Friday, June 24, 2011

Granting Permission Debit? Know Some Facts

No matter which life we live, scammers and other people wanting to take our money are out there.

In Second Life®, the ways to have money extracted from our account are:

  • We buy something when an object is set for sale (it's okay, we all are aware of when we buy something)
  • We pay money to another avatar (something from what we're also aware of)
  • We pay money to an object scripted to receive money (we're aware for this too, since nobody forces us to click "Pay..." and then hit the quantity)
  • We buy through Marketplace (still... we're aware of this, aren't we? ;-) )
  • Group liabilities (which we should check for the groups we join)
  • An object takes money from our account. Ruh-roh. This one sounds like "and how can this happen?"

For the latter happening, we have to complete the following steps:

  • Rez that object inworld
  • Grant debit permission from the BIG yellow popup with a scary warning

Since granting access to our money is serious business, this popup is much more noticeable than the usual granting animation permission in a club. We will see it.

So until we complete the two steps (rez inworld, THEN gran debit permission), an object can't take money from our account. In this sense, we're relatively safe: just by accepting an object an stranger sends us, the object WON'T take money from our accounts. No while in inventory. It has to be rezzed, and the big yellow popup, granted the permissions.

Still, it's a good idea to delete an object mistakenly accepted from a total stranger the moment we've accepted it, for a reason: we forget things.

We can forget we accepted the object.

We can be cleaning inventory and find it.

The object might have an innocent name, like "Official Linden Labs Balance Checker (rez to check)". We're curious and rez it. Big yellow pop up appears and we accept: we're busted.

Ok, here's a fact: no Linden Labs employee will ever give you an object to check your balance. Even more, this feature is built in in your viewer. How to access it? Well, if you don't have your advanced menu open, do it now (CTRL ALT D), and then you can click CTRL ALT B to get your balance reloaded, or follow the menu "Advanced: UI: Reload L$ balance". There you have it: balance updated.

What could happen, then, if we rez this object with an innocent name as "Official Linden Labs Balance Checker (rez to check)"?

The object could tell us in chat a reassuring thing like "This device will check if you have your L$ balance updated. Please grant permissions to check it. The device will get self-deleted as soon as you're informed."

And what could an evil scripter make the script do once we've GRANTED debit permissions?

Begin saying in chat something like "Your balance is correct. Deleting the object, thank you!"

A reassuring message. And the object vanishes. We can breath, it's all okay!

Is it?

Want to know what an evil scripter could have done?

The object, totally transparent.

Resized to minimum size allowed in SL.

Moved it to another position in the sim, 200 meters far from you in a random direction.

Changed its name to "Phoenix Client Bridge" or simply "Object".

And take 1 L$ from your account each 2 minutes.

And now go find the object.

But still, if we're online we'd notice that something's happening with our money.

An even more evil scripter would add sauce, and instead of taking money on a timer basis, would make the script wait for us to be offline and THEN take 1 L$ each second. Or 100 L$ each second. If we're offline, we'd only realize once we're back... and our account is drained.

And an even more evil scripter could make the object to scan from avatars and run away from you anytime you're 96 meters close to it. So what a trip, to find it!

The only information we can obtain is, in our transaction history (log in the SL website, then go to Account: Transaction History):

  • When
  • The region name
  • Who's been receiving the money.

But it doesn't say where exactly. And if we complain to Linden Labs, if they reply back something, it will be "did you grant permissions?"

TIP: Requesting granting permissions requires from a script existing within the object. You can try to help yourself by using "View: Beacons" and click for "Scripted Objects".

All this is very important to know because commission vendors will also request us for debit permission, so they can pay the percentage back. There are also tip jars that will need from debit permission since they split payment between the employer and the employee. So check always that the object comes from a trusted source!

So, moral is: objects can't take money from our accounts until rezzed and debit permission granted, correct. It's OUR responsibility, then, to know the facts, and be sure when we say "GRANT". If we don't remember where the object comes from, DON'T GRANT. Even more: DELETE it. And remember that no Linden Labs employee will ever trick you to take money from you. Know your tools and check the sources for the objects you grant debit permissions!

That was it. Stay safe :-)

PS: This article has also been published in the builders community website Primbusters.

1 comment:

  1. Thank you so much for this, it's very helpful and informative :D