Patch 5.3 interview with Ghostcrawler
Mystery of the Unborn Val'kyr
The latest patch 5.3 news
All of the latest Mists of Pandaria newsHacked and robbed blind, one guild's cautionary tale
by Zach Yonzon 
Feb 29th 2008 at 12:30PM
A little over a week ago our Guild bank was robbed. It was cleaned out -- so empty I could almost imagine the sound of flies buzzing about -- well, okay, it wasn't that empty. On the third tab, the robber was kind enough to leave us ten stacks of Roasted Clefthooves. At first it struck me as odd because we had fixed our Guild permissions somewhat after our GM left the game to take a shot at a relationship and play with his Nintendo Wii. In what order exactly, I can't be sure. He passed the mantle off to one officer who passed it to another officer who later passed it on to me. So for a while, I was GM of a Guild that wasn't quite doing anything but waiting on people to come back to the game. So imagine my shock (more like anesthetized indifference, to be honest) when I was going to deposit items into the Guild bank only to find that it had nothing. Well, nothing but those clefthooves.
The most frightening thing about the whole affair wasn't the fact that we were robbed, but that we could've been betrayed by one of our own. Because the officers were in charge of cleaning and arranging the bank items, they pretty much had unlimited withdrawal capabilities. This turned out to be a mistake. Set your permissions very carefully so that users are unable to withdraw more than a few stacks at a time. One of our officers' characters was the culprit, and checking the Guild Bank log only showed the mysterious 'Unknown' to be the robber indicating that the thief must've transferred the guilty toon off the server.
The troubling thing was that this person was our friend. The officer and I had gone way back when Molten Core was still fashionable, and I couldn't bring myself to believe that the person who would ask me how my three-month old daughter was every time I logged on could do such a dastardly thing. So I needed to know. Reading the Help section, I found that restoration of items stolen from the bank is beyond a GM's capability. In short, you give permission to a person, then that person cannot be reprimanded or punished for taking what he has been allowed to take. Understanding this, all I really wanted to know was who did it. I wanted to be sure. I wanted, more than the restoration of items, to know who it was that could do something like that. The GM's answer: sorry, we can't tell you. Wasn't I well within my rights to know who the person was? As the GM of the Guild that was just robbed blind, didn't I deserve to know who 'Unknown' was? Well, according to Blizzard, no.
No question, the hacker must've made a hefty profit from selling all the materials in our bank. A profit good enough to sell for a few hundred dollars, to be sure. This is why people simply must stop patronizing power levelers and gold selling outfits. The gold they sell, aside from being against the EULA that players agreed to before entering the game world, are often obtained through duplicitous means. We were fortunate in the sense that it was a hacker who had done us in. I can imagine the horror if it were simply one of your trusted colleagues who decided to make a sweet profit -- with no repercussions.
A word of caution to all Guilds with a Guild Bank... remember to set your permissions carefully. If there's anyone in charge of rearranging the items in the bank, allow only that person access to do it. Even then, allow that person access for limited periods of time or limited stacks. If the person decides to take all your items, Blizzard believes that if the Guild agreed to give them permission to withdraw, there's pretty much nothing they can do about it. For all of Blizzard's hard line stance against gold sellers and their methods, they don't punish asshats. Needless to say, be wary of keyloggers, always protect yourself. Of course, as much as you can restrict permissions with your members, there's nothing you can do if the Guild Master himself gets hacked. It makes me doubly glad that I play on a Mac.
Filed under: Analysis / Opinion, Guilds, Blizzard
Reader Comments (Page 3 of 4)
Badger Feb 29th 2008 1:51PM
Thanks for speaking up, Zach.
You're right, Macs are inherently more secure, but this is largely due to the fact that there is less to gain from hacking Apple computers, as they are purchased/used far less often than PCs.
However, that won't solve the problem some people have with a ridiculous urge to make themselves look or feel superior.
jrodman Feb 29th 2008 5:27PM
But a hacker doesn't have to compromise your macintosh, he just has to compromise wow. What if a hacker adds malicious code to an addon in the distribution channel? That will affect any wow user equally.
There are other possible vectors.
Yes you have some obscurity advantages, and in some ways windows is more ridiculous (administrator by default, usually), but don't bank on your security.
Harlequinné Feb 29th 2008 10:12PM
I think, and agree, that it's the false sense of security you're giving off with that statement. Sure, Macs might be 'safer', but that doesn't excuse the USER from refraining from basic precautions.
And UNIX-based systems are popular server solutions. Hack that...
Does anyone remember this by the way?
http://youtube.com/watch?v=rEvYETWVK6M
Janthras Feb 29th 2008 1:47PM
@Ironhide
Yes, I am aware of of "Zero-day" threats, and yes, I do realize that not all malware is detected by all AV companies. I do, however, know how to track down undetected files, exploits, security breaches, etc. Please do not assume I do not know what I'm talking about because you tested 5 AV scanners.
My point is not about AV companies and their capabilities (or lack thereof). I am simply pointing out the increasing number of these "mystery" hacks being reported, and suggesting that there may be another cause (one which I have yet to see be mentioned). That is, internally, Blizzard may be the culprit.
I'm not confirming it, I'm merely suggesting it.
Also, having an AV scanner is not the end all be all of computer security. I don't care what scanner you have, and how often you update it, if you open your network up to everything, you're going to have a problem.
Bearskunk Feb 29th 2008 2:26PM
common sense and you wont get hacked. all cases of someone getting their account compromised are based on a dumb person sitting at the keyboard.
Janthras Feb 29th 2008 2:58PM
Your naivety is amusing and also sad. You remind me of a politician who once said, "Either you're with us, or you're against us". The choice of black or white and nothing in between accomplishes nothing.
Copernicus Feb 29th 2008 2:31PM
Every other instance I know of a guild bank being cleared out and then transferring to another server has been dealt with by the GMs. You really should put in another ticket. The standard GM won't be able to deal with you, but the loot restorers can. The timeframe for returning stuff is one to four weeks.
Armath Mar 2nd 2008 1:13PM
General comments:
Macs are safer, or at least less unsecure, but no guarantee against hacking.
Limiting the number of people with unlimited bank access definitely reduces the potential liability if someone gets hacked. 5-10 items per tab should be plenty of access for any officer.
Blizzard should have no problem with revealing who "Unknown" is. If they transferred off the server or changed their name, they shouldn't be allowed to hide behind that, especially after cleaning out a guild bank.
Blizzard needs to improve their login security - they've been way too many instances of accounts being hacked lately. I suspect Blizzard actually is working on this, and are just being quiet about it.
There is no One True Way. Anyone who tells you otherwise is lacking in wisdom.
Falathar Feb 29th 2008 3:32PM
The reason there are no OSx keyloggers ect is simply because there are not enough of them in use to make it worht the time, there is no OS security out there that can not be bypassed by someone with time and talent.
The GM will restore you Guild bank if it was due to being hacked as this happend to our GM a few months back and we did finaly get it all back, it just took a while. As for gold farmers, the best way to get rid of them woudl be for Blizzard to just sell the gold them selfs. There will always be people willing to buy it, so there will always be someone willing to sell it. If Blizzard did it them self the would sell for so much less then any gold farmer because they would not need to farm the gold. They will never do this because of the control they like to have over the econemy..
Pax Feb 29th 2008 3:45PM
Does anybody else here doubt that the officer really got hacked? I mean come on, that's the oldest excuse in the book, right behind the "bro" excuse. ("Oh that wasn't me, my bro was playing.")
At best, the officer might have tried to sell (I say tried because you can't really do it - it's against the rules and is always recallable) their account. At worst, they were leaving the server and just didn't care.
Zali Feb 29th 2008 3:55PM
I personally believe that the GM's are members of a "family" that is lead by a "don" who is often called the "Godfather." They hide behind the legitimate title of "GM," but secretly run a criminal cabal that sells the drug of choice... WOW Gold. Ahhh what a buzz. I'm pretty sure that if you have the right connections, that for just 100G per week you can pay for "Hacker" protection for your account, which will guarantee that you will never get hacked.
I think that Lich King should offer another new profession... two of them actually. Lawyer and Insurance Salesman. That way you can insure your bank items, and your bag items from the insurance agent, and you can have your lawyer deal with Blizzard and the GM's instead of going through their incredibly unfriendly customer unservice departments. With the money they make, they should be able to afford a bloody 1-800 number for customer service that is manned 24/7. I can get someone at my bank 24/7 and they don't have 10 million customers.
I'd even spend an extra couple bucks each month for some sort of "gold" account or something, that will get me friggin service at 3:00 AM on a Sunday morning if that is when I happen to be playing. The kind of service that would get all the items in my bank restored within 24 hours if I ever get hacked.
One thing for sure, is that Blizzard is run by a bunch of socially inept computer geeks that wouldn't know how to talk to a human if you stuck them in a room full of them. How in the world can a commercial company actually have worse customer service that the Department of Motor Vehicles and the IRS on their busiest days of the year?
True story. A long time ago, when I was just a wee druid, feverishly leveling up my very first toon, I went to Stormwind to the park to get a little training. I had several skills to train that morning and had just enough money to pay for them all, with enough left over for a cup of coffee. Well, oddly one of the skills I trained on didn't show up in my spell book, although I got charged for it, something like 40 silver. Not a lot now, but when you are a young toon, every copper counts. So I opened up a ticket. I was told that they would research it and they would get back to me. All I wanted was my 40 silver back, or the skill. No biggie. So I waited. And waited. And waited. About two weeks later, after another ten or so levels and paying for all the new training except for this one skill that I refused to pay for twice, I finally gave in and paid for it a second time. I asked again and again for updates. "Unable to recreate the problem again. Still under investigation." Yadda yadda yadda.
It is now more than a year later. I'm a lvl 70 and have been for a very long time. I spend almost as much on five waters as I spent on that training, so 40 silver isn't going to make or break me... yet oddly, the ticket is still open and under investigation. I still can't get my 40 silver back, and they still haven't decided if I should even get it back at all. A YEAR LATER!!!
Now THAT is customer appreciation. Did I mention that it was 40 silver? Hardly an amount that will throw the delicate balance of their fake economy into disarray.
huangism Feb 29th 2008 4:51PM
o u been robbed in a game... dude it's just a game. one day u will have to quit and all of this would mean nothing but a good time wasting time. and please dont mention playing on a mac would help u not get hacked lol the only way people get hacked is if they have done something wrong without knowing which always goes back to the user. "o no i got a virus" "did you go to a porn site" "yes" "well you reap what you sew"
huangism Feb 29th 2008 4:54PM
and why o why do attach your personal feeling into this game. o we go way back to like the molten core! unless his your best friend or something that u see on a weekly or daily basis, you cant say we go way back
Todd Feb 29th 2008 5:09PM
Doesn't anyone use a router or do regular virus scans anymore?
and as far as your officer that got hacked? how did he get hacked and what was he downloading and looking at on the internet to get hacked?
As far as I'm concerned if someone gets hacked it's there own fault for not taking the correct security precautions to protect there computer, key loggers just wont take you wow info they will take everything from aim passwords to online banking passwords ect ...
I'm sorry his guild bank got robbed, but whoever this officer is it's his own fault for getting hacked, whether he was going to the wrong sites or downloading wrong material, in the end technically it's his own fault for turning a blind eye to computer security period.
theRaptor Mar 1st 2008 12:08AM
Routers stop hacking? *VIRUS* scanners pick up brand new spyware? Please don't use IT words like you understand them. A router with NAT is not a firewall, and even a firewall will let Javascript/ActiveX/Image exploits through unless specially configured.
Im behind a NAT, have a firewall, use Firefox (with most ads blocked) and don't accept HTML emails, have virus, spyware and rootkit scanners, and still I don't feel that safe (mainly because I see the hack attempts hitting my firewall). The average person does not know they need to live in a virtual fortified compound to avoid these issues, NOR SHOULD THEY HAVE TO. Default security should be good enough to avoid average break in's.
Trospar Feb 29th 2008 5:21PM
Ummm, this isn't a case of being hacked and it probably wasn't a case of one of your Officers cleaning out the bank. It's a bug in Blizzards guild bank system that has been around for quite some time. I think it's even been reported on wow insider before too.
The same thing that happened to you, happened to us recently. null user that was Guild Master but there hasn't been a Guild Master transfer fo power for over 8 months and the old Guild Master isnt't even in our guild anymore.
What happens is that you invite an 'alt' to the guild who was Guild Master in their own little guild. When they are invited they retain the Guild Master permissions from their previous guild even though they are labeled as a member in your guild. This allows them to take anything and everything they want. Then they change their name or transfer off the server with all your loot.
Blizzard knows of this bug and they should restore all your items. They did it for us without even blinking an eye.
MartinC Feb 29th 2008 5:32PM
Lesson learned: Don't group or guild with people who are too stupid to secure their own machines.
Oh, and btw, playing on a Mac IS NOT SAFE. If anything, based on statistics, you are *more* susceptible to being hacked.
Zach Feb 29th 2008 7:37PM
Based on statistics Macs are MORE susceptible? I'd appreciate a link. I'd like to read more about that.
Felwrathe Feb 29th 2008 6:05PM
GMs show up in Zeppelins?
Oldbear Feb 29th 2008 7:03PM
That's what I want to know... Forget the PC vs Mac crap, or keyloggers - I want to see a GM fly in like that or even just do some other crazy thing...