some type to distinguish one from another if you have multiple accounts and end up having multiple devices - I know, obvious, but I've seen worse.

edit: whoops, looks like I'm logged in as Grynni - makes sense since I'm sitting at her laptop - so much for security

Ahmaj.
« Last Edit: June 27, 2008, 04:53:31 PM by Grynni »

Aniral
« Reply #7 on: June 27, 2008, 09:15:53 PM »

It sounds like the tokens I've seen used for VPN logins. You enter the number currently showing on the device, which is generated somehow, and provides you with an additional authentication mechanism. I'm given to understand they work fairly well, so if you're concerned about losing your stuff, I'd get one. It really doesn't cost much, and if you worry about getting haxxorzed, the peace of mind is probably worth it.

Nalen
« Reply #8 on: June 28, 2008, 05:34:12 AM »

Right on, Ani.. I work in this realm in the real world.  It sounds identical to a Secure ID FOB.  If it is that then yes log ins would be more secure unless you gave out your pin for it.

Xakopane
« Reply #9 on: June 29, 2008, 08:39:22 AM »

SAIC used a SecureID FOB for some time to enable VPN access. Easy to use as part of a three-part identification system (username/password and PIN). We recently went to a smartcard system, much like what the USG uses for their employees. I applaud Blizzard's move to provide users with greater security options. Despite what some people may say in attempts to troll, even an experienced user can be hacked.

Xak

Mukaka
« Reply #10 on: July 01, 2008, 08:31:39 AM »

"each number can only be used once" can be misunderstood... It very likely doesn't mean that it can only generate a million unique numbers (based on 6 digits) before it runs out. It very likely does mean that once you use the displayed/generated number to login, someone who "sniffed" or "key-logged" the number you typed, would not be able to re-use the same number. That's how most one-time-passcode generators like SecureID work. In reality, these passcode generators will repeat specific passcodes at various times in their lifetime.

The security of the device is fairly strong especially if you have to type a pin code in addition to the 6 digit generated code. So if you're logging in at an internet cafe for example, someone couldn't just look over at your code generator and use the number... first apparently they'd have to press the button on it to show the current number, and second they'd need to know your PIN as well (a number you choose, just like for your ATM card).

It is still possible to defeat all this security. For example, if there was a key logger trojan infesting your computer, it could intercept all the login data including the one-time-passcode on the way to the Blizzard login server, diverting the login data through to the cracker's WoW client. The real user would get login failed messages while the evil cracker invades their account. This is still a little tricky since the trojan must use the login info within a minute (or whatever each passcode's expiration time is).

But yes, overall this type of security basically "makes passwords stronger". Plus anyone who is using the code generator cannot easily share their accounts with remote friends. Each time you want to login to your friend's account, you will have to call them and ask them to read off the digits on their passcode generator. So if Blizzard wanted to make remote account sharing more annoying, then it would be a logical move to require the use of the device if you ever need to have a character backup restored.
« Last Edit: July 01, 2008, 08:37:37 AM by Mukaka »

Frosh
« Reply #11 on: July 01, 2008, 09:27:47 AM »

Plus anyone who is using the code generator cannot easily share their accounts with remote friends. Each time you want to login to your friend's account, you will have to call them and ask them to read off the digits on their passcode generator.

This is the single biggest increase in security, imo.

Jaxartes
« Reply #12 on: July 01, 2008, 11:57:44 AM »

Do you know if you'd need a separate fob for each account?  Like, could my fiance (soon wife) and myself share a fob?  Or could I use it for my own second account?

Helwin
« Reply #13 on: July 01, 2008, 12:09:53 PM »

Do you know if you'd need a separate fob for each account?  Like, could my fiance (soon wife) and myself share a fob?  Or could I use it for my own second account?

Good reads are

http://forums.worldofwarcraft.com/thread.html?topicId=7475665605&sid=1

http://us.blizzard.com/support/article.xml?articleId=24660

"I do this for Aiur"

Frosh
« Reply #14 on: July 01, 2008, 12:57:02 PM »

I think it was the SecureID version that would store the next N passcodes.  The idea was that if you accidentally clicked the SecureID, you wouldn't be screwed.  I wonder what N is for this little gadget, and how many friends are going to play the cruel joke of hitting the clicker > n times and forcing the poor kid to call Blizzard. . .

I especially see this popular amongst teenage siblings.  (Chaulmers would CERTAINLY boof Shiz in this. . .)