Keyloggers, what to know, what to do (READ)

Ayu

You need help.
Staff member
Aug 26, 2005
15,256
I am not really sure what your argument is. :V
You refuse to get an Authenticator because an additional layer of protection is useless to you. Yet here you are arguing for us to change our passwords because.... it's an additional layer of protection? <_<

You can try and twist things as much as you want but an Authenticator is still more reliable than just a strong password. You have to supplement all with a good Firewall/AV combo anyway.
 

Keubad

Member
Oct 5, 2009
87
I don't think he refuses because it's useless. He refuses because he doesn't believe the trade-off of time vs security is worth it.

I take the same approach. While I agree that an authenticator would probably make my account more secure, I have faith in my own ability to keep my account safe.

I also accept the consequences of my decision: I don't have access to the guild bank. Fair enough. I have a higher chance of having my account stolen. To be honest I don't care that much but my circumstances are different to most others.
 

Chirrad

Member
Sep 29, 2009
143
I also agree with this. I don't use an authenticator because:

* It complicates the process of logging in
* Has no gain for me (I don't care about guild bank access either, and Blizzard will return all my items should I fail to protect my account and get hacked)
* Gives you the possibility of preventing yourself from logging in - I can think of certain guildies who've missed raids due to going back to/home from Uni and leaving their authenticators behind ;) and before anyone mentions the mobile authenticators, I wonder how many people have missed a raid because they've lost their phone or had it stolen.

Ded said:
You must have made some real enemies if they've gone that far

It's not exactly difficult to run a server which would listen for these codes being transmitted so that someone can log onto your account. I wouldn't regard this as something which requires you to be hated by someone - I'm surprised there haven't been more cases of this yet! I believe the codes are valid for 30/60 seconds which is plenty of time for someone else to log onto your account!
 

Merlijn

Shadow Master
Mar 11, 2009
2,284
I don't use an authenticator because:

* It complicates the process of logging in
* Has no gain for me (I don't care about guild bank access either, and Blizzard will return all my items should I fail to protect my account and get hacked)
* Gives you the possibility of preventing yourself from logging in - I can think of certain guildies who've missed raids due to going back to/home from Uni and leaving their authenticators behind ;) and before anyone mentions the mobile authenticators, I wonder how many people have missed a raid because they've lost their phone or had it stolen.

And this :D
 

Keubad

Member
Oct 5, 2009
87
I'm sure I could find a link on wikipedia that describes your post too. It wouldn't necessarily contribute anything but I guess that's not what you're attempting either.
 

Croga

Says funny things =)
Sep 9, 2008
892
The Hellmouth
It's not exactly difficult to run a server which would listen for these codes being transmitted so that someone can log onto your account. I wouldn't regard this as something which requires you to be hated by someone - I'm surprised there haven't been more cases of this yet! I believe the codes are valid for 30/60 seconds which is plenty of time for someone else to log onto your account!

The kind of man-in-the-middle attack you're suggesting here actually is very difficult. Not just because it's very hard to set up a server that can intercept anything going from me to the Blizz servers (that would already be a very strong feat of itself) but also because the data being sent is encrypted. The kind of encryption that you can't hack in 30-60 seconds. And last: As soon as I enter a code and it reaches the server, it's invalidated.

All in all: Yes, it is exactly difficult.

I still do keep referring to the case of CosmosUI where everyone using it was absolutely sure it was absolutely safe. It wasn't. Yet everyone here seems to fully trust CurseUpdater enough not to use an authenticator.
Results from the past may not give guarantees about the future but they should definitely be taken into account.
 

Lonei

Shitpenis
Aug 7, 2008
499
Typing 6 numbers after your password hardly complicates the login process. And if you're scared of losing it then just glue it to your desk, if you're that paranoid about security you shouldn't want to be logging in anywhere other than your home pc anyway.
 

Keubad

Member
Oct 5, 2009
87
The kind of man-in-the-middle attack you're suggesting here actually is very difficult. Not just because it's very hard to set up a server that can intercept anything going from me to the Blizz servers (that would already be a very strong feat of itself) but also because the data being sent is encrypted. The kind of encryption that you can't hack in 30-60 seconds. And last: As soon as I enter a code and it reaches the server, it's invalidated.

All in all: Yes, it is exactly difficult.

I still do keep referring to the case of CosmosUI where everyone using it was absolutely sure it was absolutely safe. It wasn't. Yet everyone here seems to fully trust CurseUpdater enough not to use an authenticator.
Results from the past may not give guarantees about the future but they should definitely be taken into account.

A man-in-the-middle attack wouldn't work that way. What would probably happen is that the key-logger would send your auth code and password to a remote server/user which would then immediately log in with those details. If the attack program could prevent you logging in and thus using up the one-time key (and also prevent you logging in later) they can then do what they like with your account (within the limitations imposed by only having one key). It's clearly not ideal for the attacker and given the current prevalence of non-authenticator owning users, it's probably not even economic to bother. Of course the situation changes when all/most of the population has authenticators. At that point, if they want to try and steal accounts/gold they do need to go to this much effort. (So stop telling people to get authenticators! You're just making it worse for yourselves :p )
 

Keubad

Member
Oct 5, 2009
87
Typing 6 numbers after your password hardly complicates the login process. And if you're scared of losing it then just glue it to your desk, if you're that paranoid about security you shouldn't want to be logging in anywhere other than your home pc anyway.

Here are 3 positions:

1. I don't use an authenticator.
2. I use an authenticator but keep it in my pocket.
3. I use an authenticator but glue it to my desk.

Apparently 3 is very paranoid. Presumably more so than 2. I would think 2 is more paranoid than 1.

So I don't really see how someone who chooses not to use an authenticator because they think they might lose it, can be more paranoid than you. Or is this some Escher shit?
 

Lonei

Shitpenis
Aug 7, 2008
499
You buy an authenticator to quell the paranoia of "what if someone doesn't have state of the art virus protection".
Yes this adds another level of what if I lose my authenticator paranoia, but it lowers the security paranoia.
Glueing it to the desk removes the losing paranoia and you can play WoW without giving a fuck.
 

Chirrad

Member
Sep 29, 2009
143
Glueing it to the desk removes the losing paranoia and you can play WoW without giving a fuck.

I currently play wow without an authenticator, and also without giving a fuck. And I'm not paranoid either.
 

Jazende

Sacred vines, entangle the corrupted!
Staff member
May 12, 2008
4,997
Takes 3 more seconds to log in with an authenticator, if you log in every day for a year that's 1095 seconds. WoW's been here for 5 years? Comes to a total of 5475 seconds or less than 2 hours. If you were to get hacked that'd cost you more than 2 hours to get back on track. Easily a timesaver, in my eyes, because you know, you're never safe (bla bla paranoia or I don't get hacked QQ).
 

Mystara

Master of Elements
Staff member
Dec 4, 2009
1,463
I don't think there is a huge amount of paranoia involved. I have an authenticator myself and just have it resting in a gap on my keyboard so not too worried about losing it.

Good internet security and such is just common sense to be honest and I'd recommend having a strong password if you have trouble remembering more than a few important passwords (e.g. pin number, bank password and email accounts should all be very different so I can understand maybe your email and wow passwords would be the same/similar).

Most passwords are either stolen via keyloggers or plain old physically by somebody you know - I learned all the laptop passwords of the people in my house last year just by looking over their shoulder enough times to "record" what key they pressed 1st/2nd/3rd and so on until you have the full password. Protip: The name of your 1st dog and the numbers 1 and 6 is rubbish. Then one evening when they all went drinking I changed everybody's password to Ilovedonuts and purposely talked about how I loved donuts all the next day until finally one of them clicked that was the new password when I brought a huge box of donuts into the house and told them they should love donuts too.

At the end of the day I don't think 6 euro was a huge amount to pay even if it never saves my account from being hacked.

Each to their own so I'm not going to give a lecture on the pros and cons of having one since there are benefits and drawbacks to almost any product/method in the entire world and it seems we've covered them all for this product :p

But please stop bitching about it because the major drawback right now is me having to re-read this sodding thread endlessly seeing the same debate ¬_¬
 

Chirrad

Member
Sep 29, 2009
143
Mystara said:
But please stop bitching about it because the major drawback right now is me having to re-read this sodding thread endlessly seeing the same debate ¬_¬

But it's fun baiting all of the authenticator evangelists!
 

Joy

Administrator
Staff member
Aug 26, 2005
10,227
Haven't read everything, since this discussion has been brought up many times before.

The main reason there is even a discussion about this, is that even though the authenticator only secures your own account, it's partly a concern for the group as a whole. I for one could care less if people got their Pacman account hacked and couldn't play that for a week. However, when people in our raidgroup are lax with their security, it affects us all. It's happened several times before, even with people who "trust in their ability to keep my account secure". They get hacked, we lose a critical raider for a week, and a raid gets cancelled because of it.

I just feel it's such a silly "pride" thing for people. The fact that using an authenticator somehow diminishes your PC-security-penis-size, the feeling of being "too good" for some cheap extra security. And this is assuming the authenticator isn't used to REPLACE common security sense!

The argument regarding losing your authenticator is ironic. I'd like to meet the person who generally loses items they care about, or are important, but that are ALSO somehow experts on computer security. People that are careless with their keys, phone and/or authenticator, generally will be careless with their security. Prove me otherwise.

It's even more ironical when you start about not being able to raid when you lose your authenticator. What about getting hacked, it's not like Blizzard instantly restores your items. I'm pretty sure it's faster to get your authenticator disabled over the phone, than to get your gear restored.

Also realize Blizzard is considering making the authenticator required for WoW and other Battle.net games, so may as well get used to it.