We recently warned gamers about an article on the Joystiq WoW Insider page saying that public Diablo III games were safe; that session spoofing is fake and that it's just Chinese gold farmers spreading propaganda. Well, another user actually tested session spoofing and gives a complete rundown on how to protect yourself.
We've come across many gamers on forums, websites and news posts saying that after joining a public game, or leaving their own game open to the public while playing Diablo III online, they had their accounts wiped clean and a select few of the same names showed up on their friends list. Well, it turns out there is a theoretical hack methodology that connects the paranoia about joining public games with the "man in the middle" session spoofing conspiracy theories.
Forbes recently ran an article about gamers needing to take responsibility and speak up against Blizzard, as well as Blizzard needing to take responsibility and openly talk to consumers about what's happening with account infiltration. A nifty user in the comment section of the article actually provided a very logical explanation of imitating session spoofing (something anyone with the will and know-how can do) and explains the following...
Buy two games, get two accounts, join both in game, open trade screen and then inspect packets. Some interesting stuff in there to use to spoof with, not very well secured at all.
Now let's be clear, this guy is saying session spoofing or "man in the middle" attacks are possible. The WoW Insider article pointed to a forum thread where Blizzard has been feverishly denying that anything other than consumer negligence is the cause of infiltrated accounts. This is not the case, however, and in personal back-and-forth communication with consumers, Blizzard's support staff has admitted that they do not know how some accounts have been infiltrated. If all account compromises were via "traditional means" the support staff would not be baffled about the ways in which accounts are being attacked.
Let's get another thing perfectly clear: Everything Blizzard says will be about protecting the resources of the company. There is a possibility of earning billions from the Real-Money Auction House. That is a fact. Blizzard will do any and everything within their power to downplay the severity of the situation, even if it means denying account infiltration techniques that are possibly being used to compromise accounts. This is the number one thing mentioned in the top misconceptions about the gaming industry.
Anyways, the user goes on to further explain how the spoofing takes place, mentioning that...
Technically they are not breaching servers. They are using stolen sessions. What ActiBlizz did not do well was use rotating session IDs in the game. They actually might be fixing this as we speak. But they would never say anything about this, any company would deny deny deny. I would deny as well, reason being: to fix it before it gets out of control and not to tell everyone how it was done.
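The quoted comment hinges on one design point: if a session ID never changes, then an ID captured from earlier traffic keeps working for as long as the player stays logged in. The following Python is an added example of the "rotating session IDs" mitigation the commenter describes. It is a hypothetical server-side session store written for this article, not Blizzard's or Battle.net's code, and the account name, client addresses and item are constructed sample values. Every sensitive action (here a trade) retires the current ID and issues a fresh one, each ID is bound to the client address it was issued to and expires after a time-to-live, and any retired or mismatched ID is refused and logged as a suspected replay, so the defender gets an audit trail instead of a silently emptied account.

```python
import secrets
import time


class SessionStore:
    """Hypothetical server-side session store that rotates session IDs.

    Constructed to illustrate the mitigation mentioned in the quoted
    comment; it is not Battle.net's design.  Rules enforced:
      * every sensitive action retires the current ID and issues a fresh
        one, so an ID captured from earlier traffic is useless afterwards;
      * an ID is bound to the client address it was issued to;
      * IDs expire after a time-to-live;
      * a retired or mismatched ID is refused and recorded as an alert.
    """

    def __init__(self, ttl_seconds=300, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock          # injectable so tests can move time forward
        self.active = {}            # sid -> (account, client_addr, issued_at)
        self.retired = {}           # sid -> account, kept to recognise replays
        self.alerts = []            # audit trail for the defender

    def _issue(self, account, client_addr):
        sid = secrets.token_hex(16)             # 128 bits from the OS CSPRNG
        self.active[sid] = (account, client_addr, self.clock())
        return sid

    def _retire(self, sid):
        account, _, _ = self.active.pop(sid)
        self.retired[sid] = account

    def login(self, account, client_addr):
        return self._issue(account, client_addr)

    def authorise(self, sid, client_addr):
        """Return the account for a valid (sid, client) pair, else None."""
        if sid in self.retired:
            self.alerts.append(
                f"replay: retired session of {self.retired[sid]} "
                f"presented from {client_addr}")
            return None
        entry = self.active.get(sid)
        if entry is None:
            return None                         # unknown ID: nothing to attribute
        account, bound_addr, issued_at = entry
        if bound_addr != client_addr:
            self.alerts.append(
                f"mismatch: session of {account} bound to {bound_addr} "
                f"used from {client_addr}")
            return None
        if self.clock() - issued_at > self.ttl:
            self._retire(sid)                   # expired: retire so later use is flagged
            return None
        return account

    def trade(self, sid, client_addr, item):
        """Sensitive action.  Returns (result, new_sid); the old sid is retired."""
        account = self.authorise(sid, client_addr)
        if account is None:
            return None, None
        self._retire(sid)
        return f"{account} traded {item}", self._issue(account, client_addr)


def demo():
    """Legitimate trade, then a replayed ID, a copied ID and an expired ID."""
    now = [1000.0]
    store = SessionStore(ttl_seconds=60, clock=lambda: now[0])
    sid1 = store.login("player@example", "10.0.0.5")
    result, sid2 = store.trade(sid1, "10.0.0.5", "rare sword")    # legitimate
    replay = store.trade(sid1, "198.51.100.7", "rare sword")       # captured sid1 reused
    hijack = store.trade(sid2, "198.51.100.7", "rare sword")       # current sid from another host
    now[0] += 120
    expired = store.trade(sid2, "10.0.0.5", "rare sword")          # past the TTL
    return result, replay, hijack, expired, store.alerts


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Only the first trade succeeds; the other three return `(None, None)`, and the replay and mismatch cases leave entries in `store.alerts` that a monitoring pipeline could correlate with the account-emptying reports described in the article. The key design choice is keeping retired IDs around rather than simply deleting them: a deleted ID looks like any random garbage, whereas a retired ID presented from a new address is strong evidence that a session was captured.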
Let's recount now. Blizzard has said many times on the forum, including in this thread here, as well as to sites like Joystiq, that session spoofing is highly improbable. They mention that performing "man in the middle attacks" is highly complex. They refer to traditional means of account infiltration as the most viable way to lose access to your account, pinning the blame on users. This video here, which documents the way Chinese gold farmers get hold of gamers' accounts via traditional means, aims to reiterate what Blizzard says. However, that's not entirely what's happening in this case.
The user Vaudevillian, who tested the session spoofing capabilities on Blizzard's Battle.net, lays out the following details...
After looking at the packets myself, I did a test to see what was happening.
Bam. Now that's some excellent information right there. The "buy account" quote was also ironically reiterated to the writer of Eurogamer when he logged in and found out that his account had been hijacked.
As mentioned before, DO NOT JOIN PUBLIC GAMES.
I cannot stress that above sentiment enough.
There are also names you should look out for and avoid at all costs when playing Diablo III, even if you do have an authenticator: “leyiong”, “Nevin”, “SBJunkie”, “luckllezz”, “McLeast”.
As for people who feel safe with an authenticator, take note that Examiner Mark Casino was hacked even though he was using one, so exercise extreme caution when playing Diablo III.
Now is it possible that the above guy is lying about his session spoof testing? It's possible. Is it possible Examiner Mark Casino didn't have the right authenticator? It's possible. However, let's take into account that the information provided actually makes sense, and ties into why people have been mysteriously losing access to their accounts and Blizzard has not been able to properly track the intrusions (it also makes sense because Blizzard won't make the information public, even though it would help protect consumers from becoming potential hack victims).
Blizzard has also been deleting threads on the forums from users claiming to have been hacked while using an authenticator; I'd point to some threads, but they've been deleted. The reasoning is that the support staff felt people claiming they were hacked while using an authenticator were spreading misinformation and were working with Chinese gold farmers to keep people paranoid and away from using authenticators. There's no telling how true that really is. Alternatively, it could be Blizzard's way of preventing people from seeing that a large majority of hack claims also have authenticators attached to their accounts, even though Blizzard says they have yet to investigate a case where someone had an authenticator attached.
Regardless, get an authenticator just to be sure (the mobile version is free). Change your password frequently and please do not play in public games or leave your game open for the public.
With the real-money auction house opening soon it's imperative to practice safe playing habits because there's a real possibility that users could be losing more than just virtual items and goods.
(Update: Blizzard replied to the article and says that public games are safe.)