Remove Advertisements

Anyone else not need an Authentcator this morning to log in?

Anything, including off-topic posts

Moderators: Fridmarr, Worldie, Aergis, Sabindeus, PsiVen

Re: Anyone else not need an Authentcator this morning to log

Postby halabar » Fri Jun 17, 2011 8:45 am

Sabindeus wrote:
Shathus wrote:could someone spoof your IP to make their servers think it's your logging in from your PC and the authenticator code wouldn't be needed?


Spoof? No. There's plenty of potential man in the middle attacks that can be done against simple 2 way communication, but in general the shared secret authentication that Blizz uses with the authenticator is fairly strong against that sort of thing. The usual points of failure on that would be on either end of the connection, so for example if someone has control of your PC while you log in, then you can pretty much forget it.

Basically: If your computer is compromised then you can pretty much expect that your shit is forfeit whether Blizz asks for a token or not.


A few things here....

First, it would be hard and impractical to try to spoof your IP address. However, if you are playing on an unprotected Wifi setup, or playing on a Uni or hotel or other large system with dynamic IPs, it would be a lot easier for a hacker with access to appear to be you, since the IP pool is shared.

Second, they are likely doing this to alleviate some of the load on their authentication servers, since that appears to have been an issue lately, and especially with a patch coming soon.

Third, the authenticators are not as secure as you think. Read up on RSA's recent troubles. Lockheed Martin got hacked because they trusted RSA, so now about 20 million government and defense workers in the US are gonna get new authenticators.
Amirya wrote:... because everyone needs a Catagonskin rug.

twinkfist wrote:i feel bad for the Mogu...having to deal with alcoholic bears.
User avatar
halabar
 
Posts: 9376
Joined: Fri Jun 08, 2007 8:21 am
Location: <in the guild that shall not be named>

Re: Anyone else not need an Authentcator this morning to log

Postby Teranoid » Fri Jun 17, 2011 8:56 am

I'm pretty sure after the nightmare of having to restore tons of accounts due to hacks they would have never gone through with this if they weren't completely sure it would work.

I personally like it if anything because they still haven't solved the login bug where when you switch characters you immediately get dc'd and have to punch in codes every 20 minutes :\
User avatar
Teranoid
 
Posts: 2156
Joined: Thu Jul 30, 2009 8:56 pm

Re: Anyone else not need an Authentcator this morning to log

Postby halabar » Fri Jun 17, 2011 8:58 am

Teranoid wrote:I'm pretty sure after the nightmare of having to restore tons of accounts due to hacks they would have never gone through with this if they weren't completely sure it would work.

I personally like it if anything because they still haven't solved the login bug where when you switch characters you immediately get dc'd and have to punch in codes every 20 minutes :\


That login bug seems to happen more for DKs or toons in major cities.. dunno why.
Amirya wrote:... because everyone needs a Catagonskin rug.

twinkfist wrote:i feel bad for the Mogu...having to deal with alcoholic bears.
User avatar
halabar
 
Posts: 9376
Joined: Fri Jun 08, 2007 8:21 am
Location: <in the guild that shall not be named>

Re: Anyone else not need an Authentcator this morning to log

Postby Sabindeus » Fri Jun 17, 2011 9:06 am

halabar wrote:First, it would be hard and impractical to try to spoof your IP address. However, if you are playing on an unprotected Wifi setup, or playing on a Uni or hotel or other large system with dynamic IPs, it would be a lot easier for a hacker with access to appear to be you, since the IP pool is shared.


One thing I didn't mention in my previous post is that I sincerely doubt they are basing this solely on IP address.
Image
Turn In, an NPC interaction automator - http://wow.curse.com/downloads/wow-addo ... rn-in.aspx
User avatar
Sabindeus
Moderator
 
Posts: 10472
Joined: Mon May 14, 2007 9:24 am

Re: Anyone else not need an Authentcator this morning to log

Postby Fetzie » Fri Jun 17, 2011 9:12 am

Sabindeus wrote:
halabar wrote:First, it would be hard and impractical to try to spoof your IP address. However, if you are playing on an unprotected Wifi setup, or playing on a Uni or hotel or other large system with dynamic IPs, it would be a lot easier for a hacker with access to appear to be you, since the IP pool is shared.


One thing I didn't mention in my previous post is that I sincerely doubt they are basing this solely on IP address.

The following posts were made on the BlizzardCS twitter:

#Authenticators still offer the same level of protection while making it more user-friendly; this will NOT up the chances of getting hacked.

source: http://twitter.com/#!/BlizzardCS/status ... 8242651136


Our system is not making a decision to ask for the Authenticator solely based on your IP address.

source: http://twitter.com/#!/BlizzardCS/status ... 7147727872
Fetzie | Protection Paladin | EU-Kazzak
Author of the TankSpot Protection Paladin Guide
Image
Sagara wrote:You see, you need to *spread* the bun before you insert the hot dog.

bldavis wrote:we are trying to extend it as long as we can...it just never seems to last very long
User avatar
Fetzie
 
Posts: 2180
Joined: Sat Feb 07, 2009 9:43 am
Location: Karlsruhe, Germany

Re: Anyone else not need an Authentcator this morning to log

Postby Worldie » Fri Jun 17, 2011 9:24 am

I for one quite like this change. I often swap between WoW and SC2, and using the authenticator had become more of a nuisance than something welcome. I would never remove it as I got hacked already 2 years ago and don't plan to lose everything I've done in the last 7 years to hackers.
theckhd wrote:Fuck no, we've seen what you do to guilds. Just imagine what you could do to an entire country. Just visiting the US might be enough to make the southern states try to secede again.

halabar wrote:Noo.. you don't realize the problem. Worldie was to negative guild breaking energy like Bolvar is to the Scourge. If Worldie is removed, than someone must pick up that mantle, otherwise that negative guild breaking energy will run rampant, destroying all the servers.
User avatar
Worldie
Global Mod
 
Posts: 13343
Joined: Sun Sep 02, 2007 1:49 pm
Location: Italy

Re: Anyone else not need an Authentcator this morning to log

Postby halabar » Fri Jun 17, 2011 9:33 am

Sabindeus wrote:
halabar wrote:First, it would be hard and impractical to try to spoof your IP address. However, if you are playing on an unprotected Wifi setup, or playing on a Uni or hotel or other large system with dynamic IPs, it would be a lot easier for a hacker with access to appear to be you, since the IP pool is shared.


One thing I didn't mention in my previous post is that I sincerely doubt they are basing this solely on IP address.


Certainly. Was just pointing out that that authenticators are not the magic boxes that people tend to think they are.
Amirya wrote:... because everyone needs a Catagonskin rug.

twinkfist wrote:i feel bad for the Mogu...having to deal with alcoholic bears.
User avatar
halabar
 
Posts: 9376
Joined: Fri Jun 08, 2007 8:21 am
Location: <in the guild that shall not be named>

Re: Anyone else not need an Authentcator this morning to log

Postby Holyblaze » Fri Jun 17, 2011 10:58 am

sherck wrote:Don't touch my junk!

Cheers,



haha BAM! This!
"Take what you know of the Light...when you walk in darkness." - Mom
Holyblaze
 
Posts: 735
Joined: Mon Aug 17, 2009 7:55 am
Location: Alaska

Re: Anyone else not need an Authentcator this morning to log

Postby Hrobertgar » Fri Jun 17, 2011 11:47 am

Aerron wrote:
Was having this discussion on another forum. I'll just cut and paste my comments from there over here:

If I had to guess, I'd say they're taking this "log in location" cue from RIFT, which does the same thing.

RIFT's is very specific as to where you log in from. I tried to log in to my wife's account from my computer. She normally plays on her comp which sits right next to mine, both connected to the same router. When I logged into her account, it totally locked me down.

Ask me, that's pretty specific.

Most likely it uses some way of defining the hardware as its way of defining 'location'. Whether that's as simple as MAC address, or as complex as building a hash from your CPU/motherboard/video card/etc, it would disallow what you tried.



One thing I didn't mention in my previous post is that I sincerely doubt they are basing this solely on IP address.



I normally play on my desktop so I can comfortably use my 32" LCD TV as a monitor, but I do have a laptop that only has HDMI output which causes an overscan issue. The actual point is that the two computers ahve different 'names' for my network setup. It is possible that they could use computer name as well or instead of hardware profile. But I am aware that they do actually check hardware profile currently, as I get messages sometimes that Blizz wants to collect non-user information about system hardware/OS for compatibility purposes.

Also, I frequently get the login bug switching between my alts. I only have 1 DK, abandoned on an old server, but I keep most of my toons in major cities next to a mailbox close the an AH.
Never Pug a random Troll Heroic, always wait for the guild group.

Hrobearina - 85 Healer - space goat
Hrobertgar - 85 Tank - human
Hrobernia - 85 Arcane - human
Hrobanka - 85 BM - elf
Hrobertgar
 
Posts: 704
Joined: Wed Jan 19, 2011 2:42 pm

Re: Anyone else not need an Authentcator this morning to log

Postby Shoju » Fri Jun 17, 2011 1:11 pm

I think I have an idea on what it is taking into account, as I was able to use my wife's comp and log in sans authenticator, but using another comp in the house created the need for an authenticator.


Will post more when I do a little more research.
User avatar
Shoju
 
Posts: 6349
Joined: Mon May 19, 2008 7:15 am

Re: Anyone else not need an Authentcator this morning to log

Postby Sabindeus » Fri Jun 17, 2011 2:27 pm

I gotta say, the discussion thread on the official forums for this topic just makes me mad.
Image
Turn In, an NPC interaction automator - http://wow.curse.com/downloads/wow-addo ... rn-in.aspx
User avatar
Sabindeus
Moderator
 
Posts: 10472
Joined: Mon May 14, 2007 9:24 am

Re: Anyone else not need an Authentcator this morning to log

Postby Amirya » Fri Jun 17, 2011 3:27 pm

How so?
Fetzie wrote:The Defias Brotherhood is back, and this time they are acting as racketeers in Goldshire. Anybody wishing to dance for money must now pay them protection money or be charged triple the normal amount when repairing.
Amirya
Maintankadonor
 
Posts: 3935
Joined: Tue Dec 18, 2007 2:59 am

Re: Anyone else not need an Authentcator this morning to log

Postby Sabindeus » Fri Jun 17, 2011 3:30 pm

Because almost every post is a knee-jerk reaction based on straight up wrong information, or people using their authenticators improperly.
Image
Turn In, an NPC interaction automator - http://wow.curse.com/downloads/wow-addo ... rn-in.aspx
User avatar
Sabindeus
Moderator
 
Posts: 10472
Joined: Mon May 14, 2007 9:24 am

Re: Anyone else not need an Authentcator this morning to log

Postby culhag » Fri Jun 17, 2011 3:56 pm

How do you use it "improperly" ?
User avatar
culhag
Maintankadonor
 
Posts: 1728
Joined: Wed Aug 06, 2008 7:50 am
Location: France

Re: Anyone else not need an Authentcator this morning to log

Postby Sabindeus » Fri Jun 17, 2011 4:18 pm

culhag wrote:How do you use it "improperly" ?


Here's some examples:

And if I have a child whom I share the account with, and use the authenticator to monitor their playtime?


Please, no. I don't care if it "thinks" its me, could be my sister or my brother-in-law logging into my account. Then what?

Yea, I don't think so. Just because its the same location, won't necessarily mean its the same person if there are multiple people under one roof. I'd rather have it ask me every single time to log in the game.

Freaking lazy people
Image
Turn In, an NPC interaction automator - http://wow.curse.com/downloads/wow-addo ... rn-in.aspx
User avatar
Sabindeus
Moderator
 
Posts: 10472
Joined: Mon May 14, 2007 9:24 am

PreviousNext

Return to General

Who is online

Users browsing this forum: No registered users and 1 guest

cron

Remove Advertisements

Who is online

In total there is 1 user online :: 0 registered, 0 hidden and 1 guest (based on users active over the past 5 minutes)
Most users ever online was 380 on Tue Oct 14, 2008 6:28 pm

Users browsing this forum: No registered users and 1 guest