I keep seeing the following things being thrown about, so I want to try and provide information to address them and debunk them.
- "Battle.net has crappy security because they make you use your email address as your username"
-To start, the hackers need to get your username and password. Whether your username is your email address or something you just make up, they obtain it the same way they get your password. Keylogger, phishing, etc. ALL of the methods used to get the password are just as effective at also getting a username. As for the email, you have to have an email attached to your account no matter what. The fact that the email is or is not the username makes no difference and won't make less people use that email for fan sites and other public places.
In addition, please see this post by discomatt:
http://us.battle.net/d3/en/forum/topic/5271503297?page=25#489 - "Because the passwords aren't case sensitive, our accounts are less secure and people get hacked that way"
-This makes the assumption that someone is brute-forcing passwords. While it is true that currently Diablo 3 does not lock out an account after X number of attempts, it DOES appear that it limits the number of attempts via some kind of logon attempt throttling. In other words, brute-forcing needs to be able to attempt thousands of passwords a second in order to be effective. But this isn't possible if the number of attempts per second is throttled/limited.
This means that brute-forcing would really only be able to be done for "easy" passwords that you could guess like "password". The catch 22 here though is that the addition of case-sensitive passwords isn't going to suddenly make people have an epiphany about account security and change their password from "password" to something stronger. So, it's not a magic bullet. - "Session-hijacking/spoofing is how people are getting hacked."
-Blizzard made a statement that such a form of hacking was "technically impossible". From what I can see in wireshark, and from joining public games with others, in order to "session-ID hijack" like what happened in RIFT, the data to do so simply doesn't exist, far as I can tell. It doesn't even look like they use session based communication (at least that I can tell, but I admit I'm a bit weaker in this area of expertise), which would in fact, make "session hijacking" a technical impossibility. But if some other such an exploit does exist, I hope someone finds it and offers up proof so blizzard can fix it. But until then, the existence of such an exploit is nothing more than conjecture and anecdotal.
Me and a couple other users tried an experiment of joining games with "hackers" that others had said took their stuff (was on their recently played with list after being compromised). In mine I even taunted these supposed hackers in an effort to get them to "exploit" my account. As expected, nothing bad ever happened to any of our accounts. I admit though this is just anecdote, but take it for anecdotal evidence since many here seem to enjoy doing so when it comes to trying to claim blizzard is the ones who are hacked and not them. :) - "Authenticators shouldn't be necessary just because blizzard has bad security."
-Authenticators enhance END USER security. If there was a security issue on blizzard's end, the authenticators would be useless. If they were able to compromise blizzard to get your password, they'd also be able to get the information (seeds, keys, etc) needed to generate or bypass authenticator codes.
And on that note, a bit about your passwords at Blizzard. Understand that obtaining them is no easy feat. They are stored as hashes, and are not in plain text anywhere in any manner that blizzard or anyone else can obtain them. They would have to be cracked, and doing so in and of itself is not an easy feat. Credit card data is easier to obtain, because it is often stored in a form that can be unencrypted or easier to break encryption methods since there is need for that data to be available in some kind of plain text format, whereas your battle.net passwords are never in any kind of plain text format. (I'm being very basic here) - "Authenticators make your account unhackable".
-This isn't true either. There are nasty bits of malware out there that can help a hacker circumvent them, but they are incredibly rare. There was (possibly still is) one that worked for wow accounts, with a handful of accounts with authenticators being compromised and blizzard verified this. So far though blizzard has said no diablo 3 accounts with authenticators were hacked.
- "diablo 3 accounts with authenticators have been compromised"
-The only way this will really be proven is if blizzard admits it. There is no way for someone to actually prove their account was protected with a keyfob or mobile app authenticator at the time of their compromise. And in fact, it would be to Blizzard's BENEFIT to admit if such a thing occurred with diablo 3. Since such a compromise would be done via a nasty malware or virus, Blizzard would want to alert the diablo 3 community to the verified threat.
Also, most of those threads you see about this are people who used the dial-in authenticator without realizing it doesn't work for D3. - "sony got hacked, so blizzard could be hacked too"
-Sony also told everyone what information was compromised. Blizzard would do the same should they discover such a scenario. (And chances are they'd know before we would) And, you're right, NO ONE is infallible, including Blizzard. But realize that is an unlikely scenario, whereas a bunch of users falling for phishing scams and whatnot are a far more likely scenario. Especially when there is nothing but anecdote and conjecture to try and suggest otherwise.
- "there's just too many accounts being hacked for it to not be some breach at Blizzard"
-People have been claiming this for years. I have seen far more threads on hackings on wow forums in wow's heyday than what we have seen here. And this isn't unique to blizzard either. Every MMO has this stuff happen, and has threads about compromises, and there is always a big rabble about blaming the company and not the users. Blizzard is not unique to this.
- "i dont go to fishy websites and i dont have any keyloggers, so how did i get hacked"
-Read these:
http://us.battle.net/d3/en/forum/topic/5271501737
http://us.battle.net/d3/en/forum/topic/5271602204 - "this is just a conspiracy for blizzard to make even more money selling authenticators!"
-If this was a big money making conspiracy, then why would they offer the mobile authenticator for free? As for the keyfob, it's $6.50 with free shipping in the US. That is at or more likely, below cost. The authenticators are digipass go 6's made by vasco. The cost per keyfob in bulk from Vasco is around $20 typically on the cheap end, so $6.50 is a good deal. And even then, that doesn't factor in the infrastructure and backend cost. It requires at least one server to run the authentication, a database, licensing, and software to interface with battle.net, along with personnel to support and maintain all of that.
- "but nothing is free, so they have to be making money on authenticators!"
-No, it's actually reducing a calculated loss. You see, for every account compromised, blizzard has to have staff to handle it and infrastructure to provide restores, etc. So there is a very real cost to blizzard for each account that gets compromised. They try to minimize that cost with a "cheaper" cost by offering the authenticators (again free or at cost). So, the more accounts that have authenticators, the more money they will save since it reduces the chance of a compromise.
- "I'm in IT so I know I didn't get hacked"
-Most who say this are probably lying. For those that aren't lying, then they are not too good at security. Nothing is more dangerous to the infrastructure of a network than an IT guy who thinks they are infallible or they are so good that they are less likely to be hacked than blizzard. So in fact, people like that are more vulnerable to attack. Which brings me to my next point.
- "blizzard cannot be hacked"
-No one is infallible. Not even Blizzard. The difference, however, is this. No matter how good you think you are at securing your computer, Blizzard is better. They have their entire company and livelihood at stake. They are also publicly traded, and have to contend with constant audits and security scans which are designed to find flaws and failures in their security. I guarantee you don't. So again, is it possible? Of course. It's just not likely.
And there is no evidence to suggest otherwise. A bunch of anecdotes on forums with tales of black helicopters in the night simply doesn't carry weight. And if you think this is a lot of threads about hackings, then you haven't been around online gaming much. And in fact with every game it's the same song and dance. In wow's heyday people swore up and down for years blizzard must have been hacked cus omg look at all the forum threads. Or omg look at all these threads it must be an exploit of wow or battle.net. Nothing ever came to fruition. - "blizzard is a greedy corporation who would do everything in their power to cover up a breach"
-This is unequivocally false. Just like other companies that were breached (including blizzard in 2001 !) blizzard would probably notify us of a breach within a couple weeks of occurring. Because the penalty and consequence of them covering it up and being discovered later would be FAR worse than admitting it in the first place. We're talking billions of dollars lost, including the possibility of them losing their ability to be publicly traded, etc.
- "the hackers only stole my diablo 3 stuff, if it was a compromise on my end why wouldn't they have taken my banking info and paypal login, etc"
-Because, according to blues on the WOW forums, the most common form of compromise for battle.net accounts is phishing scams. In other words, keylogger compromises are more rare, and thusly why your banking and paypal info is safe. If you got hacked via one of the various methods that do not require any kind of keylogger to perpetrate, this explains why only your diablo account was hacked.