As far as getting around an authenticator, it *still* requires the client to be compromised, so that the login credentials can be redirected to the hackers, and the authenticator data is used in real time.
That actually happened in WoW for a while. I think it was a DLL hooked to the exe or something.
That said, I'd suggest turning off the option so that it actually asks you to authenticate every time. I'm sure it's secure, but why risk it when it's such a minor inconvenience?
I remember when that happened, and there was a simple fix implemented. Each code is now only good once. So even if a hacker gets your code, your password and account name and uses it within the 30-45 seconds that the code is good, if you logged in with that code, they won't be able to.
Well, if your machine is compromised, Blizzard never gets *your* data. The hackers get it by redirection, then they use it to log in. But again, that's a lot of trouble to go to when there's all those no-authenticator accounts out there ripe for the picking. Still a client-side issue, though, not server-side. The connection is only as secure as the weakest part.
Bottom line, if you don't have an authenticator, you're making a mistake. Get the app for Android/iOS, or if you don't have a smartphone, get one of the physical ones from Blizz, they are dirt cheap, and it's a VERY small price to pay for peace of mind.
There's even the FREE phone-based dial-in authenticator that uses a PIN #. There's no excuse for not having one besides laziness / stubbornness.
I just read the bnet forums and it just amazes me how many people have no clue how the authenticator works. I keep reading "HE HAS AN AUTH BRO ITS BLIZZ FAULT."
First off, when you log in, Blizzard stores your IP address so that when you have the "authenticate every time" option unchecked, it won't bother you every time. I think once a week is the frequency it will require you to authenticate.
When you log in from another computer or someone tries to hack you from China, the authenticator kicks in immediately, regardless of the option you have checked. It senses a different IP and stops you from logging in unless you authenticate. I sometimes play at my PC, and then go to my laptop later at night. When I try to play on my laptop, I have to authenticate every single time, then authenticate again on my PC. That's the design of it for your protection.
Last year I tried to play WoW in Mexico while on a work trip, and Blizzard sensed a different IP and immediately locked my account and required me to go to bnet to authenticate and change my password for proof.
Blizzard just won't let these people waltz into your accounts without any protection, so I have no doubt that the people claiming they were hacked with an authenticator really did not have one.
It actually goes further than just IP address. It checks your IP address, MAC address and probably some SIDs or hardware IDs. If you so much as reformat your computer, it will think it's a new login location and ask for the authenticator again even if your IP and MAC addresses and hardware IDs are the same. So when people claim they get hacked with an authenticator because of the "don't ask every time" option, I just don't believe it, because there's so much more involved than some people realize.
I don't get why people don't just use an authenticator. A good antivirus, strong password, and solid web browser are all good ideas, but the authenticator gives 100x more protection than anything else ever will. Multi-factor authentication is the way to go.