Battle.NET account + Blizzard Authenticator + today = fail

[Prepared]

There is one way around all of this. Create multiple battle.net accounts. I've confirmed the same authenticator attached to multiple battle.net accounts allows the same code to be used at the same time. So if you have 5 WoW accounts for example, instead of creating just one battle.net account and merging all of those to the one battle.net, create 5 battle.net accounts. Merge each WoW account to each battle.net account and the authenticator that was attached to each WoW account will automatically be attached to each battle.net account. When Keyclone, Octopus or whatever you use to start WoW up with, you enter the account name with the separate battle.net account logins. The issue of having the same authenticator code used at the same time goes away because you have separate battle.net accounts. I've confirmed this. However, Blizzard could possibly change this is in the future but for now it works by logging in at the same time without any issues.

[Dramoth]

had 2 guildies that use auth get "hacked" over the last 2 weeks... thought it was a fluke, but maybe the loggers/hackers have found a way to quick log into someones accts now and blizz stopped that from happening? just a guess

A friend of mine had his account seized by a hacker using an exploit.

They managed to get a keylogger onto his machine and got his username and password.

From there they made a b.net account and merged his wow account with it. They then proceeded to sell off all his good sellable items and because he was a miner was flying him all over the place grinding mining.

He called me on the day he lost access to his account and was asking me about it. He told me that he had received an email from Blizzard saying that they had merged his wow account with his b.net account and told him that the new login id was some email address from yahoo in Croatia.

Unfortunately for them, I was on the phone to my mate talking about his lost access to his account, when I logged my solo main into the game and while I was chatting to him I pulled up my friends list and there he was online...

I opened a ticket then and there to report it. Also talked to someone who knew a GM IRL (because I did a /y looking for a GM... got a couple of arseholes /w'ing me laughing about it).

His account got locked that night or the following day and he got an email from Blizzard about it all. They unlinked his account from the b.net account and reset his password.

He had all his gear they sold restored to him, minus gems and chants. He wasn't complaining about it all... he managed to come out of it with a profit... about 100 stacks of saronite and 30 stacks of titanium.

Straight after he told me about it, I did some checking and found a few people had been done over like that and decided then and there to create my own b.net account there and then and merged all my accounts with it. I also downloaded an authenticator for my iPhone and for a while, I was able to log in all of my accounts with the one code from the authenticator.

While it is inconvienant for me to enter 1 number per login, the security side of things is a lot better (apart from the fact that this gives the hackers 2 sequential authenticator numbers for removing the authenticator)

[Ualaa]

I'm going with 5 battle net accounts, one per wow account.
Each will use an email to log in, and will have the same password.

Essentially this is no change from my current set up, which is a username per account and a shared password.

I already have two authenticators, because I wanted an extra for when the battery in the first (linked to all 5) dies way down the road. In anticipation of Blizzard eventually changing it so an authenticator in only valid for one code, even if associated with different B.Net accounts, I've ordered three more authenticators. Basically PiP swap from one account to another and pressing a button once per account, but not having any delay (needing to wait for the next number) won't be too bad. I'll of course wait until the last day to merge the accounts, so one password (broadcast) along with one authenticator code (also broadcast) gets me into the game.

The extra authenticators are a gamble, but really 6 bucks per authenticator isn't all that much. If this is an intended change for security purposes, I'm betting its a bug in that you can still use one authenticator across multiple B.Net accounts, when you cannot use one authenticator across multiple accounts within one B.Net account. Worst case scenario, I'm wrong and am out 20 bucks plus shipping, but then have 5 authenticators and can give two away to real life friends who also play wow but don't have authenticators.

[Phanes]

I also bought 4 more authenticators with the same idea. One B.net account then just use pip. I will probably put them all on a keychain in a certain order or attach them to a peice of cardboard or something.

[Souca]

Simple post: I don't care. I pay to play, if I can't play without unreasonable actions, I stop playing. Will not be renewing canceled accounts for Halloween and likely Icecrown. The remaining account is going to get canceled as well.

Long post: They fucked up, plain and simple. Just like the AV "oops" the rushed a change in and either ignored the people that brought up the possible problem or never even considered it. Either way, I don't care. They make things a pain in my ass, I move my ass, I don't try and find a pillow and sit back down on the broken beer bottle.

To those of you who still enjoy the game, I truly am sorry they do this kind of stuff. It sucks to just want to play a game for enjoyment and have to jump through hoops because suddenly things change without notice or explanation.

The justification for forcing OTP instead of time window tokens is BS. If they can get the token on the first try they can already block your login and get into your account. The security that is being used is not safe against man in the middle attacks, and the changes they made do nothing to change that. A simpler and more effective solution would be to disallow the same token to be used from different IPs, but even that isn't perfect.

Yea, I'm bitching, I figure after all the money I've paid and all the BNet crap I've had to do with minimal benefit to me, I'm entitled.

- Souca -

[Klesh]

Simple post: I don't care. I pay to play, if I can't play without unreasonable actions, I stop playing. Will not be renewing canceled accounts for Halloween and likely Icecrown. The remaining account is going to get canceled as well.

Long post: They fucked up, plain and simple. Just like the AV "oops" the rushed a change in and either ignored the people that brought up the possible problem or never even considered it. Either way, I don't care. They make things a pain in my ass, I move my ass, I don't try and find a pillow and sit back down on the broken beer bottle.

To those of you who still enjoy the game, I truly am sorry they do this kind of stuff. It sucks to just want to play a game for enjoyment and have to jump through hoops because suddenly things change without notice or explanation.

The justification for forcing OTP instead of time window tokens is BS. If they can get the token on the first try they can already block your login and get into your account. The security that is being used is not safe against man in the middle attacks, and the changes they made do nothing to change that. A simpler and more effective solution would be to disallow the same token to be used from different IPs, but even that isn't perfect.

Yea, I'm bitching, I figure after all the money I've paid and all the BNet crap I've had to do with minimal benefit to me, I'm entitled.

- Souca -

Simple Post: Can I have your stuff?

Longer Post: Last time I checked, no one is forcing you to use an authenticator. If the additional account security isn't worth the trouble to you, remove the authenticator. But it looks like you are looking for a reason to quit, so well...

[Chumbucket]

I had a strange issue come up. I called Blizzard for a support issue and the guy asked for my authenticator serial number right after he asked my name and the answer to my secret question. I felt weird about it but gave it to him because he was a blizz employee. Does this mean he or someone he passes the info on to can hack the accounts?

[Schwarz]

As of last night I can still use my authenicator with all my accounts at the same time. I HAVE NOT CONVERTED MY ACCOUNTS TO BATTLENET. Reading this thread I am not going to transfer over until they fix this problem. I think it is a minor bug that they will eventually fix.

I really like using the authenticator. I don't know how many times I have accidently /said my password on slaves. I don't really care since having a password isn't any good without the authenticator.

[Korruptor]

On a different note, my iPhone got hosed when I tried to update to 3.12.

I had to recover with a full wipe

To my surprise, after reinstalling the Mobile Authenticator it automatically had my serial id for generating the correct access codes and I was able to log right in.

[kadaan]

Supposedly this was how it was supposed to have been working all along, and they FIXED what they considered a bug and not introduced one.

As Souca stated, this doesn't completely negate the possibility of a man-in-the-middle attack, but it reduces the window of opportunity from 30 seconds down to how ever long it takes for you to press enter after typing the last digit of the code. More security for 99% of authenticators vs 2 minutes of hassle for 5-boxers... it's not too hard to see why Blizzard made the choice they did in fixing the bug.