Scott Jennings and NCSoft have put out a good, thorough message on the state of the game's security issues.
The message was posted very early this morning (the 20th) and within the first couple of hours has been viewed almost 10,000 times.
People really care about the security of their accounts and their game.
Security messages on the site get a lot of visits (see the stats at the bottom of Scott's message). The last message on account security, from December 24th, has had over 131,000 views - far more than any other recent message thread.
It will be interesting to see if this is followed up with any press releases or interviews to the games media.
Hopefully, like Jagex, NCSoft will also pursue legal recourse against criminals who engage in account theft (a clear crime under computer security laws).
Marcus Eikenberry of MarkeeDragon has a 38 minute interview with "Patrick" - a young man who made between $10,000 and $20,000 over the course of one year of criminal scamming:
There are some fascinating details (here are my notes on the highlights):
3:00 Started in Eve Online / GoonSwarm
5:30 Scammed his own Eve Online Corporation as a Director (non GoonSwarm) stole 9B ISK in 2006
6:30 WoW Scam/Griefing casual every month of so
7:30 Lost his job and decided to sell his Eve Online Account... he took the money and realized he didn't have to transfer the account - there was no protection for intangible items in PayPal Terms of Service - He made $750... used it for rent.
10:00 In order to "beat PayPal", he mailed a piece of paper with invalid information... got through PayPal security and sent the Shipping Tracking information (PERSONAL NOTE: my company used physical shipments to validate shipments of license keys to avoid fraud problems in 2003).
11:45 Scammers "networking" to develop tactics... Paypal changes and protect buyers, not sellers. Reverse scam to a "Buyer Scam": Buy Item, dispute sale, Resell the account quickly
13:30 Started identity theft ... used stolen name and SSN, to set up fraudulent paypal account tied to his Real bank account + fake ID (there is no cross verification of account names - Marcus is currently checking to see if this weakness still exists)...Patrick worked in HR as recruiter... had info of anyone who applied for a job at the company (IT IS SCARY HOW MANY PEOPLE HAVE ACCESS TO YOUR NAME AND SOCIAL SECURITY NUMBER) then close Paypal account quickly before they put in a dispute... age 21,22. Blames economy, desperation - rent & food problems.
16:30 - All you need to create a PayPal account is a name & SSN (and your own bank account)
16:50 - $10 to $20K in one year... was active for one year.
17:30 - Why he was not caught - only small transactions... keep it under $1000. PayPal "caught up with him" eventually - then he started using other people's accounts... that is why he started ID theft (but they didn't validate the account, see above)
19:00 - Paypal is so easy, much easier than direct deposit or wire transfer... a lot of scammers only do this (scamming) once.
20:00 - Last Scam / Biggest Scam - started getting scared. Meet girls "get them to love him" and use their Paypal account (or get them to set up a Paypal account). "Most interesting" found he actually liked the girl. Got a real job and paid her back. Realized what he was doing.
22:15 - Other most exciting was the first one. When you make over $500,... a "means to get by".
23:20 - Security advice... copy of driver's license & prove it's actually the person... TrustWho works (NOTE: run by MarkeeDragon - 99.7%)... if they've never done any sales before on the site, don't trust them... reputation at sites is a problem if you haven't done a sale before... TrustWho really "ruined his (scam) business". He was not able to get TrustWho verified.
29:30 CraigsList is great place to scam people. Get 18 year olds with fresh money (after graduation).
30:50 - Successful transactions in past, get drivers license (repeat)... scary how many people have your drivers license and SSN
33:00 - Wrapup by Marcus Eikenberry - scamming women, HR attacks, name & SSN is all it takes
I'd echo Marcus' comments. The potential for abuse by people in Human Resources and customer service is truly frightening, especially in this economy. It is also disheartening how weak our financial authentication systems are.
Blizzard's customer service team for World of Warcraft seems to be at a breaking point over account theft due to key loggers, phishing, and such. First, there is a serious rumor via WoW.com that Blizzard is considering making security tokens (from Vasco) mandatory. These tokens create a time-based password that is sent to the server in addition to a player's regular password.
The second story is that Blizzard is apparently trying to divert customers away from getting their account restored towards accepting a standard "care package" in lieu of restoration. The package includes:
2,500 gold
2 Emblems of Frost
10 Emblems of Triumph for every day the player has had to wait to receive the care package
WoW.com contends that this approach is not good customer service and does not reflect the real needs or interests of players. A good restoration capability should be quite inexpensive to implement and would incur HUGE customer good will (I await the usual objections on "economy damage" and "player abuse" grounds).
Making security tokens mandatory is an excellent suggestion. In the short run, it will push Gold Frauders to other games, but it is likely that attackers will move towards "client hijacking" on the player's computer... if the crook can take or maintain control of the game client (by keeping a session open with the server when the player thinks he has logged out, for example), he can do VERY BAD THINGS. This would not require a full client implementation as most of the attacks could be done via abstract account screens and such that are much easier to emulate than the whole game client.
By the way, these guys are no longer Gold Farmers who simply violate Terms of Service, they are Gold Frauders - criminals who are exploiting the lack of control in World of Warcraft and other MMOs. This is pretty clearly a violation of standard computer security laws and should be of sufficient scale to catch the interest of law enforcement.
Operationally, gold frauding is much cheaper than gold farming as you don't need to spend time building up characters, farming assets, and waiting to be banned. Since you are hitting accounts and looting them on a one-time basis, you are not going to trigger traditional gold farming detectors.... and if you get banned, on to the next victim.
Game companies are going to really need to rethink their approach to customer service and security as this threat grows.
An organized team that used a trojan software program to target online games has been busted by China's government. The 2 trojan authors apparently earned $140,000 while the rest of the gang may have earned $4.3 Million (30 million Yuan).
11 members of the group have already been sentenced and there may be as many as 80 participants going to jail.
The gang stole 5.3 million passwords which were likely used to loot and resell items from the players accounts as well as use them for "gold spamming" (marketing game currency to other players).
It is nice to see China's government go after online criminals. We see very few cases in the US in spite of the size of online fraud. In the future, however, these cases are going to be more difficult as the criminals may be located in other jurisdictions.
NCSoft has responded to the recent wave of phishing attacks against its Guild Wars MMO by requiring players to enter one of their character names at login. The phishing attacks apparently exploited information that players had disclosed to a third party web site.
There are a couple of obvious criticisms:
1. Players don't remember their character names - Players often create elaborate names with odd capitalization... and then never think about them again.
2. Players will share their character names - players are often willing to share their character names at third party sites, especially when sharing in game anecdotes.
3. Players don't protect their character names - until this announcement, players have no reason to conceal their character names.
4. Keyloggers aren't stopped - a keylogger can sniff a character name just as well as a password.
All MMOs need to take the security of third party sites like fan sites more seriously. These sites are prime "attack vectors" for criminals targeting specific games. There is a good case to be made for strengthening player authentication using security tokens or other means (if you are a game developer or operator and want some help with authentication or other issues, let me know at ceo (at) secureplay ;dot; com.).
Second Life has sold itself as a place where people can unlock their creativity and make money.
It is a large part of the draw of the service.
It is unsurprising, then, that after years of Intellectual Property problems, some in-game/in-world businesses are striking back.
Eros LLC and Shannon Grei have filed for class action status in a lawsuit against Linden Lab, Second Life's developer and operator.
Though I haven't written about Linden Lab and Second Life in quite a while, the problems with license controls for user created content have been present for years... with little to no action by Linden Lab... and, apparently, enough is enough.
The most serious part of the charges is that Linden Lab effectively profits from the infringement, which could make the case particularly interesting.
Gold frauders, my term for those charming individuals who use credit card fraud or other illegal means to acquire virtual currency, don't just hit MMOs, they go after the real money... online poker.
The trick, of course, is to cash out.
In an MMO, a gold frauder does this by selling fraudulently acquired virtual currency for real money to another player. In online poker, they cash out by chip dumping.
Chip dumping is the transfer of poker chips to another player, usually through a 2-player poker game. The colluding players set up a poker match with each other and the player who wants to dump chips plays intentionally really badly so that the other player gets his chips (less the casino's / poker table's rake).
Classically, this is done for money laundering purposes (one of the reasons governments are as interested in casino financial transactions as they are in bank transactions... money laundering has also been done in a similar manner in online peer betting services).
It can also be done to transfer promotional initial currency to a colluding player...
... or by a gold frauder.
The new, very troubling version of chip dumping is done by gold frauders who use stolen credit cards to register with online casinos / poker rooms (they could also target skill game sites) and buy a bunch of currency. They then set up a match with a partner to whom they intentionally lose.
When the stolen credit card gets hit with the inevitable chargebacks, the online service is still stuck paying out to the "winner".
Ouch.
This problem can really hurt any online game or virtual world or other service that supports any sort of "cash out".
For example, in a virtual item creation game with player/creators, a gold frauder could buy a virtual item that is vastly overpriced (or lots and lots of ordinary virtual items) with a colluding creator....
I suspect that this problem is only going to get worse, much worse, and become a real problem for many types of online services. International payments are a mess, law enforcement is way behind on this, and a lot of virtual environments don't have good audit and analysis tools.
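A detection heuristic for the heads-up chip-dumping pattern described above, as an added example that is not part of the original post: a freshly funded account that loses nearly its whole deposit to one opponent within hours is flagged, and that opponent's withdrawals are held until the chargeback window has passed. Account names, hand records, thresholds and timestamps are all constructed.

```python
"""Flag heads-up chip dumping: a freshly funded account that loses most of
its deposit to a single opponent shortly after depositing (constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class Deposit:
    account: str
    amount: float
    ts: int  # unix seconds (constructed)


@dataclass(frozen=True)
class Hand:
    players: Tuple[str, str]  # the two seats of a heads-up table
    winner: str
    pot: float  # chips moved from loser to winner, net of rake
    ts: int


def chip_dump_alerts(deposits, hands, window=6 * 3600,
                     min_fraction=0.8, min_loss_rate=0.8):
    """Return (dumper, receiver, chips_lost, fraction_of_deposit) tuples.

    Heuristic: within `window` seconds of a deposit the depositor loses at
    least `min_loss_rate` of the heads-up hands against one opponent and at
    least `min_fraction` of the deposit to that same opponent. Honest play
    rarely looks like this; a mule feeding a cash-out partner usually does.
    """
    alerts = []
    for dep in deposits:
        lost, played, losses = defaultdict(float), defaultdict(int), defaultdict(int)
        for h in hands:
            if dep.account not in h.players or not dep.ts <= h.ts <= dep.ts + window:
                continue
            opp = h.players[1] if h.players[0] == dep.account else h.players[0]
            played[opp] += 1
            if h.winner == opp:
                losses[opp] += 1
                lost[opp] += h.pot
        for opp, chips in lost.items():
            fraction, loss_rate = chips / dep.amount, losses[opp] / played[opp]
            if fraction >= min_fraction and loss_rate >= min_loss_rate:
                alerts.append((dep.account, opp, round(chips, 2), round(fraction, 3)))
    return alerts


def payout_decisions(alerts, withdrawal_requests):
    """Hold withdrawals by a flagged receiver until the chargeback window passes."""
    flagged = {receiver for _, receiver, _, _ in alerts}
    return {acct: ("HOLD" if acct in flagged else "OK") for acct in withdrawal_requests}


# Constructed sample: 'mule' deposits 1000 on a card and loses five of six
# heads-up hands to 'cashout'; 'reg' has an ordinary back-and-forth session.
DEPOSITS = [Deposit("mule", 1000.0, 1000), Deposit("reg", 200.0, 1000)]
HANDS = [Hand(("mule", "cashout"), "cashout", 180.0, 1000 + 60 * i) for i in range(5)]
HANDS.append(Hand(("mule", "cashout"), "mule", 20.0, 1400))
HANDS += [Hand(("reg", "fish"), "reg" if i % 2 else "fish", 15.0, 1000 + 60 * i)
          for i in range(6)]

if __name__ == "__main__":
    found = chip_dump_alerts(DEPOSITS, HANDS)
    print(found)  # [('mule', 'cashout', 900.0, 0.9)]
    print(payout_decisions(found, ["cashout", "reg"]))
```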
Loyalty programs. The prototypical virtual currency. What could go wrong? Plenty, as a number of Las Vegas casinos are finding.
Employees are stealing player loyalty points and putting them into dummy accounts under their control.
They are also simply creating bogus accounts and issuing tons of loyalty points to them.
Slot technicians are using blank loyalty cards (used for testing) and reprogramming the slot machine to give the points to the next real player (a confederate of the corrupt tech). By the way, this is going to become a much more serious type of problem with the casino industry's move to server-based gaming, though no one seems to be talking about it.
Employees boost points as their incentives are tied to levels of gambling.
Most of these thefts are detected by consumers, not company security.
Virtual currency is not seen as real currency... and is thus not tracked nearly as closely by security.
Payment security is a major problem for all online game businesses be they MMOs, social networks, Free-to-Play games, casual games, skill games, or online casinos and online poker.
Gambling sites are the biggest target as there is the most money involved and there are direct mechanisms for players to "cash out".
The iGaming industry just completed a conference on Fighting Cybercrime... and there is a wealth of great material that is available.
First, there is a nice video with Motie Bring of the PKR online poker site:
At the core of most problems is identity theft. This article gives a nice overview of keylogging/trojans, phishing, and drive-by-web sites:
Cooperation is key to fighting fraud. The iGaming Industry is now cooperating to fight fraud rather than competing on anti-fraud... a lesson for other online gaming firms. Player-to-player interactions are where the bulk of fraud occurs. In online gambling, the biggest target is online poker; in MMOs, it is player markets (exploited via gold farming, gold frauding and scams). International issues are a key challenge and something that the industry needs to engage with governments on (easier for the MMO industry than the gambling industry due to legal concerns). The theme of identity theft as a central issue continues. There are three levels of fraudsters mentioned:
1. Customer chargebacks - a customer who uses his ability to chargeback to avoid paying for services that he purchased.
2. Amateur fraudsters - an "aspiring crook" who purchases a stolen credit card online and uses it for fraud.
3. Professional Fraudsters - a crook who studies an online service's anti-fraud and business process to create a fast, lucrative exploit or one that can be milked for an extended period of time.
Another interview, this time with Jim Noakes who leads a group of online bookmakers in the UK cooperating to fight fraud through "Gameshield":
E. Swoboda (2009), "Q.& A. | Jim Noakes", http://www.igamingnews.com/index.cfm?page=freearticle&tid=10716&showpromo=0
Another article, this time from Harry Lang, with a great top 10 list of anti-fraud techniques (they are not in order, at least as far as I can tell):
1. Device Fingerprinting -- Taking a “fingerprint” of a device like a laptop enables you to check whether it has already been used by a fraudster.
2. Location mismatches -- Running rules looking at a customer's physical location (and where they are logging in from) and their telephone number to look for any anomalies
3. Hotlists -- Referencing information (devices, I.P.s, credit cards, debit cards, etc.) against both internal and external "Hot" databases
4. Know Your Customer Checks (KYC) -- Proving that the information provided in an application or transaction is correct, namely that a person actually exists and resides where they say they do.
5. Variances -- Looking for changes between current and previous devices, I.P. locations and login sessions. If a customer usually logs in on their laptop from London you may question why they start logging in from an Internet café in Vietnam
6. Transaction Limits -- Use of limits to minimize the attractiveness of your business to fraudsters, thus reducing the value they can derive from one unique set of compromised information.
7. Velocity Thresholds -- Setting combinations of total spend over different time periods. This essentially creates “Honey Traps” to pick up unusual patterns
8. Unusual Data -- Looking for unusual changes of personal information on accounts, particularly in the early days of a new account. It's unusual to open an account on the day you move house so why change the registered address as soon as the account is open?
9. Associations -- Looking for “links” between cards, bank accounts, I.P.s, devices and personal data. Fraudsters don’t give up on the first attempt -- if a card has been used once already for a fraud, rest assured they will try to use it again
10. Verification -- Using systems such as Interactive Voice Response (IVR) to verify account applications or transaction history means that you can protect your business and the genuine consumer from identity theft or account takeover.
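Two of the rules above turned into code, as an added example that is not from the article or from Harry Lang: sliding-window velocity thresholds (rule 7) and association links through shared cards, devices and IPs (rule 9). The accounts, card tokens, device ids, spend limits and IP address are constructed.

```python
"""Velocity thresholds and association links over constructed account data."""
from collections import defaultdict, deque


def velocity_breaches(spend_events, limits):
    """spend_events: (account, unix_ts, amount); limits: {window_seconds: max_spend}.

    Sliding window per account and per window size; an event exactly
    `window` seconds old still counts. Returns the first breach for each
    account/window pair as (account, window, total_at_breach, ts).
    """
    per_account = defaultdict(list)
    for account, ts, amount in sorted(spend_events, key=lambda e: e[1]):
        per_account[account].append((ts, amount))
    breaches = []
    for account, events in per_account.items():
        for window, cap in sorted(limits.items()):
            recent, total = deque(), 0.0
            for ts, amount in events:
                recent.append((ts, amount))
                total += amount
                while recent[0][0] < ts - window:
                    total -= recent.popleft()[1]
                if total > cap:
                    breaches.append((account, window, round(total, 2), ts))
                    break
    return breaches


def linked_accounts(identifiers, known_fraud):
    """identifiers: {account: {("card", tok), ("device", id), ("ip", addr), ...}}.

    Breadth-first walk from the known-fraud accounts across every shared
    identifier (rule 9: a card or device used once for fraud gets reused).
    Returns {linked_account: identifier_that_linked_it}.
    """
    owners = defaultdict(set)
    for account, ids in identifiers.items():
        for ident in ids:
            owners[ident].add(account)
    linked, seen, frontier = {}, set(known_fraud), deque(known_fraud)
    while frontier:
        account = frontier.popleft()
        for ident in identifiers.get(account, ()):
            for other in owners[ident]:
                if other not in seen:
                    seen.add(other)
                    linked[other] = ident
                    frontier.append(other)
    return linked


# Constructed sample data (accounts, tokens and an address from the documentation IP range).
LIMITS = {3600: 500.0, 86400: 2000.0}  # max spend per hour / per day
EVENTS = [("a1", 0, 200.0), ("a1", 600, 200.0), ("a1", 1200, 200.0),
          ("a2", 0, 100.0), ("a2", 7200, 100.0)]
IDENTIFIERS = {
    "fraud1": {("card", "tok-111"), ("device", "dev-A")},
    "a1": {("device", "dev-A"), ("ip", "203.0.113.7")},
    "a2": {("ip", "203.0.113.7")},
    "clean": {("card", "tok-999")},
}

if __name__ == "__main__":
    print(velocity_breaches(EVENTS, LIMITS))         # [('a1', 3600, 600.0, 1200)]
    print(linked_accounts(IDENTIFIERS, {"fraud1"}))  # a1 via dev-A, a2 via the shared IP
```

A shared IP is a weaker link than a shared card or device (the Internet café in rule 5 is one IP for many customers), so in practice the identifier type should weight the alert rather than trigger it outright.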
Finally, another article on the Fraud threat, this one including the discussion of "Friendly Fraud"... when people make purchases that they can subsequently not afford to pay for and therefore initiate a chargeback.
T. Lines Hill (2009), "Assessing the Threat | Card Fraud", http://www.igamingnews.com/index.cfm?page=freearticle&tid=11464&showpromo=0
I also have two chapters on payment fraud and a discussion of identity theft in my book "Protecting Games".
100,000 Yuan (around $14,700) in Tencent's QQ-coins virtual currency. Extorted.
That is a LOT of virtual currency. For anyone to have.
Heck, it is a lot of money. In the US or China or pretty much anywhere.
A man and three accomplices were convicted of extortion for stealing 100,000 Yuan of QQ-coins plus a large number of virtual assets.
Oh, they also stole 200 Yuan (almost $30) of real currency.
The ringleader is off to jail for 3 years and all four are being fined 5000 Yuan (around $740 dollars).
The incident happened at an Internet cafe in China where the lead criminal was apparently losing a lot of money in the online games and the victim... well, clearly, not so much.
Digression on QQ and Tencent
By the way, while people in the US are getting excited about Facebook launching a virtual currency, China has one in the shape of Tencent's QQ coins associated with the QQ service - which has 220 million registered users (more than Facebook's 200 million).
As I've noted before, you should really take a look at Tencent and QQ if you are interested in online powerhouses. (Oh, and you can buy the company's stock on the US OTC market - I've owned it before and shouldn't have sold it).
End Digression
I'm guessing that the players were playing "virtual gambling games" which seem to be quite popular on QQ, but I'm not certain. QQ-coins can be used for all sorts of things - it is such a popular virtual currency that China's government has considered regulating it.
An interesting note from the court in China... and something for everyone involved in virtual worlds, items, and currencies to be aware of:
The court held that although no law has acknowledged legitimacy of the virtual property, game players have paid time and real money to accumulate their virtual property, which should be protected by the law.
Copyright 2005-9. IT GlobalSecure, Inc. All rights reserved. IT GlobalSecure makes every effort to include citation of sources. If you determine inaccuracies or omissions, please contact us. Playnoevil.com is the blog of CEO, Mr. Steve Davis. IT GlobalSecure™ and its SecurePlay™ are trademarks of IT GlobalSecure, Inc. IT GlobalSecure supports secure e-commerce processing for web sites including the SecurePlay Store and commercial clients, such as Urban Revivals LLC.