Monday, October 6. 2008
Warhammer Online has declared war on gold spammers (and gold farming in general). It appears they are providing statistics and real-time reporting of bans - which should be useful for business analysts, security folks, and gold farmers.
Free accounts and broadcast communications are the main tools of gold spammers. Given Nick Yee's statistics that say around 20+ percent of game players buy gold, you don't have to get many messages out before the gold spammer account pays for the time and effort to create it.
Previously, I wrote about phasing the distribution of broadcast messages to minimize the effectiveness and disruption from a gold spammer.
Perhaps, one needs to take this further. What are broadcast messages used for? Can they be eliminated? Are there other groups that could be set up for broadcasting that would service legitimate needs, but hurt, or at least not help, gold spammers?
- Get rid of generic broadcast messages - Group all broadcast messages into specific categories so that they can be routed appropriately.
- Asking for help - If people are asking for help with a broadcast message, then perhaps a Mentor channel could be set up instead.
- Grouping - If someone wants to form a group, make the message structured, not generic: Group w/ [Your Name Here] levels [number range here] to do [whatever]. The message would then not even need to be sent to people who are not relevant AND it would be sufficiently structured to reduce the effective bandwidth for the spammer.
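A sketch of the structured grouping message, added here as an illustration and not taken from any game's code. The activity menu, the level cap, the maximum range width and all function names are assumptions made for the example.

```python
from __future__ import annotations
from dataclasses import dataclass

ACTIVITIES = {"public quest", "scenario", "dungeon", "open rvr"}  # assumed fixed menu
MAX_LEVEL = 40   # assumed level cap
MAX_SPAN = 10    # assumed widest level range one request may cover


@dataclass(frozen=True)
class Player:
    name: str
    level: int


@dataclass(frozen=True)
class GroupRequest:
    leader: str
    min_level: int
    max_level: int
    activity: str


def build_request(sender: Player, min_level: int, max_level: int,
                  activity: str) -> GroupRequest:
    """Accept only typed fields; the leader name comes from the session."""
    if not (1 <= min_level <= max_level <= MAX_LEVEL):
        raise ValueError("bad level range")
    if max_level - min_level > MAX_SPAN:
        # Without a cap, "levels 1-40" would be a broadcast again.
        raise ValueError("level range too wide")
    if activity not in ACTIVITIES:
        raise ValueError("activity must be one of the fixed choices")
    return GroupRequest(sender.name, min_level, max_level, activity)


def recipients(req: GroupRequest, online: list[Player]) -> list[str]:
    """Route the request only to players inside the requested range."""
    return [p.name for p in online
            if p.name != req.leader and req.min_level <= p.level <= req.max_level]


def render(req: GroupRequest) -> str:
    """Clients fill a fixed template; no sender-written text is displayed."""
    return (f"Group w/ {req.leader} levels {req.min_level}-{req.max_level} "
            f"to do {req.activity}")
```

Because the only sender-controlled values are two integers and a menu choice, there is nowhere in the message to put a URL or a price.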
On Spam Reporting
Massively's article describes the WAR reporting process as follows:
* Make sure you place the player's exact name in the first window, which asks for the player name.
* Place the text the player sent you in the second window, which asks for details about what was sent. Also note if this solicitation came in the form of in-game chat (any channel), or through the mail system.
* Only submit one appeal per solicitor. Do not try to place multiple names in the first box, as the appeal will fail.
Why not make this a one-click action directly from the chat window? The person's name, message, etc. could be automatically populated (along with the sender's name and a suitable warning about spurious reports). If the reporting process is easier, more people will do it faster and the spammer will not survive as long.
One could even have a mini-game and levels for spam and gold farmer reporting! If gold farming is a large enough problem that 20+ percent of your users are buyers, then create a game so that players can do the expensive basic research for you.
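One way the one-click report could work server-side, as an added sketch that is not WAR's actual reporting system. The class names, the escalation threshold and the sample names are assumptions; the point is that the client sends only a message id, so the solicitor's name and text are filled in from the server's own record and cannot be mistyped or forged.

```python
from dataclasses import dataclass, field

REPORTS_TO_ESCALATE = 3  # assumed: distinct reporters before staff review


@dataclass
class ChatLog:
    """Server-side record of delivered chat and mail, keyed by message id."""
    messages: dict = field(default_factory=dict)

    def record(self, msg_id, sender, channel, text, recipients):
        self.messages[msg_id] = (sender, channel, text, frozenset(recipients))


@dataclass
class ReportQueue:
    log: ChatLog
    reporters: dict = field(default_factory=dict)   # sender -> set of reporters
    evidence: list = field(default_factory=list)    # auto-populated report rows

    def report(self, reporter, msg_id):
        """The click sends only (reporter, msg_id); the rest is looked up."""
        entry = self.log.messages.get(msg_id)
        if entry is None:
            return "rejected: unknown message"
        sender, channel, text, recipients = entry
        if reporter not in recipients:
            # Guards against spurious reports about messages never received.
            return "rejected: reporter never received this message"
        seen = self.reporters.setdefault(sender, set())
        if reporter in seen:
            return "duplicate"   # one report per reporter per solicitor
        seen.add(reporter)
        self.evidence.append((reporter, sender, channel, text))
        return "escalated" if len(seen) >= REPORTS_TO_ESCALATE else "recorded"
```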
M. Jacobs (2008), "A banning we will go, a banning we will go. Heave ho off the servers yo, a banning we will go!", http://onlinegamesareanichemarket.wordpress.com/2008/09/21/a-banning-we-will-go-a-banning-we-will-go-heave-ho-off-the-servers-yo-a-banning-we-will-go/
J. Egan (2008), "Reporting gold spammers in WAR now easier than ever", http://www.massively.com/2008/10/05/reporting-gold-spammers-in-war-now-easier-than-ever/
Saturday, October 4. 2008
Wooo Whooo! I've finally finished the complete first draft of my book: "Protecting Games". I'm on to the editing stage.
I know my blog writing has been a bit less than inspired of late, and I apologize. When you are writing a book like mad AND trying to keep a blog going, something's got to give. I actually thought I would be able to use more material from my blog directly and I was totally wrong. The material is here, but it is not in a "book suitable" format.
I will say the process has been useful as it has allowed me to think through the issues related to game security very thoroughly and systematically. There is nothing like teaching to really cement a topic.
There have been a number of my readers here who were very helpful by reading portions of the book, including Adam Martin, Pierre Laliberte, Alexandre Major, and Marc-André Hamelin.
There have also been a number of you over the years who have provided great comments here and conversations and correspondence in the real world. Thank you.
Friday, October 3. 2008
The operator of a pirate server version of Shanda Interactive's World of Legend MMO has been jailed for 3 years and fined 500,000 RMB (approximately $73,000) for operating a private server version of the game between October 2006 and December 2007. The site grew to include 94 servers and earned 2 Million RMB (approximately $292,000) and a profit of 500,000 RMB during its period in operation.
Pirate servers should be a problem of growing concern to the online game industry:
- The huge popularity of these games is going to make pirate servers very tempting to set up.
- There is no development cost or risk as you are capitalizing on an established title.
- Pirate server operations can easily "shop jurisdictions" to make these kinds of prosecutions more difficult - especially in developing markets.
- Very often MMO developers do nothing to address server piracy in their game design.
- The standard MMO architecture has a VERY HEAVY client (most of the data and game logic is stored on the client side). It is not difficult to reverse engineer the server and data structure. In the move to smaller, semi-casual games, titles like KartRider, Audition, Sudden Attack, or Combat Arms that operate in a peer-to-peer or small server model will be particular targets, as there is hardly any server infrastructure to attack at all - mainly a lobby and some basic persistent state that is replicated on the client.
China has been quite aggressive in pursuing these criminals as it is trying to establish a legitimate online games industry and has a large number of domestic companies to protect. This is certainly not true globally. There are a lot of countries with lax copyright laws... and the argument against these services is going to be very interesting if the client is given away for free (LEGAL COMMENTARY WELCOME).
See:
C. Zhang (2008), "Illegal Shanda Game Garners Five RMB 2M, Jail Time", http://www.pacificepoch.com/newsstories?id=132485_0_5_0_M
Thursday, October 2. 2008
IDC did a survey (664 players from China, Korea, the Philippines, Singapore, Taiwan and Vietnam) where they found that 64 percent of gamers in a number of Asian countries were concerned about bullies targeting new players and 70 percent were concerned about rude players.
50 percent of players believed that meeting other players is important and the average player has 26 online friends while the average player under age 25 has 28 online friends.
Alexander Villafania, "‘Bullies’ big headache in Asian online gaming — report", http://blogs.inquirer.net/hackenslash/2008/09/05/%E2%80%98bullies%E2%80%99-big-headache-in-asian-online-gaming-report/
Wednesday, October 1. 2008
The multi-player producer for Halo 3 from Bungie has had his Xbox Live account hacked, according to a recent report at MTV.
Apparently, this problem is quite widespread. Hackers are not beating the system's technical security, but using social engineering to convince Microsoft Customer Service reps to give them access to the account.
Some people do lose their accounts by sharing them with friends, posting them on a web site for a "bonus", or having bad passwords... but having the company compromise your account is inexcusable, especially as it can also compromise your credit card information.
What is disturbing is that this problem has been going on for over a year and is pretty easily fixable.
- Xbox Live accounts are, at least partially, tied to a specific console; Microsoft could use that console's ID number to authenticate the user.
- Microsoft could also use the credit card information to authenticate the user.
- Or Microsoft could send an email to another email account owned by the user that had been established previously as the "notification account" (or a phone number or whatever... even snail mail).
- Or Microsoft could use the official Xbox console to send a challenge message to a user (similar to the phone systems used by Korean game companies).
Of course, the best solution would be to break the link between gamertag and userID. The fact that everyone knows your user ID on Xbox Live makes the hack very easy.
As to the customer service system, it really shouldn't "unlock" the account, even for the customer service rep, until the user has passed an official, authenticating challenge.
AND, the system needs to recover well from a customer service error (I don't know if this is still a problem, it was earlier... see previous articles).
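A sketch of the support-console gate described above, added as an illustration and not a description of Microsoft's systems. The class, field names, code lifetime and attempt limit are assumptions. The one-time code goes to the previously registered notification channel and never appears on the rep's screen, so persuading the rep gains nothing.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 600      # assumed: challenge valid for 10 minutes
MAX_ATTEMPTS = 3    # assumed: wrong answers before the challenge is void

class SupportCase:
    """A locked view of one account, opened when a caller contacts support."""

    def __init__(self, account: dict, send):
        self._account = account
        self._send = send            # out-of-band sender (email, phone, console)
        self._digest = None
        self._expires = 0.0
        self._attempts = 0
        self.verified = False

    def issue_challenge(self, now=None) -> None:
        """Send a one-time code to the channel registered before this call."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"
        self._digest = hashlib.sha256(code.encode()).digest()
        self._expires = now + CODE_TTL
        self._attempts = 0
        self._send(self._account["notification_channel"], code)

    def answer(self, code: str, now=None) -> bool:
        now = time.time() if now is None else now
        if self._digest is None or now > self._expires or self._attempts >= MAX_ATTEMPTS:
            return False
        self._attempts += 1
        ok = hmac.compare_digest(hashlib.sha256(code.encode()).digest(), self._digest)
        if ok:
            self.verified = True
            self._digest = None      # single use
        return ok

    def rep_view(self) -> dict:
        if not self.verified:        # the rep sees nothing worth talking out of them
            return {"gamertag": self._account["gamertag"], "status": "locked"}
        return dict(self._account)

    def change_email(self, new_email: str) -> None:
        if not self.verified:
            raise PermissionError("caller has not passed the challenge")
        self._account["email"] = new_email
```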
P. Klepek, "Reports Of Hacked Xbox Live Accounts Stir Concerns Over Gamers' Security", http://www.mtv.com/news/articles/1593637/20080827/id_0.jhtml
Tuesday, September 30. 2008
The Kahnawake Gaming Commission has released its preliminary findings in the Ultimate Bet online poker scandal.
The scandal ran for 3 and a half years and more than $6 Million was stolen.**
The scandal was discovered by players, not regulators, who noticed unusual game play patterns and performance.
The initial set of sanctions must be met by 2 November 2008:
Begin refunding all players adversely affected by the cheating scheme. The company has refunded $6.1 million to date, but this summer received another round of refund requests.
Remove from the company all persons deemed by the commission as "unsuitable," including all levels of ownership, management and operation, and is required to continue to provide complete details of all day-to-day operations of the company.
Ultimate Bet has also been issued a $1.5 million fine.
These are initial fines and the company still faces other sanctions. If they don't pay up, they will lose their license.
The investigation was done by Frank Catania, formerly a NJ regulator, and now head of Catania Gaming Consultants.
E. Swoboda (2008), "Breaking News: Refunds, Fines, Overhaul for Ultimate Bet, KGC Decrees", http://igamingnews.com/index.cfm?page=artlisting&tid=9787
** THE SOURCE ARTICLE WAS CORRECTED SUBSEQUENT TO MY QUOTING IT FROM $60 MILLION TO $6 MILLION.
Yet another online music service, this time from Walmart, is shutting down its DRM servers. These companies should actively move to send DRM-free music to their customers, or give them a refund. It is really not even enough to transition the servers to another provider as it should not be the user's responsibility to keep their music "alive".
The shuttering of DRM services from major companies - Yahoo, Microsoft, and now Walmart - should really push a reconsideration of the acceptability of DRM by its most ardent advocates.
Also, one wonders what sort of liability tail a DRM "sale" creates?
M. Hefflinger (2008), "Wal-Mart to Discontinue Update Support for DRM-Wrapped Songs", http://www.dmwmedia.com/news/2008/09/29/wal-mart-discontinue-update-support-drm-wrapped-songs
Monday, September 29. 2008
There is a trojan targeting players looking for a shortcut in Eve Online.
A web site is offering a "macro" to help players automatically handle their skill progression in the game. Eve has a unique skill system based on real time, not play time. Since this often requires logging in at odd times to select the next skill to be studied, some players would like a shortcut.
The "tool" promises to log in and select the next skill for a player once the last one has been learned... all you've got to do is enter your username and password into the tool.
Hmmmm.
Of course the tool sends that little piece of information home... and your account is sunk.
J. Egan (2008), "EVE Online trojan warning", http://www.massively.com/2008/09/27/eve-online-trojan-warning/