I'VE BEEN HACKED!
I immediately went over to us.battle.net and found that my authenticator worked there. Hmm. OK, not removed. Come to find out, Blizzard did this on purpose. They had implemented a new policy that states if you consistently access your account from the same location, they won't prompt for your authenticator regularly.
Why didn't I get an Authenticator prompt this time?
I like this idea, but hate the implementation. Blizzard has multiple means of communication with us end-users, and they could have used any of them to warn us of this major security policy change. I'd love to have seen on the realm page where I type in my password info, "We've changed the way we process authenticators, go to the Battle.Net Authenticator FAQ for more information."
The Authenticator system will now intelligently track your login locations, and if you are logging in consistently from the same location, you may not be asked for an authenticator code. This change was made to make the authenticator process less intrusive when we are sure the person logging in to your account is you.
The Good, Bad and Ugly.
How is Blizzard tracking my location? We will probably never know the full details of this, but Blizzard has straight said they were monitoring our account information. I believe it was soon after the mandatory roll over to the battle.net account requirement that it appeared. I am guessing it is more complex than simply my IP address. Blizzard knows that:
- IP addresses can change regularly. All of the users on dial-up DSL can guarantee a new IP each time they start the computer. This would imply that each time I reboot, I'll be asked to type in my PIN. What's the point then?
- A computer can be spoofed, sort of. You can spoof my PC name by creating a virtual copy of my machine with my network card info (MAC, IP), but you can't spoof everything. Could Blizzard be doing a 'reverse lookup' of my IP address? Oh sure, why not. This is a spam-prevention technique. Take the IP address you are reporting, see if it is coming from a domain that owns it.
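
A sketch of the kind of "same location" decision speculated about above, added here as an illustration; it is not Blizzard's implementation and not code from the original post. The device-profile strings, the network-prefix comparison, the `MIN_SEEN` threshold and the login history are all assumptions constructed for the example.

```python
import ipaddress

# Assumed policy knobs; the post gives no real values.
MIN_SEEN = 3     # successful logins required before a device profile counts as "consistent"
V4_PREFIX = 24   # compare networks rather than exact addresses, since ISPs reassign IPs
V6_PREFIX = 48

def network_of(ip):
    """Collapse an address to its network so a reassigned IP from the same ISP pool still matches."""
    addr = ipaddress.ip_address(ip)
    prefix = V4_PREFIX if addr.version == 4 else V6_PREFIX
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def needs_authenticator(history, login):
    """Return (prompt, reason) for a login whose password already checked out.

    history: earlier logins that passed the authenticator, as dicts with
    'ip' and 'device' (an opaque device-profile string, hypothetical here).
    """
    same_device = [h for h in history if h["device"] == login["device"]]
    if len(same_device) < MIN_SEEN:
        return True, "device profile not seen often enough"
    net = network_of(login["ip"])
    if not any(network_of(h["ip"]) == net for h in same_device):
        return True, "known device profile on an unfamiliar network"
    return False, "consistent device and network"

# Constructed history: one household behind a single router (documentation IP ranges).
HISTORY = [
    {"ip": "203.0.113.10", "device": "desktop-profile"},
    {"ip": "203.0.113.57", "device": "desktop-profile"},  # new IP after a reconnect
    {"ip": "203.0.113.91", "device": "desktop-profile"},
    {"ip": "203.0.113.91", "device": "laptop-profile"},   # laptop used only once
]

if __name__ == "__main__":
    attempts = [
        {"ip": "203.0.113.200", "device": "desktop-profile"},  # usual PC, fresh IP
        {"ip": "203.0.113.91", "device": "laptop-profile"},    # same router, rarely used PC
        {"ip": "198.51.100.7", "device": "desktop-profile"},   # copied profile, other network
    ]
    for a in attempts:
        print(a, "->", needs_authenticator(HISTORY, a))
```

Keying the decision on both the device profile and the network is what keeps a changed IP from forcing a prompt on every reboot, while a rarely used machine or a familiar profile arriving from elsewhere still gets challenged.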
I have multiple computers behind a router. They're doing a computer profile check. My primary desktop isn't asking for token. My secondary laptop is getting challenged.