PlayNoEvil - Game Security, IT Security, and Secure Game Design Services - Contact Us at ceo@secureplay.com - Payment Processing and Financial Fraud

NCsoft selects Kount Anti-Fraud to protect its MMOs

ceo@secureplay.com (SecurePlay) — Thu, 15 Apr 2010 05:07:00 -0700

NCsoft has chosen Kount's fraud management solution, according to a press release. The company has a range of technologies including device fingerprinting and "proxy piercing" and the usual features: geo-location, and lots of "data streams", etc.

"Fraud is readily apparent in our industry, plaguing online game publishers worldwide," said Steve Levy, global director of NCsoft Publishing Operations. "The implementation of Kount helps us alleviate fraud, allowing us to provide a safe and secure gaming environment for our fans."

Proxy piercing sounds kind of cool. My guess is that their is a piece of code that "phones home" to the company or some such with a unique ID that matches up with information that the game server gets.

The service also automates review of purchases which may be the real driver for NCsoft... reducing operational costs..

"Kount Provides Fraud Control to Global Online Game Publisher NCsoft", http://www.prnewswire.com/news-releases/kount-provides-fraud-control-to-global-online-game-publisher-ncsoft-90603739.html

Real Threat in Virtual Battleground: Hackers - QUOTED

ceo@secureplay.com (SecurePlay) — Sun, 28 Feb 2010 13:05:58 -0800

A. Martínez-Cabrera (2010), "Real Threat in Virtual Battleground: Hackers", http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2010/02/26/BU5D1C7QI1.DTL

I'm quoted several times in this article about the threat of hackers/fraudsters to online games in the San Fransisco Chronicle.

NOTED: Good Message from NCSoft on Aion Security

ceo@secureplay.com (SecurePlay) — Wed, 20 Jan 2010 05:28:30 -0800

Scott Jennings and NCSoft have put out a good, thorough message on the state of the game's security issues.

The message was posted very early this morning (the 20th) and within the first couple of hours has been viewed almost 10,000 times.

People really care about the security of their accounts and their game.

Security messages on the site get a lot of visits (see stats at the bottom of Scott's message). The last message on account security, from December 24th has had over 131,000 views - far more than any other recent message thread.

It will be interesting to see if this is followed up with any press releases or interviews to the games media.

Hopefully, like Jagex, NCSoft will also pursue legal recourse against criminals who engage in account theft (a clear crime under computer security laws).

S. Jennings (2010), "GSUs Message on Account Security", http://na.aiononline.com/board/notices/view?articleID=197&page=

via

S. Jennings (2010), "A Note From My Day Job", http://brokentoys.org/2010/01/19/a-note-from-my-day-job/

Confessions of a Game Scammer (and Identity Thief)

ceo@secureplay.com (SecurePlay) — Mon, 18 Jan 2010 05:01:00 -0800

Marcus Eikenberry of MarkeeDragon has a 38 minute interview with "Patrick" - a young man who made between $10,000 and $20,000 over the course of one year of criminal scamming:

There are some fascinating details (here are my notes on the highlights):

3:00 Started in Eve Online / GoonSwarm

5:30 Scammed his own Eve Online Corporation as a Director (non GoonSwarm) stole 9B ISK in 2006

6:30 WoW Scam/Griefing casual every month of so

7:30 Lost his job and decided to sell his Eve Online Account.. he took the money and realized he didn't have to transfer the account - there was no protection for intangible items in PayPal Terms of Service - He made $750... used it for rent.

10:00 In order to "beat PayPal", he mailed piece of paper with invalid information... got through Paypal security and send the Shipping Tracking information (PERSONAL NOTE: my company used physical shipments to validate shipments of license keys to avoid fraud problems in 2003).

11:45 Scammers "networking" to develop tactics... Paypal changes and protect buyers, not sellers. Reverse scam to a "Buyer Scam": Buy Item, dispute sale, Resell the account quickly

13:30 Started identity theft ... used stolen name and SSN, to set up fraudulent paypal account tied to his Real bank account + fake ID (there is no cross verification of account names - Marcus is currently checking to see if this weakness still exists)...Patrick worked in HR as recruiter... had info of anyone who applied for a job at the company (IT IS SCARY HOW MANY PEOPLE HAVE ACCESS TO YOUR NAME AND SOCIAL SECURITY NUMBER) then close Paypal account quickly before they put in a dispute... age 21,22. Blames economy, desperation - rent & food problems.

16:30 - All you need to create a PayPal account is a name & SSN (and your own bank account)

16:50 - $10 to $20K in one year... was active for one year.

17:30 - Why he was not caught - only small transactions... keep it under $1000. Paypal "caught up with him" eventually - then he started using other peoples accounts.. that is why he stared ID theft (but they didn't validate account, see above)

19:00 - Paypal is so easy, much easier than direct deposit or wire transfer... a lot of scammers only do this (scamming) once.

20:00 - Last Scam / Biggest Scam - started getting scared. Meet girls "get them to love him" and use their Paypal account (or get them to set up a Paypal account). "Most interesting" found he actually liked the girl. Got a real job and paid her back. Realized what he was doing.

22;15 - Other most exciting was the first one. When you make over $500,... a "means to get by".

23:20 - Security advise... copy of drivers license & prove its actually the person... TrustWho works (NOTE: run by MarkeeDragon - 99.7%).. if they've never done any sales before on the site, don't trust them... reputation at sites is a problem if you haven't done a sale before... TrustWho really "ruined his (scam) business". He was not able to get TrustWho verified.

29:30 CraigsList is great place to scam people. Get 18 year olds with fresh money (after graduation).

30:50 - Successful transactions in past, get drivers license (repeat)... scary how many people have your drivers license and SSN

33:00 - Wrapup by Marcus Eikenberry - scamming women, HR attacks, name & SSN is all it takes

I'd echo Marcus' comments. The potential for abuse by people in Human Resources and customer service is truly frightening, especially in this economy. It is also disheartening how weak our financial authentication systems are.

World of Warcraft under stress from Gold Frauders via Phishing and Key Loggers

ceo@secureplay.com (SecurePlay) — Fri, 08 Jan 2010 08:22:54 -0800

Blizzard's customer service team for World of Warcraft seems to be at a breaking point over account theft due to key loggers, phishing, and such. First, there is a serious rumor via WoW.Com that Blizzard is considering making security tokens (from Vasco) manadatory. These tokens create a time-based password that is sent to the server in addition to a player's regular password.

The second story is that Blizzard is apparently trying to divert customers away from getting their account restored towards accepting a standard "care package" in lieu of restoration. The package includes:

2,500 gold
2 Emblems of Frost
10 Emblems of Triumph for every day the players has had to wait to receive the care package

WoW.com contends that this approach is not good customer service and does not reflect the real needs or interests of players. A good restoration capability should be quite inexpensive to implement and would incur HUGE customer good will (I await the usual objections on "economy damage" and "player abuse" grounds).

Making security tokens mandatory is an excellent suggestion. In the short run, it will push Gold Frauders to other games, but it is likely that attackers will move towards "client hijacking" on the player's computer... if the crook can take or maintain control of the game client (by keeping a session open with the server when the player thinks he has logged out, for example), he can do VERY BAD THINGS. This would not require a full client implementation as most of the attacks could be done via abstract account screens and such that are much easier to emulate than the whole game client.

By the way, these guys are no longer Gold Farmers who simply violate Terms of Service, they are Gold Frauders - criminals who are exploiting the lack of control in World of Warcraft and other MMOs. This is pretty clearly a violation of standard computer security laws and should be of sufficient scale to catch the interest of law enforcement.

Operationally, gold frauding is much cheaper than gold farming as you don't need to spend time building up characters, farming assets, and waiting to be banned. Since you are hitting accounts and looting them on a one-time basis, you are not going to trigger traditional gold farming detectors.... and if you get banned, on to the next victim.

Game companies are going to really need to rethink their approach to customer service and security as this threat grows.

Welcome to Gold Frauder 2.0.

A. Holisky (2010), "Blizzard giving serious consideration to mandatory authenticators", http://www.wow.com/2010/01/08/blizzard-giving-serious-consideration-to-mandatory-authenticator/

A. Holisky (2010), "Account Administration told not to restore hacked characters", http://www.wow.com/2010/01/08/account-administration-told-not-to-restore-hacked-characters/

both via Massively.