ActiZard’s Evil Corporate Secrecy Behind Diablo 3 Account Hacking?
Posted 29 May 2012 by Flux
I’ve done (more than) my fair share of conspiracy theorizing and Bobby’s Eyes jokes, but there’s speculation, there’s satire, and there’s outright tin foil hatism. I think this editorial on Decrypted Tech crosses the last line by quite a ways.
The editorial references the ongoing “hacked” Diablo III accounts, demands that Blizzard reveal just how so many supposedly tech-savvy users are getting ripped off, speculates that there are dark secrets and Battle.net security issues they’re not telling us about, and connects that to the cruelly mercenary way that Activision fired the lead devs of Modern Warfare 2 shortly after that game’s record launch, in a move widely believed to be motivated by a desire to 1) take full control over the game series to turn it into a yearly commodity, and 2) sack the men responsible for the game’s massive success before they became eligible for huge bonus royalty payments.
Here’s a quote: read the whole thing if you dare.
On the one hand we have already told you about Blizzard’s heavy-handed approach to the rather large number of hacked accounts. This has been in the news enough that we do not need to go into too much detail, but it is important to flesh things out. Blizzard made the decision to make Diablo III an online game only. This is due to their DRM scheme that requires you to connect to their server to verify the game is legit (even in single player mode). Since the launch of the game, thousands of users have claimed that their accounts have been hacked (even players running the single player mode). Blizzard’s response to this has been pretty much cookie cutter: It is your fault your account was compromised.
Many are beginning to feel that Blizzard does not want to admit there is anything wrong, but would rather stick to the story that it is all the end user’s fault. This means that they do not have to refund the price of the game on a large scale, face the costs and time of a rewrite/global fix of the system, and also remove liability for the loss of virtual items that users might have paid for. The fact that they have shelved the real merchandise auction house is a good indicator of this.
The second item that could stand alone is the litigation between Activision and the former heads of Infinity Ward: Jason West and Vince Zampella. According to the timeline, West and Zampella were fired by Activision for insubordination. Activision claims they were going to set up a new gaming company with the help of EA Games. West and Zampella claim that this was not the case, but that Activision fired them to avoid paying the large bonuses and royalties they were due from Call of Duty Modern Warfare 2. The timing of the layoff is suspicious as it happened right after Modern Warfare 2 was delivered and while West and Zampella were operating on a contract extension.
Connecting it to the dual beheading of Infinity Ward is a stroke of conspiratorial evil genius, but that editorial is not alone in demanding that Blizzard be more forthcoming in their disclosures over the Diablo III account “hacking.” Besides umpteen angry forum posters, there’s this editorial at Gaming Blend.
The best info we’ve seen from Blizzard about the hacking came from one of their tech support guys, and you can see it summarized and quoted in this post from a couple of days ago.
So what do you guys think? Is Blizzard saying, “use an authenticator” enough? Should they share more details about what’s happening? Bashiok made a couple of replies in a post on this issue last night, and you can click through to read them, though he doesn’t say anything we haven’t heard before.
Bashiok: We’ve made multiple statements, the latest of which is the bottom-most sticky in this very forum.
In addition to verifying all compromises have been through someone’s password being stolen, and that no instances of a mobile/physical authenticator being attached before a compromise took place, we’re seeing compromise claims on the same general scale as a World of Warcraft expansion launch. The fact that far more people are playing Diablo III that have never been exposed to the concept of an account theft likely correlates with the seemingly bigger impact. World of Warcraft, for example, has a CS forum where most compromise claims are posted (Diablo III does not have such a forum so most are posted in General), which is in addition to World of Warcraft players just being more acquainted with the concept and steps to correct it than… say StarCraft II players that picked up Diablo III.
…I really don’t care to point blame, or decide who is at fault, or argue theories about what may or may not have happened. We’ve said what we know to be true, and that’s that.
All I want is for you to take your account security seriously. Follow the steps, and do everything you can to be aware of the links you’re clicking on, programs you’re downloading, where else your same account and password may be used, and the websites you’re logging into. If you do all that then I don’t mind being called a corporate shill or liar or whatever, just please don’t take your account security for granted.
HA exactly what I said earlier in the forum, wouldn’t be surprised if Actiblizzard is doing all the so-called hacking themselves, just to scam 6-7 more dollah outta everyone. as if the Black Soulstone sticking out of Kotick’s bumcheeks wasn’t indication enough. it’s gotta hurt when he sits down though, no matter what he is.
http://diablo.incgamers.com/forums/showthread.php?831282-If-you-haven-t-already-get-the-authenticator&p=8331291&viewfull=1#post8331291
*edit* just to shut them up in the future, I decided to buy one for myself and…..have you SEEN the international shipping fee??? 20 bucks??? and it’s the only option, can’t choose any other shipping services.
Authenticator is free on Droid phones, iPhones and even Windows 7 Phones…it’s seriously one of the only apps I’ve found to be useful on my WP7 phone so I doubt they’re doing this to sell you a $6 piece of plastic when you can get it for free.
It doesn’t work properly for Diablo 3 as of yet.
I just installed it on my android and it worked perfectly with d3.
Dial-in Authenticator doesn’t work for anything but WoW. Mobile and physical ones work fine for D3 and have since launch.
@DiabloBaal – what are you talking about? It has worked since beta patch 15. Incorrect numbers properly reject the login. Are you just making stuff up for the fun of it?
Have you tried EU shop? http://eu.blizzard.com/store/details.xml?id=221004517
Yep, to scam $6-7 from people when it costs them more than double that per authenticator, since they sell them below cost and only charge for shipping.
Greatest scam ever, to lose money! Brilliant!
And where’s the source proving they don’t profit from the authenticators? I have yet to see any company in the world selling products without profiting from it. It’s like those promotions you see sometimes: gather 10 coupons plus 3 dollars and trade for this amazing plastic object made in China and shaped in a way to make you feel it costs more than 2 cents to produce.
When Blizzard addresses their fanbase explaining the motive for this huge increase of hacking reports (compared with the normal amount of hacked players every day) then I’ll be the first one to stop saying there’s something strange happening. The fact the game just launched is not really a motive because WoW has more players than D3 currently and we had no reports about an increased number of hacked players there.
The problem is that we don’t have any way to prove or disprove the hacks. It’s too easy for both sides in this story to lie. If there is really a problem in Battle.net 2.0 it’s too easy for Blizzard to lie about it and blame the players to avoid bad publicity for a recently launched game, and it’s also easy for stupid players to lie about how they were hacked if they installed d3hack.exe on their computer.
What I really hate is how Blizzard’s fanboys (not you) always try to protect Blizzard from all forms of criticism, even constructive ones.
I agree with you, blindly defending Blizz (or anything, for that matter) doesn’t help anything.
Here’s some food for thought, though. Sure, we don’t know if they directly profit off the authenticators, but consider they’re sold at or close to cost. Blizzard probably profits from the fact that (supposedly) fewer accounts are compromised when an authenticator is attached, and thus, the fewer accounts compromised, the fewer customer service people are needed.
I find it pretty funny to keep reading the “Blizzard sells authenticators at a loss!” bleatings; those USBs are cheap as chips when you bulk order them, and you can bet your ass Blizzard does. If they released their cost for them and it was above $2 per USB I would honestly be astonished and wonder who Blizzard should fire for such ****ty sourcing. You can buy customised small orders of USBs for under $4 per piece, and if I can buy 25 custom USBs pre-loaded with a 1gig program file of my choice (as long as I have distribution rights for it) for $3.95 each, Blizzard can buy 100,000 for $1.50 each.
The game was cracked within its first day of release, gold spammers are a major problem already and item duping looks as bad as it ever was in D2. Check out the legendaries in the AH to see what I mean; every one has about 35 pages or more of them. Out of the 13 people I have on my friends list, only 1 person has found a legendary since the game came out and we’re all playing a LOT. No one has found a single set item…
Additionally, I personally know someone in real life who has an authenticator and had his account stripped of gold 2 days ago. He tried contacting Blizzard and was told that was impossible; he tried posting on the forums asking for help and had his posts deleted. Blizzard are telling him he must have given out his password – this is a 40-year-old man whose day job involves software. He isn’t giving out his password in AOL chatrooms. Blizzard just doesn’t want to handle the problem.
The only people I have seen complain of having their stuff stolen are people who play open public games. Blizzard can deny it all they like, but their game is ridiculously broken. I for one am uninstalling it and pre-ordering Torchlight 2.
The authenticators are this:
http://www.vasco.com/products/client_products/single_button_digipass/digipass_go6.aspx
It’s hard to figure prices since they’re cheaper in larger orders, and obviously Blizzard orders tons of them.
Here’s a place to buy them in various bundles. Cheapest I see is about $15 each.
http://www.sonicwall-sales.com/vasco-digipass/digipass-packs.html
The whole argument about a dollar or two in costs is childish and beside the point. Does anyone honestly think Bliz wants more of their customers to get their account hacked? Obviously Bliz spends a LOT more in man hours for their tech support than a dollar or three they might make selling the authenticator, and that doesn’t even include lost customers and bad publicity.
Should Bliz include authenticators with every box sold? A free one with every digital purchase? Perhaps, but you know tons of people wouldn’t enter their mailing address to get it shipped out, or wouldn’t bother to set it up once they had it. It’s not the price that’s dissuading people from using them. It’s the laziness and “bad things won’t happen to me” mindset of most humans.
Honestly?
My mind tells me it seems to make sense that many of the account compromises are user error,
. . .but my gut tells me Blizzard isn’t being fully transparent with everything which is going on.
It isn’t an authenticator issue. I believe it is how the public games are set up. When you open your game to the public anyone can join your game. So what the hackers are doing is joining public games, hacking people’s accounts and leaving. Blizzard needs to give the user more control over his/her game when opening it up to the public. We can’t name our own game, we can’t see what games are currently open to the public either, and we can’t create games with a friends-only option like Xbox Live has. It is a problem for D3 legit players the way Blizzard has it controlled. Why they chose it this way makes you wonder what Blizzard is really doing. Only going to get worse when the RMAH releases.
No. What’s happening is people are falling for phishing scams, or have malware on their PCs, or are reusing the same email/password combination on other sites (which have had their database leaked). An authenticator provides very good (although not 100% foolproof) defense against this. It has nothing to do with public games or “session IDs”. It’s simply people whose own stupidity leads to a failure in their security and then they look around for someone to blame.
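The authenticator point in the comment above, as an added example that is not code from the page, Blizzard or Vasco: a minimal server-side login check that requires both a password and an RFC 4226/6238 one-time code, using constructed demo credentials. It shows why a phished, keylogged or reused password passes the first check but fails the second, and why a code captured once cannot be replayed after its owner has used it.

```python
import hashlib
import hmac
import struct

# Constructed demo credentials for a hypothetical account (not real Battle.net values).
# Real authenticators (the Vasco Digipass tokens and the mobile app discussed in the
# thread) use their own provisioning; this is a generic RFC 4226/6238 illustration.
DEMO_SECRET = b"constructed-demo-secret-key"
DEMO_PASSWORD_HASH = hashlib.sha256(b"correct horse battery staple").hexdigest()
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step)


class Account:
    """Server-side view of one account: password hash, OTP secret, last accepted step."""

    def __init__(self, password_hash: str, otp_secret: bytes):
        self.password_hash = password_hash
        self.otp_secret = otp_secret
        self.last_accepted_step = -1  # time step of the most recently accepted code

    def login(self, password: str, code: str, unix_time: int) -> bool:
        # Factor 1: the password. A phished, keylogged or reused password passes this.
        supplied_hash = hashlib.sha256(password.encode()).hexdigest()
        if not hmac.compare_digest(supplied_hash, self.password_hash):
            return False
        # Factor 2: a code from the device. Allow one step of clock drift either way,
        # but never accept a step at or before the last one used, so a code captured
        # by a keylogger or phishing page cannot be replayed once its owner has used it.
        current_step = unix_time // STEP_SECONDS
        for step in (current_step - 1, current_step, current_step + 1):
            if step <= self.last_accepted_step:
                continue
            if hmac.compare_digest(hotp(self.otp_secret, step), code):
                self.last_accepted_step = step
                return True
        return False


def demo_account() -> Account:
    """Fresh account holding the constructed demo credentials."""
    return Account(DEMO_PASSWORD_HASH, DEMO_SECRET)


if __name__ == "__main__":
    import time
    acct = demo_account()
    now = int(time.time())
    pw = "correct horse battery staple"
    print("password only, no code:", acct.login(pw, "", now))
    print("password + device code:", acct.login(pw, totp(DEMO_SECRET, now), now))
    print("same code replayed:    ", acct.login(pw, totp(DEMO_SECRET, now), now))
```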
YES. Blizzard is to blame, as I ever so eloquently explain here
http://diablo.incgamers.com/forums/showthread.php?831440-Worried-about-level-of-hacking-once-RMAH-goes-online&p=8331928&viewfull=1#post8331928
That’s far from an explanation, and that’s far from eloquent.
erm……..I was erm, being sarcastic? ya know? not exactly an explanation since it didn’t come from Actiblizzard’s mouth, but it sums it up pretty damn well. online-only DRM is meant to fight piracy and it’s also possible the hacking is done by ACBl themselves for the purpose of scamming more money outta you.
and no one has answered my other question: have you ever seen anyone in the history of D2’s lifespan so far having had their offline SP characters hacked like that?
I assumed you were being tongue-in-cheek regarding “eloquence”, but you weren’t being sarcastic. Sarcasm is more than just “saying something that you don’t mean completely”; it’s a certain way of saying something you don’t mean completely.
You reply to someone talking about how phishing works by saying “It’s Blizzard’s fault because they have no offline!” No, that doesn’t explain how the hacking is happening at all, or even why. Hacking would still be taking place if there was an offline way to play, it just wouldn’t be affecting as many people.
Frankly it’s absurd to suggest that Blizzard would hack their own game to cause security concerns after pushing the online-only model to begin with. They don’t make “profits” by having people put in a ticket to have their character restored. How dense can you possibly be?
And what do you mean, “my other question”? This is the first time you’re asking that question, on this page at least.
wrong
I have no spyware, malware or viruses on my PC
my email, password combo for battlenet is different from any other email password combo I have
yet I was still hacked
I got an email from blizz saying there was suspicious activity and that they locked my account
I scanned my PC with 3 different scanners and they all came up with nothing
strange thing, they took my gold, but not any items
maybe Blizz put my items back ?
I don’t know
Scanners are NEVER wrong, and they NEVER miss anything… Just like I’m sure your computer is a security haven.
/sarcasm
Whenever you start a game, unless you checked the option to not allow fast join, your games are already friends only.
I am curious to know why they allow IP addresses from far far away access.
Locking out unknown IP addresses is generally a standard feature now.
Apparently not for the game with the biggest launch in PC history.
I’m pretty sure the whole “OMG PUBLIC GAMES ARE HACKING US” charade is orchestrated by people who want Blizz/D3 to fail. And a bunch of morons jumping on the bandwagon.
So that’s my conspiracy theory.
Diablo 3 cannot fail… it’s a great game. How the company is handling its paying customers is what will be its downfall if it has one.
Download and install wireshark. Start it up and login to Diablo 3. You’ll find out how the hackers are stealing the account info.
Just to clarify. The username and password are sent in plain text over http. The password seems to be very poorly encrypted. They don’t use https/ssl.
Yeah, why would a company pretend that they don’t have any security holes while they rush to fix them behind the scenes? Every video game company possesses flawless security and is always truthful to their customers.
It’s really dumb to assume that no one within the company would learn of the internal hacking without saying anything.
An even more retarded notion is that Activision has control over Blizzard. They are together in name because of their parent company, Vivendi.
Here’s a quote from Wikipedia you stupid assholes. “Activision and Blizzard Entertainment still exist as separate entities. The holding company does not publish games under its central name and instead uses its subsidiaries to publish games, similar to how Vivendi Games operated before the merger. The merger makes Activision parent company of Vivendi Games’ former divisions.”
Here’s the problem, plain and simple.
There are two groups of bitterly angry players that are spamming D3 hatred 24/7:
Diablo 2 vets that wanted Diablo 2.5
Pirates and “the internet should be free, I bought a single player game” zealots
These players are the same ones that made up ridiculous 0/10 reviews on metacritic, and they are the same ones that are creating misinformation about account hacking. They are so bent out of shape over their precious game not being what they dreamed it would be, they’re going out of their way to cause problems. Don’t believe me? How about the blue posts replying to some user’s ranting/raving about having their accounts stolen confirmed to be fake?
I have no doubt users are having their Battle.net accounts compromised (read: not hacked) through social engineering and other devious methods (key loggers, worms, etc.). Blizzard has set up a really streamlined channel for getting these events reversed and restoring accounts. At the end of the day, with all the myriad tools and educational articles Blizzard (and internet sites in general) has provided to learn how to protect your account, it IS your fault if you have your account stolen.
Finally, with regards to the DRM crew: Diablo 3 has forced online play for many reasons, and DRM is just one of them. Blizzard isn’t stupid: every game developer attempts to find ways to A) prevent their games from being stolen, and B) prevent their games from being cheated (especially if high scores, or multiplayer are involved). As a D2 player who was sick of duping tricks and other mechanics that ruined the game, having it be online-only to solve problems like this is fantastic.
Don’t hold your breath, Diablo 3 Beta private server is already up, hackers working on full emulated game with an eta of couple of months. Hacking is already going on….. what tomorrow brings for D3, who knows. I personally love the game, but I strictly discard Bl$$ fanboydom and “everything Bli$$ does is great”. I’m not being offensive neither am I calling you a fanboi, it’s just that be practical in your argument. You got to play the game fine… good for you, don’t diss the thousands of people who couldn’t log in or play without lag or who got hacked. The 0/10 rating was there for a reason. You think everybody who waited for this game for 12 years would just in the end hate it..? GET REAL BUDDY.
Only reason for the DRM was maximum exposure of the RMAH to the maximum number of players.
That’s another argument I don’t understand. Why all the hate on the RMAH? Devs who build games that are solely monetized by the purchase price live and die by colossal success or underwhelming failure. Entire dev teams are fired after release when the game launches and doesn’t do as well as sales projections hoped. By building in some form of monetization that provides longevity, games like this can see continued support.
You like Blizzard games? Warcraft, Starcraft, Diablo, and their secret-veiled, next-gen MMO? In order for them to continue to justify spending 5-10 years on a game like this, they need to make money to support the salaries of the best-skilled labor in the industry (avg game dev salary is 40-60k, Blizzard’s is exceedingly higher than that). And yes, as a company/publisher in our great, capitalist country, the investors and founders behind the company are seeking a significant profit margin.
The RMAH is a great idea, in my opinion. I’d gladly pay $15 a month, just like I did for WoW. I don’t plan on using the RMAH to buy anything, unless I can make a small amount through selling neat items I find/craft, creating a leverage pool. If Blizzard makes more money off of my shenanigans, especially if I didn’t even ever lift my wallet a second time, power to them. It seems highly logical to me that Blizzard has built the game’s itemization and endgame around the RMAH’s success to increase reasons to drop money on it.
That said, if you look at social games and mobile games (in-game purchases to customize avatars, add on content, etc) and DLC through PS3/360 (same), it seems to me the RMAH is a reasonable extension of that very same idea: support the developers and add-on to your gaming experience. Completely optional too, btw.
I’m not a Blizzard fanboy, so much as I am a supporter of quality games. I know what it takes to build a game like this, and it doesn’t come cheap (in terms of raw finances or human time investment). I am just tired of reading one conjured story after another about session ID hacking and other tomfoolery that is sadly catching wind with folks who just don’t know any better.
Remember when the game still had singleplayer content and the items would bind to the players to prevent selling? I do. Blizzard also had this nice policy of making battle.net 2.0 so good that players would prefer playing online rather than offline (at that time they said that bnet 2.0 would be their DRM, but everyone thought it was the “good” DRM at the time).
Blizzard was really trying to prevent item selling in the game, and there are millions of ways to avoid, or at least discouraging it, but they suddenly decided to scrap the idea just because they wanted to make more money at the cost of fair gameplay system (bobby eyes explains why).
It makes me sick how almost every online RPG game right now has pay-to-win inside it. Even in GW2 they pushed the limits and are now offering a lot of things that make farming easier (Extra karma points, banker teleports etc). I’m really tired of this.
The only thing that will ever make me buy another online RPG again is if the game has a system where players cannot trade with other players, so everyone would have to find their own gear. That would really be nice!
I certainly understand your point in desiring to be in a situation where you + others only have gear they found themselves… I debate with myself just how much the AH is potentially ruining an element of the game I really enjoy. I do buy Jay Wilson’s argument though that trading was happening pre RMAH, pre GA too, and that adding these features doesn’t break the gameplay anymore than it already was in D2. Players just went outside of the system and spent their money in risky places. I would love to see them eventually add a mode that didn’t allow use of the AH/trading at all… I know this won’t happen due to their business model, but I do see a fun element. Throw in hardcore mode to the mix and you have ULTRA hardcore mode
So you want an online multiplayer game that completely eliminates a social economy, which is generally one of the lifeblood elements of an online RPG? Sounds like you better stick to single-player games then.
Secondly, I’m so tired of people complaining about “pay-to-win” and doing their best to misinform everyone else who might listen. No, Diablo 3 is not pay to win. Neither is Guild Wars 2. Both games are completely optional for spending money. But it’s popular to demonize anyone who actually wants to, you know, succeed and profit off of their creation. What a terrible thing they’re doing!
The issue here is that you don’t know what pay to win actually is. When you cannot advance in the game without spending money, THAT is pay to win. What you (and others) are complaining about is “pay-for-convenience.” How dare someone has more money than time, so they can get ahead by spending some money instead of sitting in front of a computer for hours on end! A lot of us gamers grew up, have families, jobs, and other things that take up their lives. I can’t spend 10 hours a day playing Diablo anymore like I could when D2 came out. But all of a sudden, since there’s another way for me to advance, it’s “not fair” and “pay to win!” From my chair, it sounds more like “b-b-b-b-but you didn’t play for 90 hours this week you don’t deserve the stuff I have!” Then remember that time equals money, and choose your currency.
HAHA, a private server. Hilarious. Get back to me with the server up-time of this private server when it goes online. For grins, go and read about some of the WoW private servers that were out there. You are going to go back on your wish for a private server after you read about them.
The 0/10 rating was the metacritic “protest” vote for the server downtime on days 0, 1, and 2. Those aren’t accurate ratings of the game.
The reason for DRM was dual-hatted. Piracy was the 2nd hat. I’m not even sure your theory for the other hat holds water as there is ZERO enforcement that the player enter the RMAH at any time.
Why are you telling him not to hold his breath, when he’s not expressing hope for anything? He’s just describing the way things are.
OMG. We say Blizzard is hiding numbers. Blizzard shows us estimates that numbers are not catastrophic. We say that they are hiding numbers.
What gets changed if they do show us non-catastrophic numbers?? Do we believe that those numbers are not made up? Why is “no accounts hacked with authenticator” less reliable than “number of accounts hacked with authenticator is 0.00%”?
What do all those doomsayers want from Blizzard?
An offline mode for single player.
Well said!