On Security
July 24, 2008 on 9:47 am | In Misc |
So, a while ago Blizzard came out with their Authenticators, a two-part token authentication system. Super cool. We have had a number of guildies hacked in the past, as I’m sure most of you have seen. So, Cay and I got one, as did a large proportion of our guild. And when they finally came in, we hooked them up and breathed a sigh of relief. This made hacking our accounts much less likely.
Unfortunately, it’s apparently only “less likely,” not “impossible.”
This morning, one of our holy paladins (who bought the authenticator and tied it to her account) tried to log in. She got an invalid password a number of times, so she went through account management to reset her password. She logged in again, and the character selection screen popped up.
Did you spot the problem?
That’s right, it went straight to the character selection screen - without requesting her authentication code. When she logged her character on, she was in Stormwind, in her PvP gear, with no gold and no PvE gear.
So, the fact is that this hacker somehow managed to get the security token removed from her account. Now, this isn’t something that could be done with a keylogger - the token information is all kept in Blizzard’s system. And from what I understand, you’re not supposed to be able to remove a token from the account without at LEAST speaking personally to customer support. There is no “remove token” option in your account management page, so even if Blizz’s WEBSITE was somehow hacked to allow someone to bypass the need for a token to get into account management, the hacker still shouldn’t be able to remove the token from the account.
This raises two distinct possibilities.
The less likely of the two is that Blizzard’s account servers/authentication servers have been hacked directly. Why do I think this is less likely? Because it would mean that some hacker, somewhere, has access to EVERY World of Warcraft account in the US at least. I can’t imagine a security hole that big; or at least, I can’t imagine one that wouldn’t quickly become public (the existence, if not the details, of the exploit that let it happen) as account after account got hacked.
The more likely of the two is that Blizzard’s policy on how to handle the tokens has gaps in it. Whether someone at Blizzard removed the token in response to an email request, or the hacker actually had the gonads to phone them up and somehow social-engineered his way into getting the token removed from the account, this is the most likely scenario.
Either way, it doesn’t make me all warm and fuzzy about my account’s security. I hate to say it, but I’d RATHER it be the second possibility; at least then it’s a stupid person, rather than a gaping security flaw. But either way, it is inexcusable. Even if our friend was infected with every keylogger known to man, those keyloggers can’t crack the token. That has to be done by Blizzard, or someone with access to their systems.
Actually, that opens up another possibility I hadn’t thought of until now. It could be a Blizzard employee doing the hacking.
So what about it, Blizz? How did this happen? How was the system compromised? Because in this case, you can’t point to the customer. The fault ultimately lies, incontrovertibly, with you and your system. Whether it is your computer system or your customer support agents remains to be seen.
Believe me, I’ll be asking this on the official forums when I can post there.
As soon as I get home. To my security key. :/
Update 1: The player in question has spoken to a GM. They’ve started the standard retrieval process, but the GM was unable to say how, when, or why the token was removed from the account.
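The gap the post describes is that the second factor could be removed without the device and without a record a GM could later read. As an added illustration (not Blizzard’s code or anything from this post), here is a small Python model of an account service that keeps the authenticator attached across a password reset, rejects replayed one-time codes, only detaches the factor on proof of possession or a fully verified support ticket, and logs every change so the “how, when and why” question has an answer. The names `totp_code`, `Account`, `flag_takeover` and the ticket fields are assumptions made for this example.

```python
import hashlib, hmac, struct, time
from dataclasses import dataclass, field

def totp_code(secret: bytes, step: int) -> str:
    """6-digit HOTP/TOTP-style code for one time step (RFC 4226 dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    return "%06d" % ((struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 1_000_000)

@dataclass
class Account:
    password: str
    secret: "bytes | None" = None            # None means no authenticator attached
    used_steps: set = field(default_factory=set)
    audit: list = field(default_factory=list)  # records how, when and by whom every change happened
    def _log(self, event, actor, how):
        self.audit.append({"event": event, "actor": actor, "how": how, "when": time.time()})
    def _code_ok(self, code, step):           # valid for this step and never accepted before
        return (self.secret is not None and code is not None and step is not None
                and step not in self.used_steps and code == totp_code(self.secret, step))
    def login(self, password, code=None, step=None):
        if password != self.password:
            return False
        if self.secret is not None:            # a password reset never clears the factor
            if not self._code_ok(code, step):
                self._log("login_denied", "user", "missing, wrong or replayed code")
                return False
            self.used_steps.add(step)          # one-time use: a captured code cannot be replayed
        self._log("login_ok", "user", "password+code" if self.secret else "password only")
        return True
    def reset_password(self, new_password):
        self.password = new_password
        self._log("password_reset", "user", "account management")
    def detach(self, actor, code=None, step=None, ticket=None):
        # Removal needs the device itself or a support ticket whose identity checks all passed.
        if self._code_ok(code, step):
            self._log("factor_removed", actor, "proved possession of the device")
        elif ticket and ticket.get("verified_by") and ticket.get("cd_key_ok"):
            self._log("factor_removed", actor, f"ticket {ticket['id']} verified by {ticket['verified_by']}")
        else:
            self._log("detach_denied", actor, "no code and no fully verified ticket")
            return False
        self.secret = None
        return True

def flag_takeover(acct, window=86400):
    """Detection: a password reset or login within `window` seconds after a factor removal."""
    removed = [e["when"] for e in acct.audit if e["event"] == "factor_removed"]
    return any(e["event"] in ("password_reset", "login_ok") and 0 <= e["when"] - r <= window
               for r in removed for e in acct.audit)
```

With this model the sequence in the post (password reset, then a login that skips the code) is impossible unless a `factor_removed` entry exists, and that entry names who removed it and on what basis.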
28 Comments »
Copyright 2008 by Stephi and Jason Place.
Having recently gone through the process of getting rid of a security token myself (kids “cleaned” it) I can tell you what I needed to remove it.
login
secret question answer
billing address
email address
my full name
the original cd key
apparently you can remove without the original key using the registered email and going back and forth that way, but it takes longer and would leave a trail.
more on what happened when I did it HERE
sorry to hear it went down the way it did, please post more on what you find.
Comment by Dechion — July 24, 2008 #
Please make sure you update the RSS with any additional information you find out about this. This has the potential to greatly undermine the reliability of the tokens and could possibly lead to an unwarranted sense of security for those that have it.
Comment by Zeus — July 24, 2008 #
I will definitely keep people posted as we find out more. Honestly, that’s the main reason I posted something - I want as many people as possible asking questions about this, so it doesn’t get swept under the rug, so to speak.
Mini-update: The player in question has spoken to a GM. They’ve started the standard retrieval process, but the GM was unable to say how, when, or why the token was removed from the account.
Comment by Fiordhraoi — July 24, 2008 #
AC has had an alarming number of people hacked recently. Is there a common link that you can assemble between all of these different people? forums, websites, etc.
I know I use the same password for a lot of different stuff, and I wonder if the hackers are getting information and reusing it?
Comment by Mangaras — July 24, 2008 #
I’d say AC is getting targeted because they are…famous.
It is well known that they are progressing well and have many epic geared characters. From an enemy &^%%$# bastard that needs to die right f-ing now point of view, why look around when there is a target right there.
For an additional malicious stab, AC because they have so many bloggers, always posts about the attacks on their players. I’m betting whoever it is doing the attacks knows this and sees it as a mark of fame.
Comment by Stupid Mage — July 24, 2008 #
Authenticator fails, removed from account without user’s permission…
Filed under: Analysis / Opinion , Blizzard , Forums , Account Security Think a Blizzard Authenticator…
Trackback by WOW Insider — July 24, 2008 #
We’ve considered that - our forums run exactly 2 javascript instances which I have put in there myself (one to call WoWhead’s script, and then WoWhead’s script itself). Both of those scripts are clean. There is no activeX or anything like that anywhere. There’s no real common website or anything like that otherwise. Theoretically, the best I can guess is that maybe, somehow, someone has read access to our SQL database and can parse out usernames/passwords. But I know at least 3 of the people who’ve been hacked in our guild specifically DIDN’T have their username/password the same on the forums as on WOW.
Comment by Fiordhraoi — July 24, 2008 #
I’m curious as to how she was able to reset her password online, because isn’t the account management password the same as the game login password?
if one is changed, doesn’t that affect the other?
Comment by BigB — July 24, 2008 #
[…] Married IRL has more analysis, including a comment that confirms all you really need to get past the Authenticator is the […]
Pingback by Authenticator fails, removed from history without user’s permission | Warcraft-News.com — July 24, 2008 #
Another possibility is a Man-in-the-Middle attack.
This would be a person, or a sophisticated program, waiting until she tries to logon, and grabbing the code/token as it is passed on (presumably just as she was logging on), then immediately passing it on to log on itself, before that token expires.
It’s a much harder exploit to pull than the simple key-logger fire and forget thing, but the potential was realized by anyone with a background in computer security since the authenticator was released (it’s mentioned in the BBB comments to the post where he announced it).
I don’t think that’s what happened in this case, since the authenticator step was actively removed. My guess is a social engineering attack, possibly using an actual phone call, though an insider attack is another good guess.
Comment by FNORD — July 24, 2008 #
[…] Married IRL has more analysis, including a comment that confirms all you really need to get past the Authenticator is the […]
Pingback by Authenticator fails, removed from account without user’s permission — July 24, 2008 #
[…] Married IRL has more analysis, including a comment that confirms all you really need to get past the Authenticator is the […]
Pingback by Games All-In-One Blogs » Blog Archive » Authenticator fails, removed from account without user’s permission — July 24, 2008 #
While I agree that this is a blemish on the effectiveness of the tokens, it seems to me to be a whole other level of hack. For the hacker to know the info Dechion listed, this would be someone who knows the victim and presumably has access to their home and computer. Scary and sad and yes, Blizz is wholly in the wrong if that is what they allowed to happen.
Comment by Triage — July 24, 2008 #
@FNORD -
Ordinarily I would agree with you, but because the user has no direct access to remove their own authentication key, even if they intercepted the traffic with a packet sniffer, etc, and immediately used that info to log into the account management, still they would not have been able to remove the authenticator from the account. The only ones who can are a customer service rep.
Comment by Fiordhraoi — July 24, 2008 #
I am asking that folks please refrain from blogging / posting / x-posting this until the investigation is complete. Until we know what happened there is no point in making accusations of what failed, and indeed it is far more likely that it was something on my end than Blizz’s.
Comment by Falkara — July 24, 2008 #
Kara,
I will not be cross posting this anywhere. However, since you MUST talk to a customer service rep to remove an authenticator and cannot do it from the web, there are only really three possibilities here:
1) Blizzard’s servers are hacked.
2) Someone got a hold of your CD, billing address, the answer to your secret question, etc. There is no reasonable way to obtain all this information with a keylogger/trojan/etc. The odds against it are astronomical.
3) Someone sweet-talked a Blizzard employee with some sob story or whatever, and convinced them to remove the key without your information.
If it was #2, then no, Blizz was not to blame. Any other possibility though, lays the blame squarely at Blizzard’s feet.
Comment by Fiordhraoi — July 24, 2008 #
this is ridiculous to sell these when they offer limited protection. how many times was a keylogger blamed in the past when it was really Blizz’s fault.
Comment by me — July 24, 2008 #
It should prove interesting to find out what happened. The main reason for posting as you said was to bring it to peoples attention, I think that has been accomplished quite well.
Per your request I will refrain from posting more until more is conclusively known.
Comment by Dechion — July 24, 2008 #
I don’t have an authenticator because I live in a different part of the world, but was just wondering — are you asked for an authenticator ID when logging in to your account online via the website as well? Because if they don’t…. that’s just pretty dumb. Two ways to log into your account and yet leave one of them vulnerable?
Comment by Phoenix Lawin — July 24, 2008 #
@Phoenix
Yes, to log into account management, or even just the official WOW forums, you are asked to provide the token key.
Comment by Fiordhraoi — July 25, 2008 #
There is another possibility that I don’t think I’ve seen mentioned.
Someone at Blizzard (probably a low-level employee, GM, etc.) who has access to the right information is selling accounts. I’m not saying this is what happened but it’s possible. They don’t make a lot of money.
Fiordhraoi has the other options above. The one I’ve listed and the Blizz employee making a mistake are probably the most likely/easiest to accomplish.
Comment by JdJdJd — July 25, 2008 #
@me
Yeah! Jump on the Blizzard hate train! Did it escape your attention that Blizzard didn’t “sell these when they offer limited protection”? The fault obviously lay outside the authenticator system itself. Grow up.
Comment by Pat — July 25, 2008 #
Honestly, the only way I see they could have gotten in was via Social Engineering. I’ve done Customer Service, and a lot of the time, even though it’s policy for Customers to fully identify themselves, some co-workers will just be lax/lazy and just go through with things without fully identifying the caller, and making sure they’re who they say they are. Part bad training, part bad employee.
As to the authenticators.. The only way a keylogger could have used the authenticator’s password, is if the OP & the keylogger hit enter at the same time. Once you hit enter to log in, the authenticator password used becomes disabled so you CAN’T use it again. The only way to get around this is if you had 2 computers, typed in passwords, typed in Authenticator passwords, and hit enter on both computers the same second.
Comment by Teresa — July 25, 2008 #
Don’t get me wrong, I think that the authentication system is a great idea in theory. I wouldn’t have bought one otherwise.
But for any security system to work, there has to be training and procedures to make sure that it is not subverted by the people who have control over it.
THAT is why I think this story is important. The most likely scenarios are that one way or another, a Blizzard employee was misled, tricked, or convinced to remove the authenticator from the account.
Now, if the “theory” some people are pushing (at least on WOWinsider, etc) that someone she knew managed to get into her house and get her CD key, and knew the answer to her secret question, etc, then it is understandable and the blame doesn’t lie at Blizzard’s feet. Unfortunately, being that she lives alone, the possibility of it is rather remote - no convenient “pissed off roommate,” etc.
That is why I think this situation should be investigated as quickly as possible. The odds are that Blizzard’s staff is not doing what they should be, and that needs to be remedied ASAP.
Comment by Fiordhraoi — July 25, 2008 #
[…] post hints that a keylogger may be the culprit. Further, the victim’s co-guildie posted more information about the attack. Aside from the attack itself, there is the lasting effect of the authenticator […]
Pingback by Is the Authenticator Safe? | 8 Bit Culture — July 26, 2008 #
Any follow up?
thanks
Comment by Jack — July 29, 2008 #
so what’s the latest on this? has blizzard ever admitted their responsibility in individual hacking / social engineering hacks?
Comment by me — July 30, 2008 #
I’ve activated my authenticator now….
As I see….
Authenticator is needed for both login to play AND for web account management…..
To detach the authenticator you have two methods…
If you have the authenticator and no longer want to use it…. just login in account management and detach it
otherwise, call customer support
Comment by Jack — August 4, 2008 #