Hacked and robbed blind, one guild's cautionary tale

A little over a week ago our Guild bank was robbed. It was cleaned out -- so empty I could almost imagine the sound of flies buzzing about -- well, okay, it wasn't that empty. On the third tab, the robber was kind enough to leave us ten stacks of Roasted Clefthooves. At first it struck me as odd because we had fixed our Guild permissions somewhat after our GM left the game to take a shot at a relationship and play with his Nintendo Wii. In what order exactly, I can't be sure. He passed the mantle off to one officer who passed it to another officer who later passed it on to me. So for a while, I was GM of a Guild that wasn't quite doing anything but waiting on people to come back to the game. So imagine my shock (more like anesthetized indifference, to be honest) when I was going to deposit items into the Guild bank only to find that it had nothing. Well, nothing but those clefthooves.
The most frightening thing about the whole affair wasn't the fact that we were robbed, but that we could've been betrayed by one of our own. Because the officers were in charge of cleaning and arranging the bank items, they pretty much had unlimited withdrawal capabilities. This turned out to be a mistake. Set your permissions very carefully so that users are unable to withdraw more than a few stacks at a time. One of our officers' characters was the culprit, and checking the Guild Bank log only showed the mysterious 'Unknown' to be the robber, indicating that the thief must've transferred the guilty toon off the server.

The troubling thing was that this person was our friend. The officer and I had gone way back when Molten Core was still fashionable, and I couldn't bring myself to believe that the person who would ask me how my three-month-old daughter was every time I logged on could do such a dastardly thing. So I needed to know. Reading the Help section, I found that restoration of items stolen from the bank is beyond a GM's capability. In short, you give permission to a person, then that person cannot be reprimanded or punished for taking what he has been allowed to take. Understanding this, all I really wanted to know was who did it. I wanted to be sure. I wanted, more than the restoration of items, to know who it was that could do something like that. The GM's answer: sorry, we can't tell you. Wasn't I well within my rights to know who the person was? As the GM of the Guild that was just robbed blind, didn't I deserve to know who 'Unknown' was? Well, according to Blizzard, no.

No question, the hacker must've made a hefty profit from selling all the materials in our bank. A profit good enough to sell for a few hundred dollars, to be sure. This is why people simply must stop patronizing power levelers and gold selling outfits. The gold they sell, aside from being against the EULA that players agreed to before entering the game world, is often obtained through duplicitous means. We were fortunate in the sense that it was a hacker who had done us in. I can imagine the horror if it were simply one of your trusted colleagues who decided to make a sweet profit -- with no repercussions.
A word of caution to all Guilds with a Guild Bank... remember to set your permissions carefully. If there's anyone in charge of rearranging the items in the bank, allow only that person access to do it. Even then, allow that person access for limited periods of time or limited stacks. If the person decides to take all your items, Blizzard believes that if the Guild agreed to give them permission to withdraw, there's pretty much nothing they can do about it. For all of Blizzard's hard-line stance against gold sellers and their methods, they don't punish asshats. Needless to say, be wary of keyloggers, always protect yourself. Of course, as much as you can restrict permissions with your members, there's nothing you can do if the Guild Master himself gets hacked. It makes me doubly glad that I play on a Mac.

Reader Comments (Page 1 of 4)
JPN Feb 29th 2008 12:41PM
You know it'll be a good column when it starts, "our guild had been going downhill for a while now."
I think this is a good point as far as, protect your stuff. I don't expect Blizzard to be able to DO anything about it, and I'd rather they not, as they have enough to worry about without mediating who took whose Void Spheres and he-said-she-said bull shit.
I would hope that if it were a hacker, they could maybe replace the stuff, however.
anonymoose Feb 29th 2008 2:26PM
I have to confess I'm very surprised at the response you received from the GM--I would consider trying again. If the officer in question was *hacked*, along with their character restoration should come the restoration of your guild bank.
One guild I was in was hit by this 2 times, a member or officer getting hacked and decimating a guild bank--each time the items in the guild bank were restored.
Kadathwack Feb 29th 2008 12:44PM
My guild actually had our bank robbed recently as well. Someone got in posing as an officer, and made off with a healthy pile of gems, crafting patterns, and lots of materials. Still not positive who it was.
We did eventually get some of it back, and I understand the thief got himself banned over the whole thing. Sometimes you really just have to be persistent, and then patient, with the GMs.
niko Feb 29th 2008 12:44PM
Umm, I play on a Mac, too... but I wouldn't be so sure about that feeling of security JUST BECAUSE YOU'RE ON A MAC. Wake up, this is a FALSE SENSE of SECURITY.
I think it's very much within the realm of possibility to get your account hacked while being on a mac.
While I'm with you on the agony (if I got hacked, I'm sure I'd be done with this game once and for all), I have to caution you to not be so liberal with your spreading of the dogma that macs are all you really need to be hacker-proof for WoW.
It's simply not true.
Chad Feb 29th 2008 1:12PM
It is not a false sense of security. OS X is inherently more secure than Windows, and it has nothing to do with market share. OS8/9 had a smaller market share than OS X does now and there were several hacks and viruses affecting that OS version.
When it comes to keyloggers, you are currently 100% safe on a Mac. There are none for OS X.
If someone gets your info from phishing (much like the PayPal phishing story going around), then it comes down to common sense or lack thereof. If your account is hacked, it isn't because you are on a Mac. You could have been on Linux or Windows and the same thing would have happened.
peaglemancer Feb 29th 2008 1:33PM
@Chad
To quote a Blizzard response to this claim: "I would have to disagree on this. There are keyloggers for OS X it's just that they require you to enter an admin password to be installed on the system. There are however no known keylogger trojans."
Joshua Ochs Feb 29th 2008 1:34PM
No one says they *can't* exist, it's just that they *don't* exist. Simply put, there is no malware on OS X. No keyloggers, no viruses, no worms, no trojans.
Even if such a program was written, the user would have to allow it to run, give it their password, wonder why whatever it is *needs* their password, etc. It would be a whole hell of a lot of social engineering to do it, and thus far, no one has done it. Plain and simple. Let me reiterate - NONE.
The permissions system on OS X is also much more secure by design and default than XP, and much better implemented than Vista. It's nearly impossible to use Vista with UAC and WoW, especially if you want to use add-ons. Never mind the constant and numbing "this program wants to do this, click proceed" (yeah, yeah, click, click, whatever).
Find me a *single* story of a WoW account getting hacked on a Mac where the person did not give out their credentials. Good luck with that.
Raaj Feb 29th 2008 1:46PM
In before the great Mac vs. PC debate...
However, I'm not taking sides (especially since I've never used a Mac for great lengths of time), but thinking that you're completely safe on ANY computer is a bit naive, in my humble opinion. Don't think that because you're on a Mac (or Linux for that matter) that nobody can get to you. Just because it hasn't happened yet doesn't mean that it won't in the future.
brittwilson Feb 29th 2008 1:51PM
The whole "Macs are immune" thing is so much BS. Yes I understand that the OS has a better security system. Awesome. But not only can good security not stop idiots from downloading and installing viruses, the only real reason that Macs have stayed remotely safe is the lower user base. If Mac and Windows switched places, this argument would be going the other way. If you are going to write a malicious program, you are going to do it in a manner that hits the most amount of people, and that means Windows.
Take the iPhone for example. That's an Apple product, running a version of their "secure" OS, yet as soon as it came out, people were making viruses for it, because they knew everyone would get one.
All it takes is a large user base and you are in trouble.
William Feb 29th 2008 3:03PM
I use a Mac and I've had no problems with hackers, key-loggers, pop-ups, viruses, email-spam, weight-gain, headaches, itchy kneecaps or anything.
Well most of that is accurate... occasionally my kneecaps itch.
Point is, I've had no problems with my iMac. Nothing malfunctions ever. My PC at the office is breaking down weekly. Since I use both I'm going to offer my humble advice to anyone who wants to avoid viruses. Get a Mac.
There, that's my two-cents. Tear me apart.
Calaana Feb 29th 2008 5:14PM
The reason people think they are so safe is because of the number of people that use macs. It's so low it's not worth the effort to write the programs. The more and more people that claim to be immune, the more and more people swap to macs and the more and more attractive they become to exploiters... gotta love the cycle.
AlmtyBob Feb 29th 2008 7:34PM
Love your Mac? Let me sell you a car. It's absolutely beautiful, will never get stolen and won't break down. Problem is there's no space for an engine or wheels. It does however have a radio, but it only gets AM. Oh and it's slightly better for visual designers (ok the metaphor falls apart there).
Bottom line: Firefox + NoScript, never ever ever let anyone else ever log onto your account at any time for any reason and never log onto your account on a machine that isn't yours no matter how much you trust the owner. Also, don't be a gold-buying, power-leveling asshat.
Ironhide Feb 29th 2008 12:50PM
The answer isn't in putting stronger permissions on your guild bank, and it's not really in stopping gold sales.
The answer is Blizzard making the login to WoW more secure and harder to get hacked. Simply having the login name and password should not be enough. They need to look at adding something else to the login mechanism to make it multi factor.
Couple with adding several other factors to the login a default deny policy on logins from other systems. I.e., if your login name and password get hacked, and someone tries to login to your account from a system other than the one(s) you've authorised, the account gets locked.
Not the full answer though, they DO need to address the gold selling. That is almost impossible to stop though. If hacking an account becomes a lot harder to do it will stop being the easiest method to "farm" gold for these companies. As it stands now a simple keylogger on a site can potentially liberate hundreds if not thousands of accounts and make the gold farmers a considerable amount of gold.
More security on the forums would be a good option too, it's far too easy for a hacked account to post keylogger links and hack many other accounts.
JPN Feb 29th 2008 1:05PM
This is a good point. A very good point, really.
I wish they'd offer an easy program where you could buy (depending on cost, I'm not going to look it up) one of those biometric security things for your computer. Probably the fingerprint ones. I'd use it if it was necessary for my login. I only play on one computer. It would need to be Blizzard-side, not a local setting, to be effective. But yeah I might pay a little bit to buy into something like that, not more a month...of course you could make the argument that THEY need to make it more secure. Hell, even those little $5 or $10 keychain things you can buy from PayPal with the 6-digit code that changes every minute that's required to login would be AWESOME. I really fear getting hacked and losing everything; I think I would probably quit instead of starting over.
kevan Feb 29th 2008 12:51PM
The GM is the only person in my guild that can change/withdraw items from the bank. I'm baffled why many other guilds are not like this. If you leave it open, they will come.
Johan Feb 29th 2008 1:05PM
Quoted for truth. Why the hell do you let officers have withdraw privileges? All I see is that you got exactly what you set yourself up for. Stop the QQ, learn and live.
jrodman Feb 29th 2008 5:18PM
Because it's useful to have people be able to exchange items via the bank? I mean, the bank is there to be useful and if it's well protected but not useful, you still lose.
Obviously control and trust must be balanced. I'm in a full-trust guild where everyone can withdraw anything from any tab. We're all real life personal friends. No one comes into the guild who isn't. Sure, one of them can choose to rob the guild blind but, it's just not going to happen. Even if they wanted to, they'd jeopardize their real life friendship.
I'm also in a raiding guild that does some soft recruiting - pulling in people from pugs. In that guild I have no withdraw privileges and can only see what's in some tabs. Makes sense to me.
Alchemistmerlin Feb 29th 2008 12:58PM
"It makes me doubly glad that I play on a Mac."
I'm really tempted to pay a team of gold farmers to make more mac viruses and keyloggers just so this smug BS stops.
Frank Feb 29th 2008 1:04PM
right -- because *that* would help matters.
Chad Feb 29th 2008 1:16PM
'I'm really tempted to pay a team of gold farmers to make more mac viruses and keyloggers'
More than zero, you mean?
Smug, maybe, but there is no BS about it.