Blizzard has admitted that there is an active and successful attack against their Blizzard Authenticators.
Man in the middle attacks circumventing authenticators
This makes perfect sense as:
- OTP tokens such as the Authenticator are obviously susceptible to a live man-in-the-middle (MITM) attack as has been demonstrated as something well beyond “theoritical” a decade ago. The issue isn’t with the token vendor or type, it is with the entire scheme of a short-lived, shared secret in an increasingly real-time, share-it-and-lose-it networked world.
- Blizzard is likely the largest OTP deployment on the planet. They haven’t released any numbers, but if even 10% of users use it, that’s roughly 1.2 million users. i.e. Big ROI.
- There’s money in “them thar accounts”.
What can you do?
- All the normal things, run anti-virus, anti-spyware, etc.
- Log into WoW from as few PCs as possible and only those you absolutely control.
- Try to log into any web page that requires authenticator authentication as little as possible, as a man-in-the-middle attack in a browser doesn’t require a local keylogger file as is being used in this current attack
What can Blizzard do?
- The obvious:
- I believe their thick client already scans for a large number of known attack libraries, files, etc. at the time of launch. This will be added to the list.
- I also suspect they are looking for suspicious behavior to the extent that they can with the client. This type of behavior should be added to the list for that. Also, they may want to consider increasing the terms and conditions of what we allow them to do in the client with regard to looking for vulnerabilities and suspicious behavior.
- Less Obvious: Blizzard should seriously consider having a separate authentication mechanism for getting into the game client than for logging into the various portions of Battle.Net / WorldofWarcraft.com / etc. Why?
- The more times you use the Authenticator, the more opportunities you have to be compromised.
- Blizzard has more controls and capabilities to protect the login through their seriously “thick” client to provide additional protections to the authenticator login.
- Blizzard has much less control over the login environment and ability to monitor what is happening in a web-based authentication with an authenticator. This current attack is heavy-weight in regards to payload necessary to pull it off. A successful MITM attack in a web login requires much less work and no payload (client software installed) to execute.
- What does the attacker want access to, my WoW account details or the stuff on my various characters, in my banks or my guild’s banks? Go look at what is on file in your “My Account” section. Ask yourself:
- What is there that an attacker couldn’t get more readily and simply somewhere else given Blizzard is following good practices with regard to what details are shown, masked, etc.?
- What can the attacker do to you there? Change your password? Why bother when I can steal both your static password and dynamic password in a simple web-based MITM attack? As you now realize, an attacker only need to compromise you one time. They don’t need to have a reusable password.
- How about turn off your authenticator? Hopefully you would stop and think seriously about providing the serial number of your Authenticator if asked outside of your specifically intending to turn it off.
- My suggestion to Blizzard is to consequently move authenticator management and use completely into the WoW client and only ever ask for the Authenticator code from within the client for game session login. Enable the ability and strongly suggest to users that they use a separate password for Battle.Net web page logins (sans Authenticator) and another separate password to use in the game client with your Authenticator).
- Lastly, and I know from first-hand experience in discussing this with Blizzard devs that this probably won’t fly, but seriously consider offering additional forms of authentication that aren’t susceptible to MITM attacks. I know the alternatives aren’t as globally friendly for all our WoW brethren that login from shared network cafe PCs, but that’s not the whole market and those of us not constrained in that fashion would like something better if you offered it. More work for you, yes. Better security for us and retention of us as customers, yes.
