Thread: All good demons go to... um... sequel? - Diablo 3 Announced.

  1. #4381
    Social Worker
    Join Date
    Jan 2004
    Location
    Rochester, NY
    Posts
    3,898
    Quote Originally Posted by Telefrog View Post
    Through a few contacts in security firms. These are guys I know and trust, so I don't think they are steering me wrong. They're seeing a lot of activity in various groups that indicate that they are gearing up to take on the RMAH and step up Battle.net account stealing. Of course, they can't be definitive about any of it, but better safe than sorry when it comes to your online accounts.

    Besides, as stusser points out, WoW accounts are already high on the target list for these dudes. Logically, the opportunity to directly access money through D3 accounts will make them even more high-value targets.

    The authenticator is free for iOS and Android users. Shipping is free if you buy the physical device from Blizzard. I can't think of a reason to not have one.
    Unless things have changed, the most common way wow accounts get hacked is via keyloggers. If you've got a keylogger on your system, you've got much bigger problems than someone stealing your battle.net account.

    You are much better off putting your efforts into running some virus scanning software and more importantly, using something like lastpass or 1password to ensure the passwords for all your accounts are different/random.

  2. #4382
    New Romantic
    Join Date
    Jul 2008
    Posts
    7,051
    While i agree that it is true that the vast majority of "hacking" cases are from keyloggers, what about the people who haven't played wow for years and come back only to find their account cleaned out?

    Having a wow account or a battle.net account these days is certainly not something you do without worrying about potentially losing it, even if you take steps to make sure your system is (reasonably) secure (anti virus, firewall, firefox with noscript/adblock, not going to any obvious trap site linked to from official forums).

    Also, I haven't tried it, but i don't think you can login to a game using 1password. Maybe if you copy and paste each time, but that would be a huge pain. I am a huge fan of 1password though and use the random password thing for the vast majority of my website accounts.

  3. #4383
    Spinning Toe
    Join Date
    Jul 2008
    Posts
    927
    Quote Originally Posted by Murbella View Post
    While i agree that it is true that the vast majority of "hacking" cases are from keyloggers, what about the people who haven't played wow for years and come back only to find their account cleaned out?
    Sometimes it's by hacking your email, in which case (if you don't have an authenticator) they can presumably change your password.

    Sometimes, they just have the PW but lay dormant until you no longer are active so they can hack it without being noticed for a long time.

  4. #4384
    Social Worker
    Join Date
    Apr 2012
    Posts
    2,056
    Quote Originally Posted by Telefrog View Post
    I can't think of a reason to not have one.
    Because either the "Battle.net Mobile Services & Alerts" or the "Dial-In Authenticator", which gets you to SMS a code or call in and enter a code when important changes are made to the account is just as good for all practical purposes?

  5. #4385
    New Romantic
    Join Date
    Jul 2002
    Posts
    9,888
    Hmm, thanks for the heads up. I've never bothered with the authenticator since i don't play WoW, but i'd hate to deal with the hassle of losing my Diablo/Starcraft access and accounts.

    Well, i had to order the CE from Best Buy as Amazon and Gamestop had sold out (i had it in the shopping cart at Amazon several months ago but forgot to finalize the order :/). And according to BB it shipped yesterday. Should be here by Tuesday!

  6. #4386
    New Romantic
    Join Date
    Jan 2006
    Posts
    5,054
    Thanks for some unforeseen luck at the casino (which is probably third time my wife and I have ever gone there in the last decade) I had enough to pick up not only a few cigars, but the collector's edition strategy guide from Gamestop - they had a few left and I reserved one (they weren't selling them yet, which is fine with me, I like the idea of getting that big hardcover book and the CE box at the same time).

    C'mon, Monday (well, midnight Tuesday, I suppose)!

  7. #4387
    How To Go
    Join Date
    Jan 2004
    Posts
    14,651
    Midnight PST, sadly.

  8. #4388
    New Romantic
    Join Date
    Jan 2006
    Posts
    5,054
    Midnight CST is when my local gamestop is selling them (midnight sales with GS are always midnight local time), though it will be 2 hours later (2am CST) when I can play. I'll be in bed though (in theory) but I do want to get it installed and ready before I call it a night, so I can play fresh Tuesday when I wake up (after I get the kids off to school, I suppose).

  9. #4389
    Spinning Toe
    Join Date
    Jul 2008
    Posts
    927
    Quote Originally Posted by BleedTheFreak View Post
    Thanks for some unforeseen luck at the casino (which is probably third time my wife and I have ever gone there in the last decade) I had enough to pick up not only a few cigars, but the collector's edition strategy guide from Gamestop - they had a few left and I reserved one (they weren't selling them yet, which is fine with me, I like the idea of getting that big hardcover book and the CE box at the same time).

    C'mon, Monday (well, midnight Tuesday, I suppose)!
    Haha, good for you :)

  10. #4390
    Social Worker
    Join Date
    Sep 2005
    Posts
    2,772
    Quote Originally Posted by BleedTheFreak View Post
    Midnight CST is when my local gamestop is selling them (midnight sales with GS are always midnight local time), though it will be 2 hours later (2am CST) when I can play. I'll be in bed though (in theory) but I do want to get it installed and ready before I call it a night, so I can play fresh Tuesday when I wake up (after I get the kids off to school, I suppose).
    After all of my crying about not getting it until 5/17, Amazon just upgraded me unexpectedly to release-day shipping, so at some point on 5/15, I will be playing. Yippeee!

  11. #4391
    New Romantic
    Join Date
    Jun 2003
    Location
    Cuyahoga Trog Village
    Posts
    5,397
    The strat guide arrived yesterday. I'm doing my best to avoid the section on the acts, focusing mainly on the class skills and equipment lists. I did, however, glance through act 1 a bit to see how much content was cut in the beta, and it was a good bit. Which I was glad to see.

    I didn't know there were passive skills up to level 60 for the classes. All other categories end by 30, but there are quite a few more passives for each class as an additional incentive to play the higher difficulty levels (as if players needed more reason).

  12. #4392
    Spinning Toe
    Join Date
    Jul 2008
    Posts
    927
    You get new rune unlocks at 30-60 too.

  13. #4393
    New Romantic
    Join Date
    Jan 2006
    Posts
    5,054
    Quote Originally Posted by John Reynolds View Post
    The strat guide arrived yesterday. I'm doing my best to avoid the section on the acts, focusing mainly on the class skills and equipment lists. I did, however, glance through act 1 a bit to see how much content was cut in the beta, and it was a good bit. Which I was glad to see.

    I didn't know there were passive skills up to level 60 for the classes. All other categories end by 30, but there are quite a few more passives for each class as an additional incentive to play the higher difficulty levels (as if players needed more reason).
    You can actually go to Diablo3.com under game guide, they have a nice layout of the progression for all the classes by level. Lots of unlocks every level past 30, sometimes as many as four "things" unlock.

    http://us.battle.net/d3/en/class/barbarian/progression

  14. #4394
    Broad Band
    Join Date
    Mar 2011
    Posts
    160
    Quote Originally Posted by Telefrog View Post
    Through a few contacts in security firms. These are guys I know and trust, so I don't think they are steering me wrong. They're seeing a lot of activity in various groups that indicate that they are gearing up to take on the RMAH and step up Battle.net account stealing. Of course, they can't be definitive about any of it, but better safe than sorry when it comes to your online accounts.
    Yeah, "better safe than sorry" is the catch phrase of security theatre. In the absence of facts, hand-waving often suffices.

    Besides, as stusser points out, WoW accounts are already high on the target list for these dudes. Logically, the opportunity to directly access money through D3 accounts will make them even more high-value targets.
    In which case, the contention that it is a target because of the RMAH is misguided, since WoW doesn't have a RMAH. A more correct claim would be that hackers are targeting the game because it's going to be huge and insanely popular.

  15. #4395
    Social Worker
    Join Date
    Jul 2009
    Location
    Salt Lake City, Utah
    Posts
    4,641
    By that logic, they should be hacking Call of Duty accounts like no other.

  16. #4396
    Broad Band
    Join Date
    Mar 2011
    Posts
    160
    Ummm, they do... trawl through the Xbox Live forums and you can see all the people banned for hacking (and their pitiful attempts to escape such action).

    Of course, CoD doesn't really have gold or rare items that can be traded, so the goal and outcome of the hacking is obviously different

    FIFA (probably one of the most popular games on Xbox) is also a huge hacking target as well, for the tradable/purchasable player cards.

  17. #4397
    New Romantic
    Join Date
    Oct 2002
    Location
    Concord, CA
    Posts
    5,667
    Quote Originally Posted by Budvar View Post
    Yeah, "better safe than sorry" is the catch phrase of security theatre. In the absence of facts, hand-waving often suffices.
    Are you saying people shouldn't have authentication?

  18. #4398
    Broad Band
    Join Date
    Mar 2011
    Posts
    160
    No I'm saying that you shouldn't be spooked into obscure rumours by security companies. Especially since by their nature these companies rely on the hype surrounding the threat for their very existence. I take the "Bruce Schneier approach" to security that favours facts and clarity to vagueness and obscurity.

    Two-factor authentication is certainly useful and you should probably use it, but it also has its limitations. "Better safe than sorry" to me suggests a type of vague and uncritical approach that I just disagree with.

  19. #4399
    New Romantic
    Join Date
    Oct 2002
    Location
    Concord, CA
    Posts
    5,667
    I'd agree with you, except that Battlenet accounts being hacked isn't theoretical, it's rampant. Shit happens daily. I'm not sure how many times Drop Bears members have been hacked, but it's not a small number.

    Two-factor authentication has its place, and this is it.

  20. #4400
    Social Worker
    Join Date
    Jul 2009
    Location
    Salt Lake City, Utah
    Posts
    4,641
    Quote Originally Posted by Budvar View Post
    Of course, CoD doesn't really have gold or rare items that can be traded, so the goal and outcome of the hacking is obviously different
    The goal is what I was referring to. :) Let me put it another way, though... if this were set up the same way Diablo 2 was, I'm sure there'd be hacking to steal loot / characters / whatever. You have to admit, though, the fact that you can now convert that loot into Euros or USD has to make a really tempting target. That seems to me to be a better target than the usual "hack WoW account to steal gold and sell for USD" that takes place.

  21. #4401
    New Romantic
    Join Date
    Jun 2003
    Location
    Cuyahoga Trog Village
    Posts
    5,397
    Quote Originally Posted by BleedTheFreak View Post
    You can actually go to Diablo3.com under game guide, they have a nice layout of the progression for all the classes by level. Lots of unlocks every level past 30, sometimes as many as four "things" unlock.

    http://us.battle.net/d3/en/class/barbarian/progression
    Heh, had no idea that info was available online.

  22. #4402
    Mad Chester
    Join Date
    Jul 2009
    Location
    Australia
    Posts
    1,489
    Strange for me, as a non-WOW player, to hear everyone so concerned about security. I resent having to type a password in any time I play Starcraft 2. Every time I think "For fuck's sake it's just a game, let me check a box and save the password".

    Tony

    PS: not a judgment on you guys, I understand the amount of effort and emotional investment that goes into a high level WOW character.

  23. #4403
    Broad Band
    Join Date
    Mar 2011
    Posts
    160
    Quote Originally Posted by charmtrap View Post
    I'd agree with you, except that Battlenet accounts being hacked isn't theoretical, it's rampant. Shit happens daily. I'm not sure how many times Drop Bears members have been hacked, but it's not a small number.

    Two-factor authentication has its place, and this is it.

    My understanding, and correct me if I'm wrong, is that most hacking occurs due to phishing, os-side malware, and browser-side exploits. In which case two factor authentication as a form of prevention like the kind provided here is useless. Even as a form of identification it is problematic.

  24. #4404
    New Romantic
    Join Date
    Jul 2008
    Posts
    7,051
    Quote Originally Posted by Tony M View Post
    Strange for me, as a non-WOW player, to hear everyone so concerned about security. I resent having to type a password in any time I play Starcraft 2. Every time I think "For fuck's sake it's just a game, let me check a box and save the password".

    Tony

    PS: not a judgment on you guys, I understand the amount of effort and emotional investment that goes into a high level WOW character.
    I feel the same way, but i have been exposed enough to mmorpgs to know that companies cannot do that anymore.

    There is big money in stealing accounts and that is of course why it is so common. It is really a lot like identity theft, but smaller scale, smaller reward and no risk since i don't think it is even illegal, even if the person who does it is in the same country as you (unlikely unless you live in China).

    It is very common for mmorpg fan sites to be compromised in order to plant keyloggers on players. Very common for there to be phishing links on official forums. Very common for phishing emails. Even if you avoid all of those things, it is very common for accounts to be compromised.

    Blizzard officially sanctioning and including a real money Auction House, a stupidly stupid stupid idea, is only going to make this problem MUCH MUCH MUCH worse.

    Most people wouldn't be thrilled if they spent 200 hours restoring a junk bike to like new and then someone steals it. The same is true with spending 200 hours leveling your wizard in diablo 3.

  25. #4405
    Social Worker
    Join Date
    Apr 2008
    Location
    Raleigh, NC
    Posts
    3,045
    Quote Originally Posted by Tony M View Post
    Strange for me, as a non-WOW player, to hear everyone so concerned about security. I resent having to type a password in any time I play Starcraft 2. Every time I think "For fuck's sake it's just a game, let me check a box and save the password".

    Tony

    PS: not a judgment on you guys, I understand the amount of effort and emotional investment that goes into a high level WOW character.
    Well then I'll judge it. Having to login to my fucking Starcraft II account is ludicrously annoying... especially that I have to do it every time I start it up. Can it *really* not remember that shit and log me in upon startup? AIM has been managing that for more than a decade and it seems to work pretty well.

  26. #4406
    New Romantic
    Join Date
    Oct 2002
    Location
    Concord, CA
    Posts
    5,667
    Quote Originally Posted by Budvar View Post
    My understanding, and correct me if I'm wrong, is that most hacking occurs due to phishing, os-side malware, and browser-side exploits. In which case two factor authentication as a form of prevention like the kind provided here is useless. Even as a form of identification it is problematic.
    As I understand it, two-factor is vulnerable to a man in the middle attack. But that's a relatively sophisticated attack that requires the user to be really careless by following a phishing link and allowing malware root access. If the user is that stupid, nothing is gonna stop them from being hacked.

    If you're even mildly careful, two-factor is pretty good security.

  27. #4407
    Broad Band
    Join Date
    Mar 2011
    Posts
    160
    Quote Originally Posted by KevinC View Post
    The goal is what I was referring to. :) Let me put it another way, though... if this were set up the same way Diablo 2 was, I'm sure there'd be hacking to steal loot / characters / whatever. You have to admit, though, the fact that you can now convert that loot into Euros or USD has to make a really tempting target. That seems to me to be a better target than the usual "hack WoW account to steal gold and sell for USD" that takes place.
    Well it is an interesting question. In some sense, it's like any discussion on the economics of prohibition.

    In the WoW system, RMTs are illegal. There is obviously huge demand (if we take as given that WoW accounts were trading for more than credit card info) for gold and rare items, but also limited supply. Only a select few (those with the skills and networks needed) can be suppliers, and the black market is the sole provider of the service. Naturally it has high value, and thus, hacked accounts, the most economic way to provide gold and rare items, have high value.

    Now under RMAH everyone is potentially a supplier. People wanting gold or rare items can go through the RMAH, and don't need to use the black market. Of course, hacked accounts still are the easiest way to provide gold and rare items, but they compete with the items being sold by legitimate users. If the overall price of the sold items is relatively low, it may just not be worth hacking accounts.

    I'm not saying that will or won't be problematic. I'm just suggesting that any claim that the RMAH WILL be problematic is overly simplistic.

  28. #4408
    Broad Band
    Join Date
    Mar 2011
    Posts
    160
    Quote Originally Posted by charmtrap View Post
    As I understand it, two-factor is vulnerable to a man in the middle attack. But that's a relatively sophisticated attack that requires the user to be really careless by following a phishing link and allowing malware root access. If the user is that stupid, nothing is gonna stop them from being hacked.

    If you're even mildly careful, two-factor is pretty good security.
    Well, what account hacks are there that don't actually involve the installation of malware, phishing, or a combination of browser vulnerabilities and an infected website?

    MiTM doesn't prevent any of these attacks, which I would suggest (and once again, correct me if I'm wrong) make up the majority of WoW account hacks.

  29. #4409
    Social Worker
    Join Date
    Nov 2009
    Posts
    2,558
    A lot of accounts get hacked because people tend to use the same password on the internet. So when Pointless Website X gets hacked, they roll over to WoW, throw in your email address and password and get in. Which is why it's always a good idea to use a different password for forums and whatnot and things that actually matter.

  30. #4410
    New Romantic
    Join Date
    Oct 2002
    Location
    Concord, CA
    Posts
    5,667
    Quote Originally Posted by Budvar View Post
    Well, what account hacks are there that don't actually involve the installation of malware, phishing, or a combination of browser vulnerabilities and an infected website?

    MiTM doesn't prevent any of these attacks, which I would suggest (and once again, correct me if I'm wrong) make up the majority of WoW account hacks.
    Like I said, sure, if you're not careful (by not running as administrator, and not following phishing links, and not elevating unknown software that tries to run to admin) then yes, you can be hacked. Two-factor authentication at that point just makes the hacker's job a bit harder...the hacker has to intercept your key, block you from using it (since each key is single-use), and then use it themselves to log in within the 30 or 45 seconds (I forget) that the key is valid. If they fail anywhere along those points, then they still can't get in.

    I'm not saying it's unhackable, it just makes it harder. It's like having an alarm on your house...sure any alarm is beatable, but most smart burglars will just go down the street to look for another house without an alarm.
