 |
01/26/08, 2:58 PM
|
#26 (permalink)
|
|
Great Tiger
|
We have it limited so that only two people have complete access to the bank. The GM and me as the banker. It's not that we don't trust the other officers; we do in fact, we've all been officers for 2 or more years together. But it's simply safer limiting exposure to the absolute minimum. No one besides the two of us can withdraw gold, and 3 of the 6 tabs are completely off limits for storing valuables. The other 3 tabs are stack limited per person such that no one person could do much damage.
It's really a numbers game. Limit the access to the bare minimum. On top of that, be aware of who you think is computer and security savvy and who's not. Some people just aren't and that's fine, but don't be giving them access that could ruin your bank.
|
|
|
|
|
|
01/26/08, 3:01 PM
|
#27 (permalink)
|
|
Don Flamenco
|
Originally Posted by TheCutlery
Well, I don't believe you, but you're running a much bigger and better guild than my own, so I'll take your word for it.
How do you handle the gemcutting? Is there a guild rank for Raiding Gemcutter? What about enchanting? It seems like all of that could get out of hand quickly with many ranks and many tabs and stuff. The gems really don't take up too much room in my bank, mostly because we keep them uncut, but the enchanting mats I could see getting outta hand really quickly with Shards and Crystals and Dust and essence and whatnot.
|
I don't think you really need to limit access to enchanting mats to that degree. They aren't that expensive compared to BT gems.
|
|
|
|
|
|
01/26/08, 3:03 PM
|
#28 (permalink)
|
|
Glass Joe
|
Human error can trump even the most secure system. Whoever has full access to the G-bank should be the one who's trustworthy and exercises caution.
Anyways, the bank in my current guild is accessible only by the officers (people who were long-standing members to begin with) and the GM. If anyone had an earnest need for something from the bank, one would send a tell to an officer/GM. If none were present, then one would post in the dedicated guild bank thread on our guild forum. The item would be sent to that person in the mail followed by a confirmation (i.e. "Sent!") in the aforementioned guild bank thread.
In regards to the epic gems from MH/BT, a DKP cost is attached to each gem and a description toward their intended use must be submitted prior to withdrawal.
|
|
|
|
|
|
01/26/08, 3:19 PM
|
#29 (permalink)
|
|
Von Kaiser
|
Just ticket it and get it all back. If anything is ever taken from the guild bank, and the account holder of the account that withdrew the materials has a problem with it, Blizzard can get it all back. Period. About 20k gold, a bunch of hearts and patterns, and over 100 BT gems were recently stolen from my guild bank because I gave someone in our guild my password and he took it all. Blizzard gave all of it back and banned the person that took it. The system doesn't really need any improvements in security as long as Blizzard is willing to take care of any problems you have.
|
|
|
|
|
|
01/26/08, 3:29 PM
|
#30 (permalink)
|
|
Piston Honda
Night Elf Hunter
Azjol-Nerub (EU)
|
Originally Posted by Hand
Just ticket it and get it all back. If anything is ever taken from the guild bank, and the account holder of the account that withdrew the materials has a problem with it, Blizzard can get it all back. Period. About 20k gold, a bunch of hearts and patterns, and over 100 BT gems were recently stolen from my guild bank because I gave someone in our guild my password and he took it all. Blizzard gave all of it back and banned the person that took it. The system doesn't really need any improvements in security as long as Blizzard is willing to take care of any problems you have.
|
Yet if you give out your password it defeats any and all security measures Blizzard could devise from their end.
|
|
|
|
|
|
01/26/08, 3:39 PM
|
#31 (permalink)
|
|
Von Kaiser
|
Originally Posted by Shandara
Yet if you give out your password it defeats any and all security measures Blizzard could devise from their end.
|
The point I'm trying to make is there's no real way to make it air tight and foolproof, and in addition to that, there's no point in trying to do so when Blizzard will help you get everything no matter how stupid you are.
|
|
|
|
|
|
01/26/08, 3:53 PM
|
#32 (permalink)
|
|
Bald Bull
Tauren Warrior
Kil'Jaeden
|
Originally Posted by Shandara
Yet if you give out your password it defeats any and all security measures Blizzard could devise from their end.
|
Yet giving out your password is a good move for guild management if you trust those individuals. That is how 95% of guilds out there handled guild banks BEFORE 2.3.
Blizzard has to do what Hand mentioned in his post - fancy systems are nice, but when rules are broken they should be enforced.
I also am not sure I agree with Praetorian that even smart people get key loggers. We've had 2 keylogging experiences in the history of our guild - and both people were being stupid when it happened.
Key logging is certainly far more prevalent than a few years back - or the often overstated VIRUSES - OMG VIRUSES MUST BUY VIRUS protection!! Viruses really are overhyped.
Key logging on the other hand really is everywhere, but most of the people on this forum I'm sure have not made the mistake themselves. It's usually a friend or relative using your computer if anything (and that was both of our 2 guild cases... friends messing up).
As already stated (and amazingly without the stupid comments about it that we've had in the other 5 versions of this thread) using Firefox plus NoScript will protect you in most cases. Still, not clicking on questionable links is your best bet.
|
|
|
|
|
|
01/26/08, 5:05 PM
|
#33 (permalink)
|
|
Piston Honda
Undead Warrior
Boulderfist
|
Originally Posted by Krazen
I don't think you really need to limit access to enchanting mats to that degree. They aren't that expensive compared to BT gems.
|
Well, just to give some context to my post, my guild isn't in BT (or SSC for that matter) so really the valuable stuff in the guild bank is a couple stacks of blue gems (eh, big deal), and then all of the prismatics and voids and whatnot, and the flasks. At 30g a lotus for flasks, and 30g a shard, that's a pretty big expense, and time consuming to replace. We spent a lot of time building up a good pile of enchanting mats because paying 300g for a savagery if you have to buy the mats is just retarded. That's the kind of stuff that smaller guilds would protect I'd imagine. I've just hesitated to make an enchanter rank because I don't trust all of the enchanters equally. I'd much rather have an officer who isn't an enchanter allowed to grab a stack of prismatics than a member who is an enchanter do it. Plus it messes up chat/invite privileges and stuff from the normal guild ranks.
|
|
|
|
|
|
01/26/08, 6:10 PM
|
#34 (permalink)
|
|
Von Kaiser
Night Elf Druid
Lightning's Blade
|
I had heard that Blizzard would restore lost items but would not do so for lost gold due to guild bank thefts.
|
|
|
|
|
|
01/26/08, 6:21 PM
|
#35 (permalink)
|
|
Piston Honda
|
A bit offtopic, but a friend of mine got hacked and in 24h they already sold and transferred his char to another server. In less than a week Blizzard gave him everything back and even transferred the char (didn't expect that to happen). So yeah, I know it sounds weird but these days Blizzard does actually fix problems like this.
On topic: I can't do anything else but repeat what was already said, limit the access to a bare minimum, you need 5 tabs for raiders to withdraw from, we have a 15g repair limit and 5 stacks for pots / flasks. It's more than enough.
|
|
|
|
|
|
01/26/08, 7:09 PM
|
#36 (permalink)
|
|
Don Flamenco
|
I'm no computer/software wiz but I've played WoW since release and browsed plenty o' websites of ill repute, but by just practicing common sense and using a fair amount of anti-virus and spyware programs I have managed to go unhacked.
That aside, as others have suggested: Make the really rare stuff limited to officers only. That would include things like epic gems, hearts, epic patterns, etc. Since (I believe) withdrawals are done by number of stacks you can further protect from being cleaned out by only putting them in stacks of five or whatever if you have the bank space. That way, if an officer or someone with privileges is hacked, and they are limited to three 'stack' withdrawals from a given tab, they can only walk away with fifteen gems as opposed to sixty.
|
|
|
|
|
|
01/26/08, 7:10 PM
|
#37 (permalink)
|
|
Piston Honda
|
Most of these have been listed in some form or another, but this is how we have our guild bank set up:
CASH: Only Guildleader and #2 in command can withdraw large sums of cash. No other person can withdraw "raw" gold for any reason. If they need gold for something, they come to me or #2 in command. We checked the option that people can only repair (basically unlimited repairs a day) but not withdraw raw gold.
Tabs 1, 2, 3 are set up so that only the Guild leader and #2 in command can withdraw items. Anyone can deposit though, and anyone can view it.
Tabs 4, 5, 6 are set up to allow 5 withdraws per day, and again, anyone can view or deposit. Tabs 4, 5, 6 contain mana pots, flasks, marks of illidari, etc. Basically anything that is expendable and limits our exposure.
Overall there are only 2 people who could royally fuck us, that is the Guild leader (me) and #2 in charge, whom I trust 100%.
Of course, none of these solutions prevent the jokers in our guild from writing out "LOL" with mana pots in tab 6. Fuckers.
|
Guildleader of Fusion
|
|
|
|
01/26/08, 8:17 PM
|
#38 (permalink)
|
|
Great Tiger
Night Elf Warrior
Sargeras
|
Out of curiosity has anyone had their bank hacked and all of the items restored via Blizzard? In the case of Guild banks, since it's not exactly your property are you stuck like Chuck? Items? Gold? All of it? Etc.
|
|
|
|
|
|
01/26/08, 8:45 PM
|
#39 (permalink)
|
|
I like Spirit.
|
In my old guild, we had it set up so that all officers could access all tabs in basically unlimited quantity. It was a risk, looking back on it, but one that was limited to 6 total people. Everyone was involved in organization in some way, so it was necessary for easy access to things. This was in semi-response to the previous (pre-2.3) system where I was the only one who had control in any way (4 lvl 1s in IF, each with max'd banks/bags all 16 or 18 slotters). This was a hassle for me.
The money was all in the guild bank, but access was completely limited to guild leader, so people could look at it, but not take it.
There were only two tabs that were FFA : tab 1 (open donation/food tab) and tab 4 (pots). Anyone could take unlimited stacks from either, if they chose. In the two hacks we had since 2.3 (both due to family members looking at stupid things on the interwebz), neither bothered to take anything from the bank. If they had, net loss would have been ~ 500g worth of food/pots. No big deal.
At this point in the game, I was basically willing to trust our officers to not be morons. If you want to be completely sure, limiting it to one person is just fine -- when you hit 200 epic gems and 100k gold like Fusion (nice screenshot, btw), it obviously makes sense to limit exposure. Possibly even (when you hit a certain point) use guild donation money (RL money) to set up a *separate* account which has full control. Then never log in to that account. Ever. That would theoretically be the most secure way to do things: put limited withdrawal privileges on everyone, even officers, and put the guild leader in the hands of a level 1 that never got logged in under anything but the most stringent circumstances.
|
|
|
|
|
01/26/08, 8:49 PM
|
#40 (permalink)
|
|
Not Enough Rage.
|
Originally Posted by Emeraude
Out of curiosity has anyone had their bank hacked and all of the items restored via Blizzard? In the case of Guild banks, since it's not exactly your property are you stuck like Chuck? Items? Gold? All of it? Etc.
|
There have been many anecdotal accounts of Blizzard restoring stolen guildbank items and gold. That was pretty much the whole point of the guildbank system, to bring a level of centralization and ownership to the previously horrible system.
[E] In fact just 9 posts up from yours, someone answers your question.
|
<Penguin> you could get a solid BT clear in the time it takes most women to have birth
<kenlyric> you could clear all the tbc instances in that time
<Penguin> well, they could c-section
<kenlyric> hey, trying to take a shortcut by hacking a wall doesn't count.
|
|
|
|
01/27/08, 12:59 AM
|
#41 (permalink)
|
|
DPS Deliveryman
|
Originally Posted by Emeraude
Out of curiosity has anyone had their bank hacked and all of the items restored via Blizzard? In the case of Guild banks, since it's not exactly your property are you stuck like Chuck? Items? Gold? All of it? Etc.
|
Our GM got his account jacked in mid December and the guild bank got pillaged. We never had any significant gold in there but there were hundreds of void crystals and other enchanting mats stolen, stacks of potions, primals, etc.
He got his personal gear and cash restored quite quickly, but got told that it was impossible to restore the guild bank.
Then, weeks later (more than a month after the theft), out of the blue, he gets another email from Blizz support saying that the guild bank contents have been restored. And lo and behold, there they are.
|
|
|
|
|
|
01/27/08, 4:49 AM
|
#42 (permalink)
|
|
Don Flamenco
Tauren Shaman
Tarren Mill (EU)
|
Originally Posted by Emeraude
Out of curiosity has anyone had their bank hacked and all of the items restored via Blizzard? In the case of Guild banks, since it's not exactly your property are you stuck like Chuck? Items? Gold? All of it? Etc.
|
Yes, it took 6 weeks though and lots of GM tickets.
|
42.
|
|
|
|
01/27/08, 2:21 PM
|
#43 (permalink)
|
|
Don Flamenco
|
Originally Posted by Talgog
That's really just common computer/life knowledge, though. Don't reuse passwords for anything.
|
As "good" as this advice is, most people cannot remember vast numbers of passwords which means they will write them down, which then creates another security risk.
Possibly better advice would be to have a few sets of passwords:
low-security set: put these in on whatever random trash on the internet you join that have essentially no penalties to getting hacked and essentially no safeguards on your info.
medium-security set: use these for stuff like WoW where there are some penalties to getting your pw stolen, but not unimaginably harsh ones, and you have some expectation that as long as you're not stupid, no one will get your pw
high-security pw: for stuff like online banking.
Keep 2-3 for each to get through different password security settings (i.e. must be at least this long, cannot be longer than this). Remembering 6-9 passwords is a lot more doable for people than remembering a different one for each thing they join. ^_^
|
|
|
|
|
|
01/27/08, 3:34 PM
|
#44 (permalink)
|
|
World of Badgecraft Subscriber
Night Elf Druid
Ravencrest (EU)
|
I don't believe I have ever been hacked in regards to a password being stolen, then again as Zifna has just said I've tended to have different 'levels' of passwords.
Forums and dummy accounts (like spoof battle.net ones) tend to follow a certain pattern of around 9 different combinations, this means while they are all different, it's not going to take long to go through them to find which one is needed should I have to.
My email, WoW Account and such have a very old and complex password using all the tricks you can use to make it hard to crack.
A mixture of letters, numbers, capitals and lower case, words spelt with numbers (l337 speak...), words represented by numbers (0 = oh, 8 = ate). Combine that in a phrase or saying which is completely unrelated to any personal information about yourself and you should be safe, cap out the character length or at least go above 10-15 to be most secure.
I have a bad memory, and even forget how to type my high security password sometimes, only the pattern of how it's typed on the keyboard tends to keep it in my memory.
It's really about basic internet safety which most people should be taught at school these days.
Regarding GBank safety alone, I have full access to the money only, all the 'secure' stuff is limited to officers at a few withdrawals per day. We had an occasion where a member got hacked and the person who did it stole around 100 void crystals from the 'open tab', we got them back in the end.
It would be nice if they could incorporate a request system which requires an 'authorization' from an officer (on another account, officer being either R2 by default or a set rank by the GLeader), once done the item gets mailed to the requestee. However this is really too much work on a new function like the Gbank.
|
|
|
|
|
|
01/27/08, 5:55 PM
|
#45 (permalink)
|
|
Von Kaiser
|
|
As for how we have our bank set up, it's like Snowy said -- I've tried to limit exposure without unduly hampering convenience. Only raiders can withdraw from the raid tab, only raid gemcutters (3-4 people) can withdraw from the gems tab, withdrawal amounts are capped so that one person can't clean out the whole bank. At worst they could pick the three most valuable stacks out of dozens, but that wouldn't be terrible. I have a private tab that only I have access to where I keep most of the expensive stuff, and I keep 95% of our gold on hand on an alt. If I get hacked, we're screwed, but that's been the case since day one really.
|
Very similar to how I set our bank up. If I somehow were to get hacked, we'd lose an obscene amount.
Overall I'm happy with the controls and limits. I would have liked the tabs to be cheaper, but for there to be more available, so I could organize things a bit better. I can't think of any other "security measures" that wouldn't be a hassle to deal with the 99.99% of the time things run normally.
|
|
|
|
|
|
01/28/08, 12:57 AM
|
#46 (permalink)
|
|
Bald Bull
Tauren Warrior
Kil'Jaeden
|
Your password should be something scary like edgewalkers: XFfI3io#%$m¢^2
That way when you visit sex girl it takes the gold farmer an extra few seconds of shock and awe to copy and paste.
|
|
|
|
|
|
01/28/08, 2:04 AM
|
#47 (permalink)
|
|
Glass Joe
|
Our guild master's account was hacked just before the holidays and our guild bank looted. As for items being restored - it seems to be kind of arbitrary. We got random green and blue boe armor pieces and various other items, but most crafting materials were not restored. Our most significant loss being our cache of hearts of darkness which is a fairly substantial loss for a guild on Mother's doorstep. What exactly was the person responsible for this ticket thinking? We did eventually get our hearts back after petitioning for them specifically and were able to continue with our progression in BT. We could probably have every item restored if we were willing to go to the trouble of petitioning for all of them.
Upon learning of our guild bank mishap, I researched experiences other guilds have had with hacking/bank looting and learned that if a vault has limited daily withdrawals per character and an officer's account is hacked, the hacker will likely create a multitude of level 1's, ginvite them and max withdraw from the bank until it is completely looted. This will make restoration of the bank far more complicated than if just one character with unlimited withdrawal rights had depleted the bank and will be much less likely to be restored. So while it is a good idea to restrict access to some parts of your guild bank; it is not a good idea to set a daily withdrawal limit.
|
|
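Added example, not part of any poster's message and not game code: a small Python model of the two points made in posts #36 and #47, that stack size times a per-character daily cap bounds what one compromised account can take, and that the bound scales with the number of characters an officer-level account can bring into the guild. The tab-wide daily cap (`tab_daily`) is a hypothetical control used for comparison, not a setting the thread describes, and the stack counts are constructed.

```python
"""Added example: worst-case loss from one guild-bank tab under withdrawal caps."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class TabPolicy:
    per_char_daily: Optional[int]    # stacks one character may take per day (None = unlimited)
    tab_daily: Optional[int] = None  # HYPOTHETICAL cap across all characters per day


@dataclass(frozen=True)
class Exposure:
    items: int        # items removed from the tab
    log_entries: int  # withdrawals recorded (one per stack)
    withdrawers: int  # distinct characters appearing in the log


def worst_case(stacks, policy, characters, days=1):
    """Greedy upper bound: every controlled character takes the largest stacks it may."""
    remaining = sorted(stacks, reverse=True)
    items = entries = 0
    seen = set()
    for _ in range(days):
        tab_budget = len(remaining) if policy.tab_daily is None else policy.tab_daily
        for char in range(characters):
            char_budget = len(remaining) if policy.per_char_daily is None else policy.per_char_daily
            take = min(char_budget, tab_budget, len(remaining))
            if take == 0:
                break  # tab empty, or the aggregate cap is spent for today
            items += sum(remaining[:take])
            del remaining[:take]
            entries += take
            tab_budget -= take
            seen.add(char)
    return Exposure(items, entries, len(seen))


# Constructed sample: the same 60 gems stored two ways.
BIG_STACKS = [20, 20, 20]
SMALL_STACKS = [5] * 12
CAP3 = TabPolicy(per_char_daily=3)

SCENARIOS = {
    "1 char, cap 3, stacks of 20": (BIG_STACKS, CAP3, 1, 1),
    "1 char, cap 3, stacks of 5": (SMALL_STACKS, CAP3, 1, 1),
    "4 chars, cap 3, stacks of 5": (SMALL_STACKS, CAP3, 4, 1),
    "1 char, unlimited rank": (SMALL_STACKS, TabPolicy(None), 1, 1),
    "4 chars, cap 3 + tab cap 3": (SMALL_STACKS, TabPolicy(3, tab_daily=3), 4, 1),
    "same, left unnoticed 4 days": (SMALL_STACKS, TabPolicy(3, tab_daily=3), 4, 4),
}

if __name__ == "__main__":
    for name, (stacks, policy, chars, days) in SCENARIOS.items():
        print(f"{name:30} {worst_case(stacks, policy, chars, days)}")
```

The per-character cap only limits loss while the number of characters with withdraw rights is fixed; a cap that is shared across the tab holds regardless of character count, but only buys time until someone checks the log.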
|
|
|
|
01/28/08, 4:28 AM
|
#48 (permalink)
|
|
Glass Joe
Troll Shaman
Deathwing (EU)
|
Originally Posted by NateDawg1021
Still the exploit of people joining your guild with Permissions set up from their old guild. And voila, stolen goods. Last week we had 3 people (same person we assume) ask everyone anytime someone new logged on saying they were a friend of our guild member. Finally like 5 or 6 people reported him. I told him to back off before he got suspended/banned.
(For those of you that don't know this is a problem and still hasn't been addressed, whenever you invite a new person to your guild immediately change their rank so it resets their bank permissions).
|
When the banks went live and we saw something about this I did quite a bit of testing back and forth between our main guild and alt guild. The only issue I found was that literally the number of withdrawals I had made that day was never reset, I never saw any problem with access to tabs or the total I was allowed to withdraw. So say as an officer in GuildX I had taken out 5 things, I /gquit or am kicked (tried both) and then join GuildY which has a daily limit of 3 for the default rank. I wasn't able to withdraw at all in the new guild because I was already over my limit for that day even though I hadn't taken anything from Y's bank. No amount of promoting or demoting changed this.
About the only situation I didn't test (for lack of motivation and willing helpers during the day) was forming my own guild and disbanding as guild master. It's possible that the special unlimited access rank is different and the source of the real problem. If that is the case though it does rather limit the problem to people specifically out to scam and willing to put time and effort into it, not just random opportunists.
As for password security, with keyloggers being the name of the game these days no amount of complicated string manipulation or regular changes is going to save you. I wouldn't recommend giving up totally and using your last name for everything (I personally use the tiered approach others have mentioned) but I think switching to Firefox with NoScript, keeping your scanners up to date and avoiding sketchy links is going to do more than anything else. Unless you stand out for some reason it's unlikely that anyone is going to target you specifically for hacking and much more likely that you just click before you think some night at 3am after a crappy pug.
|
|
|
|
|