Are we really secure on Blizzard's end??

#0 - May 20, 2010, 3:27 p.m.
Blizzard Post
My account was hacked and wiped along with my guild's bank this past weekend. As I patiently wait for the restoration to happen, I have been reading all of these forum posts about the same thing happening to many, many others. I keep reading the same thing over and over. I have started WoW launcher and ran every scan under the sun to find what compromised my account. I have found nothing. I have run everything suggested on these forums as well as others suggested by friends. The same thing every scan "NOTHING FOUND". So either myself and what seems like 100's of others are just "unlucky" with these scans, or maybe there is an issue with the Blizzard security on their end. Maybe it's such a new logger that none of the scans pick it up yet. I really don't know, but to continually read these day after day really has me wondering. Has it always been like this and I just never read them because it hasn't happened to me or is this deluge the result of an open door somewhere that has yet to be found?? This is not to rip Bliz, just so many people cannot find what compromised them seems like these hackers have found a serious loophole somewhere.
#30 - May 20, 2010, 6:53 p.m.
Blizzard Post
Quote:
I'm not saying that Bliz was hacked and they are covering it up. I'm just wondering if someone has not found a loophole that they are unaware of. And yes all my Adobe Flash and so forth are always updated. I run Kaspersky that is updated 2 and sometimes 3 times a day. I ran Spybot and Malwarebytes (all updated) as well as a few others that I don't remember and all found nothing. Everyone is quick to say it's on my end, until, that is, it happens to you. I keep all my cpu's updated regularly and have never had an issue of any kind like this on my home network. Again, I'm not pointing fingers, just seems strange to me this many at a time. As you read these forums, and refresh your screen you will see additional people that have been hacked.


When something like this occurs, it's perfectly natural to look for answers and try to find some causality. That's actually not only reasonable, but by far the best and most preferable course of action. I'm delighted to hear that you make active use of well regarded malware scans, but I also feel compelled to remind you of a couple things.

The unfortunate truth is that it doesn't matter how effective your system security is if:
  • You've ever provided your account information to another person.
  • You fell prey to a phishing scam.
  • You've ever logged in from a potentially unsecured or infected system.
There's more than one method of ingress for malicious account thieves, I'm afraid. Merely because you haven't found a keylogger is not indicative of a security issue on our end.

As of this moment, I can confidently state that our systems remain secure. I would remind those reading that there is more at stake in our security measures than player accounts (though that information is crucially important). We also have all kinds of our own data and creative properties to protect, that are vital to the existence of Blizzard Entertainment.

Approaching the situation logically and bluntly: those who engage in these practices have a much easier time getting account information directly from our customers - ultimately a cheaper and better course of action for them. Where keyloggers and trojans fail, they fall back on social engineering and phishing. I'm sure that if those measures were no longer as effective, they'd devise new ways to get at your accounts.

That's one of the reasons why we made the Blizzard Authenticator and Mobile Authenticator available, as well as invested effort in helping to educate our players regarding account security:

Account Hacked? Security Issue? Look Here!
http://forums.worldofwarcraft.com/thread.html?topicId=24702231244&sid=1

Moving forward, and within the bounds of appropriate responsibility, we will continue to examine new and better methods to help protect and educate our players.
#33 - May 20, 2010, 8:14 p.m.
Blizzard Post
Quote:


Thanks for the reply and the understanding that I'm out for answers not "blood" as some who have posted here believe. The problem may very well be on my end; I just have not found it. I just find it funny when everyone assumes that the person hacked has been visiting gold sites or fallen for the e-mail tricks. Honestly I wish I had, then I would know why this all happened. And yes I ordered 2 authenticators the day this happened. And I'm worried about that as well because I read posts where those accounts are also being compromised. I'm not stupid, I surf safe, I update things, and I was like many of you reading this right now, thinking "bah, he's been doing shady stuff, or just stupid. It will never happen to me." Well it did happen to me and I know how safe I have been. Just keep that in mind when your turn comes.


Thanks for understanding.

I should point out that no security measure is 100% effective. The man-in-the-middle attacks that resulted in the bypassing of several Authenticator protected accounts were not common to begin with, and have become less so. Overlapping security measures can each help promote the effectiveness of the others - thus, good anti-malware measures will help ensure that your Authenticator remains virtually impregnable. At any rate, an Authenticator can still provide a very substantial additional layer of security, and is one of the only measures I can think of that is also effective vs. phishing and the like.
#67 - May 21, 2010, 1:36 a.m.
Blizzard Post
It should be possible to debate this point without hostility, guys. It's amazing how far a little courtesy goes - even if you disagree with the opposing party.

With regard to brute force trespass? That isn't a common form of compromise to my knowledge (I haven't personally heard of any compromises perpetrated by this method), and unfortunately, there are 'better', faster and cheaper methods available.

I'm glad that there's discussion of the risks though, since awareness is a crucial part of account security. If we can keep this discussion friendly and focused on recognized security threats, then I think there's potentially much to be gained from further dialogue on the subject.
#76 - May 21, 2010, 3 a.m.
Blizzard Post
Quote:


Who knows? Maybe there's some server-side bug that allows access to a non-authenticator account using an unassigned authenticator and without the password, and a side effect is that the unassigned authenticator gets attached to that account. Anything's possible, and the worst thing that can happen is for people to pretend that it's impossible when they don't really know for sure.


As far as I'm aware nothing like that is occurring, nor is the Authentication system designed or implemented in such a way that such a thing would be possible.

Authenticators are being added after the fact to allow compromisers more time with infected accounts. Unfortunately, that allows them to use them for various nefarious purposes.