Blizzard Authenticator: New Tool for Bad Guys

The Blizzard Authenticator is one method of making your World of Warcraft account more secure.

Rather than depending on just user name and password to keep your account secure, the authenticator provides a code, which changes every 30 seconds, to put in as part of the logon process. You just press the button, get your six-digit code, enter it, and complete logging on. Even if somebody has a keylogger on your computer, the code is only valid for a very short period of time, so breaking into your account is made just that much more difficult.

Some Blizzard Authenticators

This is all good news for you, if you opt for the authenticator, either the key fob version or the mobile authenticator that can run on your phone. (It is not just for iPhones any more.)

On the other hand, if you don’t use the Blizzard authenticator, the hackers now have another tool in their arsenal to help them take over your account.

One of the stickied responses over in the Blizzard Support forum relates to how to request the removal of an unauthorized authenticator.

It seems that the hackers have bought into the authenticator scheme and now, when they hack your account, they lock you out by putting their authenticator on your account. Now you’re really stuck, since you cannot do anything with your account without the authenticator once it has been enabled.

And judging from the number of requests in the forums, this is happening quite a bit.

So beware of phishing email scams and the like; there are a lot of them going around. I get at least one a day and often more. Blizzard has their own page on account security that lists the only legitimate sites where you should enter your password.

As they say, two steps forward, one step back.

16 thoughts on “Blizzard Authenticator: New Tool for Bad Guys”

  1. pockie

    This is exactly what happened to my account, which had been inactive for a year. I somehow got hacked (still not sure how that happened, since the first indication I had was an email from Blizzard telling me my password had been changed and was banned for exploiting the economy). The hacker paid for a month’s subscription and put an authenticator on it.

    Makes me wonder how much profit they make from the gold, which admittedly I had a lot of (about 100k). On the bright side, Blizzard GMs were great and managed to restore my characters, and I got a free Core Hound Pup pet out of it too, plus free game time although I’m not making use of it.


  2. Higgs

    This happened to me in April; I still can’t log in after a month and a half.
    Blizzard restored my characters and guild vault items, but they didn’t remove the Authenticator locking me out :(

    Still waiting on support.


  3. pitrelli

    This actually happened to my brother-in-law last month and Blizzard sorted it out pretty quickly. He did, however, end up getting hacked again the next again week and his account has now been cancelled :(

    I did warn him to get an authenticator himself as he has been hacked several times; however, he didn’t listen. Now unfortunately he has paid the price and has lost all his toons.


  4. stargrace

    I picked up an authenticator last week for myself, and love it. Can’t go wrong for the price ($6.50? why not) and knowing my account is secure is incredibly important to me. Plus those mobile versions are just as nice.


  5. Morph

    This has been going on for a while now. I read about this some time ago. Best thing would be to make everybody use an authenticator, though I guess Blizz would have to supply them for free, and they’re not going to do that.


  6. pitrelli

    I actually expected Blizzard to announce Cataclysm will launch with an authenticator as part of the extras. Let’s face it, they would like everyone to have one and in the long run it will save them money if people’s accounts are more secure.


  7. Wilhelm2451 Post author

    @sid67 – No, it is not a dongle. Those are generally in place to prevent software piracy. Not that they couldn’t be used for account security, but I have never seen them used for that.

    Blizzard’s authenticator is the same thing that a lot of companies used to add a level of security to things like remote network access schemes. Having spent time working with financial institutions at my last job, we had a pile of those things around for logging into test systems.

    What Blizzard wants, and what financial institutions are working towards more broadly, is something called multi-factor authentication, which is intended to keep accounts secure even if your name and password are compromised.

    I actually spent quite a bit of time in the last decade working with speaker verification technologies. Voice print matching can be very accurate, however it seems that consumers feel, or can be easily convinced, that it is too much like 1984, so we never had any big, long term, consumer level implementations, though we sold quite a bit of it and continued to do so.


  8. rowan

    I got hacked in January (never having fallen for a phish), and promptly bought an authenticator after my account was restored. I still blame Blizzard for the increase in phishing attempts, because they insisted on everyone using email addresses to log in. So they only have themselves to blame for the increased costs of account investigation.

    Two steps backward, one step forward.


  9. rav4ge

    Had this happen to me a while ago, even though my account had been inactive for around 4 months. The sucky thing was I never checked the email linked to the account. So, when I logged in and it prompted me for an authenticator you can imagine how surprised I was.

    Even though I have no idea how it happened, lesson learned. Added an authenticator of my own right after I resubbed.


  10. rubleep

    I got hacked after this past maintenance and the hacker put an authenticator on it. Haven’t had a problem in months. Bought a new comp recently and BAM! Got hacked? I’m gonna kill Dell if they sold me a refurbished comp as new.


  11. WhiteKnight666

    Given the number of accounts being compromised, especially those that have been inactive, I have reason to suspect that there’s a corrupt person somewhere in Blizzard’s staff. I myself tried logging in today for the first time in this system’s life (new hard drive, OS, and about 60% new parts, even RAM), only to find out my account suddenly has an authenticator. Either that, or I suspect Blizzard could be doing this to boost authenticator sales. Either way, I have to send an e-mail to Blizzard because I can’t post on the forums.


  12. Starscream

    Your best option is to call Blizzard’s accounts and billings. They pulled the authenticator that was added to my account off as soon as I explained the problem. I don’t think I was keylogged either. I’ve never fallen for a phishing scam so I’m almost 100% certain it’s using something else.

    I’ve told a bunch of people this: Blizzard makes more money from people getting hacked and then buying authenticators. I was just reading about someone that got hacked that had an authenticator so it isn’t even foolproof. It doesn’t make that much of a difference. It’s just a false sense of security.


  13. Legolas

    I got hacked twice in a row, first time in June, then the following month, a few days ago. I have sent several e-mails to account and billing support but got no response at all. However, I managed to change my password, but I am not quite sure if it is safe enough.

    Blizzard usually blame the keylogger, which is very unlikely in my case, especially for the second time. I scanned my machine using both Antivirus and Spybot and couldn’t find anything suspicious. Moreover, I did change my password on a weekly basis.

    I hate to say this, but I personally suspect someone would be able to exploit the authenticator at the main system. I take a look at their technical support forum every day; looks like thousands of accounts got hacked.

    Anyhow, I don’t want to, but I have to buy an authenticator for myself. Just can’t afford to have this kind of incident happen again.


  14. Kaitam

    I had been hacked and locked out by the authenticator for the last 2 weeks… once I emailed Blizzard (as I was out of town/country during the time, brother notified me I was doing some farming and I wouldn’t answer him) it took less than 24 hours to unlock my account. Now I am just trying to get all my items, gear and gold replaced… Although it seems to have happened on only 1 character on the server (multiple servers with other toons under 25, not worried about), I hope that anything out of place will come to light. As with Legolas, I don’t want to buy an authenticator; however, this is the first time and I would really not like to have these kinds of issues again.


  15. Elumine

    Eek. How long ago did the hackers start using this ‘technique’?

    (I found this blog from googling authenticators, btw.)

    I bought my Authenticator back when it first came out (the original one that had just the blue Blizzard logo printed on it!) – heard lots of praise for the thing, and no reports from anyone I knew in-game of it being used by hackers. It’s been over a year since my WoW subscription ran out, though… I’m glad I secured my account when I did. Hopefully that means that if/when I resub for Cataclysm, all my characters and gold will be intact.

    I really don’t understand why more game companies haven’t started providing authenticators for their games/accounts. Lord knows NCsoft sorely needs it. (Their account management page has a security flaw that makes it possible for anyone to brute-force hack accounts.)


