Tuesday, May 22, 2012

Blizzard Confirms a Rise in Diablo 3 Hacks

Diablo 3 account compromises are currently happening and there are a string of accusations kicking around from the victims of these attacks.  Fingers are being pointed at Blizzard and at each other.

The vast majority of these incidents, in fact close to 100%, are occurring where the victim not having an authenticator attached to their battle.net account.

Blizzard has published a lengthy statement on the issue and have confirmed that they are seeing an increase in account compromises:

LYLIRRA: We'd like to take a moment to address the recent reports that suggested that Battle.net® and Diablo® III may have been compromised. Historically, the release of a new game -- such as a World of Warcraft® expansion -- will result in an increase in reports of individual account compromises, and that's exactly what we're seeing now with Diablo III. 

While they don't explicitly say that they have not had their own systems compromised, they go on to say that their authenticator is the best form of defense against these attacks and that everyone should go and pick up either the hardware token or one of the (free) mobile authenticator apps.

While I can't comment on Blizzard's internal security status, I can certainly comment on the value of the authenticator. For those that may be new to the concept of authenticators, let me take a quick moment to explain how they work.

The authenticator is a device (either a hardware token or a mobile application) that has a built-in clock and algorithm that generates codes every 30 seconds. These codes are in a unique sequence that is tied to a "seed" that is contained in the device/application.  This seed is paired to the serial number of the device.   When you attach it to your battle.net account, you tell battle.net what the device's serial number is and the battle.net server can then derive your unique "seed" and generate it's own stream of codes that should match yours.

When you login to battle.net via Diablo 3 or WoW you will need to grab your authenticator/mobile app, generate the code and enter it in. Meanwhile the battle.net server is doing the same code generation on its end to validate your code.

This adds an extra layer of security by requiring you to be in physical possession of the authenticator - in the security world we call this 2 factor authentication and the authenticator becomes "something that you have".  (You are also required to enter your battle.net password - we call this "something that you know")

In asking for a code, the authenticator virtually eliminates the effectiveness of a dictionary attack on your password.  Additionally, with its rolling number sequence, the authenticator also drastically limits the opportunity to brute-force the authenticator code itself. Phishing attacks become useless unless they capture the authenticator code as well - and even if they do - they have a very limited time in which to use it before it expires.

I have worked with around 30-40 people that have had their battle.net accounts hacked over the years and all of them had no authenticator.  I am yet to find someone that has been hacked when they have had an authenticator attached to their account.  Now, I am not saying that it can't happen - it can - but I would estimate that having an authenticator will improve your security and reduce your chance of getting hacked by a factor of 50 to 100.  It is not 100% safe - no security mechanism is - but it will add a very solid security layer to your gaming account.

Here are my ten simple steps you can do to reduce the chance of your battle.net account being compromised:

  1. Don't share your game password with anyone and pick a password that is not easily guessed 
  2. Don't use the same password for subscribing to fan sites 
  3. Keep your operating system, browser and other software fully patched - start with Windows Update 
  4. Run a reputable antivirus product, preferably a full internet security suite with a firewall and keystroke encryption 
  5. Don't click on email attachments, especially when you don't know the sender 
  6. Don't download and run executable files from web pages 
  7. Don't enter your game password into any web site other than the official game sites 
  8. Don't enter your game password to a legitimate Blizzard web site from a PC that may be compromised 
  9. Be very suspicious if an addon requires some form of install package to be run 
  10. Invest in a Blizzard authenticator or install the Battlenet authenticator application on your phone
Follow these steps to help protect your most valuable asset - your gaming account.  There are a lot of bad people out there trying to get into your account so make it hard for them and don't become a statistic.

No comments:

Post a Comment