Attackers can bypass all 2FA to gain account ownership (Asia region only).

Env:

Only applicable to Asia Battle.net, because that is the only region where a SIM card (phone number) can be used as the account login.

Attack conditions:

If the SIM card of the game account's owner expires (for example, the phone plan lapses) and the owner does not promptly unlink the phone number from the game account, the number is eventually reassigned to someone else, who can then take the account. (The faster the telecom carrier recycles numbers, the sooner this happens.)

(The SIM card is not the same as the mobile device. If the authenticator app lives on a phone that uses a different SIM card, the expired number is even more likely to be overlooked.)

The method bypasses every 2FA method:

authenticator app identity confirmation,
email address confirmation (the attacker does not know the email address),
email ownership (the attacker cannot access the mailbox; since they do not even know the address, they of course cannot log into it).

Attack method:

On the Asia Battle.net platform, anyone who controls the phone number can click "Forgot Password" and reset the password using only the SIM card: neither the authenticator app nor email confirmation is required.

Then the attacker resets the password.
Then they log in with the new password and submit a ticket to unbind the mailbox.
Then they bind their own mailbox.
Then they submit a ticket to remove the authenticator.
Finally, they hold all rights to the account.
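To make the root cause concrete, here is a small model of the recovery decision, written as an added example for this report. It is not Battle.net's code: the account fields, the `Carrier` number-recycling model, the phone number and the two policy functions are all assumptions. `reset_password_weak` models the behaviour described above (an SMS code to the bound number is sufficient by itself); `reset_password_hardened` shows the check a practitioner would expect, where the phone is only one factor and every stronger factor bound to the account must also be proven.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional

# Constructed model of the account-recovery decision described in the report.
# Not Battle.net's code: names, the phone number and the policy shapes are
# assumptions made for illustration.


@dataclass
class Account:
    phone: str                      # SIM-based login identifier
    email: Optional[str] = None     # bound mailbox, if any
    authenticator: bool = False     # authenticator app bound?
    password: str = "owner-secret"


class Carrier:
    """Tracks which party currently holds each phone number (constructed)."""

    def __init__(self) -> None:
        self.holder: Dict[str, str] = {}

    def assign(self, number: str, party: str) -> None:
        # Number recycling: a lapsed SIM's number is handed to a new subscriber.
        self.holder[number] = party

    def delivers_sms(self, number: str, party: str) -> bool:
        return self.holder.get(number) == party


ResetFn = Callable[[Account, Carrier, str, str, FrozenSet[str]], bool]


def reset_password_weak(acct: Account, carrier: Carrier, party: str,
                        new_password: str, proofs: FrozenSet[str] = frozenset()) -> bool:
    """Phone-only recovery, as the report describes: an SMS code to the bound
    number is sufficient even when an authenticator and a mailbox are bound."""
    if not carrier.delivers_sms(acct.phone, party):
        return False
    acct.password = new_password
    return True


def reset_password_hardened(acct: Account, carrier: Carrier, party: str,
                            new_password: str, proofs: FrozenSet[str] = frozenset()) -> bool:
    """Recovery that treats the phone as one factor among several: every stronger
    factor bound to the account (authenticator code, link to the bound mailbox)
    must also be proven before the password changes."""
    if not carrier.delivers_sms(acct.phone, party):
        return False
    if acct.authenticator and "authenticator" not in proofs:
        return False
    if acct.email and "email" not in proofs:
        return False
    acct.password = new_password
    return True


def _owner_account(carrier: Carrier) -> Account:
    acct = Account(phone="+886900000000", email="owner@example.invalid", authenticator=True)
    carrier.assign(acct.phone, "owner")
    return acct


def sim_recycling_takeover(reset: ResetFn) -> bool:
    """Replay the report's scenario: SIM lapsed, number reassigned to the attacker,
    owner never unlinked it. Returns True if the attacker sets a password of their choice."""
    carrier = Carrier()
    acct = _owner_account(carrier)
    carrier.assign(acct.phone, "attacker")
    # The attacker knows neither the mailbox address nor the authenticator secret.
    return reset(acct, carrier, "attacker", "attacker-secret", frozenset())


def legitimate_recovery(reset: ResetFn) -> bool:
    """The real owner, still holding the number and the other factors, recovers."""
    carrier = Carrier()
    acct = _owner_account(carrier)
    return reset(acct, carrier, "owner", "new-owner-secret",
                 frozenset({"authenticator", "email"}))


if __name__ == "__main__":
    print("weak policy, recycled number    :", sim_recycling_takeover(reset_password_weak))
    print("hardened policy, recycled number:", sim_recycling_takeover(reset_password_hardened))
    print("hardened policy, real owner     :", legitimate_recovery(reset_password_hardened))
```

The point of the model is that the weak and hardened policies differ only in whether the bound authenticator and mailbox are consulted at all; the later ticket steps in the report only matter because the first step already handed the attacker a password.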

Yes, you can blame the account owner for not paying for their phone plan.
But this already violates the 2FA rules:
during the whole process, nothing involving the authenticator app or the mailbox ever happened.