  1. #61
    Honorary Wanglad
    Join Date
    Feb 2006
    Posts
    638
    BG Level
    5
    FFXIV Character
    Kaist Vaughn
    FFXIV Server
    Cactuar

    Quote Originally Posted by Komm Suesser Tod View Post
    I made another account and bought an authenticator last night, but can somebody explain how they work? If it's a random string of numbers, couldn't someone just keep trying till they got one that worked?
    No, since the string of numbers that would work changes often, to the point where what you used to get 1 min ago (hopefully even less time than that) won't get you back into your account if you tried to log in with that same string of numbers later.

    Edit: Blizzard could also have it set up to where the generated password only works once as well to help increase security, but I'm not paying attention to the specifics really.

  2. #62
    blax n gunz
    Join Date
    May 2005
    Posts
    11,141
    BG Level
    9

    Quote Originally Posted by Komm Suesser Tod View Post
    I made another account and bought an authenticator last night, but can somebody explain how they work? If it's a random string of numbers, couldn't someone just keep trying till they got one that worked?
    The device has a serial number on it that you register with your actual Battle.net account (not the one you made temporarily to buy it), which keys Blizzard's ability to authenticate codes coming from it.

    For technical details the SO thread has a few useful links: http://stackoverflow.com/questions/5...-key-fobs-work

  3. #63
    Pandemonium
    Join Date
    Oct 2005
    Posts
    7,839
    BG Level
    8
    WoW Realm
    Cho'gall

    Quote Originally Posted by Komm Suesser Tod View Post
    I made another account and bought an authenticator last night, but can somebody explain how they work? If it's a random string of numbers, couldn't someone just keep trying till they got one that worked?
    It's randomly generated and expires every couple of minutes. Ever take statistics? Find out the number of permutations that are possible with a 6-digit number. There's no way you could go through that many possibilities in a couple minutes.

  4. #64
    Banned.

    Join Date
    Jul 2008
    Posts
    2,862
    BG Level
    7

    i believe the number is 43,046,721 possible permutations for an 8 digit code with 9 possibilities for each code, which is obviously impossible to randomly guess in a few minutes.

  5. #65
    Banned.

    Join Date
    Jul 2008
    Posts
    2,862
    BG Level
    7

    Quote Originally Posted by Ohaigaiz View Post
    i believe the number is 43,046,721 possible permutations for an 8 digit code with 9 possibilities for each code, which is obviously impossible to randomly guess in a few minutes.
    all of a sudden i'm having second thoughts about this statement. someone correct me because i'm probably wrong about the entire thing

  6. #66
    Banned.

    Join Date
    Jan 2009
    Posts
    3,872
    BG Level
    7
    FFXI Server
    Shiva
    WoW Realm
    Kil'jaeden

    Quote Originally Posted by Correction View Post
    God damn I keep reading this post and it cracks me the fuck up. Seldom does someone go this far out of their way to demonstrate a lack of even elementary knowledge of computer security, like knowing the difference between a keylogger and a man in the middle attack, and why the authenticator is not defeated by the first but is by the second.
    a man in the middle attack is just a specific name for a certain type of keylogger (in regards to WoW anyways, a lot more sophisticated but same concept), that's why you don't see a bunch of people bandwagoning and agreeing with you. elementary indeed

  7. #67
    blax n gunz
    Join Date
    May 2005
    Posts
    11,141
    BG Level
    9

    Quote Originally Posted by D44kpunk View Post
    a man in the middle attack is just a specific name for a certain type of keylogger (a lot more sophisticated), that's why you don't see a bunch of people bandwagoning and agreeing with you. elementary indeed
    Wrong.

    A car is not its engine. A man in the middle attack is not the keylogger used to capture keystrokes from the person sending the authentication code. A man in the middle attack also requires a proxy to exist between client and server to fake the communication going both ways. A proxy is not a keylogger.

    Derp.

  8. #68
    Banned.

    Join Date
    Jan 2009
    Posts
    3,872
    BG Level
    7
    FFXI Server
    Shiva
    WoW Realm
    Kil'jaeden

    Quote Originally Posted by Correction View Post
    Wrong.

    A car is not its engine. A man in the middle attack is not the keylogger used to capture keystrokes from the person sending the authentication code. A man in the middle attack also requires a proxy to exist between client and server to fake the communication going both ways. A proxy is not a keylogger.

    Derp.
    you're totally wrong about how you're suggesting that WoW accounts get hacked, i realize your wiki definition might lead you to believe that what you're saying is correct, but what you're listing is only viable on a wireless network with two people communicating wirelessly (on the same network) with someone for lack of a better word "listening in" and able to change your conversation.

    pretty sure the ones that people are getting hacked by are keyloggers just sending the encrypted login packets to the MITM's WoW client and sending you back a false positive.

  9. #69
    Sinner
    Join Date
    Dec 2006
    Posts
    2,240
    BG Level
    7

    Quote Originally Posted by Ohaigaiz View Post
    all of a sudden i'm having second thoughts about this statement. someone correct me because i'm probably wrong about the entire thing
    I'm not sure where you're getting the numbers from, it's 6 digits and 10 possibilities per digit, unless I'm missing something

  10. #70
    Banned.

    Join Date
    Jul 2008
    Posts
    2,862
    BG Level
    7

    Quote Originally Posted by Siniroth View Post
    I'm not sure where you're getting the numbers from, it's 6 digits and 10 possibilities per digit, unless I'm missing something
    my authenticator (phone) has 8 digits. as well, i went with 9 possibilities because i overlooked the 0. so it's actually 100 million possibilities for my phone

  11. #71
    Pandemonium
    Join Date
    Oct 2005
    Posts
    7,839
    BG Level
    8
    WoW Realm
    Cho'gall

    Quote Originally Posted by D44kpunk View Post
    pretty sure the ones that people are getting hacked by are keyloggers just sending the encrypted login packets to the MITM's WoW client and sending you back a false positive.
    As if we needed more, this is further proof you still have not read the articles describing the hack and generally still have no idea wtf you're talking about. Really, for how many more pages are you planning on embarrassing yourself?

  12. #72
    blax n gunz
    Join Date
    May 2005
    Posts
    11,141
    BG Level
    9

    Quote Originally Posted by D44kpunk View Post
    what you're listing is only viable on a wireless network with two people communicating wirelessly (on the same network) with someone for lack of a better word "listening in" and able to change your conversation.
    LOOOOOOOOOOOOOOOOOOOOOOOOOOOL

  13. #73
    Sinner
    Join Date
    Dec 2006
    Posts
    2,240
    BG Level
    7

    Oh man I missed that...

    Wut?

  14. #74
    Sleep Deprived Galka BLM
    Join Date
    Nov 2007
    Posts
    1,183
    BG Level
    6
    FFXI Server
    Odin

    Quote Originally Posted by Cephius View Post
    It's randomly generated and expires every couple of minutes. Ever take statistics? Find out the number of permutations that are possible with a 6-digit number. There's no way you could go through that many possibilities in a couple minutes.
    Ok, but if it's randomly generated, how does Blizzard know it's the right one? Do they have like a list for each serial number, or does it correspond to something else?

  15. #75
    YOU ARE SEARED
    Dungeon Master of the House of Weave

    Join Date
    May 2007
    Posts
    4,453
    BG Level
    7
    WoW Realm
    Kilrogg

    It's a key-pair algorithm that uses an internal clock as a seed value. I don't know for certain whether the algorithms are different or just the seed values, but in any case there are only two copies of any given result set, one inside your device, and one in Blizzard's database corresponding to your device's serial number.

  16. #76
    Pandemonium
    Join Date
    Oct 2005
    Posts
    7,839
    BG Level
    8
    WoW Realm
    Cho'gall

    Quote Originally Posted by Komm Suesser Tod View Post
    Ok, but if it's randomly generated, how does Blizzard know it's the right one? Do they have like a list for each serial number, or does it correspond to something else?
    Ok, it's not completely random. I think this answers your question:

    Every authenticator has a little built-in clock. This clock keeps track of the number of seconds since, for example, the WoW release date, Tigole's birthday or whenever. Each authenticator also has a unique key, which it uses to encrypt this number of seconds into what looks like a completely random number. There is no way, without knowing the encryption key, to guess what number is going to be displayed at any point in time. Even if the hacker has all the numbers you entered before, he can't extrapolate that into what number will be showing next.

    The hacker also can't hack into the device itself to find out its key, because it doesn't connect to the computer in any way. Even if the hacker were the mailman who delivered the authenticator to your house, he would have to open it up and extract the hardware that contained the key. These devices are generally tamper-resistant and will purge themselves when opened.
    Since Blizzard knows the encryption key, and your authenticator is identified by its serial number, the authentication servers will know what the number should be, but no one else will.
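
Added example, not part of the thread and not Blizzard's code: the clock-plus-secret-key scheme described in the posts above, sketched with the open TOTP standard (RFC 6238, HMAC-SHA1), including the one-time-use and guess-limiting checks raised earlier in the thread. The `Verifier` class, the serial `SN-0001` and the use of the RFC test key are assumptions for illustration.

```python
import hashlib
import hmac
import struct

def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code: HMAC-SHA1 over the count of `step`-second intervals."""
    counter = unix_time // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Verifier:
    """Hypothetical server side: one secret per registered serial number."""

    def __init__(self, secrets_by_serial, step=30, digits=6, drift=1, max_failures=5):
        self.secrets = dict(secrets_by_serial)
        self.step, self.digits, self.drift = step, digits, drift
        self.max_failures = max_failures
        self.last_used = {}   # serial -> highest interval already accepted
        self.failures = {}    # serial -> consecutive wrong guesses

    def check(self, serial: str, code: str, unix_time: int) -> bool:
        key = self.secrets.get(serial)
        if key is None or self.failures.get(serial, 0) >= self.max_failures:
            return False                         # unknown device or locked out
        now = unix_time // self.step
        for counter in range(max(0, now - self.drift), now + self.drift + 1):
            if counter <= self.last_used.get(serial, -1):
                continue                         # each code works only once
            expected = totp(key, counter * self.step, self.step, self.digits)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_used[serial] = counter
                self.failures[serial] = 0
                return True
        self.failures[serial] = self.failures.get(serial, 0) + 1
        return False

# Constructed sample data: the RFC 6238 test key and a made-up serial number.
DEMO_KEY = b"12345678901234567890"
DEMO_SERIAL = "SN-0001"

if __name__ == "__main__":
    server = Verifier({DEMO_SERIAL: DEMO_KEY})
    code = totp(DEMO_KEY, 59)                    # what the device would display
    print(code, server.check(DEMO_SERIAL, code, 59))   # accepted
    print(server.check(DEMO_SERIAL, code, 59))         # replay rejected
    print(server.check(DEMO_SERIAL, code, 59 + 120))   # expired
```

The server never stores a list of future codes; it recomputes the expected value from the shared key and its own clock, tolerating one interval of drift either way.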

  17. #77
    Tamale Baby
    Groundskeeper of the House of Weave

    Join Date
    Mar 2009
    Posts
    698
    BG Level
    5
    FFXI Server
    Bahamut

    wow really this guy?

  18. #78
    Tonko
    Guest

    Yeah... this has gone on long enough. Buy an Authenticator. End of story.
