WoW players, you probably know this, but just in case....

I like your idea, but it's not possible; it's far more complicated than just 'stealing the key code'.

If it was so easy as writing a program/logger to do this, then it would have been done by now, as more or less every big business uses them, such as banks etc.

Even if they did sync with the code and log it, they then would have a 30 second time frame to log in, change the password etc.

Also, when changing your password, don't you need to give Blizzard your security answers as well?

LoL - EXCELLENT point - you need to use the authenticator to get into password management. By the time that dog of a screen on secured browser session comes up the authenticator will likely have ticked over to the next number.

So long as you know the account, password, and have an authenticator you don't actually need any more info to get into account management. I haven't changed my password just recently and can't remember what checks, if any, are built into password management.
 
I like your idea, but it's not possible; it's far more complicated than just 'stealing the key code'.

If it was so easy as writing a program/logger to do this, then it would have been done by now, as more or less every big business uses them, such as banks etc.

Even if they did sync with the code and log it, they then would have a 30 second time frame to log in, change the password etc.

Also, when changing your password, don't you need to give Blizzard your security answers as well?

I'm a bit confused - even if you changed the password would you have to then disable the extra authentication, or order a new one?

Otherwise you would also be locked out of the account?
 
You don't actually need to be able to "crack" or generate the code, that is an impossible task like you have said.

I just mean the actual number the device gives you, it's just a short string of numbers that you type in - so it can be keylogged.

You are definitely correct about only having a 30 second window to log in and change the password.

You guys are right though, I guess what I'm going on about is pointless. For the purposes of WoW, Online Banking, Corporate Computers etc it's basically 100% secure as no one is going to go through all of that anyway. I wouldn't secure a military system with it though :p
 
I'm not knowledgeable on such things, but I think if you plugged it in, there is a risk the device itself could be compromised.

Unless it worked like a dongle, but I don't know if those are more or less secure than one of these keys.
 
You have to type the code? So it doesn't just plug in to a usb port or whatever and automatically use it?

Rather odd.


It syncs every 30 seconds or so, so you basically have 30 seconds to type it in (dunno how it works on WoW)

For example, the code will refresh

JHD9273898J

then 30 seconds later it will change

HDGB18871G

and so on. (all random)

edit: even trying to attempt to guess it would be impossible, be like trying to guess someone's credit card number, or a game card number, phone top up voucher etc.
 
I think the WoW one is the same. I would get one if I still played WoW, my account was stolen when I logged in at a LAN centre with it. This would stop that kind of theft totally.
 
I just mean the actual number the device gives you, it's just a short string of numbers that you type in - so it can be keylogged.

Keyloggers work by inserting themselves into the "chain" of programs that monitor the keyboard, therefore being informed by the OS and keyboard hardware anytime a key is pressed.

It would be perfectly feasible for the WoW client to put itself at the very front of the chain (all other programs to receive keyboard input *after* it), get the keycode and NOT pass the keystrokes back to the rest of the chain.

This would thwart whatever keyloggers are out there.

It's a sod of a task to program and get right without interfering with other programs, but I suspect anyone who can write World of Warcraft to start with would be quite capable of this task.

Coupled with the keyfob would make capturing account information *nearly* impossible, and certainly not worth the effort. Hackers will merely concentrate their efforts on the accounts of people who don't use a keyfob - which alone makes it invaluable.
 
You have to type the code? So it doesn't just plug in to a usb port or whatever and automatically use it?

Rather odd.

You seem to be thinking of dongles, which expensive software used to use to see if it was going to run - ie the software could be put on any number of PCs but the hugely expensive dongle could only be physically used on one machine at a time. Licence control at its finest - till some idiot loses the dongle in an office move.

This isn't quite like that - Blizzard aren't trying to stop you or anyone else running their software, they are managing their network security by only allowing valid users with correct user accounts, passwords, and Blizzard physical security keys entry.

You wouldn't want the device plugged in and machine readable all the time anyway - that would make cracking it massively easier. A valid user has to physically have the device, press the button, read the number, and manually key it in within a very short timeframe.
 
I think the WoW one is the same. I would get one if I still played WoW, my account was stolen when I logged in at a LAN centre with it. This would stop that kind of theft totally.

Same thing happened to me. Thinking of starting up soon though so when I do, I think I'll be picking up one of these.
 
Keyloggers work by inserting themselves into the "chain" of programs that monitor the keyboard, therefore being informed by the OS and keyboard hardware anytime a key is pressed.

It would be perfectly feasible for the WoW client to put itself at the very front of the chain (all other programs to receive keyboard input *after* it), get the keycode and NOT pass the keystrokes back to the rest of the chain.

This would thwart whatever keyloggers are out there.

It's a sod of a task to program and get right without interfering with other programs, but I suspect anyone who can write World of Warcraft to start with would be quite capable of this task.

Coupled with the keyfob would make capturing account information *nearly* impossible.

You could make your virus replace the WoW exe with one that did nothing except have an identical login screen, you wouldn't even need to intercept anything then as pressing the submit button would send all the info directly to you :p :p :D
 
You seem to be thinking of dongles, which expensive software used to use to see if it was going to run - ie the software could be put on any number of PCs but the hugely expensive dongle could only be physically used on one machine at a time. Licence control at its finest - till some idiot loses the dongle in an office move.

This isn't quite like that - Blizzard aren't trying to stop you or anyone else running their software, they are managing their network security by only allowing valid users with correct user accounts, passwords, and Blizzard physical security keys entry.

You wouldn't want the device plugged in and machine readable all the time anyway - that would make cracking it massively easier. A valid user has to physically have the device, press the button, read the number, and manually key it in within a very short timeframe.

Yeah...Looks like I did get things a little mixed up ;)

It's still a reasonable piece of kit I guess.
 
You could make your virus replace the WoW exe with one that did nothing except have an identical login screen, you wouldn't even need to intercept anything then as pressing the submit button would send all the info directly to you :p :p :D

That sounds like my college days. Fun times :p
 
You don't actually need to be able to "crack" or generate the code, that is an impossible task like you have said.

I just mean the actual number the device gives you, it's just a short string of numbers that you type in - so it can be keylogged.

You are definitely correct about only having a 30 second window to log in and change the password.

You guys are right though, I guess what I'm going on about is pointless. For the purposes of WoW, Online Banking, Corporate Computers etc it's basically 100% secure as no one is going to go through all of that anyway. I wouldn't secure a military system with it though :p

I don't care if a keylogger harvests the account, password and 6 digit authenticator code now, because this info is only of any use for a maximum of 60 seconds, and at the moment there is no chance that info will be picked up and used in less than a minute by anyone.

I await with interest the first reports of people getting hacked with the authenticator system in place though.
 
Thinking about it, if they operate the code to log into WoW through the .exe, wouldn't they implement the same thing on the website. This meaning even if someone did get the code, by the time they get to the website to change the password you would have to put the code in again and chances are it will be a different code?

I could be wrong, but I dunno how it works on WoW...
 