August 19, 2016
Avoiding Whack-a-Mole: How to Stay Ahead of Online Gaming Fraudsters
By Katie Flood, CardNotPresent.com Staff
Online gamer Danny Bailey had been away for a week when he returned home to find he had been robbed. Nothing was missing from his apartment and his bank accounts were untouched, but the account for his favorite massively multiplayer online role-playing game (MMORPG) had been hacked. “My character [had been moved], my sellable gear was gone, and I had no idea how long the hackers had used my character.” Bailey’s “sellable gear”—in-game currency that allows players to participate in the game’s trade economy and progress within the game—represented hundreds of hours of his time, not to mention the hundreds of dollars he had put into his gaming account.
Those unfamiliar with the world of online gaming might look at this scenario and wonder why anyone would bother stealing virtual currency in a make-believe world. But in fact, there are plenty of real-world buyers willing to pay real money for this online currency.
In most MMORPGs, players pay to maintain an account and they may also pay to purchase currency within the game, which typically comes in the form of points, coins, skills, power, or weaponry. Most gaming companies offer a free-to-play option for beginners, but to create an ongoing game or to advance within the game, players must sign up for a paid account. Gaming merchants’ revenue thus depends on consumers’ interest in playing the game and their willingness to purchase currency within the game in order to progress.
So, when it comes to risk management and fraud prevention for the companies that create and run online games, practices that degrade the game pose as much of a threat as those that scam gamers. Bert Wolters is director of Risk and Fraud Mitigation at Adyen, an online payment solutions company that works with a number of online gaming companies. Wolters recalls one client whose game was invaded by Chinese hackers who were intermittently shouting “Buy Viagra!” at other users over their headsets. This sort of in-game spam is a serious problem, Wolters explains, because “we want to give players true, immersive experiences in the game, not trashy spam.” Most users aren’t going to put up with this random screaming for long, and once they leave the game, it’s hard to bring them back.
One of the most popular forms of fraud that threatens the gaming experience is a practice known as gold farming. Many MMORPGs have places where players can go and collect a small amount of virtual currency–or “gold”–for free. But accumulating a large amount of this free gold takes a great deal of playing time. Players in developing countries realized that if they visited these spots repeatedly and “farmed” the gold, they could then sell their harvest, for real money, to players in wealthier, more developed countries. The buyers are able to acquire gold for lower rates than what the gaming merchant charges, without having to put in any playing time. In its heyday back in the mid-2000s, gold farming was a full-time occupation for tens of thousands of people, particularly in China.
If players aren’t spending money on gold within the game, game developers and publishers are losing revenue. But, even more worrisome for some gaming companies, gold farming floods the game with currency, causing inflation and allowing players to advance to the upper levels of the game with minimal effort. This degrades the gaming experience for legitimate users: If gamers can simply buy their way to the top, achieving advanced levels is no longer much of an achievement. If honest players get fed up with this and lose interest in playing, it can mean game over for gaming merchants.
In response to this threat, gaming companies implemented software that detects and targets the behavioral patterns of gold farmers—e.g., new users who immediately go straight for the free gold—along with software that allows them to identify the IP addresses of known gold farmers. Suspected gold farmers can then be blocked from the game. Of course, some simply buy a new copy of the game, create a new account and attempt to start over. As the response from antifraud providers has become increasingly robust, however, many have abandoned gold farming altogether. Though gold farming has not been eradicated completely, it is certainly less pervasive today than it once was.
Data breaches, payment scams, and phishing are among other ways fraudsters threaten gaming companies and their customers. Scott Adams is director of Fraud and Risk Management for Riot Games, which created and runs League of Legends, one of the top games in the world with 35 million active users per month. Adams says one of the most effective weapons in Riot Games’s risk management arsenal is simply excellent customer service.
“Our business depends on player loyalty, so really what it comes down to in the long run is just treating the player well,” he says. “Even if someone gets hacked, they are still going to be happy [with our game], because we take care of them.”
This may be the only true constant in Riot Games’s risk-management strategy. Their internal risk management model combines software that tracks payment patterns, manual review of suspicious or unusual activity, and monitoring of hacker chat rooms. Adams explains that they update their anti-fraud model frequently, even daily, because “the fraudsters are always coming up with something new. We’ve found that if we catch [a scam] and start doing something about it, then word spreads in the fraud community, that [Riot Games is] fixing this now, so then people stop doing it.” And, in many cases, they move on to the next scam.
Even with a proactive fraud prevention model and excellent customer service, this game of online cops-and-robbers can start to resemble Whack-a-Mole. In an effort to break out of this pattern, Adyen is taking a different approach to risk management in online gaming: isolating the fraudsters in their own “world” within the game. Users who are suspected of fraud are placed in a part of the game that looks exactly like the real thing, but where they are actually interacting only with other suspected fraudsters. Transactions on the stolen credit cards they attempt to use are blocked, unbeknownst to them.
Maikel Lobbezoo, vice president of Product Development for Adyen, explains that isolation “[impedes] the trial-and-error approach where fraudsters try to find out how they were detected. If you isolate someone, then you are not giving him direct feedback about his actions. So it will take much longer before he finds out that he was isolated in the first place and then to find out a way to get out of the isolation. So that’s making the professional fraudster’s life very difficult.”
Ultimately, disrupting fraudsters’ operations is the aim of all of these prevention technologies and techniques. Says Adams, “It’s a big business for these guys. They’re in it to make money. And when fraud is no longer profitable, they’ll move on.”