Last month, the gaming giant Blizzard Entertainment had its security breached. Hackers had their eyes set on the company's newly launched game, Diablo III. Diablo III players have had many of their online valuables stolen, including in-game currency and rare, hard-to-obtain gear. These may not seem like much, but any gamer knows that they represent hours of effort spent making a character stronger and better, which is part of the rewarding gaming experience. Hackers targeted items such as a user's in-game currency and gear because they could easily be transferred to the hacker's own Diablo III account or sold to anyone willing to buy them. The game itself had a lot of problems at launch, including server downtime, trouble securing its systems, and much more.

Blizzard Entertainment does offer a service called the Blizzard Authenticator, but this way of authenticating users is flawed. The authenticator, either the Battle.net Mobile Authenticator app or the physical Battle.net Authenticator, is not adopted by most users. Blizzard states that, “… in all of the individual Diablo III related compromise cases we’ve investigated, none have occurred after a physical battle.net authenticator or battle.net mobile authenticator app was attached to the player’s account, and we have yet to find any situation where a Diablo III player’s account.” Although Blizzard states this, some Diablo players say their accounts were hacked while Blizzard’s Authenticator was attached. The Authenticator is a two-factor authentication system, but it is not the strongest form of two-factor authentication available on the market.

The Battle.net Authenticator uses a code produced by the authenticator, in addition to the user’s login credentials, to verify that a login is genuine. This is essentially a two-factor authentication system that Blizzard has implemented: the first factor is the user’s credentials and the second is the password shown by the mobile authenticator app or the physical Battle.net Authenticator, which validates the user and authorizes him or her to access the online account.

Diablo III, the most successful game launch, has sold over 10 million copies since the product launched and generated over $500 million in sales revenue for the company. This staggering amount of revenue draws plenty of attention, and some wonder whether Blizzard will give back to the gaming community. Some users are hesitant to purchase Diablo III because of the recent data breach. Many gamers do not want to see all their hard-earned work disappear one day because of the lack of proper security on Blizzard’s side when handling user accounts. Blizzard does help Diablo III users recover their accounts by rolling the account back to an earlier point, so that they can continue from a state prior to the hacking. Until their accounts were hacked, most users were unaware that the authenticator service was available to them.

Despite Blizzard saying that users who use Blizzard’s Authenticator have not been hacked, copious numbers of Diablo III users state on forums that they have been hacked. The Battle.net Authenticator and the Mobile Authenticator app are flawed in a couple of ways. The authenticator works by generating a new password every 30 seconds. That is fine in itself, but the problem is that the login also accepts a previous password from anywhere between 2 and 6 minutes earlier. “Man in the middle” attacks can easily use this loophole to gain access to Diablo III user accounts, and once in, the hackers can steal and pawn off the user’s hard-earned goods. The other main problem with Blizzard’s Authenticator is that the one-time passwords it issues are not true OTPs (one-time passwords). The authentication system uses a time-based interval scheme whose algorithm can be easily hacked because the server is on the same network rather than an out-of-band authentication network. With out-of-band authentication, the one-time password sent would be less likely to be compromised.
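As an added illustration of the acceptance window described above (this is not Blizzard's code; the page does not give the real algorithm, so an RFC 6238 style TOTP with 8-digit codes, a constructed secret and a constructed timestamp are assumed), the following shows that a code observed once stays valid for as long as the server tolerates past 30-second steps, and that a one-use rule on the server refuses the second presentation of an already accepted code.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per code, as the page describes

def totp(secret: bytes, counter: int, digits: int = 8) -> str:
    """RFC 6238 style code for one time step (HMAC-SHA1 with dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"

class Verifier:
    """Server side. `window` is how many steps before/after 'now' are accepted.
    A code is accepted at most once: counters at or below the last accepted
    counter are refused, so a captured code cannot be replayed after use."""
    def __init__(self, secret: bytes, window: int):
        self.secret = secret
        self.window = window
        self.last_counter = -1

    def verify(self, code: str, now: float) -> bool:
        cur = int(now // STEP)
        for c in range(cur - self.window, cur + self.window + 1):
            if c <= self.last_counter:
                continue  # already used, or older than a used code
            if hmac.compare_digest(totp(self.secret, c), code):
                self.last_counter = c
                return True
        return False

SECRET = b"constructed-demo-secret-not-a-real-key"  # constructed sample value
T0 = 1_700_000_000                                  # constructed login time

def captured_code_still_valid(window: int, delay_seconds: int) -> bool:
    """A code seen at T0 is presented to a fresh server `delay_seconds` later."""
    code = totp(SECRET, T0 // STEP)
    return Verifier(SECRET, window).verify(code, T0 + delay_seconds)

def reuse_after_legit_login(window: int) -> tuple:
    """Legitimate login at T0, then the same code presented again 15 s later."""
    code = totp(SECRET, T0 // STEP)
    server = Verifier(SECRET, window)
    return server.verify(code, T0), server.verify(code, T0 + 15)

if __name__ == "__main__":
    print("6 min window, code replayed after 5 min:", captured_code_still_valid(12, 300))
    print("1 step window, code replayed after 5 min:", captured_code_still_valid(1, 300))
    print("second use of an accepted code:", reuse_after_legit_login(12))
```

A 6-minute tolerance is 12 steps of 30 seconds, so the first call returns True while a one-step tolerance returns False; the last call shows that the one-use rule, not the window size, is what stops a code from being accepted twice.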

