Authenticator Will be Mandatory for Taking Diablo III RMAH Payments Through Battle.net Balance

[News Portal]

"Starting today, in order to add to your Battle.net Balance, players will be required to have a Battle.net Authenticator or Battle.net Mobile Authenticator attached to their Battle.net account,” comes the word from Blizzard. As they gear up to the launch of the RMAH, they're locking down their system to make it as watertight and safe as possible, and one of the changes includes mandatory authenticators if you're intending to take payments as Battle.net balance - or if you intend to add funds to your Battle.net balance at all. There is no word on whether an authenticator will be required if payments are being taken to PayPal instead.

Source: http://us.battle.net/d3/en/forum/topic/5594218404#1

Read full article by GON News

[Yurtles]

Isn't that the wrong way around? I thought the authenticator for sending money to paypal would be what peole would want. Sounds more like they're protecting themselves rather than doing us any favours.

[PalZer0]

Why even have a real money auction house to begin with? That's just asking for account hacks.

Also, I've seen reports of people's accounts being hacked even with authenticators. How are Blizzard dealing with that?

[Bronze_D]

you wanna know one of the reason why there are so many account hacks on blizzard games?

http://us.battle.net/d3/en/forum/topic/5152409863

like... seriously Blizzard...

[Marius]

It's not blizzard's fault that people use minimum length passwords.

Making passwords case sensitive won't do anything unless the user goes beyond minimum level security, because it's up to the user to do something like KlmStV867, instead of porsche. The user who uses porsche or something guessable like that won't use the case sensitive mix. They'll still get hacked, even if they had the option to use better password security.

In short... password security is a user responsibility, and people shouldn't blame Blizzard if they have guessable passwords.

[Bronze_D]

yeah, but it's common sense that being non case sensitive lowers the permutations combination factor significantly...

anyone else in charge of password security asked to do that would think you are nuts.

all this time we KNEW that there were a TON loads of ppl who were getting account hack since Blizzard got so many reports of it they setup a special team just to handle that.

but before this i thought that was just because they had the most userbase in general (and thus the biggest target around)...

now... with this... i am not so sure anymore..

[Tydus]

ahhhh. tbh why the hell does it matter. i imagine none of the passwords are brute forced hacked because im pretty sure blizzard will have a system in place to cancel the login and flag/lock an account after 20 thousand wrong guesses. seriously, these accounts are hacked through fake phishing websites or keyloggers, not brute force. ergo it doesnt really matter how strong your password is.

[Bronze_D]

Yeah, that would be the case if they had a proper security layer..

but see the thing is, i can't recall any decent security barrier that uses case insensitive password layer.

if even that is not in place, what are the chances that they actually got a decent layer behind it to stop generator permutations?

[CJGordon]

My battle.net account has only ever been hacked once, the reason it was hacked is the exact reason Marius said, I had a one word password.

After that my password was changed to a series of numbers and letters that is more than 16+ characters long, I have not been hacked since then, although there have been many a spam email sent to my email.

Since then I have added the phone security, authenticator and changed my original email which has pretty much stopped all spam emails going to my Battle.net email, I think the reason behind the drop in spam emails is because the people who originally stole my account don't know I changed the email, considering they are still sending emails to the old address.

Also, I've seen reports of people's accounts being hacked even with authenticators. How are Blizzard dealing with that?

Everyone who has had a whine at blizzard about their account being hacked whilst they had an authenticator were lying, blizzard has already stated that those people had their accounts returned and then added an authenticator (probably to try and make blizzard look stupid, without thinking that blizzard might be able to track authenticator use)

[Tydus]

It's not blizzard's fault that people use minimum length passwords.

Making passwords case sensitive won't do anything unless the user goes beyond minimum level security, because it's up to the user to do something like KlmStV867, instead of porsche. The user who uses porsche or something guessable like that won't use the case sensitive mix. They'll still get hacked, even if they had the option to use better password security.

In short... password security is a user responsibility, and people shouldn't blame Blizzard if they have guessable passwords.

These days they say your much better off not making a password like KlmStV867 as it is particularly hard to remember and only really helps protect you from dictionary attacks because a brute force cracker will still get to it in time. Your far better off going for a phrase, like thequickbrownhippojumpedovertheworldtradecenter something that you should have no problems remembering and due to its length would take longer then humanity has existed to crack through brute force. cant remember the details but its pretty well publicized online if your interested.

[Marius]

I can remember that...

Klam Street V8 '67.

Clam, on a street, with a '67 model V8.

[Tydus]

Yeah, that would be the case if they had a proper security layer..

but see the thing is, i can't recall any decent security barrier that uses case insensitive password layer.

if even that is not in place, what are the chances that they actually got a decent layer behind it to stop generator permutations?

I imagine they have a very good security layer and have made the conscious chose to disable case sensitivity so that people have less trouble entering their passwords and they have less stupid tech support phone calls tickets from people being unable to log in. I find this answer makes a lot more sense then the idea that a multi-billion dollar company hasn't figured out high school level security. As i said, if they have a system in place to deal with brute force hacking, then having case sensitivity is pretty unnecessary.

[Tydus]

I can remember that...

Klam Street V8 '67.

Clam, on a street, with a '67 model V8.

Then you should have no problems remembering ClamStreetHoldenV81967. My point is if your really are going crazy over security you should be adding more letters in not taking them out.
Though to be honest, i think people are far to cautious about this anyway, I'm not protecting national secrets so i don't need some crazy hard password, I have nothing that anybody would go through so much effort to get.

[Bronze_D]

I imagine they have a very good security layer and have made the conscious chose to disable case sensitivity so that people have less trouble entering their passwords and they have less stupid tech support phone calls tickets from people being unable to log in. I find this answer makes a lot more sense then the idea that a multi-billion dollar company hasn't figured out high school level security. As i said, if they have a system in place to deal with brute force hacking, then having case sensitivity is pretty unnecessary.

Hmmm, good point, or you know... they probably also would just say, if you got hacked then you should've purchased an authenticator and while at it we have a great offer of mobile phone app premium service including auction service for the low low cost of...

incidentally it's a bit odd that they would want to cut the need of having tech support handle ppl who can't log in and spend the resource for special team to handle hacked account instead... i mean either way, you have to spend the resource.

[Marius]

Well, where I was coming from is that in the case of Blizzard, dictionary cracking and third party website hacking is far more significant than brute force. I expect Blizzard to have basic protections against brute force, but they can't guard against user error.

Much of the D3 account hacking so far has been due to the number of third party fansites without Blizzard security getting hacked, and people signing up to those sites using their WoW, SC, or D3 details. Hackers then simply enter those details into D3. It's the simplest and basic way of password hacking around - get the code from an insecure place.

Even if they used a long password like kellychambersisthehottestwomanintheuniverse on both sites and D3 accounts, then they'd still fall to that cracking method. Password length doesn't really protect against the way hackers commonly get into Blizzard accounts. Unique passwords is the safest bet.