Elitist Jerks
Old 07/02/08, 11:45 PM   #126
PSGarak
Bald Bull
 
 
Undead Warlock
 
Hyjal
Am I safe in making the following few technical assumptions about the security?
1) The internal seed is assigned to the external serial number, but the two actually have different values, and the only table of correlations is inside blizzard (or vasco)'s server.
2) Even if the encryption algorithm were to be reverse-engineered, it would be cryptographically strong enough that it would be impossible (mathematically or practically) to either spoof the number or recover the seed on any device other than the one that had been physically compromised.
3) The button doesn't cycle the numbers, but rather only activates the display temporarily, and is otherwise identical in function to one whose display is always on and changes periodically (the RSA ones you mentioned).

 
Old 07/03/08, 1:32 AM   #127
Knaughy
Glass Joe
 
Blood Elf Paladin
 
Aman'Thul
Originally Posted by PSGarak View Post
Am I safe in making the following few technical assumptions about the security?
1) The internal seed is assigned to the external serial number, but the two actually have different values, and the only table of correlations is inside blizzard (or vasco)'s server.
2) Even if the encryption algorithm were to be reverse-engineered, it would be cryptographically strong enough that it would be impossible (mathematically or practically) to either spoof the number or recover the seed on any device other than the one that had been physically compromised.
3) The button doesn't cycle the numbers, but rather only activates the display temporarily, and is otherwise identical in function to one whose display is always on and changes periodically (the RSA ones you mentioned).

(1) The Serial number is just a label. The cryptographic secret key is either a 3DES (112-bit effective) or AES (128-bit) key, customer gets to pick which algorithm they prefer. There is no algorithm to convert the serial number to the crypto key, keys are assigned randomly. No one but Blizzard and Vasco have the mapping. For some banking customers, even Vasco doesn't have the mapping, via rather complex methods to do with tamper-proof computers.

(2) The crypto algorithms are public: AES and 3DES. They cannot be brute forced. The exact method used to use AES and 3DES to generate the OTP itself is "semi-public" - Vasco's customers are informed, so they can vet it. Physical compromise of a token to discover its secret key is the sort of thing an MIT post-grad with an atomic-force microscope, some patience, and a desire for a very weird PhD topic might be able to manage. IE: Not technically impossible, but there's no "diagnostic" mode that can spit it out. You have to read CPU registers out of a running micro-controller that's embedded in a block of epoxy. Good Luck...

(3) Close enough. There's no "counter" that would be incremented by the button. But the token doesn't bother calculating values that aren't going to be displayed. Until the button is pushed, the only thing that's running is the clock. Press button: token fetches clock value, calculates OTP, turns on display, shows OTP. Takes maybe half a second? Doing it this way saves a ton of power compared to XYZ brand tokens that display the current OTP 24 x 7 x 365 1/4. I mean... do you really need OTPs being displayed while the token is sitting in a pocket at 3 AM? Always struck me as stupid... Admittedly, you have to work a bit harder to water-proof the token, but still! (Yes, the Go-6 is waterproof).
 
Old 07/03/08, 11:03 AM   #128
splidge
Glass Joe
 
Human Paladin
 
Draenor (EU)
Originally Posted by Knaughy View Post
(3) Close enough. There's no "counter" that would be incremented by the button. But the token doesn't bother calculating values that aren't going to be displayed. Until the button is pushed, the only thing that's running is the clock.
I guess this explains why they can be made multi-account so easily, you don't need to worry about the "number of button presses" being synced across accounts (and indeed there is no need for ANY read/write state at the remote end at all, unless you need to store persistent clock-drift information?).

Presumably there is something at Blizzard's end that remembers the last code you used and doesn't allow it again even if correct, to avoid hackers having a 36-second window to get in?
 
Old 07/03/08, 11:41 AM   #129
kargathia
Von Kaiser
 
 
Night Elf Rogue
 
Mazrigos (EU)
Will multiple identicators be allowed for a single account? I can very much imagine that this won't be the case, since it enables account sharing, but I just so happen to lose a lot of things, so having a backup would be useful.
 
Old 07/03/08, 11:50 AM   #130
Wodahs
Don Flamenco
 
Human Rogue
 
Lightbringer
Originally Posted by kargathia View Post
Will multiple identicators be allowed for a single account? I can very much imagine that this won't be the case, since it enables account sharing, but I just so happen to lose a lot of things, so having a backup would be useful.
No, but you can buy a backup, and if you lose the assigned one, switch to the backup one with a phone call to blizzard. Not painless, but the best you can do.
 
Old 07/03/08, 2:08 PM   #131
 Theras
Future Tauren
 
 
Blood Elf Paladin
 
Mal'Ganis
I know if I worked at Blizzard customer support I'd be worried for my job right about now.
 
Old 07/03/08, 2:15 PM   #132
Putts
Piston Honda
 
 
Blood Elf Mage
 
Shadowmoon
Originally Posted by Theras View Post
I know if I worked at Blizzard customer support I'd be worried for my job right about now.
Spending about 5 seconds on the official WoW forums would suggest otherwise. Even with the authenticators, there are enough idiots that play the game to keep CS occupied for a long time. The only thing that this might change is shorter turnaround times on tickets, which is good news for us all. It would be foolish for Blizzard to start laying off employees when so many account-related tickets are taking upwards of a week to resolve.
 
Old 07/03/08, 3:06 PM   #133
 Theras
Future Tauren
 
 
Blood Elf Paladin
 
Mal'Ganis
Of course it would be foolish. That doesn't mean it's not going to happen. And if I know anything about the service industry - and I do - a large decrease in workload almost inevitably results in layoffs. Probably not now, but if these key fobs became mandatory and bundled with the next expansion it seems to me that a majority of CS-related issues would vanish overnight.
 
Old 07/03/08, 3:15 PM   #134
Denogran
Don Flamenco
 
 
Dwarf Paladin
 
Gilneas
Originally Posted by Theras View Post
Of course it would be foolish. That doesn't mean it's not going to happen. And if I know anything about the service industry - and I do - a large decrease in workload almost inevitably results in layoffs. Probably not now, but if these key fobs became mandatory and bundled with the next expansion it seems to me that a majority of CS-related issues would vanish overnight.
To be immediately replaced with "I lost my keyfob, I can't log on!!!!!111!!!" problems.

I really don't get why you think this is going to be a panacea that solves all of Blizzard's customer support issues? If anything, I'd guess that the majority of people getting this are those that have extremely low risk of getting hacked in the first place.

And even if they become mandatory (god forbid), there'll still be plenty of account-related issues for customer service to deal with.
 
Old 07/03/08, 3:56 PM   #135
 Adoriele
Ninja baby!
 
 
Night Elf Druid
 
Dragonblight
Originally Posted by Denogran View Post
To be immediately replaced with "I lost my keyfob, I can't log on!!!!!111!!!" problems.

I really don't get why you think this is going to be a panacea that solves all of Blizzard's customer support issues? If anything, I'd guess that the majority of people getting this are those that have extremely low risk of getting hacked in the first place.

And even if they become mandatory (god forbid), there'll still be plenty of account-related issues for customer service to deal with.
Time necessary to deal with an account being hacked: 1 week, perhaps longer.
Time necessary to deal with a fob being lost: 5 minutes to deactivate the service temporarily, and another five minutes to reactivate it once the idiot gets his new one.

Even assuming the same percentage of people get hacked as will be stupid enough to lose their fobs (a lot fewer will lose their fobs), it makes much less time to deal with.
 
Old 07/03/08, 4:23 PM   #136
Denogran
Don Flamenco
 
 
Dwarf Paladin
 
Gilneas
Originally Posted by Adoriele View Post
a lot fewer will lose their fobs
Why do you believe this statement to be true? (Or perhaps the more correct statement would be "stupid enough to lose/break their fobs").

Personally, I've lost about 4 Thumb Drives in the past 3 years and I've gotten hacked a whopping total of 0 times. The people I know personally that have gotten attacked have never been without suspicion (curious timing on their "hacks" - Gets you out of farming Vashj for several weeks what?, or highly suspicious of botting/powerleveling/account buying/etc).

While I think the fob is a great idea if you play in public places, on computers you don't have full control over, I don't think it's the magic cure-all to account hacking like a lot of people seem to be proclaiming. Personally, I know that my frustration would almost certainly increase if I had to use one of them, and would far rather just try to keep my computer safe by practicing safe surf habits - something I do already to secure the rest of my machine.
 
Old 07/03/08, 5:07 PM   #137
Blacksen
Banned
 
Human Warlock
 
Onyxia
I don't get why Blizzard doesn't use something like Bank of America's online banking. With that, you have a "picture" that is linked to your account. Each time you log-in, you click on your picture in order to proceed. The picture changes its location among the 15 others each time, and the 16 pictures are always the same. You only get 2 shots before they prompt you for an answer to one of your secret questions.

Wouldn't cost anything for us, and should seriously cut down on simple key-logging since keystrokes would always be different (picture is moving). Would force people to genuinely "hack" your account rather than just steal your password.

Another question I have is just about hacking in general. How does a keylogger get your account name if you always have it remember it?
 
Old 07/03/08, 5:14 PM   #138
 Turik
Sartharion - Now in 3D!
 
 
Human Paladin
 
Ner'zhul
Originally Posted by Theras View Post
I know if I worked at Blizzard customer support I'd be worried for my job right about now.
Investigations fall under Specialist's purview - who have many more tasks. Not to mention that everyone would actually have to have these. Remember the people who get Keylogged are very likely to not know about these, or be interested in such safety preventions.

Originally Posted by Blacksen View Post
Another question I have is just about hacking in general. How does a keylogger get your account name if you always have it remember it?
A common misconception is that keyloggers are so simple as to log your keystrokes. Most will simply capture the account name and password strings that are sent when you hit login. This thwarts cut and pasters who think they are safe, as well as if you already have your account saved.

turik(at)elitistjerks.com
 
Old 07/03/08, 5:19 PM   #139
Blacksen
Banned
 
Human Warlock
 
Onyxia
Originally Posted by Turik View Post
A common misconception is that keyloggers are so simple as to log your keystrokes. Most will simply capture the account name and password strings that are sent when you hit login. This thwarts cut and pasters who think they are safe, as well as if you already have your account saved.
So then they literally are implementing a WoW hack to get that data?

Sigh, and I'm a copy/paster :-\ Hope my authenticator gets here soon.
 
Old 07/03/08, 5:25 PM   #140
Fendryl
Piston Honda
 
 
Orc Hunter
 
Malfurion
Originally Posted by Blacksen View Post
I don't get why Blizzard doesn't use something like Bank of America's online banking. With that, you have a "picture" that is linked to your account. Each time you log-in, you click on your picture in order to proceed. The picture changes its location among the 15 others each time, and the 16 pictures are always the same. You only get 2 shots before they prompt you for an answer to one of your secret questions.

Wouldn't cost anything for us, and should seriously cut down on simple key-logging since keystrokes would always be different (picture is moving). Would force people to genuinely "hack" your account rather than just steal your password.

Another question I have is just about hacking in general. How does a keylogger get your account name if you always have it remember it?
Keyloggers are much more advanced than just logging keys. Recording screenshots, mouse actions, etc are all quite possible as well, this is why having an external security means is very desirable.
 
Old 07/03/08, 5:34 PM   #141
 Chicken
Co-starring: The Egg
 
 
Blood Elf Paladin
 
Azjol-Nerub (EU)
Theoretically any type of security which doesn't rely on a separate piece of hardware can be breached through a keylogger. It all depends on the complexity of the keylogger. It's definitely possible to make one that sends screen captures upon certain types of events happening. It's also pretty rare that a keylogger would do so, typically they limit themselves to text data (So they're smaller and thus easier to spread).

I'd guess the World of Warcraft hacked account market is large enough that any kind of security that wouldn't be based on a separate piece of hardware (Like Blizzard is doing now) would be cracked one way or another. Surprisingly despite what people think I'd wager that keylogging World of Warcraft accounts is actually more attractive as it's much less risky than doing the same with an online banking service.

buff /bʌf/ Pronunciation[buhf]
–verb (used with object)
- to reduce or deaden the force of
 
Old 07/03/08, 7:45 PM   #142
Knaughy
Glass Joe
 
Blood Elf Paladin
 
Aman'Thul
Originally Posted by splidge View Post
I guess this explains why they can be made multi-account so easily, you don't need to worry about the "number of button presses" being synced across accounts (and indeed there is no need for ANY read/write state at the remote end at all, unless you need to store persistent clock-drift information?).
Vasco do store persistent clock-drift information for every token.

Originally Posted by splidge View Post
Presumably there is something at Blizzard's end that remembers the last code you used and doesn't allow it again even if correct, to avoid hackers having a 36-second window to get in?
The Vasco back-end does this as well.

Originally Posted by Denogran View Post
Why do you believe this statement* to be true?
*Statement was "not many people will lose their fobs"

Vasco have data from several large (million user) token deployments for major international banks regarding loss, destruction and failure rates. I imagine this data was provided to Blizzard. Blizzard know how much time/effort is spent on password resets and account restorations. Given Blizzard have all the data, and went with the idea, I'm guessing it must have made sense.

Originally Posted by Denogran View Post
While I think the fob is a great idea if you play in public places, on computers you don't have full control over, I don't think it's the magic cure-all to account hacking like a lot of people seem to be proclaiming. Personally, I know that my frustration would almost certainly increase if I had to use one of them, and would far rather just try to keep my computer safe by practicing safe surf habits - something I do already to secure the rest of my machine.
To use a recent example:

(1) Do you surf the web?
(2) Are you running Windows?
(3) Do you have Flash turned on?

If you answer "yes" to all three, you are not "Keeping your computer safe" and there was a (brief) period earlier this year where there was a zero-day exploit out that even with perfect user-end security, you were vulnerable to keyloggers stealing your account data. Last time I checked, WoW accounts are worth more on the black market than stolen credit card numbers, there are professional full-time hacking groups targeting you. Zero-day exploits are relatively common, and WoW is big enough, and valuable enough, that it is a high profile target for the hacking groups.

Again - the only people with all the data are Blizzard, and they decided it was worthwhile. We're not in a position to gainsay them.

Blizzard think it is a worthwhile step, so do over 1,000 banks (most of whom actually give the token away for free). They have data, you don't. I believe the banks / Blizzard. But to provide a small data point of my own: No Vasco customer has been successfully Phished after implementing two-factor authentication using Digipass tokens. There have been several attempts, all have failed.

Last point: They're not compulsory! If you don't want one, you don't have to get one.
 
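The scheme described in posts #127, #128 and #142 (a clock-driven code, per-token clock drift stored server-side, a used code refused a second time), as an added example that is not from the thread or from Vasco. HMAC-SHA1 truncation stands in for the vendor's AES/3DES construction, which the thread does not disclose; the 36-second step comes from #128, and the six digits, the one-step tolerance, the serial and the key are assumptions.

```python
import hashlib
import hmac
import struct

STEP = 36    # seconds per code (the "36-second window" mentioned in #128)
DIGITS = 6   # assumption: six-digit display
WINDOW = 1   # assumption: steps of clock error tolerated either side


def otp(key: bytes, step_index: int) -> str:
    """Code for one time step (HMAC-SHA1 stand-in, RFC 4226-style truncation)."""
    mac = hmac.new(key, struct.pack(">Q", step_index), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class Token:
    """Button press: read the clock, compute, display. No counter, no stored state."""

    def __init__(self, key: bytes, clock_error: int = 0):
        self.key = key
        self.clock_error = clock_error  # seconds the token clock runs ahead of true time

    def press_button(self, true_time: int) -> str:
        return otp(self.key, (true_time + self.clock_error) // STEP)


class Server:
    """Back end: serial -> random key lookup, stored drift, last accepted step."""

    def __init__(self):
        self.records = {}

    def enroll(self, serial: str, key: bytes) -> None:
        # The serial is only a label; the key is looked up, never derived from it.
        self.records[serial] = {"key": key, "drift": 0, "last_step": -1}

    def verify(self, serial: str, code: str, now: int) -> bool:
        rec = self.records.get(serial)
        if rec is None:
            return False
        centre = now // STEP + rec["drift"]  # expected step, corrected by stored drift
        for delta in range(-WINDOW, WINDOW + 1):
            step = centre + delta
            if step <= rec["last_step"]:
                continue  # this step (or an older one) was already used: replay
            expected = otp(rec["key"], step)
            if hmac.compare_digest(expected.encode(), code.encode()):
                rec["last_step"] = step   # burn the code
                rec["drift"] += delta     # remember how far this token's clock has wandered
                return True
        return False


def demo():
    key = bytes(range(16))            # constructed sample key
    serial = "SN-CONSTRUCTED-0001"    # constructed serial, unrelated to the key
    server = Server()
    server.enroll(serial, key)
    token = Token(key, clock_error=40)   # token clock 40 s fast
    t = STEP * 33_752_777 + 10           # constructed timestamp, 10 s into a step

    code = token.press_button(t)
    first = server.verify(serial, code, t)       # accepted one step ahead of the server clock
    replay = server.verify(serial, code, t + 5)  # same code captured and reused: refused
    later = server.verify(serial, token.press_button(t + STEP), t + STEP)
    return first, replay, later, server.records[serial]["drift"]


if __name__ == "__main__":
    print(demo())
```
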
Old 07/03/08, 8:01 PM   #143
Knaughy
Glass Joe
 
Blood Elf Paladin
 
Aman'Thul
Originally Posted by Chicken View Post
Theoretically any type of security which doesn't rely on a separate piece of hardware can be breached through a keylogger. It all depends on the complexity of the keylogger. It's definitely possible to make one that sends screen captures upon certain types of events happening.
It isn't theory - trojans that do this exist, are in use, and have worked. They require tuning for the target, which is why smaller banks can get away with "floating keyboard" type solutions sometimes. WoW is too big and juicy a target.

Originally Posted by Chicken View Post
I'd guess the World of Warcraft hacked account market is large enough that any kind of security that wouldn't be based on a separate piece of hardware (Like Blizzard is doing now) would be cracked one way or another. Surprisingly despite what people think I'd wager that keylogging World of Warcraft accounts is actually more attractive as it's much less risky than doing the same with an online banking service.
There's no risk involved in either option. The organised criminal gangs that are doing this simply don't get caught.

Blizzard are targeted because of their size and scope. 11 million active subscribers is more than the vast majority of banks have in their e-banking sites, and the activity levels on those accounts are far too high to use fraud detection software. An account compromise is worth about $10 to the hacker.

You've got maybe $100 million of virtual goods, just sitting there, waiting to be stolen, protected by a password, with many of those passwords controlled by children.....
 
Old 07/03/08, 8:33 PM   #144
Denogran
Don Flamenco
 
 
Dwarf Paladin
 
Gilneas
Originally Posted by Knaughy View Post
If you answer "yes" to all three, you are not "Keeping your computer safe" ...
Last point: They're not compulsory! If you don't want one, you don't have to get one.
They're not compulsory yet.

And I'll amend my "keeping my computer" safe comment. There's clearly no way to make your computer completely safe, aside from taking it off the network and never, ever installing any program. Given that I'm violating both of those solely by playing WoW, I'm not keeping my computer safe. There's no real way around that.

Given that, you start playing the game of likelihoods, risks, and rewards, until you reach a point you're comfortable with. For me, the risk (hacked account) is low enough where the rewards of a keyfob don't outweigh the hassles. In fact, I think it would be far more likely to break/lose a keyfob than for me to get hacked (this is where the god of irony strikes of course, as I continue to desperately knock on wood).

I'm not saying it's a useless item. If your risks of getting hacked are far higher than mine, then it's clearly worth the hassle. If you're dealing with hundreds of thousands of dollars, then the risk becomes far greater and it's worth the hassle. Market value on my account is worth a couple of thousand at best - and, much like the money in my bank, is recoverable. Even if it just makes you sleep better at night because of the additional level of security, then it's worth the hassle. But it's not a panacea, it won't remove the need for Blizzard customer service, and it's not for everyone.
 
Old 07/03/08, 8:33 PM   #145
Lazare
Piston Honda
 
Human Priest
 
Lightbringer
Originally Posted by Blacksen View Post
I don't get why Blizzard doesn't use something like Bank of America's online banking. With that, you have a "picture" that is linked to your account. Each time you log-in, you click on your picture in order to proceed. The picture changes its location among the 15 others each time, and the 16 pictures are always the same. You only get 2 shots before they prompt you for an answer to one of your secret questions.

Wouldn't cost anything for us, and should seriously cut down on simple key-logging since keystrokes would always be different (picture is moving). Would force people to genuinely "hack" your account rather than just steal your password.

Another question I have is just about hacking in general. How does a keylogger get your account name if you always have it remember it?
General security principle is that two-factor security (something you know AND something you have) is always preferable to one-factor security (just something you know). Something that really bugs me is when someone (usually a bank, for some reason) tries to increase security by using the same factor multiple times. Making people enter a password AND answer a question (for example) is a very limited security increase because it's all still vulnerable to the same factors: keyloggers, people looking over your shoulder, telling someone while drunk, having someone perform a TEMPEST attack on you, sharing the info with a now-ex girlfriend, etc. If they can find out your password, they can probably find out the right picture to click fairly easily.

By contrast, a cryptographic key fob is a second factor; unless you do something very retarded indeed (like point a webcam at it or something), it simply isn't vulnerable to any of the same attacks that would compromise a password/secret question/magic picture/etc.
 
Old 07/03/08, 8:37 PM   #146
 giansm
Let's Paint, Exercise, and Lifebloom
 
 
Night Elf Druid
 
Proudmoore
Originally Posted by Blacksen View Post
Another question I have is just about hacking in general. How does a keylogger get your account name if you always have it remember it?
Despite the term "keylogger" being used to describe them, these sorts of things are not always just pure keyloggers, they can "look at" the screen as well.
 
Old 07/03/08, 9:31 PM   #147
Knaughy
Glass Joe
 
Blood Elf Paladin
 
Aman'Thul
Originally Posted by Denogran View Post
And I'll amend my "keeping my computer" safe comment. There's clearly no way to make your computer completely safe, aside from taking it off the network and never, ever installing any program. Given that I'm violating both of those solely by playing WoW, I'm not keeping my computer safe. There's no real way around that.
Most of the time you can do a very good job via standard techniques: Get AV software, use Firefox instead of IE, don't run random crap off the Internet, etc, etc.

Sometimes, even that isn't enough - I used the recent Flash vulnerability as an example.

Higher levels of practical, real-world security was a very small part of the reason I switched to Macs. Most of the benefit is due to being a low profile target. Note that the main reason to switch was so I didn't have to use Windows anymore, the security benefit was just a bonus.

Originally Posted by Denogran View Post
Given that, you start playing the game of likelihoods, risks, and rewards, until you reach a point you're comfortable with. For me, the risk (hacked account) is low enough where the rewards of a keyfob don't outweigh the hassles. In fact, I think it would be far more likely to break/lose a keyfob than for me to get hacked (this is where the god of irony strikes of course, as I continue to desperately knock on wood).
Possibly true. The issue is that the banks (and Blizzard) can't tell who's a tech guru and who isn't. Many banks start with small-scale rollouts to test the technology, and eventually migrate to full deployments. I have no information at all about whether Blizzard are planning to ever require them for all customers.

Originally Posted by Denogran View Post
I'm not saying it's a useless item. If your risks of getting hacked are far higher than mine, then it's clearly worth the hassle. If you're dealing with hundreds of thousands of dollars, then the risk becomes far greater and it's worth the hassle. Market value on my account is worth a couple of thousand at best - and, much like the money in my bank, is recoverable. Even if it just makes you sleep better at night because of the additional level of security, then it's worth the hassle. But it's not a panacea, it won't remove the need for Blizzard customer service, and it's not for everyone.
My personal risk of getting hacked is substantially lower than yours, simply because I'm running OS X and you're running Windows. But I'm still looking forward to being able to order a token once they'll ship overseas. Mostly because I think the same username/password for both the forum and the game is.... suboptimal. The WoW client is fairly trustworthy, web-sites aren't, especially given the exact HTTP/HTTPS mix Blizzard use, combined with the "semi-transparent" web-cache my soon-to-be-ex-ISP insists on using.

But this also demonstrates where the security aspects of an on-line service are largely outside your control. I was unhappy with "one password for both game and forum", but I can't do anything about it. I wanted more security, and couldn't have it. I still can't order a token, as I don't live in the states. IF!! Blizzard ever make them mandatory (in the Wrath box?) you don't get what you want - which is password auth.

Lots of security aspects are outside Blizzard's control as well: I'm sure they see a big spike of CS requests when a major UI or mod site gets compromised or loads bad ads. Heh, or zero-day flash exploits....

Every guild I've been in has had someone hacked each year - maybe the hack rate is 1% per annum? That's still 100k compromised accounts each year, and a ton of staff time doing restores. It doesn't take much for it to make sense for Blizzard to do this.

PS: On the Mac vs Windows thing... this is a WoW board, can we pretend we already had the big FAN BOI argument / flame-fest and decided to hate each other, then eventually got over it? Would save time. Short version is that all commercially available crimeware, trojans and botnets are written for Windows, who cares why.
 
Old 07/03/08, 9:49 PM   #148
PSGarak
Bald Bull
 
 
Undead Warlock
 
Hyjal
Whether it's a worthwhile investment, given "good" security, depends on whether you consider expectation value of hassle or the minimax principle as your objective function. The expectation value looks at your likelihood to get hacked, your likelihood to lose the fob, and six dollars, and comes out as a small net loss. The minimax principle looks at the hassle of losing your account against the hassle of losing your fob and decides the worst-case scenario of having the fob is worse than without it. Personally I think the minimax principle is a more realistic measurement to use because a 1% chance of a $1000 loss is not a $10 loss, it's 99 nothings and one $1000 loss. The expectation value really starts to lose meaning with small-odds large-risk probabilities like that.

If you're looking at other security holes like ex-girl(/boy)friends or internet gaming cafes, the expectation value starts to become more meaningful.

 
Old 07/03/08, 10:12 PM   #149
Denogran
Don Flamenco
 
 
Dwarf Paladin
 
Gilneas
Originally Posted by PSGarak View Post
Whether it's a worthwhile investment, given "good" security, depends on whether you consider expectation value of hassle or the minimax principle as your objective function. The expectation value looks at your likelihood to get hacked, your likelihood to lose the fob, and six dollars, and comes out as a small net loss. The minimax principle looks at the hassle of losing your account against the hassle of losing your fob and decides the worst-case scenario of having the fob is worse than without it. Personally I think the minimax principle is a more realistic measurement to use because a 1% chance of a $1000 loss is not a $10 loss, it's 99 nothings and one $1000 loss. The expectation value really starts to lose meaning with small-odds large-risk probabilities like that.

If you're looking at other security holes like ex-girl(/boy)friends or internet gaming cafes, the expectation value starts to become more meaningful.
The risk involved in using a fob isn't only the very minimal $6 cost. It's also the time lost if one were to break/lose it - especially if they made it required for use and not optional as it is now. And it's also the annoyance factor of having to input yet another code every time you start up. If it weren't to keep my roommates/visitors off my WoW account when they casually use my computer, I would have hacked in the password to be saved already.

Figure that I log into my WoW account an average of 3 times a day (yay weekends!), and each log-in adds an average 15 seconds to my log-in (find keyfob, click button, enter code), then you're looking at 45 seconds a day spent doing something I don't consider necessary in the first place. Over 3 years, that's almost 14 hours of my life spent on something I don't really want - at which point we're looking at a cost in the $500+ range.

Again, I'm not saying this device is without merit - it's clearly a great device for some people, many of whom have voiced their joy in this thread. But I, for one, would not like to see these devices become mandatory in the future, as having one would be nothing but a nuisance to me.
 
Old 07/03/08, 11:12 PM   #150
Oscarvil
Don Flamenco
 
 
Gnome Rogue
 
Proudmoore
Figure that I log into my WoW account an average of 3 times a day (yay weekends!), and each log-in adds an average 15 seconds to my log-in (find keyfob, click button, enter code), then you're looking at 45 seconds a day spent doing something I don't consider necessary in the first place. Over 3 years, that's almost 14 hours of my life spent on something I don't really want - at which point we're looking at a cost in the $500+ range.
We understand you don't like the idea of it but this is ridiculous. There's no way you can justify 45 seconds per day of WoW time adding up to any kind of monetary value.

Sorry I was incorrect. You're spending 14 hours of your subscription time over 3 years. So at ~30 hours a week that works out at $1.75 WASTED on subscription fees just by entering your keyfob code.

Last edited by Oscarvil : 07/03/08 at 11:20 PM.
 