WoW players, you probably know this, but just in case....

It's an RSA key, good luck with that.

Realtime interception of the key with a trojan, prevent it from going to the authentication server, send the key to a remote system, use it to log in within 30 seconds, job done. If your system is compromised it adds no security whatsoever does it?
 
Have to say I am at the same time angered, saddened and amused at the arrogance, ignorance and stupidity of some of the posters in here.

I have been in IT since 1983, supporting PCs and networks in a wide variety of roles since 1989, and I can assure you few people have a PC as clean and secure and carefully looked after as mine - and yet back in late 2005 my original WoW account was hacked and wrecked and I gave up playing......


noob tbh.

i r l33t.
 
The more I think about it the less effective it is, all you require is a slightly more complex keylogger that stops the key from being sent to Blizzard and instead sends it to a 3rd party.
 
So then they can only log on within 30 seconds of you trying to login.

There's a reason hardware like this is used in secure environments...
 
Realtime interception of the key with a trojan, prevent it from going to the authentication server, send the key to a remote system, use it to log in within 30 seconds, job done. If your system is compromised it adds no security whatsoever does it?


Keyloggers are what frighten me most - and this kills keyloggers' effectiveness stone dead.

Then there is always the possibility of an "inside job".

However the fact remains that there is far greater security on an account with the device than without it. Further - crooks will tend to focus on easy pickings, ie those without the added layer of security. This means I am actually protected by the vast majority of WoW players who won't bother with this device.
 
The more I think about it the less effective it is, all you require is a slightly more complex keylogger that stops the key from being sent to Blizzard and instead sends it to a 3rd party.

I just did a little test - the number seems to change every 40 or 50 secs.

Thank you for bringing this up. I can be even more secure if I wait for 30 secs after a number change before I key it in :)
 
I appreciate the fact that there will likely be no one who will bother to crack this and instead they will go for the unprotected accounts.

You could write a program that automatically logs into the game as soon as it receives the password and key from the trojan and then changes the password though.
 
The more I think about it the less effective it is, all you require is a slightly more complex keylogger that stops the key from being sent to Blizzard and instead sends it to a 3rd party.

From Wikipedia "SecurID authentication server tries to prevent password sniffing and simultaneous login by declining both authentication requests, if two valid credentials are presented within a given time frame."
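
The server-side behaviour quoted above, sketched as an added example that is not part of the thread or of any vendor's code. It assumes standard TOTP (RFC 6238) as a stand-in for the token's proprietary algorithm; `TokenVerifier`, `demo` and the secret are hypothetical names and constructed values.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per code; the interval the thread assumes

def totp(secret: bytes, now: float, digits: int = 6) -> str:
    """RFC 6238 code for the time step containing `now` (HMAC-SHA1)."""
    counter = int(now // STEP)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class TokenVerifier:
    """Server side: each time step is accepted at most once per account."""

    def __init__(self, secrets: dict, drift_steps: int = 1):
        self.secrets = secrets
        self.drift = drift_steps  # tolerated clock drift, in steps
        self.last_step = {}       # account -> newest step already consumed
        self.flagged = set()      # accounts where a valid code came in twice

    def verify(self, account: str, code: str, now: float) -> str:
        secret = self.secrets.get(account)
        if secret is None:
            return "reject_invalid"
        current = int(now // STEP)
        for step in range(current - self.drift, current + self.drift + 1):
            if hmac.compare_digest(totp(secret, step * STEP), code):
                if step <= self.last_step.get(account, -1):
                    self.flagged.add(account)  # same valid code seen again
                    return "reject_replay"
                self.last_step[account] = step
                return "accept"
        return "reject_invalid"

def demo() -> list:
    secret = b"constructed-demo-secret"  # constructed sample value
    v = TokenVerifier({"player1": secret})
    t = 1_200_000_000.0                  # constructed timestamp
    code = totp(secret, t)
    return [
        v.verify("player1", code, t),        # owner's login reaches the server
        v.verify("player1", code, t + 10),   # same code presented again
        v.verify("player1", "12345", t + 10),  # truncated, never valid
        v.verify("player1", totp(secret, t + STEP), t + STEP),  # next code
    ]
```

The replay check only fires when the owner's own submission has reached the server, which is the limit the posts here are arguing about.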
 
You would intercept the key so that the authentication server never got it in the first place if you were to do it.

The system seems to be good enough for the biggest organisations in the world. If it's so easy to beat, perhaps you could break into all their networks and make yourself a billionaire :p
 
:p Perhaps I should try!

The system is 100% bulletproof against people telling other people their passwords, leaving passwords written down on paper and stuff like that so it is useful, but if your actual system is compromised it seems wide open.
 
Realtime interception of the key with a trojan, prevent it from going to the authentication server, send the key to a remote system, use it to log in within 30 seconds, job done. If your system is compromised it adds no security whatsoever does it?

That is a very hypothetical situation and highly unlikely.
 
lol, it's not as easy as just writing a program and then hack it that way.

Nothing is impossible, but with these tokens, it virtually is.

When I contracted in IT we had tokens (VPN) which could gain us access to any of the servers from over 80 different locations over the world.

If these were hackable, then it would have been done by now, and I'm sure no one is gonna go through the effort of even trying for a WoW account.
 
:p Perhaps I should try!

The system is 100% bulletproof against people telling other people their passwords, leaving passwords written down on paper and stuff like that so it is useful, but if your actual system is compromised it seems wide open.

Agreed - but what more can the man in the street do with his home network than sit all his gear behind a network address translation router & Firewall, run quality non-shareware internet security suites/virus checkers on all family PCs, scan at least weekly and even daily, and try to stay off dodgy websites.

There is no such thing as complete security - but again I stress simple cheap measures can give you massive increases in security compared to what you used to have.
 
By the way, don't get me wrong, I don't mean to say this is useless.

Used with a firewall and antivirus, yes, it's almost 100% secure and is really good, it adds a fair bit to security.

What I'm trying to say is that a system secured with ONLY this is not secure, some people are saying it's unbreakable. If your computer is compromised enough that your regular password was stolen, it's compromised enough to have your secure key stolen as well.
 
By the way, don't get me wrong, I don't mean to say this is useless.

Used with a firewall and antivirus, yes, it's almost 100% secure and is really good, it adds a fair bit to security.

What I'm trying to say is that a system secured with ONLY this is not secure, some people are saying it's unbreakable.


Agree completely. In the real world as it stands now though - even on the worst maintained and dirtiest system imaginable - this little device would probably save most people's accounts from hackers. What technology can create, technology can break. With enough cleverness and resources the system will be breakable. Will anyone actually do it though? Vasco's website points to some major national/international banks using this system. I'd go for the banks, not poor old EffBee's WoW account, if I was a multi-million pound hacking outfit.

Never believe anyone who says something is unbreakable. They are the same kind of people who said the Titanic was unsinkable :)
 
By the way, don't get me wrong, I don't mean to say this is useless.

Used with a firewall and antivirus, yes, it's almost 100% secure and is really good, it adds a fair bit to security.

What I'm trying to say is that a system secured with ONLY this is not secure, some people are saying it's unbreakable. If your computer is compromised enough that your regular password was stolen, it's compromised enough to have your secure key stolen as well.

I like your idea, but it's not possible, it's far more complicated than just 'stealing the key code', and is it really worth it for a WoW account? I know if I was writing a program I would have it set upon all those bankers who use it, steal some digits and cash in on millions :D (then I wake up and smell the coffee)

If it was so easy as writing a program/logger to do this, then it would have been done by now, as more or less every big company uses them, such as banks, law firms, IT companies, etc.

Even if they did sync with the code and log it, they then would have a 30 second time frame to log in, change the password etc.

Also, when changing your password, don't you need to give Blizzard your security answers as well?
 