A Bliz tech guy named Kaltonis made several very candid and informative replies to a number of player questions about all the account “hacking” we’ve seen lately, and I’d strongly recommend that everyone concerned about this issue read it. The whole thread is quoted on the click through, but here is my summary of the key points and an excerpt to draw you in.

…There’s absolutely nothing shameful about getting compromised, these companies are good at what they do. Heck, the former head of Blizzard Customer Service had his account compromised. It’s because of how devious and high-tech the gold-selling companies have gotten that we implemented the physical and mobile authenticators. We can’t physically go to everyone’s computer and make it safe, so we’ve provided a tool that does it for you.

If you have the physical or mobile authenticator (both of which major banks use and charge $30+ for) the chances of you being compromised are very, very small. I’ve personally examined the MSInfo files of nearly all of the handful of people who have truly been compromised through an authenticator, and the sheer number of backdoor programs and other malware on their systems has been mind boggling. Probably not coincidentally, these same people were also running a disturbing number of file-sharing and download programs, including ones which are commonly known to not be safe.

The “hacking” (“compromising” is probably a better word, since no real “hacking” is going on) being seen in D3 is no different than what World of Warcraft players have been seeing for five years or so. The sad thing is, if no one bought game currency (gold, credits, whatever) from these third-party companies, then essentially no account compromises would be occurring. Compromises not done by gold selling companies are very rare indeed; they strip one player to sell to another. Unfortunately, they make a lot of money off of the practice and so they have a lot of resources to use to try to get your password from you directly, or through your computer. Some of their poorly translated phishing e-mails may be laughable, but their trojans, infected websites, etc. are not funny at all.

As understandably bitter as some players are about having their accounts hacked, it seems clear that Bliz is doing all they can to stop it. Even aside from them wanting their fans to have a good gaming experience, hacked accounts are terrible publicity, upset fans to the point of quitting, and cost Blizzard thousands of man-hours in support. There is no upside to Blizzard in their customers getting ripped off, and they’d very much like it not to happen.

Here’s the full thread.

Hack Refund

My refund is being processed, thank you blizzard. And if you all are correct, and it is the player’s fault for being hacked (and SMS authentication / Dial In Authentication is useless to prevent it), then congratulations to the hackers for orchestrating the world’s most efficient high profile hack / exploit against an online game that I have ever seen. Great hack! Take responsibility and collect your glory, because whoever claims this one will enjoy a pretty high profile.

The “hacking” (“compromising” is probably a better word, since no real “hacking” is going on) being seen in D3 is no different than what World of Warcraft players have been seeing for five years or so. The sad thing is, if no one bought game currency (gold, credits, whatever) from these third-party companies, then essentially no account compromises would be occurring. Compromises not done by gold selling companies are very rare indeed; they strip one player to sell to another. Unfortunately, they make a lot of money off of the practice and so they have a lot of resources to use to try to get your password from you directly, or through your computer. Some of their poorly translated phishing e-mails may be laughable, but their trojans, infected websites, etc. are not funny at all.

If you have the physical or mobile authenticator (both of which major banks use and charge $30+ for) the chances of you being compromised are very, very small. I’ve personally examined the MSInfo files of nearly all of the handful of people who have truly been compromised through an authenticator, and the sheer number of backdoor programs and other malware on their systems has been mind boggling. Probably not coincidentally, these same people were also running a disturbing number of file-sharing and download programs, including ones which are commonly known to not be safe.

Again, compromising game accounts is a big business in some countries. They have people on their payroll who spread false rumors of “hacked through my authenticator” just to try to discourage people from using them. We charge $6.50 for the physical authenticator, because that’s exactly what it costs us to make them. The mobile one is free because we don’t have to pay a factory to build them. Use them, and enjoy your gaming without someone mucking with your stuff.

The post on the main page said that NONE of the hacking victims had authenticators. Are you saying that there were hacked accounts with an authenticator? If that is the case maybe you should have the security post updated to avoid BLATANTLY LYING to your customers.

Sorry for not being more specific on that. The hacks I was referring to were from the last five years of WoW compromises, not the current D3 compromises. None of the D3 compromises that we’ve checked have actually had authenticators, despite their claims.

I don’t buy gold or items. I don’t run unsafe programs. I bought a new computer exclusively for D3. I have the authenticator. I have Norton [email protected] edition and scan daily. I don’t click links. I don’t read spam email. I don’t download questionable content. I don’t buy anything from 3rd parties.

I got hacked 2 days ago. How’d that happen, bliz?

I just checked your account, and it has never had either the physical or mobile authenticator attached to it. You did have the dial-in authenticator attached, but its level of security is far below the physical and mobile. It’s meant to be used in addition to the main authenticator, not in place of.

Hmmmmm.

I’ll bring up the idea of renaming the dial-in authenticator to my management. At the very least, maybe remove “authenticator” from its name so that people do not get it confused with the main authenticator (physical or mobile).

The authenticators my bank hands out are completely f.r.e.e.

That’s definitely cool. You should commend your bank then as some of them charge waaaaaaay too much in my opinion.

What is the concrete cause of the hackings? I can’t believe that there are so many cases, I highly doubt most of those can be attributed to the victim’s downloading apps and stuff.

Well, the cause is people desiring a shortcut in their games by buying gold. If you mean the technical cause, as I mentioned previously the gold selling companies use a vast array of methods. A good friend of mine is a long time network admin (and a very good one at that), who had decided to not use an authenticator because he’d never had any security issues with his computer over the years. Well, an Adobe Flash vulnerability popped up a couple years ago, and he procrastinated applying the update by a whole week. As you can probably guess by the fact that I’m relating this anecdote, his WoW account was compromised and stripped because of that one week window.

There’s absolutely nothing shameful about getting compromised, these companies are good at what they do. Heck, the former head of Blizzard Customer Service had his account compromised. It’s because of how devious and high-tech the gold-selling companies have gotten that we implemented the physical and mobile authenticators. We can’t physically go to everyone’s computer and make it safe, so we’ve provided a tool that does it for you.

I’ve been a computer tech for a long time, and I’ve never had a single malicious security breach on any of my computers that I’m aware of, but I attached one of the very first batches of physical authenticators to my account. Why? Because no matter how good I am, sooner or later they were going to get me. But now, they can’t.

Are you claiming that I did not have both the dial in auth and the SMS auth?

No, you had those. But neither of those are the physical or mobile authenticator, the main line of protection that is being referred to. The Dial-In and SMS are just nice additional layers of security to add to the physical or mobile.

It’s becoming pretty apparent that our naming scheme might be causing some confusion, and I apologize for that. I’ll bring the subject up with my management, so we can review both how the devices are named and how they are presented. If you have only one authenticator on your account, you want it to be the physical or mobile, not the dial-in or SMS.

You might want to reconsider implying that people with compromised accounts are buying gold with real money.

That’s definitely not what I’m saying, and I apologize if it came across that way. I meant that gold selling companies exist and compromise accounts because some players buy gold. If there was no market, there would be no companies dedicated to the market. Most people who are compromised have never bought gold.

I asked the same question earlier, however with it being a holiday weekend, and so many account compromises occurring I wouldn’t count on a quick turnaround.

We’re a 365/7 support center, so thankfully the holiday weekend shouldn’t add much of a delay.

What I don’t know is if you can play a character while a restoration is occurring. May I have a response regarding the playability of the account during the process of character restoration? (Obviously, you cannot be playing the same character you are restoring)

You don’t want to play your characters on the same realm (US, EU, ASIA) that will be rolled back, as the whole set gets rolled back at this time. However, to the best of my knowledge your characters on the other two realms are unaffected unless those realms needed to be rolled back as well.

So, let’s say you’ve been playing on the US realms only and you were compromised. You definitely shouldn’t touch the US characters until the process is complete on our end. However, since you’ve never played on the EU realm you should be completely safe in creating a character on that realm without the fear of it getting rolled back. The downside of course is that you can only play the EU character on the EU realm. Still, I wanted to point out the option. : )

I THINK it’s a java exploit

There definitely could be some Java exploits. That’s the thing though, they use everything they can, in tandem. I wasn’t aware of even half of the keylogging methods that are in use until I started working this job. We’ve been monitoring WoW compromises for years now, and while a particularly nasty vulnerability (like the Adobe Flash one I mentioned earlier) might result in a surge of compromises, the truth is that there’s never just “one thing” that’s resulting in compromises. It’s compromise by a thousand cuts, if you get my paraphrasing.

This is why we made the physical and mobile authenticators. After awhile, we realized that passwords weren’t just being stolen because of bad computer habits or poorly thought out passwords (although that happens as well). They were being stolen because of the sheer quantity of methods that the gold-selling companies were flooding the Internet with. No matter how careful you are, they may still get your password eventually, and that’s why we have the authenticator. It’s why I have one on my account right now. We even priced the physical model at cost ($6.50) so that no one could rightfully claim that we were making any money off of them.

Bottom line: We hate seeing people compromised, and having to deal with compromises also costs us a lot of money in support costs. We need either everyone to use an authenticator (physical or mobile), or no one to buy gold. Should that day come, we won’t have to worry about this anymore.
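The thread’s argument is that a stolen password should not be enough on its own, and that dial-in/SMS are secondary layers behind the physical or mobile authenticator. As an added example that is not from the post or from Blizzard, here is a minimal RFC 6238 time-based one-time-password check in Python showing why a second factor changes the outcome: with it enforced, a password captured by a keylogger still fails login, a guessed code fails, and a code that was already used is rejected as a replay. The `Account` class, the password, and the shared secret are constructed for the demo (the secret is the RFC 4226/6238 test-vector key), and treating the authenticator as generic TOTP is my assumption; the page does not describe the device’s actual algorithm.

```python
"""Added example, not code from the original post or from Blizzard.

Assumption: the physical/mobile authenticator behaves like a generic
RFC 6238 TOTP token (HMAC-SHA1, 30-second step, 6 digits).  The real
device's algorithm is not described on the page.
"""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then
    dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(secret, now // step, digits)


class Account:
    """Constructed demo account: a password plus an enrolled TOTP secret.

    The password hash here is a plain SHA-256 for brevity only; a real
    service would use a slow, salted password hash."""

    step = 30

    def __init__(self, password: str, secret: bytes) -> None:
        self._pw_hash = hashlib.sha256(password.encode()).digest()
        self._secret = secret
        self._last_counter = -1  # highest time-step already accepted

    def login(self, password: str, code, now: int):
        """Return (ok, reason).  The password alone never succeeds once
        a second factor is enrolled, which is the point the thread makes
        about keylogged or phished passwords."""
        pw_hash = hashlib.sha256(password.encode()).digest()
        if not hmac.compare_digest(self._pw_hash, pw_hash):
            return False, "bad password"
        if code is None:
            return False, "second factor required"
        counter = now // self.step
        # Accept the current step or the previous one to tolerate clock skew,
        # but never a step that has already been used (replay protection).
        for candidate in (counter, counter - 1):
            if hmac.compare_digest(code, hotp(self._secret, candidate)):
                if candidate <= self._last_counter:
                    return False, "code already used"
                self._last_counter = candidate
                return True, "ok"
        return False, "bad code"


if __name__ == "__main__":
    # Constructed values: RFC test-vector secret and a throwaway password.
    secret = b"12345678901234567890"
    acct = Account("hunter2", secret)
    now = int(time.time())
    print("password only:", acct.login("hunter2", None, now))
    print("password + code:", acct.login("hunter2", totp(secret, now), now))
    print("replayed code:", acct.login("hunter2", totp(secret, now), now))
```

The replay check matters for the SMS/dial-in discussion too: any one-time code is only as strong as the rule that it is accepted once, within a narrow window, and only together with something the attacker does not already hold.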