Authenticator fails, removed from account without user's permission
by Mike Schramm 
Jul 24th 2008 at 2:00PM
Think a Blizzard Authenticator will keep your account from being hacked? Think again -- we've got our first known report of someone who was protecting their account with one of Blizzard's keys, and still got their character hacked down to their undies. Someone in this forum thread apparently logged out one night and logged on the next morning to find her account stripped of everything but PvP gear, and her Authenticator no longer connected to her account.Supposedly, to deactivate an Authenticator from an account, you need to get in touch with Billing services, and reportedly they'll then ask for a notarized statement with a picture, like a driver's license, just to remove the Authenticator. But obviously, this one was removed even without that, and we're being told that all you might need to remove the Authenticator is the answer to the user's secret question and a CD key (or even less). In other words, the fault isn't with the technology, it seems to be with the support reps on Blizzard's side of the phone line -- if they can be convinced to remove the Authenticator, the account can then be hacked.
The little keys have been selling like hotcakes since they were released -- almost everyone has figured that $6.50 was cheap for peace of mind. But while an Authenticator still does provide an extra step in security, the sad truth is that it hardly makes an account impermeable.
[Via BRK]
Update: Married IRL has more analysis, including a comment that confirms all you really need to get past the Authenticator is the user's secret question answer, usual address information, and the original CD key. If the standard for getting an Authenticator removed really is a Photo ID, it's fairly clear that Blizzard's reps aren't doing their jobs right.
More after the break.
Update 2: Please note that we are not at all saying for sure that Blizzard employees made the mistake here. If it's true that removing the Authenticator from an account requires a picture ID, and if it's true that the authenticator was removed from this account (without, obviously, a picture ID), then the odds are that there is a security hole in there somewhere.
The fact that they were using the Authenticator and were still hacked, however it happened, is why we've posted this here: You should have known this already, but just in case you thought using the Authenticator make you impervious to hacking, know that it doesn't.
Filed under: Analysis / Opinion, Blizzard, Forums, Account Security
Get a WordPress.com Blog
Reader Comments (Page 1 of 6)
Chris Jul 24th 2008 2:06PM
I believe that I speak for the general WoW population when I say.......
"Yikes."
Makros Jul 24th 2008 4:52PM
I really wanted you to say ... "Wow."
Makros Jul 24th 2008 4:52PM
I really wanted you to say ... "Wow."
Makros Jul 24th 2008 4:53PM
so bad apparently that it posted twice o.O
Michael Jul 24th 2008 11:53PM
What's with this site taking up fear mongering and shoddy reporting?
The author say's at the end of the post that "all you really need to get past the Authenticator is the user's secret question answer, usual address information, and the original CD key." That information is obviously not easy to come by, so like other commenters, I'm calling the author out. There's more to this story that's not being said.
Stop posting lame stuff like this, WOW Insider.
Telerion Jul 25th 2008 1:03AM
Guys, it wasn't the Authenticator that failed, it was Blizzard and their support staff who made the mistake.
A chain is only as strong as it's weakest link.
I'm sure Blizzard is looking into the issue and will have much more rigid requirements about removing the Authenticator from now on.
RanWitScissorz Jul 24th 2008 2:07PM
Makes you wonder how they got the CD-Key, I have no idea what/where my key is.
Hank Jul 24th 2008 2:27PM
It would be the key you needed to input to Blizzard to activate your account. If you don't know what it is, I suggest you contact the person who sold you your account.
RanWitScissorz Jul 24th 2008 2:31PM
I know what a CD Key is and I don't care what it is... that was not my point. I was stating that some of us don't even know what our cd keys are or where they are, so how did some guy in China found out what it was.
Runstadrey Jul 24th 2008 2:59PM
I don't have a CD key because I don't have a CD. I downloaded the trial version and upgraded. Now, got anymore smart assed comments Hank?
Elder Jul 24th 2008 3:23PM
Ni Hao! .. err, I mean Hello!
You have been chosen to participate in the stealing of your... err, Wrath of the Lich King Beta!
To proceed please fill out the following form...
Name
Account name
Password
to prove you are the lawful owner of this account we must confirm the following:
Your Address as listed on your account
Secret question
secret answer
Your Original CD key
Thank you for being hacked, 10 minutes after you mail this to 25 other people you will see something really cool pop up on your screen. Click it and you'll join the WOTLK Beta AND Bill gates will send you 200 bucks!
...
What, am I no good at this?
Badger Jul 24th 2008 4:01PM
Elder: I like it so far, but it lacks that really authentic *feel.* Add a few lines about herbal remedies, third-party African investors, or natural enhancement, and you'll be good.
pudds Jul 24th 2008 2:07PM
The human factor - the weakest line of defense. Whenever you have a human involved, social engineering will always be an option.
wyrd Jul 25th 2008 9:11AM
Human Engineering... Because there is no patch for human stupidity.
Faerun Jul 24th 2008 2:08PM
I thought Blizzard kept your CD keys online in a database somewhere when you registered your game.
Lucas Jul 24th 2008 2:11PM
I never owned the original game in hard copy form... I downloaded it, and then bought the physical form of BC.
And.... I have *no* idea what my CD keys are. lol
Michael Jul 24th 2008 2:09PM
Why would the reps have access to CD keys? That doesn't sound right; this sounds very fishy, and you can't blame a Blizzard employee with no evidence to back it up.
Clevins Jul 24th 2008 2:26PM
Agreed. There's no way a hacker off on the net somewhere just happened to get the CD keys for that specific account. And the secret question is supposed to be.. um.. SECRET.
So, sorry, but I don't believe the original complainant. Not until they can come up with a credible story for how some random person got that info. Or until they fess up that it was someone they know who had access to the key and the question/answer pair.
Jack Spicer Jul 24th 2008 2:11PM
Getting their hands on your password is one thing, but how did the hackers get a hold of this user's CD Key, address information, and the answer to their personal question?
Was her computer riddled with spyware when she registered it?
Or was this an inside job? An angry spouse, partner, sibling, roomate?
Worcester Jul 24th 2008 4:09PM
I'm also guessing the "hacker" is more of an "acquaintance" than the OP is letting on.
Are CD keys even stored in your online profile? I've never seen where, if they are.