• This is a good article. Just because Blizzard’s servers are technically secure (according to them) does not mean that they can’t offer an additional layer of protection for their customers. If TRION did it in 48 hours, I’m already a little disappointed big blue hasn’t come up with something similar.

  • I don’t see how anyone could trust Blizzard with their PayPal account with all of this negative activity going on. Something needs to happen, that’s for sure.

    • The “negative activity” is almost completely fabricated. Yes, there is hacking going on, but it is by no means massive or widespread. A small, very small percentage of people are getting hacked due to their own stupidity (until it is proven that there is a hole in Blizzard’s security, I’ll go with the much likelier scenario), and now haters, trolls and idiots across the entire battle.net have joined up in an effort to make everyone believe that something like 99% of people are being hacked and that it is either Blizzard’s fault and they are doing nothing, or that Blizzard is in fact doing the hacking and are disguising it. Have I mentioned how much I despise battle.net forums?

  • I wouldn’t want Blizzard to block the system unless they know there is a problem on their own end. I bought an authenticator for this reason. See, I’m (was) a WoW player. Players getting hacked: I have seen this for 6 years straight and among my close friends. Players then say they don’t understand why and there are no reasons for the hack. But WoW players kinda got used to it being a risk and those concerned already had an authenticator.
    Time will tell whether or not it was a mistake by Blizzard, I’m pretty sure they are investigating since hacked accounts cost them a lot in CS and reputation. They are also obligated to declare a breach if they find one in their system, not doing so would have unimaginable consequences.
    Meanwhile, change your password to something unique and get an authenticator; the mobile one is free and the other one is cheap.

    And you will be able to use it for all your Blizzard games.

  • REALITY CHECK: Blizzard is already doing everything possible.  The conspiracy theories are stupid; Blizzard was founded by passionate gamers and no one is more irritated by hacks than they are.  Look at Warden and their litigation efforts against groups which try to circumvent Battle.net.
    Think about it.  12 years of development, countless hours away from family, hundreds of artists, programmers, designers… do you really think they’re going to hold back, as malicious individuals try to ruin the game/launch?
    They have made it so abundantly clear that an Authenticator is the best way to stay safe. Seriously, if you don’t have an Authenticator have you been on Mars? They’ve been including them with the BlizzCon swag for years.  What do gamers want, an animated slap in the face if they log in and no security has been added?

    • You miss the point of Elly’s article. Regardless of who is responsible, a system to protect everyone can be added quickly if more time is required to investigate. At least users would have that added protection right away. 

      I am sure Blizzard’s systems are secure like they say, but it would be good PR if anything to implement a system like this now to protect everyone, and it would alert users who have got compromised PCs to deal with their security issues.

      Authenticators are the obvious choice and good on everyone who has purchased one. But until everyone has one, people could do with another layer of protection. If you have an authenticator you should not be coin-locked anyway.

      • I understand what she’s saying about TRION, but that would be a band-aid, not a cure.  There is already a system available to protect everyone. What stops someone from logging into your Battle.net account via the web, and wreaking havoc there?  Nothing. The Authenticator does though.

        EDIT: I do have to admit, they could have thrown one in the box, at the very least.

        • Agreed, however, to protect users NOW until they sort out their own PCs (or other issue is found with Bnet) etc, this would be an easy solution that is no real hassle to players.

        • Just to add, I got caught a few times with ‘coin lock’ in RIFT myself. Not sure why.

          The first time I panicked and assumed that I would be locked into countless hoop jumping and it would be like pulling teeth. I had hopped on to do some auctioning which I wouldn’t be able to do if I was ‘coin-locked’ so was doubly frustrated.

          However, it literally took 1 minute from clicking the button you see in the image above to getting the email, alt tabbing out to copy the code and pasting it in game. It unlocks instantly. No need to log out the game, it was all there on screen. It was a wonderfully simple solution.

          • I agree it seems simple Elly, but I think it’s a bit naive. I think we’re all in agreement (apart from the odd tin foil wearer) that the people getting hacked have keyloggers of some description installed on their PC/Mac, or fell for a phishing scam. If this is the case – the coin-lock style system offers significantly less extra security than an authenticator because if you can record someone’s battle.net password, you can record their email also, even if they were smart and used a different one for each service.

            In this case it also wouldn’t really alert the user at all, as the hacker would just log into the game, click the coin, log into the email, authorise it, and then just delete the message – no trace at all. I’m not against Blizzard implementing more security, but this system seems like minimal extra protection for the possibility of serious inconvenience – especially if you play on the move a lot like me.

             

        • By this logic, paramedics shouldn’t have bandages. All that bleeding can be stopped at the hospital!

          • An irrelevant logic analogy is always the most pathetic form of argument.

            Blizzard had decided that the best method to secure an account is something that is independent from your computer, a physical authenticator or a mobile app. If a hacker has keylogged your battle.net account then he also most certainly has your email account and password as well. Blizzard is not going to replace their current security system that they probably spent $100Ks to implement with one that is less secure. Diablo 3 players are going through the same QQ that WoW players went through 4 years ago. Nowadays most WoW players happily type in their authenticator code once a week and enjoy the game and peace of mind.

    • “Blizzard is already doing everything possible.”

      This is inaccurate - they could very easily do the same thing Elly mentioned in the article above. As another example, every bank website has (or should have) a security measure where logging in from a different computer and/or IP requires some extra authentication step – be it email or answering a security question. That’s not difficult to implement.

      I agree that people should get authenticators, and in fact, all of this has led me to get one as of 2 days ago.  However, if you’re not reading online forums, you’re never going to know about the authenticator or hacking problems.  THOSE are the people who deserve some sympathy, and the people that Blizzard really ought to be trying to protect. 

      Bottom line is that Blizzard CAN do more – arguably quite easily, and I believe they should. 

      • It’s easy to look at the situation and say they could do more… but I say give them the benefit of the doubt, assuming they have security researchers who know a heck of a lot more than I do about network packets and keyloggers.

        • They have made in the area of 1/2 billion dollars revenue on D3. They claim to care about security and that they want to do everything possible. … Here’s the important part: **THEY LEAVE OUT A FEATURE THAT HAS BECOME ESSENTIALLY STANDARD** and would clear up the whole security situation instantly.

          Trion isn’t the only company to implement a feature like this. Others have as well, go look that up.

          Blizzard accounts have been the most targeted game accounts for years now, and yet Blizzard are lagging behind in the security department.

          Trion implemented the fix within two days… and the problem essentially went away. There are many simple solutions Blizzard just don’t care to implement.

          • Actually – the problem was just a lot less visible in Trion’s case, and honestly – no-one cares that much about hacking a RIFT account – the characters and items have so much less value than WoW so even this weak security change would be enough to make it just not worth it.

            Things are different in D3, especially with the RMAH on the horizon.

            There is actually a significant downside to putting this all on Blizzard though – if you’ve got a keylogger on your machine, you have much more serious problems than your battle.net account being hacked. What about online shopping? Email? 

    • I love Blizzard too, but you forget to mention the Bobby eyes….

      Also, there is no way in hell I would spend extra money to buy their damn authenticator, nor do I wanna associate my cell phone number with an online game. The idea of “coin-lock” is brilliant and should be implemented ASAP.

    • If D3 were an MMO they’d act quickly too. Because losing subscriptions in that genre is a no-no. But with D3 they have our money. So if a player stops playing, it doesn’t affect Blizzard one bit.

    • Blizzard is obviously NOT doing everything possible 

      did they implement a FREE authentication system as Trion did ?
      No

      It took Trion 48 hours to put in the fix
      48 hours ! 

      I already paid $60 for an online only game
      now I have to pay more to make the online game secure ?

      what a joke 

      • IMO Blizzard is doing nothing because they want to force players to use the authenticator and possibly the ones that cost money.
        It amazes me how someone voted in the option “it’s the user responsibility”, it clearly shows the fanboyism level from the Blizzard players these days. An inventory lock would bring only advantages for the players, I really can’t see how accessing your email to unlock the inventory can be so annoying in the rare event your account was suspiciously accessed from a different IP. This already happens when you try to access your battlenet account from a different place than usual, why not implement the same thing in D3?

        • “It amazes me how someone voted in the option “it’s the user responsibility”, it clearly shows the fanboyism level from the Blizzard players these days”

          Really?  Wanting to hold people accountable for their own actions is fanboyism?  Tell me then, if these people aren’t getting hacked because of trojans/keyloggers (which are quite easy to avoid in the first place), then HOW are they being hacked?  

        • Blizzard is losing money per authenticator sold because they are selling them significantly below price. The reason why they chose to lose money on the authenticators is because they lose even more money per hacked account, hence, lesser of two evils. So, no, Blizzard is not hacking their own users in an attempt to make money from selling authenticators. But I’m sure there will be some (crazy) conspiracy theory around how Blizzard is still the guilty one in the end. 

      • “did they implement a FREE authentication system as Trion did ?
        No”

        Actually, yes, they did. Did you actually look for the answer to that question yourself, or do you just believe what all the angry people say? I find it amusing how big a deal people are making out of all this. I NEVER saw this big of a deal in all my years of WoW combined. Until it’s proven that people are getting hacked because of Blizzard’s servers, and not someone just being an idiot, I’ll just keep laughing at all of this.

    • +4
      TheShadowKnows

      keyword = WAS founded
       
      90% of the Blizzard BoD from their glory years (Phinney, O’Brien, Wyatt, Roper, Brevik, Schaefers, Adham) has been gone for a decade.

      • METZEN! We still have Metzen. :D He counts for 50%.

        • I really like Blizzard and all, but Metzen and Knaak need to be fired. As soon as possible. And, yes, I do know that he had an active role in D1 and D2’s story, but I imagine, back then, he wasn’t the one who was calling the shots, hence the distinct lack of mary sues and similar cliches. As much as I love D3 and think it a masterpiece, the story, not background story and not lore, those are both mind-blowingly amazing, but the story itself is rather disappointing.

    • Actually they don’t ship Authenticators worldwide, only to a limited number of countries.
      And if your mobile is not Apple or Android stuff you have zero protection.
      Blizzard do not provide good coverage for users and reacted poorly. This attitude: “only noobs are hacked” will last only until you are hacked yourself.
       

  • EdwardMcHater

    Most people that know how to play Diablo games can hack so it’s no fun when people get all angry because they can’t hack. In Diablo 2 everyone had map hack and you are a filthy liar if you say you didn’t know how to map hack. I truly think everybody whines too much in Diablo 3 when it’s gonna happen no matter what u gonna do! peace!1 :wink: 8O :o

    • You are a filthy liar if you think everyone is a cheater like you. Not everyone used maphack. I can point to hundreds of people that never used it.

    • When OP said hacks he was referring to account theft and not maphacks, dupes etc. Dafuq? Learn how to read please…

      • EdwardMcHater: “In diablo 2 everyone had map hack and you are a filthy liar if you say you didn’t know how to map hack.”

        *Who* can’t read?

        • +1
          EdwardMcHater

          You admitted to cheating so your opinion doesn’t count bro :mrgreen:

        • Good lord!! Do you even know how the reply system works? My first message wasn’t addressed to you TPJ, it was addressed to EdwardMcHater.

          But anyway, you guys were arguing about maphacks etc, but that’s not the point of this article. When OP wrote about hacking it meant account hacking and not maphacks….
          Seeing situations like this makes me want to quit trying to discuss anything related to D3. 75% of people writing things are fanboys irrationally defending Blizzard and the other 24% of them don’t know how to argue and use a forum…

  • I think coin-lock is a great idea.

  • Great stuff Flux, it is not the first time that I hope that Blizz checks this site regularly ;)

  • +7
    BonelessVodka

    If authenticators are such a necessity, they should have shipped with the game. You can’t tell me this isn’t a security breach on Blizzard’s end, there’s far more valuable information to hack into on computers than Diablo III accounts. I’m not angry about getting hacked (it sucks having to find new equipment, but big deal) but there’s an obvious security breach and something needs to be done. So far all I’ve seen that’s been done is “buy our authenticator”. Really? If I sent a flawed product to the customer and then had the balls to ask them to pay for the solution I’d get sued.

    • You may have a point. TRION didn’t think they had a hole either, they couldn’t find it, but a user did.

    • It’s not flawed because Blizzard can’t control your PC.  That’s like saying Microsoft should be sued because their operating systems have flaws which are exploited.
      Obviously, if there is some massive breach going on, they should tell the public, but they can’t be expected to hold your hand while you install Windows Updates.

    • /facepalm
      They hack only your D3 accounts and not more important stuff because that’s the target of the hack. The hacker is not manually scanning your computer and picking things one by one. The method employed just gave him your login/password with thousands of others and then he just uses them one by one.

    • I read somewhere several years ago that a Blizzard account was actually worth more than the average credit card. This was due to the way Blizzard security vs financial/credit security was set up.

      They could essentially sell all of your WoW things/character, and would end up making more in the long run, and never be caught, than if they stole your credit card information.

      I imagine that this has gotten worse since then, as banking security has improved and Blizzard’s security has essentially stayed the same.

      • This:  ships with game.  Period.  End of discussion.  Unforgivable for a game with this much potential for…

  • I have an authenticator (mobile) and support it 100%. I do believe it solves 99% of all problems we see reported. That said, a coin-lock like feature would all-but stop the problem altogether. You see, it gets to the root of the problem: authenticators are optional, so there will always be a percentage of the user base that is vulnerable to social engineering and other tricks employed by gold selling sites.

    If you strip away their ability to access items of value in the game entirely, they lose all incentive to even bother. Does anyone have any knowledge of whether this feature all-but solved Trion’s problems in Rift? If so, why NOT implement coin lock? It’s very rare that PC gamers login from different IP’s (and in those cases, this doesn’t sound like too large an inconvenience).

    • At the time, it stopped it right away. Players were very pleased with the results.

      • As above – the fact that this worked for RIFT is simply because items in RIFT are of such dubious value in the first place that even this weak security was enough to tip the balance over to not being worth the hassle.

        This is not the case for WoW, and it’s for D3 now – and especially not when the RMAH launches.

        What does the coin lock add to a machine already infected with a key-logger? Nothing. 

    • I agree what would a coin lock do if Blizzard is not at fault ?
      It would piss players that aren’t hacked and once its unlocked everybody that got their password stolen would be hacked again.

      • how would a player who’s not hacked get coin locked in the first place ?

        and why would players get “hacked again” ?
        inventories become locked, you can’t trade or drop anything or sell anything 
        what’s the point of hacking ?
        Trion’s coin lock put an end to the problem over night 
        people didn’t continue to get hacked 
        did you even read the article ?

         

        • Apparently he didn’t.
           
          It would be annoying if every player had to unlock their inventory every time he accessed his account, but this is not the case. The lock only happens if the password was compromised and if the real account owner noticed he was locked then he will know he was almost hacked and he must change his password ASAP to fix the problem.

        • Misread nevermind then.

      • also, in relation to what synch said.  For the first week or so after coin lock was implemented, non hacked users had to unlock their accounts a number of times due to them working out the kinks in their programming.

        No one complained, as they were doing it for peace of mind.

        Their accounts were secure, and a few extra mouse clicks were worth that trouble 

  • +6
    Sevenfold

    Blizzard has already done something similar to Trion’s coin lock system, and they did it before Rift was ever released – it’s called an authenticator.  We all have access to an optional second layer of security that is as close to 100% secure as can be, and certainly more secure than something like coin lock.  Blizzard has no responsibility to force additional superfluous security measures on everyone in order to protect those users who choose not to make use of the most obvious and most effective security measure available to them. Besides, the entire argument presented here is flawed based on the information given.  Trion’s coin lock was a system designed out of desperation to address a server vulnerability, something they were clearly responsible for.  Blizzard, on the other hand, can’t be held responsible for users who refuse to use an authenticator and can’t keep their PC free of malware.

    • Yes, but TRION didn’t need to add coin-lock, they could have left it up to users to get an authenticator instead.
      Your car company didn’t have to put a car alarm on your car, you could get one aftermarket instead.
      Microsoft doesn’t have to give you free AV/firewall tools with their computer, you can get 3rd party solutions.

      The bottom line is that it’s simply GOOD customer service for Blizzard to implement something easy, such as “coin-lock” – rather than relying on the users to go get something that they might not even be aware that they need.

      Don’t get me wrong, I love Blizzard’s games, and it’s not really their fault that people are getting hacked, but Blizzard is in a position where they can fix the problem quickly and easily.

    • Sup, bro.

    • “Blizzard has already done something similar to Trion’s coin lock system”
        :lol:   

      authenticator costs money
      coin lock free

      yes, I can see the similarity
      :roll:   

      “Trion’s coin lock was a system designed out of desperation to address a server vulnerability, something they were clearly responsible for.  Blizzard, on the other hand, can’t be held responsible for users who refuse to use an authenticator and can’t keep their PC free of malware.”
       
      big assumption you’re making there boy 
      How can you possibly be sure that EVERY single D3 user who got hacked had malware on their pc ?
       
      you must be a fanboy !
       
      I’m sure Rift fanboys were saying the same thing about the Rift players who got hacked, “It’s your own fault for having malware.”
      But they were wrong. It wasn’t the players’ fault. It was Trion’s. 
      And that could be same thing here.
      It could just as easily be a problem with Blizzard’s servers as it could be a problem with the users.
       
      and as for “Blizzard, on the other hand, can’t be held responsible …”
       
      why should they be held responsible ?
      when they can just SELL authenticators :roll:
       

      • “How can you possibly be sure that EVERY single D3 user who got hacked had malware on their pc ?”

        There are several attack vectors that don’t require a user’s PC be infected with anything. Social engineering and phishing attacks don’t require the PC be infected with anything. If the user has used the same user/pass combo anywhere else then that other location could have been breached.

      • +5
        Sevenfold

        “authenticator costs money
        coin lock free
        yes, I can see the similarity”
         
        Authenticators prevent unauthorized access to your account.  Coin lock prevents unauthorized access to your account but in a significantly less foolproof manner.  I said they were similar, not identical.  Do I need to provide you the definition of “similar” or can you Google it for yourself?
         
        “big assumption you’re making there boy 
        How can you possibly be sure that EVERY single D3 user who got hacked had malware on their pc ?
         
        you must be a fanboy !”
         
        I’m not a fanboy, I’m just a fan of people taking responsibility for their own actions and inaction. If you can’t secure your PC and choose not to use an authenticator then it seems fair for you to take responsibility for the consequences. Blizzard’s comments on the issue have repeatedly made it clear that the people being “hacked” are actually the victims of keyloggers or other forms of malware.
         
        “It could just as easily be a problem with Blizzard’s servers as it could be a problem with the users.”

        But there’s no evidence anywhere to indicate that’s the case.  It could also be aliens.  I mean, clearly it isn’t aliens because there’s no evidence that aliens exist or that they would care to attack Blizzard’s servers but apparently evidence isn’t something you value very highly.
         
        “why should they be held responsible ?
        when they can just SELL authenticators”

        Authenticators are available for free if you have a smartphone and sold at cost if you need to purchase the hardware version.  Yes, I can see the conspiracy here.  Oh, wait.

        • There’s no conspiracy no, but
          Authenticators are sold at cost. Sold, as in they cost us money.
          PC software authenticators are sold too, but at an even higher price than the real ones
          And not everybody has or even wants a smartphone
           

      • authenticator costs money
        coin lock free

        bad troll, using such obviously false info.