As you will have noticed, there’s a widespread account hacking activity going on at the moment, and many people, me included, aren’t exactly happy about the customer service options currently provided by Blizzard.
However, to be perfectly clear about one thing, keeping your PC secure isn’t anybody but your own business. And as this story from BRK’s guild shows, when you’re an officer and have guild bank access, you are a particularly fat goose to pluck and just changing the account password without cleaning up your computer first leaves the door wide open for an account thief to get back and start over.
We aren’t computer security experts, though, and some of the things may appear daunting and complex. Further, there’s little to no way to stop a really determined cracker to get in. There are however a couple of measures to take to ensure the casual fishing expeditions will come out empty, and they are tied both to tools and behaviour.
So without further ado, here are a couple of recommendations to tighten up your (windows-based, sorry Mac and Linux users) PC:
1. Get a decent personal Firewall. The default Microsoft one is pretty much worthless. If you don’t know where to start, I recommend either ZoneAlarm or Comodo Personal Firewall, which are both free for private use. Or just check out various tests and reviews and pick what gets the best mix of useability and security. If you’re reading independent test reviews, make sure to also check out feedback they got by various firewall producers, and you’ll probably do best to stay clear off these where the manufacturer blames the testing methodology.
2. Get an antivirus software. This should actually be as natural as protecting yourself during a certain type of real world encounters, but if you actually have no antivirus installed, go and get the free AVG antivirus from Grisoft. Install it, update it, then run a full scan
3. If you haven’t done so already, switch away from Internet Explorer, and use for instance Firefox. If you pick that one, also get the NoScript addon.
4. Get a spybot / adware cleaner, and run that one too. I’m personally partial to Ad-Aware but there’s plenty of decent ones out there too.
You should have a pretty much clean slate at this stage. Regarding the firewall, make sure that you set it so that it asks you before authorizing an application to reach the internet, and be wise about what you let go out. If you’re not sharing a printer between several computers, for instance, the Microsoft Spooler doesn’t need internet access. The default windows Explorer (not the browser)? Why does this even want to access the internet? Use caution. If something with a strange name requests access to the net, google for it before deciding.
5. Now we switch to user behaviour. Keyloggers are the most widespread tool used to gain control of your account. Now if you don’t type in your username when you log onto WoW, the only thing a hacker can get is your password. So remember to check the option to have the logon screen remember your username from now on.
6. If you are more than one player to access WoW on the same box, the best option to keep your accounts separate is to first have each of you using a separate windows user account, and second, to actually create multiple WoW installation folders. Yes, it’s a disk space hog, but that’s the safest way to ensure that if the worst came to worst, only one account is actually compromised
7. The simplest way a cracker will try to get you to download a keylogger or other malware is through AddOns. Here you should be extremely cautious in what you get from where. Always run a virus check on any package you downloaded before you install it. Don’t hesitate to scan the content of an addon folder either – normally the legit files will be limited to .lua, .toc, .xml and some graphical files. Anything else may be fishy. Learn to know who maintains your most popular addons, read the comments from other users off the addon download site, and fundamentally distrust a new major version popping up out of the blue from someone who you never heard of. Read the patch and release notes, if you’ve been using Titan Panel 2.x for a year and suddenly Titan 3 gets released by someone other than the previous maintainer, there should be enough changes in there that there’s actually a difference. If you want to go further, open the new package and compare the different .lua files to the previous one, if basically only the .toc got changed but the main addonname.lua file is the same size, something might be fishy.
In general, err on the side of paranoia.
Now if you have been hacked, once your account has been locked, before you do anything else, do the following:
- Get a Linux Live CD image and burn it to a CD. Yes, I know, you’re on windows and that’s complicated stuff. Just do it, for instance Knoppix does the trick
- Boot from the Live CD, locate the browser (it’s called Konqueror on Knoppix for instance)
- Do all your WoW account administration from here, in particular the password changes
- Once you reboot, redo a full virus and spyware scan. If nothing has been found at all, consider your PC still compromised. Reinstalling the OS may be painful but your fastest option
- Only when you are positive that your PC is clean can you return to the game.
Yes, it’s complicated, and it’s not funny, but get used to it or get used to be hacked (and distrusted with guild bank access). That’s, unfortunately, pretty much the price for safety.
Other basic security rules: make sure you get an unique and reasonably complicated password for WoW – if you use the same username and password than for everything else, your computer but potentially also your blog, your guild web site and your forums may get compromised. Did I say err on the side of paranoia?
For Guild Masters, make sure there’s a procedure in place allowing to remove guild bank access from a hacked member, even when you’re not around. If it’s a top officer nobody but you can demote in your absence, make it clear that you only promote people mature enough to /gquit once they return ingame, to get reinvited at a lower rank without bank access for a “security period” of two to four weeks.