Last week, on May 21st, Blizzard Entertainment was hacked. Diablo 3, their new MMORPG released last week, was the target of user accounts being hacked. Diablo 3 had a rough launch with multiple launch errors, server downtime, and now some customers have said that their accounts were hacked. Customers are saying that their accounts were breached, and hackers got away with in game gold and their hard earned gear. This may not sound like a valuable commodity since it’s a game, but in a game where gold and gear can only be earned in online play, players are at a loss because they must invest their time to get this gold and gear. Hackers often steal online currency and items like this because they can transfer them to other servers, characters, and even sell them the black market or even online where users will pay a premium for these items. Users have access to an optional Blizzard Authenticator, but it is flawed.
Blizzard offers an authenticator for their users, the Battlet.net Authenticator or Battle.net Mobile Authenticator app, but not all users opt to use it. Blizzard has stated, “in all of the individual Diablo III related compromise cases we’ve investigated, none have occurred after a physical battle.net authenticator or battle.net mobile authenticator app was attached to the player’s account, and we have yet to find any situation where a Diablo III player’s account.” Some gamers have claimed that their account got hacked even when they used Blizzard’s authenticator, but Blizzard stated that this is not the case. Blizzard’s authenticator is considered a form of two factor authentication, but it isn’t the strongest type of two factor authentication available to users.
Blizzard’s two factor authentication works by using a user’s login credentials and an authenticator to verify their identity. One factor of the authentication is a user’s login credentials and the second factor would be the password on the physical battle.net authenticator or mobile authenticator app which verifies the user and authorizes them to access their online account. The authenticator verifies users by asking the users to provide a unique code once a week.
With already 10 million copies of Diablo III sold since its launch, it is the most successful PC game launch ever. Diablo III has generated revenues of over $500 million in revenue for Blizzard just in its first month of being launched, but some users are weary or purchasing the game after the recent attack. Blizzard has a system of restoring accounts and helping users who were hacked by restoring a character to an earlier point in time so users can get items and gold back, but this hasn’t happened for all users requesting it yet. Many users didn’t hear about the authenticator service until the hacking happened.
Although Blizzard claims that users who used the Authenticator weren’t hacked, many users on online forums are stating that they were still hacked even though they used the authenticator. Blizzard’s authenticator is flawed in a couple of ways. The Authenticator generates a password every 30 seconds, but there is a window where you can enter in old passwords anywhere from 2-5 minutes and they will still work. This is a problem because “man in the middle” attacks can easily steal a user’s login and also the unique password to steal a user’s data, gear and gold. The second flaw is that the passwords aren’t true one time passwords. The passwords generated by the Blizzard authenticator are time based meaning they follow an algorithm that creates a password at intervals rather than issuing a unique password when requested. This is a flaw because if hackers were to figure out the algorithm, they would be able to figure out every single one of the passwords generated by the authenticator. The third, and the biggest flaw, is that the passwords aren’t being sent from an out of band authentication network. This means that a separate network isn’t being used to send out the mobile password which reduces the chance of the password being compromised. This is important to have because if a hacker were able to gain access to the app on the phone, install malware on the phone, or gain access the algorithm on the authenticator they would be able to compromise the password. With an out of band authentication network such as a cell phone network, a true one time password can be generated and sent to a user’s cell phone using the cellular network (separate network) on command which is a safer way to receive the password and authenticate a user.
Blizzard is a company with many users and they need to re-evaluate their security measures to keep their users safe from fraud and hackers. Blizzard’s expected revenue for 2012 is $4.5 billion and with that much revenue coming in, they need to allocate some of it to a preventive security to protect its users and also the company from future hacking attacks. Blizzard also needs to use their funds to incorporate a more effective two factor authentication solution using an out of band authentication channel to effectively verify their users.