Think a Blizzard Authenticator will keep your account from being hacked? Think again -- we've got our first known report of someone who was protecting their account with one of Blizzard's keys and still got their character hacked down to their undies. Someone in this forum thread apparently logged out one night and logged on the next morning to find her account stripped of everything but PvP gear, and her Authenticator no longer connected to her account.

Supposedly, to deactivate an Authenticator from an account, you need to get in touch with Billing services, and reportedly they'll then ask for a notarized statement with a picture, like a driver's license, just to remove the Authenticator. But obviously, this one was removed even without that, and we're being told that all you might need to remove the Authenticator is the answer to the user's secret question and a CD key (or even less). In other words, the fault isn't with the technology; it seems to be with the support reps on Blizzard's side of the phone line -- if they can be convinced to remove the Authenticator, the account can then be hacked.
The little keys have been selling like hotcakes since they were released -- almost everyone has figured that $6.50 was cheap for peace of mind. But while an Authenticator still does provide an extra step in security, the sad truth is that it hardly makes an account impermeable.
[Via BRK]
Update: Married IRL has more analysis, including a comment that confirms all you really need to get past the Authenticator is the user's secret question answer, usual address information, and the original CD key. If the standard for getting an Authenticator removed really is a Photo ID, it's fairly clear that Blizzard's reps aren't doing their jobs right.
Update 2: Please note that we are not at all saying for sure that Blizzard employees made the mistake here. If it's true that removing the Authenticator from an account requires a picture ID, and if it's true that the authenticator was removed from this account (without, obviously, a picture ID), then the odds are that there is a security hole in there somewhere.
The fact that they were using the Authenticator and were still hacked, however it happened, is why we've posted this here: you should have known this already, but just in case you thought using the Authenticator makes you impervious to hacking, know that it doesn't.
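The point of the post is that an account is only as secure as the weakest path into it, and a support-desk recovery flow that drops the Authenticator is exactly such a path. As an added illustration (not from the original post and not Blizzard's code; the log format, account names, channels and IP addresses are all constructed), here is a small Python model of that weakest-link rule, together with a detector for the pattern described above: a token removed through support, followed shortly by a login from an address the account has never used.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import IntEnum


class Strength(IntEnum):
    """Rough ordering of how hard each proof is for an outsider to obtain."""
    KNOWLEDGE = 1       # secret answer, address, CD key: can leak or be phished
    POSSESSION = 2      # hardware token that must be physically held
    IDENTITY_PROOF = 3  # notarized photo ID checked by a person


def effective_strength(has_token: bool, removal_requires: Strength) -> Strength:
    """An account's security is bounded by its weakest entry path: either the
    login factors themselves, or the recovery path that strips those factors."""
    login_path = Strength.POSSESSION if has_token else Strength.KNOWLEDGE
    return min(login_path, removal_requires)


@dataclass(frozen=True)
class Event:
    ts: datetime
    account: str
    kind: str    # "login", "token_removed" or "item_moved"
    detail: str  # login: source IP; token_removed: channel; item_moved: count


def parse_line(line: str) -> Event:
    """Parse one constructed log line: '<ISO timestamp> <account> <kind> <detail>'."""
    ts, account, kind, detail = line.split()
    return Event(datetime.fromisoformat(ts), account, kind, detail)


def detect_recovery_abuse(events, window=timedelta(hours=24),
                          history=timedelta(days=30)):
    """Return (account, removal time, channel, new ip) for every token removal
    that is followed within `window` by a login from an IP the account had not
    used during the preceding `history` period."""
    by_account = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_account.setdefault(e.account, []).append(e)

    alerts = []
    for account, evs in by_account.items():
        for i, removal in enumerate(evs):
            if removal.kind != "token_removed":
                continue
            known_ips = {x.detail for x in evs[:i]
                         if x.kind == "login" and removal.ts - x.ts <= history}
            for later in evs[i + 1:]:
                if later.ts - removal.ts > window:
                    break
                if later.kind == "login" and later.detail not in known_ips:
                    alerts.append((account, removal.ts, removal.detail, later.detail))
                    break
    return alerts


# Constructed sample log (not real data). shaman42 follows the pattern in the
# post: token pulled by support, then a login from a never-seen address and a
# mass item transfer the same night. warlock7 removed its own token and kept
# logging in from its usual address; druid99's next login falls outside the window.
SAMPLE_LOG = """\
2008-06-30T20:00:00 shaman42 login 203.0.113.7
2008-07-23T21:10:00 shaman42 login 203.0.113.7
2008-07-23T22:40:00 shaman42 token_removed support_phone
2008-07-23T23:05:00 shaman42 login 198.51.100.23
2008-07-23T23:20:00 shaman42 item_moved 47
2008-07-20T21:00:00 warlock7 login 192.0.2.9
2008-07-23T21:00:00 warlock7 token_removed self_service
2008-07-24T08:00:00 warlock7 login 192.0.2.9
2008-07-23T21:00:00 druid99 login 192.0.2.50
2008-07-23T22:00:00 druid99 token_removed support_phone
2008-07-25T09:00:00 druid99 login 192.0.2.50
"""


def load_sample():
    return [parse_line(line) for line in SAMPLE_LOG.splitlines() if line.strip()]


if __name__ == "__main__":
    print("token + notarized-ID removal :", effective_strength(True, Strength.IDENTITY_PROOF).name)
    print("token + secret-answer removal:", effective_strength(True, Strength.KNOWLEDGE).name)
    for account, when, channel, ip in detect_recovery_abuse(load_sample()):
        print(f"ALERT {account}: token removed via {channel} at {when}, "
              f"then login from unseen {ip}")
```

The first function makes the article's claim concrete: with a token on the account but a recovery desk that accepts a secret answer and a CD key, the effective strength collapses to the knowledge level, the same as having no token at all. The detector is the corresponding operational control: removing a second factor through a human channel is a high-risk account change, so it deserves a short watch window during which a login from an unfamiliar address should raise an alert for review.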
Reader Comments (Page 1 of 6)
7-24-2008 @ 2:06PM
Chris said...
I believe that I speak for the general WoW population when I say.......
"Yikes."
7-24-2008 @ 4:52PM
Makros said...
I really wanted you to say ... "Wow."
7-24-2008 @ 4:52PM
Makros said...
I really wanted you to say ... "Wow."
7-24-2008 @ 4:53PM
Makros said...
so bad apparently that it posted twice o.O
7-24-2008 @ 11:53PM
Michael said...
What's with this site taking up fear mongering and shoddy reporting?
The author says at the end of the post that "all you really need to get past the Authenticator is the user's secret question answer, usual address information, and the original CD key." That information is obviously not easy to come by, so like other commenters, I'm calling the author out. There's more to this story that's not being said.
Stop posting lame stuff like this, WOW Insider.
7-25-2008 @ 1:03AM
Telerion said...
Guys, it wasn't the Authenticator that failed, it was Blizzard and their support staff who made the mistake.
A chain is only as strong as its weakest link.
I'm sure Blizzard is looking into the issue and will have much more rigid requirements about removing the Authenticator from now on.
7-24-2008 @ 2:07PM
RanWitScissorz said...
Makes you wonder how they got the CD-Key, I have no idea what/where my key is.
7-24-2008 @ 2:27PM
Hank said...
It would be the key you needed to input to Blizzard to activate your account. If you don't know what it is, I suggest you contact the person who sold you your account.
7-24-2008 @ 2:31PM
RanWitScissorz said...
I know what a CD Key is and I don't care what it is... that was not my point. I was stating that some of us don't even know what our CD keys are or where they are, so how did some guy in China find out what it was?
7-24-2008 @ 2:59PM
Runstadrey said...
I don't have a CD key because I don't have a CD. I downloaded the trial version and upgraded. Now, got any more smart-assed comments, Hank?
7-24-2008 @ 3:23PM
Elder said...
Ni Hao! .. err, I mean Hello!
You have been chosen to participate in the stealing of your... err, Wrath of the Lich King Beta!
To proceed please fill out the following form...
Name
Account name
Password
to prove you are the lawful owner of this account we must confirm the following:
Your Address as listed on your account
Secret question
secret answer
Your Original CD key
Thank you for being hacked. 10 minutes after you mail this to 25 other people you will see something really cool pop up on your screen. Click it and you'll join the WOTLK Beta AND Bill Gates will send you 200 bucks!
...
What, am I no good at this?
7-24-2008 @ 4:01PM
Badger said...
Elder: I like it so far, but it lacks that really authentic *feel.* Add a few lines about herbal remedies, third-party African investors, or natural enhancement, and you'll be good.
7-24-2008 @ 2:07PM
pudds said...
The human factor - the weakest line of defense. Whenever you have a human involved, social engineering will always be an option.
7-25-2008 @ 9:11AM
wyrd said...
Human Engineering... Because there is no patch for human stupidity.
7-24-2008 @ 2:08PM
Faerun said...
I thought Blizzard kept your CD keys online in a database somewhere when you registered your game.
7-24-2008 @ 2:11PM
Lucas said...
I never owned the original game in hard copy form... I downloaded it, and then bought the physical form of BC.
And.... I have *no* idea what my CD keys are. lol
7-24-2008 @ 2:09PM
Michael said...
Why would the reps have access to CD keys? That doesn't sound right; this sounds very fishy, and you can't blame a Blizzard employee with no evidence to back it up.
7-24-2008 @ 2:26PM
Clevins said...
Agreed. There's no way a hacker off on the net somewhere just happened to get the CD keys for that specific account. And the secret question is supposed to be.. um.. SECRET.
So, sorry, but I don't believe the original complainant. Not until they can come up with a credible story for how some random person got that info. Or until they fess up that it was someone they know who had access to the key and the question/answer pair.
7-24-2008 @ 2:11PM
Jack Spicer said...
Getting their hands on your password is one thing, but how did the hackers get a hold of this user's CD Key, address information, and the answer to their personal question?
Was her computer riddled with spyware when she registered it?
Or was this an inside job? An angry spouse, partner, sibling, roommate?
7-24-2008 @ 4:09PM
Worcester said...
I'm also guessing the "hacker" is more of an "acquaintance" than the OP is letting on.
Are CD keys even stored in your online profile? I've never seen where, if they are.