d20radio.com

Having lost an ENTIRE guild bank in another game to a high ranking officer getting hacked, I can attest to the importance of security keys for Guilds. I would love the whole guild to have them (and be happy to help subsidize this effort). However, I know that some will not want them.

I could see making at least 2 or 3 ranks acceptable without a security key. I don't think we need to keep people at Initiate just because they don't have one. Given the limits on bank withdraws, I think it would be safe to allow the first two or three levels to not require them. Basically Initiate (with no bank access), the next basic member level with limited bank access (5 items I think right now) and the next level above that (10 items?). This would give non security key members a chance to advance and be recognized as NCOs basically. But if you want to advance higher, you must have a security key.

Just my thoughts on the matter.

Thanks,
Duncan

_________________
Gold 109 (ret.)
Leader of the Anti-Gungan Defamation League
SWTOR: Server Bergeren Colony
Hobbie - Jedi; Hesrat - Trooper; Deridre - Scoundrel
Vice Admiral Dallas of the 66th Fleet, STO
Captain Hetsh, Leader of the Gorn Resistance, STO
Got Gorn?

It may seem that way to you, but not everyone feels that way. Maybe you could tone it down a notch?



Are you putting that key fob in your laptop bag? May as well throw the security out the window - if they steal your laptop, they get the key fob as well. Also, not everyone has the latest and greatest smartphone...some of them are quite slow when several different programs are loaded into memory.



Which is nearly useless against someone with your password and any knowledge of social engineering - ask Kevin Mitnick. Most of the questions can be answered by a stranger who knows how to research...and heaven forbid you have a Facebook account (should we forbid those, too?). The questions BioWare offers are things like your favorite author, and where you had your honeymoon...not hard to figure out unless you do the smart thing and LIE with your answers.

The best defense against someone getting access to your account isn't a security key. It's a combination of hiding information, giving false information, and choosing answers for passwords and security questions that people aren't going to be able to guess. If you had your honeymoon in Vegas, but you put Alaska as your answer, it's going to be hard for others to figure that out. Likewise, if you choose a strong password ('abcd1234' or your birthday are right out) with a combination of numbers, letters, upper and lowercase, and as many characters as they allow in the field, it's hard to figure out. If you also make sure that people aren't watching you type in that password, and avoid using a acquaintance's computer that might have logging software, it's very, VERY unlikely you will have your account stolen.



Here's where we get to the meat of the issue. I've already mentioned that BioWare has given a LOT of controls to protect the bank from being looted. There are credit limits, as well as item limits which can be separated by tab. Put simply, the guild is not at risk for a catastrophic loss if those controls are used. Heck, I'm willing to offer to give the guild the first 100,000 credits lost by any theft caused by hacking. That's one hour of my time with a level 50...not a big deal.

Should that offer not be sufficient, and people without security keys are kicked out of leadership positions...well, that doesn't affect me on the Republic side of things. Where it would cause a problem is with the Exiled Lords. I've been given a leadership position in order to allow me to invite alts of the Heroes of the Expanse, and the same courtesy has been extended to DarthGM for my guild. If I am excluded from leadership simply because of the remote possibility my character could take items out of a bank tab that no one bothered to secure, then I would choose to leave the guild entirely. We're here to have fun, and putting more effort into locking down a $15/month investment than what Visa does with my credit card is not something I want to bother with. Feel free to offer suggestions on how the credit card companies can do more...



To assume I am "putting people at risk" just for not choosing to use an extra, optional security measure is the height of arrogance. It is not required by BioWare, and to my knowledge hasn't been required by any other major MMO. Furthermore, it hasn't even been an option in most MMOs.

That said, I don't mind having restricted access to the bank - it didn't exist when I joined the Exiled Lords, so I'm not really losing anything. What I mind is being told that my participation in the guild is limited because I don't use an optional feature. Use the carrot, not the stick.

For those who can't find it, you don't have to pay an exorbitant amount on shipping it from the UK store. They're $4 with $2.50 shipping through the US store here: http://store.origin.com/store/ea/en_US/ ... 0/sac.true

No security is 100% perfect, but that doesn't mean you shouldn't make the effort to protect your valuables simply because of that fact. Yes, I know who Kevin Mitnick is too; I’ve read The Art of Deception more than once. I've even seen The Takedown one time. I deal with IT security every day. The fact that those circumstances exist does not make them the norm. If you are specifically targeted by a person who knows what they’re doing and is hell-bent on accessing your account (which are the scenarios you’re describing), there’s not a whole lot you can do to stop them, but that doesn’t mean you shouldn’t try. For your garden-variety hacks, however, the security key adds an extra layer of protection to an account. A layer that, when detected by most hackers, is sufficient to cause most of them to stop trying to intrude on your account and move onto an easier mark who doesn’t have a security key implemented. Even Mitnick cased his targets and picked the weakest link before he acted.


Again, that is extremist reasoning. Reductio ad absurdum. The chances of your account being hacked outright by a complete stranger are significantly higher than a complete stranger stealing your laptop bag, going through the effort of discovering your username and password, and then accessing your account. Even if they hacked your Facebook account and the security questions became the chink in the armor (which you don’t keep the same password for every account you have, right?), that doesn’t give them your username and password for TOR, nor does it give them the credit card number on the account – things customer service would ask for when resetting the security key on the account. That is why you have multiple layers of security in any system. Individually, they are strong, but together, they form something even stronger.

The best security is when you know something (a password), have something (a physical key), and are something (biometrics). My WoW account got hacked 4 times in 2 years even when I changed my password monthly with good “strong” passwords, and no, there weren’t any virii or malware on my machine(s). It’s just after a while, hackers discover ways to intrude on the standard security process (nothing on the internet is truly secure, after all), and they exploit the holes faster than Blizzard can patch them. I got a digital security key on my Blizzard account and it's been almost 3 years since I've been hacked (though one attempt was discovered and failed both miserably and comically). That’s all the proof I need to know security keys are an effective deterrent to most hackers. So yes, without the security key, you are at a higher level of risk of your account (and therefore the guild bank) being compromised unless extra measure are taken (i.e. limiting guild bank access).

It doesn’t really matter a whole lot right now because the contents of the guild bank could be replenished fairly easily should something happen, but do we really want to wait until after we suffer a breach to implement the security? Just because it wasn’t an option in a lot of previous MMOs isn’t a valid point to argue that they’re unnecessary. Hackers get smarter and more resourceful, technology improves, and with it, so must the security.

Contrary to popular belief, a password with numbers, letters, and special characters is NOT the best way to create a password (http://xkcd.com/936/ for a funny yet informative explanation).

What latest and greatest are you talking about? My smartphone is over four years old and it takes me literally seconds to access the security key app no matter what I’m doing on my phone.

TOR is just a game, but that in no way means I don’t value the time I spend playing it, nor does it devalue the time my guildmates spend playing it. If valuing the time and effort spent by all of the members of the guild as a group more than my own is arrogance, well then I guess I’m arrogant.

_________________

Ryan "Tron" Brooks
Fandom Comics: Home to the Clone Wars Saga Edition Fan Sourcebook, perfect fan supplement to The Clone Wars Campaign Guide

I'm all for the security key requirement at any and all levels. I understand that there is a minor fiscal inconvinence for some but it is a faction of what we have all shelled out for the game already.

_________________
Frobi-Wan Kenobi

"That's no moon. It's a Space Station." - Obi-Wan Kenobi, Jedi Knight and General in the Grand Army of the Republic

I've tried to get back to this post for 4 days, but with the thread rehashing the same topics and lots of other things going on in my life, I honestly haven't had the interest. So, I'll give the bottom line - if a guild I'm in imposes a security key lockout of ALL leadership positions, I'll leave that guild. I've stated repeatedly that there are more than enough controls to limit guild liability, and the earning potential of a level 50 is such that you can give reasonable limits on credit and item access without a hacked account bankrupting the guild.

Anstrona, I understand that being hacked multiple times has made you very wary about it happening again, even indirectly. But I think you're taking it too far, and I don't think I want to be involved with a guild that takes it to the level that you want. Fiddleback and the other leaders make the call for the Order of 66, while Perrian makes the call for the Exiled Lords. We'll see what happens.

I'm all for the security key. I too have seen the problems with guildies being hacked. I enabled the security key on my cell phone immediately after access began. Yes, it takes me a half second more to login than Gunn, but really you'll always see us pop in within seconds of each other. The fobs can be put on a key chain.

For those that don't want to do it, don't. If you need something in the Guild Bank, you can contact a member who does have a key fob and have them access the bank for you. We want to protect Guild assets. I'm sure as helpful as the Guild is, we can make arrangements for those who live in foreign countries or don't want to lock down the account. So, aren't forced to buy a fob. The Bank is safe and everyone is happy. Yes, yes, this is an added aggravation, but its the best for everyone.

_________________
-------


Fear is the path to the dark side. Fear leads to anger, anger leads to hate, hate leads to suffering, suffering leads to succotash.

You're going to have to clarify what you mean by "ALL leadership positions". I feel more than comfortable saying that any ranks that have almost limitless access to the bank will have a key requirement, but we want to know what kind of threshold members of the guild feels acceptable.



That's true right now. Say, however, that down the road they say that guild capital ships are coming, and they're going to be expensive. Like a couple hundred million credits expensive for the larger ones. We've been saving up for a while, and that's cleared out by someone getting hacked. That's not something you can just do some dailies to get back. There's also no guarantees that Bioware will restore anything lost from the guild bank by just putting in a CS ticket either. Guilds have fallen apart over incidents like this.

I don't think we're worrying about hacked accounts being able to pull out 100k credits a week. But clearing out tens of millions of credits or full stacks of Corusca Gems or Advanced Neural Augmentors is an entirely different matter. This is why I stated previously that this conversation is tied directly into the Guild Bank discussion. What levels are acceptable here?

Keep in mind: The developers have tied in the key requirement to rank, and if we set the key requirements at the Master's Council level, the game AUTOMATICALLY demotes any people on that level to the next highest level that doesn't require a key.

_________________
"Keep your friends close and your enemies closer. That way you don't kill your friends with area of effect powers." --thirstywizard

A base level of leadership, to me, is where where the person is given sufficient responsibility to invite members and take charge of minor functions. For example, Gisben might be a low-level leader because he regularly assembles a guild-related ops group.


Well, I've stated 100k a week is acceptable. Really, I don't see a need for anyone other than the guild leader to be able to tap more than 100k from the bank in the course of a week. You want to grow the guild bank, and taking money out for anything besides upgrades to the vault (or capital ships) is counterproductive. You need a million credit loan from the guild? Then it's time to talk to the boss.

Items are a trickier issue, but I would divy it up by what can be easily replaced. For example, an orange headband with an augment slot may sell on the GTN for 150k (I've sold a few with my alt) but only require a little time and a few low-level components to craft. In such a case, I don't see a need to restrict access on such items to the highest levels of the guild. On the other hand, a stack of 99 Corusca Gems is both high-value AND takes a long time to replace, so that should be restricted. If you have six tabs, set 2 or 3 for open access, and restrict the rest, dividing up items based on the above criteria.


Does Master's Council include ALL Order of 66 (or Exiled Lords) leadership, or are there those who are delegated to run events and/or have invite privileges who aren't on the council?

I don't think they are planning on imposing this on every single "leader" but that's a vague term. There should only ever be 4-5 on the Master's Council. On the Guild I ran for WoW we had 1 General (Fiddleback is the equiv) and 4 Colonels (the Masters Council) and down from there. Only the General and Colonels had access to the 5th tab on our bank and access decreased from there. New initiates could only access the first tab.

I don't like that idea because it restricts highly active players who don't want leadership positions from the tabs where they might need things or contribute. I'd rather have access to those tabs restricted by security key.

A guild is more than one person and the rules must benefit the most people. Protecting our assets are important. Fiddleback is running this like a democracy and in any democracy, there is dissent. You are free to leave or stay as you like. But, one voice cannot be the deciding factor on something this important. It seems the majority of the people responding here are for the security key.

But, why not put up a poll and see what kind of response we get. If this is the type of forum that most people use, then we should be able to restrict the poll to ensure that logins can only vote once. If the majority rules one way, we'll accept that.

_________________
-------


Fear is the path to the dark side. Fear leads to anger, anger leads to hate, hate leads to suffering, suffering leads to succotash.

This is a case where I feel the extra options BioWare's given us are just more confusing than helpful.

Authenticators are useful to secure characters' resources and protect the assets in a Guild Bank.

I'd like to see anyone who's meant to have full access to the Guild Bank have an authenticator.

I'd like to see that every rank and file member (Revanchist) who has access to the most valuable resources in the Guild Bank have an authenticator.

If Revanchists and lower-ranked members aren't going to have full access to the Guild Bank because of their rank restrictions, then I still can't see a need to require them to have authenticators.

In short:

Access to most valuable stuff = Authenticator.
Otherwise, no Authenticator required.

I can probably suppose whatever is the easiest way to make that happen.

_________________

I think the issue is that the restrictions on the bank are keyed to your rank, and your security requirement is also keyed to your rank. From what I understand, there isn't a security key requirement to access tab of guild bank?

The item limit for access levels does offer some protection, and therefore I don't see the need to have a security at Revanchist and below (10 items per week?), but as soon as wer're talking 20, 30 items? What then?

And it's all well and good saying keep the most valuable items out of access for most people, but does anyone really want the role of bank teller, getting emails from the rank and file wanting 3 or 4 or some high value crafting item? The point of the item limit is so that people can help themselves to a limited amount of those items so they need to be accessible all the time.

I can't say I fully understand internet security, but I try to make sure all my passwords are unique, I don't actually put too much personal information anywhere it doesn't need to be and I use the security key because it's there, so why not?

Finally, for those out of reach of "affordable" keys, can't they be purchased in the US and mailed? I don't see anything stopping them working, and people can pay for them via paypal.

_________________
Captain J'aan Erron out.

If it helps anyone I am happy to send the key fobs via untracked mail, and therefore not guaranteed, to countries in the EU for no more than £10, including the £4.00 it would cost me to get them for you.

I will send details of the cost first to prove I am not making any money on this and if happy send money via paypal.

Check the royal mail website.

I am in the UK and got mine direct from swtor in Jan for approx $10

I am Roger Hall on google+

_________________

Is there a deadline on this discussion? I've considered donating to the Exiled Lords guild bank fund, but have been holding off until a decision is made on this issue.

Officers are planning to make a decision this weekend (5/5).

_________________
Listen to me play on the Real Gamers podcast
http://realgamerspodcast.blogspot.com/

Decision made -

The ranks of Initiate and Revanchist do not require security key access. In order to limit guild bank liability, withdrawal privileges have been slightly reduced for Revanchists. Initiates continue to have no withdrawal privileges.

All higher ranks require security key access.

Thanks,
Kat

_________________
Listen to me play on the Real Gamers podcast
http://realgamerspodcast.blogspot.com/