01/26/08, 7:47 AM
|
#1
|
|
Von Kaiser
|
Guild Bank Security
I assume pretty much every raiding guild uses the new guild bank feature these days. I'm also pretty sure that the majority of players either have lost access to their account at some point or know someone who has. What I don't know is how all of you deal with it when these two circumstances collide. Obviously before the bank patch it wasn't a massive deal when a member clicked a sex girl only to find themself naked the next day. The character's owner wouldn't be able to raid for a while and eventually they may have to re-enchant and re-gem their gear. Nowadays, however, it seems to be a much larger problem.
Long story short we've had a recent spree of hacked accounts in our guild. The first one to go down was a general raider. It wasn't a huge deal given we have fairly low limits set for that rank (100g and 10 stacks a tab). The hacker was smart about it and did it right before and after the day reset and got 200g and a bunch of mageblood elixirs. Then one of our officers got hacked. They have full access to the bank but luckily he plays way too much for his own good and all they did was make sex women posts until he noticed and changed his info without the hacker logging in-game. The real issue came today when we found out he apparently didn't clean his computer as well as he thought he had. About an hour and a half after the dirty deed was done, we checked our bank to see pretty much everything gone. Most of the guild's gold, raid consumables, and enchanting mats just disappeared. Given how banks work these days it was pretty easy for him to grab the most valuable stuff out of a tab and leave the junk.
My question is twofold. One: what do guilds with much more valuable banks than ours do to safeguard themselves from both irresponsible members and outright thieves? What limits do you set for tabs? Do your raiders all have access to all of the tabs or do your officers have to taxi materials for them? Two: what can Blizzard change to prevent the inevitable account hack from destroying months (or years) of guild resources, especially if it's an officer or a guild leader?
As for our guild, we set up our bank so that all of those of raiding rank had pretty limited access. Guild policy is to sell things to the bank for a lower price than on the AH and for guildies to buy it out of the bank for the same price. I have heard that the devs are considering adding in a feature to set the price of items so it's no longer an honor system and you have to pay the cash to extract an item just like a vendor. This would obviously allow us to eliminate all access from general raiders, but what about safeguarding it against an account hacker on an officer's account? The best thing we could come up with is some sort of in-game password system to actually access the bank. Ideally something like a vault combo that you'd have to click to access so a keylogging program wouldn't have a chance to get it. Something like a set of numbers with an up or down arrow you could click on to set. I'm not overly savvy on how some of the keyloggers work but perhaps it wouldn't even be necessary and it'd be too hard for a program to discern the valuable keystrokes once a person logs in and starts talking to people. Regardless of what it is though I do feel the guild bank needs a secondary level of security beyond simply being able to log into the account.
So what do you all do to secure your guild bank? Should something be implemented in-game or does it ultimately end with hoping your raiders don't click stupid shit while using Internet Explorer? If so I can't imagine it's even worth using the guild bank feature at all. It's far too likely that just one person with access does something stupid, and with all of the guild's resources centrally located it's just too easy to lose it all.
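The first theft described in the post above (200g taken against a 100g limit, either side of the daily reset) is what a limit counted per reset day permits. As an added example, not part of the original thread and not Blizzard's code, this sketch replays that pattern against a fixed-window counter and a rolling 24-hour counter; the reset hour and the timestamps are constructed assumptions.

```python
from datetime import datetime, timedelta

DAILY_GOLD_LIMIT = 100   # the raider-rank gold limit quoted in the post
RESET_HOUR = 3           # assumed reset time; the thread does not give one


def reset_day(ts):
    """Label of the fixed accounting day that a timestamp falls in."""
    return (ts - timedelta(hours=RESET_HOUR)).date()


def fixed_window_allows(history, ts, amount):
    """Limit counted per reset day: the counter drops to zero at each reset."""
    spent = sum(a for t, a in history if reset_day(t) == reset_day(ts))
    return spent + amount <= DAILY_GOLD_LIMIT


def rolling_window_allows(history, ts, amount):
    """Limit counted over the 24 hours preceding the request."""
    cutoff = ts - timedelta(hours=24)
    spent = sum(a for t, a in history if t > cutoff)
    return spent + amount <= DAILY_GOLD_LIMIT


def replay(requests, policy):
    """Apply a policy to (timestamp, gold) requests; return the granted ones."""
    granted = []
    for ts, amount in requests:
        if policy(granted, ts, amount):
            granted.append((ts, amount))
    return granted


def total(granted):
    """Gold actually withdrawn across all granted requests."""
    return sum(amount for _, amount in granted)


# Constructed sample: one compromised raider account withdrawing the full
# limit a few minutes either side of the reset, then trying a third time.
REQUESTS = [
    (datetime(2008, 1, 25, 2, 55), 100),
    (datetime(2008, 1, 25, 3, 5), 100),
    (datetime(2008, 1, 25, 3, 10), 100),
]

if __name__ == "__main__":
    print("fixed window:", total(replay(REQUESTS, fixed_window_allows)), "g")
    print("rolling 24h :", total(replay(REQUESTS, rolling_window_allows)), "g")
```

With a per-reset-day counter the worst case for one account in a short session is twice the configured limit, so the loss to plan for per compromised rank member is 2x the limit, per tab and for gold.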
|
01/26/08, 7:54 AM
|
#2
|
|
Don Flamenco
Undead Priest
Talnivarr (EU)
|
What other level of security do you want? Another password when accessing the guild bank? That can be keylogged too.
Another way is to limit access for all people except one person (still a small risk then).
|
01/26/08, 8:31 AM
|
#3
|
|
King Hippo
|
At least the GM and the officers should be smart enough to use Firefox+Noscript. Putting additional security measures would make day-to-day operations annoying.
|
01/26/08, 8:40 AM
|
#4
|
|
Great Tiger
Orc Death Knight
Blutkessel (EU)
|
One of our officers took almost everything from our guildbank, transferred and sold on eBay. We never heard of him again. See, you don't even need to be hacked.
|
01/26/08, 8:44 AM
|
#5
|
|
Glass Joe
Blood Elf Warrior
Tarren Mill (EU)
|
As a GM I set pretty strict limits on our guildbank.
Officers can withdraw 50g a day (covers a respec for a raid) and about 5-10 stacks, and that's about it. No ordinary members can take anything from the guildbank, so we wouldn't lose much if the accident did happen.
If I however get hacked, which I plan not to - it's a whole other story, nothing to do about it!
|
01/26/08, 8:56 AM
|
#6
|
|
Von Kaiser
Human Paladin
Stormrage (EU)
|
Well, if one of the officers got hacked, or the guildmaster, it wouldn't be any different than it was before with banking alts. Just to draw a comparison. However, these days it is a lot more obvious when a certain member has access to a bank.
Either way, back then or now, if your banker got hacked, you lose all of it.
|
01/26/08, 9:08 AM
|
#7
|
|
Foobar
Troll Priest
Azjol-Nerub (EU)
|
Originally Posted by Skulli
What other level of security do you want? Another password when accessing the guild bank? That can be keylogged too.
Another way is to limit access for all people except one person (still a small risk then).
|
It would be significantly harder to keylog an onscreen numpad that requires you to enter a numerical code by clicking on the numbers.
Make that pad appear on a random location on screen and you would really have a hard time trying to crack that, although most likely not impossible.
|
* Bla
|
01/26/08, 9:14 AM
|
#8
|
|
Piston Honda
Undead Warrior
Boulderfist
|
My guild bank is just set to pretty much be an iron fist on just about everything. Officers have access to only about as many stacks as they would theoretically need for crafting, no more. Members are set at 3 or 5, and alts are set to a stack a day. Even if someone and their entire stable of alts went psycho, about the most I would lose would be a stack of arcane crystals and some primal shadow or something equally ridiculous.
I also keep the tabs set differently and informed the guild of this. There's a tab for potions, and there's a tab for flasks, with different permissions set. It's not a big deal if someone runs away with 20 major agilities. It's a huge deal if someone runs off with 20 Relentless Assaults. I don't need someone cleaning out my entire stock of LPS's, but if you really wanna screw yourselves out of a bunch of friends over some noble topaz, go right ahead.
I used to have it set so people could repair with gold, but my officers bitched about that because they always hit the wrong button and used guild funds for it even when we weren't doing guild activities. So I nixed the gold withdrawal and everyone goes through me when they need money for anything. Small price to pay to make sure we've got cash in there when we need it.
And as far as account security goes, I'm still not of the belief that keyloggers are really the problem. 99% of all account compromising comes from people sharing their info. Just don't do that with everyone, and you won't have a problem. As a guild leader, it's more important now than ever, since you're the only one who should have access to clean out the bank.
|
01/26/08, 9:27 AM
|
#9
|
|
Not Enough Rage.
Ehandel
Tauren Warrior
No WoW Account
|
There's always going to be the failure point of someone with access to most/all of the bank, and really that hasn't changed with the advent of guildbanks. As Arakan stated, there used to be the chance the guild mules would be hacked/sold and you'd lose everything that way. With the integrated guildbank feature at least Blizzard has a logging system in place as well as concrete ownership rights by the guild, rather than "Character XYZ left the game and took all our bank toons".
This thread should really be "Best Practices: How to not click links with .cn"
|
There's not some hidden "but he tries really hard" variable built into the game. -Slake
I always love the "it doesn't fit my style of play" line. There are only two styles of play; Correct, and Incorrect. The only people that ever use this line are people with the incorrect style of play. -Sebudai
|
01/26/08, 9:50 AM
|
#10
|
|
Don Flamenco
Blood Elf Warlock
Turalyon
|
Wonder if they could put a transaction limit, where any daily withdrawal over 1000g triggers some kind of alert, similar to real life banks.
|
01/26/08, 10:22 AM
|
#11
|
|
Piston Honda
Undead Warrior
Boulderfist
|
Originally Posted by Krazen
Wonder if they could put a transaction limit, where any daily withdrawal over 1000g triggers some kind of alert, similar to real life banks.
|
I dunno how this would be useful. Only the guild leader should have the right to pull that much money out of anyone's guild bank. If they don't, it's no one's fault but your own.
|
01/26/08, 10:27 AM
|
#12
|
|
Don Flamenco
Blood Elf Warlock
Turalyon
|
Originally Posted by TheCutlery
I dunno how this would be useful. Only the guild leader should have the right to pull that much money out of anyone's guild bank. If they don't, it's no one's fault but your own.
|
Which still leaves the problem of the GL getting hacked. It alleviates, but doesn't solve, the problem.
If nothing else, I don't see why Gold Withdrawal cannot be on a 24 hour timer, as well as a 24 hour 'security' tab where withdrawals of rare stuff take 24 hours.
Last edited by Krazen : 01/26/08 at 10:35 AM.
|
01/26/08, 10:34 AM
|
#13
|
|
Not enough rage
Gnome Warrior
Argent Dawn (EU)
|
In that case do you only allow the GM to access valuable guild goods as well?
Getting even a single stack of crimson spinels would be thousands of gold on any server.
It seems to hamstring daily operations too much.
|
01/26/08, 10:52 AM
|
#14
|
|
Don Flamenco
Human Death Knight
Archimonde
|
A good place to start is to educate your members - all of them - on how not to do stupid things on the Internet. WoW-specific BadStuff(TM) is of course going to be mostly found on WoW and gaming related sites, but there are also broader keylog and hacker attempts aimed at information that's usually far more valuable than someone's WoW account or even their guild bank.
Run heavy security programs including a restrictive firewall and don't click on garbage. When your browser or your security system throws up a block, at least think about why it is doing that, and if what you want to see/download is remotely worth the potential loss of thousands of dollars, credit history damage, etc.
There's also the moron password problem - it wasn't necessary to hack your account because someone who knew something about you could guess it fairly easily. Let alone "I gave it out to my buddy and I didn't know that he posted it on a Post-It note near the entrance of his dorm room so that he didn't forget it."
WoW "hacks" that aren't related to downloading shit onto your computer are going to be either a stupidly easy name/password combo or bad log-in info security. Truly "random" WoW account hacks without malicious software on your own computer are damn near impossible because of how WoW account access works. Anyone with the horsepower to even attempt that has much better things to steal. Odds are that anyone who says that this has happened to them either doesn't realize that they compromised their own security or is lying through their teeth.
Your username shouldn't be the same as any of your characters, and your password should be at least 10 digits long, use no dictionary words and be as complex as a given site will let you make it.
There is no truism that "everyone is going to be hacked someday" any more than "Everyone will be in a car accident someday" or "Everyone gets STDs". All are overwhelmingly related to moron behavior.
|
01/26/08, 10:56 AM
|
#15
|
|
Piston Honda
Undead Warrior
Boulderfist
|
Originally Posted by Krazen
Which still leaves the problem of the GL getting hacked. It alleviates, but doesn't solve, the problem.
If nothing else, I don't see why Gold Withdrawal cannot be on a 24 hour timer, as well as a 24 hour 'security' tab where withdrawals of rare stuff take 24 hours.
|
Oh come on. Who really gets "Hacked?"
Every time I've ever heard of anyone getting "Hacked" in an MMO, it always comes back to "Well, Bob had my account info, Jim too" or "I just got divorced, and my wife moved out last week." The threat of keyloggers is largely overplayed in my opinion. 99% of the people who get hacked just have poor account security habits when it comes to their friends or family. The guild leader just needs to be vigilant about his account info and you shouldn't have any problems anymore.
Now, as for the limit and transaction cooldown, who has oversight in that regard? If the guild leader is the only one who can withdraw that sum of money anyway, who's going to stop the transaction? Bobbycasual is going to press the red button that locks everything down when he hears at 4am that the guild leader took 2k gold out? It wouldn't prevent anything from happening, just slow down the process.
|