Keyloggers, what to know, what to do (READ)

Discussion in 'Offtopic' started by Joyma, Jun 6, 2007.

  1. Ayu

    Ayu You need help. Just contact Smaj, it's faster.

    Joined:
    Aug 26, 2005
    Messages:
    14,269
    Likes Received:
    542
    I am not really sure what your argument is. :V
    You refuse to get an Authenticator because an additional layer of protection is useless to you. Yet here you are arguing for us to change our passwords because.... it's an additional layer of protection? <_<

    You can try and twist things as much as you want but an Authenticator is still more reliable than just a strong password. You have to supplement all with a good Firewall/AV combo anyway.
     
  2. Keubad

    Keubad Member

    Joined:
    Oct 5, 2009
    Messages:
    87
    Likes Received:
    0
    I don't think he refuses because it's useless. He refuses because he doesn't believe the trade-off of time vs security is worth it.

    I take the same approach. While I agree that an authenticator would probably make my account more secure, I have faith in my own ability to keep my account safe.

    I also accept the consequences of my decision: I don't have access to the guild bank. Fair enough. I have a higher chance of having my account stolen. To be honest I don't care that much but my circumstances are different to most others.
     
  3. Chirrad

    Chirrad Member

    Joined:
    Sep 29, 2009
    Messages:
    143
    Likes Received:
    0
    I also agree with this. I don't use an authenticator because:

    * It complicates the process of logging in
    * Has no gain for me (I don't care about guild bank access either, and Blizzard will return all my items should I fail to protect my account and get hacked)
    * Gives you the possibility of preventing yourself from logging in - I can think of certain guildies who've missed raids due to going back to/home from Uni and leaving their authenticators behind ;) and before anyone mentions the mobile authenticators, I wonder how many people have missed a raid because they've lost their phone or had it stolen.

    It's not exactly difficult to run a server which would listen for these codes being transmitted so that someone can log onto your account. I wouldn't regard this as something which requires you to be hated by someone - I'm surprised there haven't been more cases of this yet! I believe the codes are valid for 30/60 seconds which is plenty of time for someone else to log onto your account!
     
  4. Merlijn

    Merlijn Shadow Master

    Joined:
    Mar 11, 2009
    Messages:
    2,284
    Likes Received:
    57
    Couldn't have said it better myself
     
  5. Merlijn

    Merlijn Shadow Master

    Joined:
    Mar 11, 2009
    Messages:
    2,284
    Likes Received:
    57
    And this :D
     
  6. Braque

    Braque Member

    Joined:
    Dec 14, 2005
    Messages:
    2,250
    Likes Received:
    7
  7. Keubad

    Keubad Member

    Joined:
    Oct 5, 2009
    Messages:
    87
    Likes Received:
    0
    I'm sure I could find a link on Wikipedia that describes your post too. It wouldn't necessarily contribute anything but I guess that's not what you're attempting either.
     
  8. Croga

    Croga Says funny things =)

    Joined:
    Sep 9, 2008
    Messages:
    892
    Likes Received:
    0
    The kind of man-in-the-middle attack you're suggesting here actually is very difficult. Not just because it's very hard to set up a server that can intercept anything going from me to the Blizz servers (that would already be a very strong feat of itself) but also because the data being sent is encrypted. The kind of encryption that you can't hack in 30-60 seconds. And last: As soon as I enter a code and it reaches the server, it's invalidated.

    All in all: Yes, it is exactly difficult.

    I still do keep referring to the case of CosmosUI where everyone using it was absolutely sure it was absolutely safe. It wasn't. Yet everyone here seems to fully trust CurseUpdater enough not to use an authenticator.
    Results from the past may not give guarantees about the future but they should definitely be taken into account.
     
  9. Lonei

    Lonei Shitpenis

    Joined:
    Aug 7, 2008
    Messages:
    499
    Likes Received:
    0
    Typing 6 numbers after your password hardly complicates the login process. And if you're scared of losing it then just glue it to your desk, if you're that paranoid about security you shouldn't want to be logging in anywhere other than your home pc anyway.
     
  10. Keubad

    Keubad Member

    Joined:
    Oct 5, 2009
    Messages:
    87
    Likes Received:
    0
    A man-in-the-middle attack wouldn't work that way. What would probably happen is that the key-logger would send your auth code and password to a remote server/user which would then immediately log in with those details. If the attack program could prevent you logging in and thus using up the one-time key (and also prevent you logging in later) they can then do what they like with your account (within the limitations imposed by only having one key). It's clearly not ideal for the attacker and given the current prevalence of non-authenticator owning users, it's probably not even economic to bother. Of course the situation changes when all/most of the population has authenticators. At that point, if they want to try and steal accounts/gold they do need to go to this much effort. (So stop telling people to get authenticators! You're just making it worse for yourselves:p )
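
The expiry and one-time-use behaviour debated in the posts above (codes valid for 30/60 seconds, invalidated once they reach the server), as an added example that is not part of the thread and not Blizzard's implementation. It assumes a standard RFC 6238 TOTP scheme with a 30-second step; the secret, timestamp and the `Verifier` class are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds a code stays valid (assumed; the thread says 30/60)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    counter = unix_time // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Verifier:
    """Server-side check: code must match the current step and be unused."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_used_step = -1  # highest time step already consumed

    def check(self, code: str, now: int) -> str:
        step = now // STEP
        # Constant-time comparison against the code for the current step only.
        if not hmac.compare_digest(code, totp(self.secret, now)):
            return "rejected: wrong or expired code"
        # A code that was already accepted in this step cannot be replayed.
        if step <= self.last_used_step:
            return "rejected: code already used"
        self.last_used_step = step
        return "accepted"


def demo() -> list:
    secret = b"constructed-demo-secret"  # constructed sample value
    t0 = 1_700_000_010                   # constructed timestamp, start of a step
    code = totp(secret, t0)
    v = Verifier(secret)
    return [
        v.check(code, t0 + 5),     # first submission inside the window
        v.check(code, t0 + 10),    # same code again: replay
        v.check(code, t0 + STEP),  # next window: code has expired
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The first submission is accepted no matter who sends it, so this check stops reuse of a captured code but not the case where the owner's code never reaches the server.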
     
  11. Keubad

    Keubad Member

    Joined:
    Oct 5, 2009
    Messages:
    87
    Likes Received:
    0
    Here are 3 positions:

    1. I don't use an authenticator.
    2. I use an authenticator but keep it in my pocket.
    3. I use an authenticator but glue it to my desk.

    Apparently 3 is very paranoid. Presumably more so than 2. I would think 2 is more paranoid than 1.

    So I don't really see how someone who chooses not to use an authenticator because they think they might lose it, can be more paranoid than you. Or is this some Escher shit?
     
  12. Lonei

    Lonei Shitpenis

    Joined:
    Aug 7, 2008
    Messages:
    499
    Likes Received:
    0
    You buy an authenticator to quell the paranoia of "what if someone doesn't have state of the art virus protection".
    Yes this adds another level of what if I lose my authenticator paranoia, but it lowers the security paranoia.
    Glueing it to the desk removes the losing paranoia and you can play WoW without giving a fuck.
     
  13. Chirrad

    Chirrad Member

    Joined:
    Sep 29, 2009
    Messages:
    143
    Likes Received:
    0
    I currently play WoW without an authenticator, and also without giving a fuck. And I'm not paranoid either.
     
  14. Jazende

    Jazende Sacred vines, entangle the corrupted! Just contact Smaj, it's faster.

    Joined:
    May 12, 2008
    Messages:
    4,791
    Likes Received:
    230
    Takes 3 more seconds to log in with an authenticator, if you log in every day for a year that's 1095 seconds. WoW's been here for 5 years? Comes to a total of 5475 seconds or less than 2 hours. If you were to get hacked that'd cost you more than 2 hours to get back on track. Easily a timesaver, in my eyes, because you know, you're never safe (bla bla paranoia or I don't get hacked QQ).
     
  15. Mystara

    Mystara Master of Elements

    Joined:
    Dec 4, 2009
    Messages:
    1,128
    Likes Received:
    20
    I don't think there is a huge amount of paranoia involved. I have an authenticator myself and just have it resting in a gap on my keyboard so not too worried about losing it.

    Good internet security and such is just common sense to be honest and I'd recommend having a strong password if you have trouble remembering more than a few important passwords (e.g. pin number, bank password and email accounts should all be very different so I can understand maybe your email and WoW passwords would be the same/similar).

    Most passwords are either stolen via keyloggers or plain old physically by somebody you know - I learned all the laptop passwords of the people in my house last year just by looking over their shoulder enough times to "record" what key they pressed 1st/2nd/3rd and so on until you have the full password. Protip: The name of your 1st dog and the numbers 1 and 6 is rubbish. Then one evening when they all went drinking I changed everybody's password to Ilovedonuts and purposely talked about how I loved donuts all the next day until finally one of them clicked that was the new password when I brought a huge box of donuts into the house and told them they should love donuts too.

    At the end of the day I don't think 6 euro was a huge amount to pay even if it never saves my account from being hacked.

    Each to their own so I'm not going to give a lecture on the pros and cons of having one since there are benefits and drawbacks to almost any product/method in the entire world and it seems we've covered them all for this product :p

    But please stop bitching about it because the major drawback right now is me having to re-read this sodding thread endlessly seeing the same debate ¬_¬
     
  16. Chirrad

    Chirrad Member

    Joined:
    Sep 29, 2009
    Messages:
    143
    Likes Received:
    0
    But it's fun baiting all of the authenticator evangelists!
     
  17. Ayu

    Ayu You need help. Just contact Smaj, it's faster.

    Joined:
    Aug 26, 2005
    Messages:
    14,269
    Likes Received:
    542
    !
     
  18. Arly

    Arly Non-Shouter

    Joined:
    Oct 3, 2007
    Messages:
    1,733
    Likes Received:
    0
    You could always, you know, stop paying for the account. ;-)
     
  19. Joyma

    Joyma Administrator Just contact Smaj, it's faster.

    Joined:
    Aug 26, 2005
    Messages:
    10,183
    Likes Received:
    17
    Haven't read everything, since this discussion has been brought up many times before.

    The main reason there is even a discussion about this, is that even though the authenticator only secures your own account, it's partly a concern for the group as a whole. I for one could care less if people got their Pacman account hacked and couldn't play that for a week. However, when people in our raidgroup are lax with their security, it affects us all. It's happened several times before, even with people who "trust in their ability to keep my account secure". They get hacked, we lose a critical raider for a week, and a raid gets cancelled because of it.

    I just feel it's such a silly "pride" thing for people. The fact that using an authenticator somehow diminishes your PC-security-penis-size, the feeling of being "too good" for some cheap extra security. And this is assuming the authenticator isn't used to REPLACE common security sense!

    The argument regarding losing your authenticator is ironic. I'd like to meet the person who generally loses items they care about, or are important, but that are ALSO somehow experts on computer security. People that are careless with their keys, phone and/or authenticator, generally will be careless with their security. Prove me otherwise.

    It's even more ironical when you start about not being able to raid when you lose your authenticator. What about getting hacked, it's not like Blizzard instantly restores your items. I'm pretty sure it's faster to get your authenticator disabled over the phone, than to get your gear restored.

    Also realize Blizzard is considering making the authenticator required for WoW and other Battle.net games, so may as well get used to it.
     
  20. Ayu

    Ayu You need help. Just contact Smaj, it's faster.

    Joined:
    Aug 26, 2005
    Messages:
    14,269
    Likes Received:
    542
    The Druid solution.™