Saturday, 6 September 2008

Guild bank security - what if someone was hacked?

Recently we have had an account hacking incident in our guild. One of the Officers who had just left was hacked and their alt was able to clean out our "Last Chance" tab where all the vendor trash is stored. They also removed their maximum allowance from the "Free For All" tab, the Jewelcrafting and the Enchanting materials tabs. We also have an "Ask an Officer" tab where all the good stuff is stored, but only Officers can access that. Luckily we didn't lose too much and it wasn't worth a lot anyway.

However, some of our Officers have up to 7 alts, all with Officer access to the guild bank, access which lets them withdraw up to 7 stacks of items from each tab. If they were hacked, well, they could grab a lot of goodies from the guild bank. So something had to be changed.

After some head scratching, AblazeTheMage, our guild bank man and one of 4 GMs, came up with the following scheme:

  • All Officers have 1 character with Officer rank, their main. This rank has the same privileges as before, so this is what Officers use to withdraw items from the Ask-An-Officer tab for guildies.
  • All alts of Officers have the rank Officer-Alt, which can take only 1 stack from each tab, apart from the vendor trash tab, where they can take 10 stacks. The maximum damage which can be done now by a hacked Officer is 1 withdrawal from the Officer tab per alt.
  • All members have 1 character with Member rank, their main. Accesses are as before; they can take only from the enchanting, jewelcrafting and free-for-all tabs.
  • All alts of members have the rank Alt, which can take only 1 stack from the enchanting, jewelcrafting and free-for-all tabs. Again if a member was hacked, the number of items they could withdraw is limited.
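To see what the rank split changes for one hacked Officer account, the sketch below (an added example, not part of the original post) totals the stacks each tab could lose under the old and new layouts. The tab names and stack limits are the ones given above; the roster of one main plus seven alts, and the assumption that a hacked account exposes every character on it including the main, are assumptions of the example.

```python
# Added example: per-tab exposure when one Officer account is compromised.
# Stack limits are taken from the post; the roster size (main + 7 alts) and
# "every character on the account can be used" are assumptions.

TABS = ["Last Chance", "Free For All", "Jewelcrafting", "Enchanting", "Ask an Officer"]

# rank -> {tab: stacks that rank may withdraw}; a missing tab means no access.
RANKS = {
    "Officer": {tab: 7 for tab in TABS},
    # 1 stack from each tab, except 10 from the vendor trash tab.
    "Officer-Alt": {**{tab: 1 for tab in TABS}, "Last Chance": 10},
}

OLD_LAYOUT = ["Officer"] * 8                    # main and all 7 alts hold Officer rank
NEW_LAYOUT = ["Officer"] + ["Officer-Alt"] * 7  # only the main keeps Officer rank


def exposure(characters, ranks=RANKS):
    """Total stacks per tab that can be withdrawn using every listed character."""
    total = {tab: 0 for tab in TABS}
    for rank in characters:
        for tab, stacks in ranks[rank].items():
            total[tab] += stacks
    return total


def compare(before, after):
    """Per-tab (before, after, change) so any tab that got looser stands out."""
    b, a = exposure(before), exposure(after)
    return {tab: (b[tab], a[tab], a[tab] - b[tab]) for tab in TABS}


if __name__ == "__main__":
    for tab, (b, a, delta) in compare(OLD_LAYOUT, NEW_LAYOUT).items():
        note = "  <-- higher than before" if delta > 0 else ""
        print(f"{tab:15} {b:3} -> {a:3} stacks{note}")
```

With these inputs the Officer tab drops from 56 to 14 stacks per hacked account, while the vendor trash tab rises from 56 to 77 because of the 10-stack allowance on each alt.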

Hopefully this will protect us a little from hacked accounts. I've heard the WoW bank UI is a lot rubbish and it seems very odd that you cannot restrict withdrawals to a number of items, only stacks, because a stack of Large Prismatic Shards is fairly valuable.

So I urge anyone setting up a Guild Bank to consider not just what a trusted guild member could remove, but what they could do if their account was compromised.

1 comment:

Crashandburn said...

It's quite a cool system and in theory also helps with the situation where someone random whispers claiming to be the new alt of an officer and gets an invite and promotion. Once they have access it's but a moment to ninja the guild bank of everything they can get their hands on and /gquit before anyone's fully realized what's happened.

