The Glade 4.0

To expand on this a little more, one of the problems with single-factor, "something you know" authentication is that in one form or another, the things you know are all typically stored in the same database. For passwords, generally only hashes are stored, but I'm skeptical that the answers to "security questions" are hashed rather than being stored raw in the database. Either way, hashes are usually non-issue for a competent cracker unless your passwords/answers are sufficiently complex. For many ... no, most users, this is not the case.

What's my point? If an attacker can compromise the database, they can dump the answers to your security questions just as easily as they can dump your password (hash). This is a big weakness for single-factor authentication, and one that should be of particular concern to e-commerce sites and the like, which are particularly susceptible to injection-style attacks.

I won't name names, but a couple years ago, I found an SQL injection in a sizable e-commerce site. It wasn't a huge one like, say, amazon or ebay, but big enough that most of you have at least heard of it. I was able to dump passwords, email addresses, CC numbers, the whole nine yards. Given that many of these people were likely to use the same password on the e-commerce site that they use for the email, I could have followed up by accessing thousands of email accounts, which in turn would have given me access to all kinds of things from the inside -- password resets on other sites, etc., etc. And, I should point out, I'm not even a cracker -- just a bored geek who spent 30 minutes or so reading up on SQL injection.

The moral of this story is two-fold:

1. two+ factor authentication would have shut down all of these attacks. Keeping all of your eggs in one basket is never as secure as splitting them up.
2. You shouldn't overestimate the security of 3rd-party databases, even if they have a "big name" behind them.

_________________
Sail forth! steer for the deep waters only!
Reckless, O soul, exploring, I with thee, and thou with me;
For we are bound where mariner has not yet dared to go,
And we will risk the ship, ourselves and all.

http://bash.org/?244321

Humans are the weakness in any good security system.

_________________
Once, I was a ranger
Then, I was a warlock
And a mage
And a paladin
Now, I seek to be myself

Personally, I find the dongle a million times less annoying than having my account hacked.

_________________
Les Zombis et les Loups-Garous!

I wasn't making any claim as to reliability. In the case of WoW, the second of those is almost certainly the way it was stolen. Therefore, if it isn't entered in the same way it should, at the very least, slow down hackers and phishers if only by making them expend more effort to get both passwords.



That would mean Blizzard's database was compromised and the whole game was in jeopardy. When I was talking about this, I was envisioning the security questions being stored on their end.

_________________
"Hysterical children shrieking about right-wing anything need to go sit in the corner and be quiet while the adults are talking."

Count me among the compromised.

Not sure what did it.

Using my e-mail and password for WoW (not the e-mail) on WoW sites like WoWHead, WarcraftPets?

Really don't think keylogger as I never log into WoW on Windows. I do WoW Beta on OS X and SC II on OS X only also.

What is odd is I got the e-mails and it said my account was locked almost instantly.

Then I tried to login and I could... so I was like 'What the hell... valid headers, but my password is mine and I am not locked?'

Decided to focus on other tasks... a few hours later, another password change e-mail... and then I reset and what do you know, bam...

Trinkets, emblems, and more gone. Not sure why some gear escaped the purge when others did not but c'est la vie.

We'll see what, if anything, Blizzard will do.

Of course, both wife and I now use authenticators on iOS. Stupid of me not to except sometimes I need to log her in for X and we don't work the same shift anymore.

_________________
Once, I was a ranger
Then, I was a warlock
And a mage
And a paladin
Now, I seek to be myself

Condolences,

People do suck, not all of them, but enough to make it hard to trust anyone.

_________________
The U. S. Constitution doesn't guarantee happiness, only the pursuit of it. You have to catch up with it yourself. B. Franklin

"A mind needs books like a sword needs a whetstone." -- Tyrion Lannister, A Game of Thrones

You used the same password for a internet site as your WoW account? Yeah, that could have something to do with it...

Did your password have mixed case, alpha and numeric characters and used more than 8 characters? Was it a dictionary word?

_________________
In time, this too shall pass.

Katas,

I believe you can use the same authenticator on multiple accounts? Would that help your situation?

Task,

7 characters, no upper.

Midgen: It would except during times when we are actually playing. She hasn't logged in in months.

Essentially, her account held my alt who became my main.

My account held her alt who became her main.

My old main and my mage are still with her main.

My new main and my alt with tons of heirloom is the one affected.

I am relatively numb about the whole thing.

Since we don't WoW much, I have been lax in my security stuff.

Ah well... a password changing I am going.

_________________
Once, I was a ranger
Then, I was a warlock
And a mage
And a paladin
Now, I seek to be myself

Weird, I just got an email that someone changed my battle.net account email address. I didn't even know I had a battle.net account since I haven't bought a Blizzard game since Warcraft III

_________________

If you ever played WC3 multiplayer, you had a battle.net account.

_________________
"Aaaah! Emotions are weird!" - Amdee
"... Mirrorshades prevent the forces of normalcy from realizing that one is crazed and possibly dangerous. They are the symbol of the sun-staring visionary, the biker, the rocker, the policeman, and similar outlaws." - Bruce Sterling, preface to Mirrorshades

Nope, never got into MP RTS.

_________________

Maybe if you registered it, then? Depending on how you patched, that might have done it, too.

Oh, or Diablo 1/2?

_________________
"Aaaah! Emotions are weird!" - Amdee
"... Mirrorshades prevent the forces of normalcy from realizing that one is crazed and possibly dangerous. They are the symbol of the sun-staring visionary, the biker, the rocker, the policeman, and similar outlaws." - Bruce Sterling, preface to Mirrorshades

It would have to be registering WIII. I never played D1 or D2. Oh noz... someone haxxored my 10 year old account? I don't even have any of the same credit cards or bank accounts from that long ago.

_________________

Could be phishing. Oh no your email changed, log in using this handy link to check and correct ...

Yeah, check the headers of the email and see if it's actually from blizzard or battle.net.

My old email address is still bombarded by emails from "blizzard" and "battle.net" saying that I am in the cataclysm beta, that my account has changed, that someone stole my account, and a ton of other things. 1. The headers always show the truth of the matter. 2. Blizzard doesn't use that email anymore. At this point, I find those emails quaint and humorous.

_________________
Les Zombis et les Loups-Garous!

Shel got these phishing emails today, I haven't yet. We both have authenticators and I'm very happy with them. $6.50? Trivial compared to the time and hassle it would be for me if my account got hacked. And I got an ingame pet, too.

Given how slick and polished the phishing messages I received were, I think it's safe to say it's best not to click on links you find in any email that appears to come from Blizzard. I got a "your battle.net account information has been updated" message and moused over the link it contained. The display text was a legit Blizzard address, but the link itself was not. Apart from that, the only other obvious clue that this was a scam was a single grammatical error that could easily be overlooked.

_________________
Go back to zero, take a pill, and get well ~ Lemmy Kilmister