Diablo 3 Account Hacking and Security Issues
Reports from users that their accounts have been hacked and their items stolen continue to fly forth. Dozens (hundreds?) of fans have reported that their accounts have been compromised and their gold and items stripped, presumably by hackers who are hoarding the loot for the impending start of the RMAH, when your labor can become their profit.
Hacked accounts aren’t anything new to online gaming, and certainly not in Blizzard games. I did a quick search and the top return was an eHow.com page about what to do after your WoW account has been hacked. Their first point was to scan your system for a key logger, which is how the VAST majority of account hacks occur.
I am not a computer security professional, but I heard from literally hundreds of fans who had been “hacked” in the D2 days, interacting with them via our old Warnings section, and I cannot think of a single person who contacted me (often mistakenly believing we *were* Blizzard) who hadn’t been tricked into revealing their password or ripped off via a key logger, almost always inserted into their system via social engineering. That or via a trojan, as they tried to install maphack or some other program they’d been told was a great way to cheat at the game. (Like casinos and Wall Street, scammers almost always use your greed against you.)
Unsurprisingly, most people who get ripped off want someone to blame, and since they don’t realize they were the cause of their own undoing, they look for external problems, ideally technical ones with Blizzard’s servers. The hot rumor flying around is that hackers are somehow gaining access to accounts via the “last game joined” list, or are victimizing people they meet in public games. This could be true, but Blizzard has offered several denials of that possibility.
We’ve been taking the situation extremely seriously from the start, and have done everything possible to verify how and in what circumstances these compromises are occurring. Despite the claims and theories being made, we have yet to find any situations in which a person’s account was not compromised through traditional means of someone else logging into their account through the use of their password. While the authenticator isn’t a 100% guarantee of account security, we have yet to investigate a compromise report in which an authenticator was attached beforehand.
As for the Authenticator, get the actual physical device or use the smartphone one. There is also a “dial-in authenticator” which many fans confuse with the mobile app, but which doesn’t work the same and is not enabled for Diablo III.
To be clear, the mobile authenticator (the phone application that mimics the physical authenticator code generation), and the dial-in authenticator, are not the same, and do not offer the same types of protection. While the dial-in authenticator can be a helpful addition to your account security by attempting to detect fraudulent login attempts, it is not the same as the physical and mobile authenticators which require a unique code be generated from the physical or mobile device to allow access to the account.
In addition, the dial-in authenticator is only currently supported for World of Warcraft.
If you’ve been hacked, assume the worst, that your machine has been compromised, and take appropriate security measures. Maybe you weren’t, and maybe there really is a huge hackable hole in the Battle.net D3 system, but even if there is you can’t do anything about that. You can secure your own computer, you can avoid downloading any fishy software, you can set a strong password for your D3 account, and you can get an authenticator to be doubly-sure.
Blizzard tech support does offer roll-backs to restore lost loot; they check to see if an unknown IP# logged onto your account and if so, they can give you back what you lost, but it’s a roll-back; they’ll just revert your account to where it was before X happened. So if you play any while you’re waiting, current progress will be erased.