*Copied and pasted the following post from here*
We interrupt your regularly scheduled blog for a Public Service Announcement. This is a post I put up on my guild forums a while back, but with the recent report of a supposed account hack to an authenticator-enabled account, I figured I’d repost here for mass consumption. In regards to the above link, I’m calling BS until I see more about it, and this post should explain why I feel that way. I’m far more likely to believe that the account was compromised by some manner of social engineering (be it a Blizzard look-alike phishing site, an irl “friend” theft, a shared account, or some other manner – any and all of which involve user error) than I am to believe that one of the most widely-considered secure systems in the world, used by banks, casinos, credit bureaus, government agencies, and high-profile data security firms has been circumvented by Chinese wow hackers to be used for in-game gold theft rather than, say, nearly any other possible use of such technology/cracking ability. I just don’t buy it. Read on, and be informed.
How the Blizzard Authenticator works, and why it improves security.
The Blizzard Authenticators are once again in stock!
On 26/06/08, Blizzard announced the Blizzard Authenticator, a device that provides your WoW account with an extra layer of security. They sell this device in their Blizzard Store for $6.50. You may consider buying it, but is the extra security really worth the money? How much more secure does it make your account? This post will explain how this device works, and exactly why it makes your account more secure.
===How the authenticator works===
The Blizzard Authenticator is a token that you can put, for example, on your keychain. It has a little display that, once you press the button, will generate a 6-digit number that changes every minute.
This number is used as a 1-time password. This means the password is only valid once. When you use it to log in, the code becomes invalid and any hacker trying to access your account later with the same number won’t be able to log in.
A hacker wanting to access your account will now, in addition to keylogging your username and password, have to physically break into your house and steal the authenticator to see what number it displays. But hackers are clever people. Isn’t there any way for them to know which number the authenticator is going to display? The answer is no, and here’s why.
Every authenticator has a little built-in clock. This clock keeps track of the number of seconds since, for example the WoW release date, Tigole’s birthday or whenever. Each authenticator also has a unique key, which it uses to encrypt this number of seconds into what looks like a completely random number. There is no way, without knowing the encryption key, to guess what number is going to be displayed at any point in time. Even if the hacker has all the numbers you entered before, he can’t extrapolate that into what number will be showing next.
The hacker also can’t hack into the device itself to find out its key, because it doesn’t connect to the computer in any way. Even if the hacker were the mailman who delivered the authenticator to your house, he would have to open it up and extract the hardware that contains the key. These devices are generally tamper-resistant and will purge themselves when opened.
So, if the hacker can’t know your 1-time password, how is Blizzard going to know? The difference is, Blizzard has the key for every authenticator they made. When you log in, Blizzard looks up which authenticator is associated with your account, and finds the matching key. They then use this key to decrypt the number you entered into the number of seconds the authenticator has been counting. They then verify that this number matches the current time.
Even if the time on your authenticator doesn’t exactly match the time on Blizzard’s server, they still allow you to log in within a minute or so of the expected time, just in case the clock in your authenticator is running a little slower or faster than normal. This still does not allow hackers to use the number from a minute ago, because when you log in successfully, that number is then disabled and prevented from being used again.
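The mechanism described above (a shared key, a clock, a short code derived from both, a small tolerance window for clock drift, and a rule that a code can only be used once) is easy to see in code. The following is an added example, not part of the original post and not Blizzard’s or the device vendor’s actual algorithm: it assumes the HMAC-SHA1 construction from RFC 4226/6238 as the “encryption” step, a one-minute step, a window of one step on either side, and a constructed sample key. The `Token` class plays the keyfob, `AuthServer` plays Blizzard’s login server.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the post says the displayed number changes every minute
DIGITS = 6
WINDOW = 1          # accept the step before and after the current one (clock drift)


def otp_for_counter(key: bytes, counter: int) -> str:
    """Derive a 6-digit code from the shared key and the minute counter.

    This is HMAC-SHA1 with dynamic truncation (RFC 4226 HOTP, fed the time
    step as in RFC 6238 TOTP). Assumed for illustration; the real keyfob's
    algorithm is not described by the post. Without the key, the output is
    indistinguishable from a random 6-digit number, and earlier codes give no
    help in predicting the next one.
    """
    msg = struct.pack(">Q", counter)
    mac = hmac.new(key, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


class Token:
    """The keychain device: a key and a clock, and no connection to anything."""

    def __init__(self, key: bytes, clock):
        self._key = key
        self._clock = clock  # callable returning seconds since the epoch

    def press_button(self) -> str:
        return otp_for_counter(self._key, int(self._clock()) // STEP_SECONDS)


class AuthServer:
    """The login server: holds every token's key, tolerates a little clock
    drift, and refuses to accept a code that has already been used."""

    def __init__(self, clock, window: int = WINDOW):
        self._clock = clock
        self._window = window
        self._keys = {}           # account -> token key
        self._last_counter = {}   # account -> highest time step already consumed

    def enroll(self, account: str, key: bytes) -> None:
        self._keys[account] = key
        self._last_counter[account] = -1

    def verify(self, account: str, code: str) -> bool:
        key = self._keys.get(account)
        if key is None:
            return False
        now = int(self._clock()) // STEP_SECONDS
        for counter in range(now - self._window, now + self._window + 1):
            if counter <= self._last_counter[account]:
                continue  # replay: a code for this step (or earlier) was already used
            if hmac.compare_digest(otp_for_counter(key, counter), code):
                self._last_counter[account] = counter  # burn this code
                return True
        return False


def simulate_logins() -> dict:
    """Constructed scenario: the fob's clock runs 45 s slow, so its code belongs
    to the previous minute. The first login succeeds thanks to the drift window;
    replaying the keylogged code fails; a fob that is ten minutes off is rejected."""
    key = bytes.fromhex("00112233445566778899aabbccddeeff00112233")  # sample key
    server_time = 1_000_000_000
    server = AuthServer(lambda: server_time)
    server.enroll("player", key)

    slow_fob = Token(key, lambda: server_time - 45)
    code = slow_fob.press_button()
    first_login = server.verify("player", code)
    replayed = server.verify("player", code)

    very_slow_fob = Token(key, lambda: server_time - 10 * STEP_SECONDS)
    far_off = server.verify("player", very_slow_fob.press_button())

    return {"first_login": first_login, "replay": replayed, "ten_minutes_off": far_off}


if __name__ == "__main__":
    print(simulate_logins())
```

The replay rule is implemented as “remember the highest time step already accepted”, which is the simplest way to make a successfully used number (and any older one) dead, exactly as the post describes; a keylogger that captures the six digits gets a value that is worthless a minute later and worthless immediately if the legitimate login already went through.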
If you still think someone may eventually find a way around it, this security measure is used by businesses and government agencies around the world to provide security, and they have a lot more sensitive information to guard than the login information to a WoW account. One of my good friends, who is a VIP services lead at Mohegan Sun, saw me log in once and went “wow, *I* use one of those to get into secure areas at work.” This is a tested method that has proven itself to be secure.
===Is existing security not already enough?===
While the authenticator provides an extra security layer strong enough to make your account virtually unhackable, you can already secure your computer a lot. Is the authenticator really needed?
If you’re running Firefox with NoScript, Flashblock, adblockers, 5 different virus and spyware scanners, a NAT router with its ports strictly regulated, using Linux/Mac OS X or another operating system, and other security measures I can’t think of at the moment, you are probably really secure. The danger is hackers finding a new way to enter your system that isn’t being guarded yet. Until the vulnerability is patched, or instructions to disable the exploited software are issued, you could potentially get infected with a virus or other malicious software during that short time. The more security measures you take, the lower the chance you will be vulnerable. But security is an ever-changing thing. You have to keep things up-to-date constantly in order to stay secure.
Using an authenticator is completely optional, but it does solve the problem by taking another approach. Instead of preventing keyloggers from getting onto your system, it makes you virtually immune to them. They can try, but with a login code that is always changing, logging your keystrokes won’t do them any good.
If you wish to better secure your system without buying an authenticator, instructions are given in stickies on the WoW forums, links to which are provided at the end of this post.
Then there is the issue of cost. Blizzard is offering these for $6.50, but should they? It would be a lot better if they provided them for free right? Well, I doubt Blizzard is making money on these. The manufacturing and distribution of these tokens costs them money, and $6.50 is actually pretty cheap. Market prices for these devices can be around $50.
I myself have been playing for over five years, so that’s roughly $900 this game has cost me already, and I’m not even counting the money I paid for the original game and the expansions (or my second account, or name changes, or transfers). I’m not going to mind another $6.50, especially since it provides me the peace of mind of never risking account theft. I purchased one the day I took Guild Leader, because the security and safety of my guild is far, far more important to me than $6.50 or the three seconds extra it takes me to log in every day.
As an aside, there are to date no known account hacks[1] to an authenticator-enabled account. There’s really no reason not to have one.
If you wish to learn more about this authentication technology, most of the information for this post was obtained from the Security Now podcast. All episodes are freely available for download on http://www.grc.com/securitynow.htm. Transcripts are also available. The particular episode that deals with the authenticator technology is #90: Multifactor Authentication, the part which covers some of the information above starting 20 minutes into the episode.
More information about the Blizzard Authenticator:
Support page: http://us.blizzard.com/support/article.xml?locale=en_US&articleId=24986
FAQ page: http://us.blizzard.com/support/article.xml?locale=en_US&articleId=24660
Activating your authenticator: http://us.blizzard.com/support/article.xml?locale=en_US&articleId=24987
Links for securing your system against keyloggers (no authenticator required):
Protect your PC guide: http://forums.wow-europe.com/thread.html?topicId=273198555
Avoid getting hacked: http://forums.wow-europe.com/thread.html?topicId=102690401
Account security: http://forums.wow-europe.com/thread.html?topicId=35983697
How to recover a compromised account: http://forums.wow-europe.com/thread.html?topicId=17191745
*this post shamelessly stolen/paraphrased from Ysgarth. (I’d link directly, but I honestly lost the original)
Not only does having an authenticator save you trouble, it saves your guild leader trouble. You see, every time a member gets hacked, each of their toons steals items/money/whatever they can get from the gbank. When the hacked accountholder goes through their restoration process, GMs only help with THEIR account. The gbank is considered to be an extension of the Guild Leader’s account/responsibility, and as a result, *they* have to put in a ticket, too. This makes GLs like me die the little death every time. Don’t make us pay for your negligence!
[1] Again, an unsubstantiated report arises now and then, as I mention above. Until I see an official report from Blizzard or some tech industry standard saying keyfobs aren’t as secure as we thought, I don’t buy it – the science just isn’t there. Most importantly, though, it is still important to remember that although authenticators do, to the best of our knowledge, make your account hack-proof, they do not, in fact, make them doing-dumb-stuff-proof. In order to have your authenticated account compromised, you have to fall for a phishing/fake site; you have to give your account info/keyfob/unused current number out to someone; you have to be gullible enough to do exactly what Blizzard has said to never do – NEVER GIVE OUT YOUR INFO. Never! Don’t enter your account info into a linked site, ever. Go to what you know to be the real login site, always. Don’t tell anyone your account name, your password, your keyfob serial number, anything.
I’ll repeat – never trust another player, and never trust a link. Ever.
And get an authenticator.