What is Gold Farming and How Can MMOs Fight Back?

If someone asked me to go “gold farming,” I’d probably assume we were going to grab a couple pans and head north to a stream in New Hampshire, and with any luck, strike it rich.

But gold farming doesn’t refer to literal gold. Rather, gold farmers accumulate virtual currency by playing massively multiplayer online games (MMOs). That virtual currency, or “gold,” is then sold to other players, despite the fact that most game operators explicitly ban the exchange of in-game currency for cash. Gold farming is lucrative enough that people in China and other developing nations can support themselves as full-time gold farming ring operators.

The Washington Post recently reported, “Low-educated laborers in Asia spend hours each day advancing through levels of an online game, picking up gold, swords and gems that enhance a player’s status. Then gaming studios, which employ the players, sell those virtual goods to online retailers. Finally, the retailers sell those items to more than 120 million players worldwide, many of them in North America and Europe, who are unwilling to play the games all day to gather the items on their own.”

Some argue that in certain developing countries, gold farming is tantamount to slave labor. The New York Times reports that in China, gold farmers often work twelve hours a night, seven nights a week, with only two or three nights off per month. “For every 100 gold coins farmers gather they make about $1.25, earning an effective wage of 30 cents an hour, more or less. The boss, in turn, receives $3 or more when he sells those same coins to an online retailer, who will sell them to the final customer (an American or European player) for as much as $20.”

Meanwhile, a recent report by the World Bank suggests that online gaming has a positive impact in Asia because 70% of the industry’s revenue remains in the gaming countries, with most of that money going to studios.

I don’t know. 12-hour days, for 30 cents an hour? What do you think?

The bottom line is that gold farming negatively affects game play in that legitimate players are now unable to enjoy the full game experience. Being unsatisfied, they leave for other games (and often take their friends with them) and this damages the brand reputation and reduces the gaming publisher’s profits.

Many leading MMOs are finding it increasingly necessary to deploy a layered defense to protect against gold farming, chargebacks and, increasingly, account takeovers within gaming environments. By leveraging device reputation, which looks at the computer, smartphone or tablet connecting to the game, the gaming publisher can link players who are working together and shut down entire rings in one sweep. In one case, a major gaming publisher saw the value of Oregon-based iovation’s fraud protection service and took action against 1,000 fraudulent accounts shortly after implementing the SaaS-based service.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses another data breach on Good Morning America. (Disclosures)

Chinese Prisoners Forced To Scam Gaming Sites

When you think “prison camp,” you probably don’t picture a place resembling summer camp, with arts and crafts, hiking, swimming, and playing games. But in the Jixi prisoner labor camp in the coal mines of northeast China, they break rocks all day and play games at night.

Online games often reward players who accumulate a certain quantity of in-game points with cash payouts. Guards at this particular prison camp forced prisoners to do 12-hour shifts playing games, on top of their manual labor.

One former Jixi prisoner told The Guardian, “If I couldn’t complete my work quota, they would punish me physically. They would make me stand with my hands raised in the air and after I returned to my dormitory they would beat me with plastic pipes. We kept playing until we could barely see things.”

These prisoners were “gold farming,” monotonously repeating basic tasks within online games like World of Warcraft, in order to build up virtual currency. Gamers around the world are willing to pay real money in exchange for online credits, speeding up their progress within the game.

People in many developing countries have turned to gold farming in order to support themselves, but up to 80% of the world’s gold farmers are based in China, where as many as 100,000 people work around the clock to earn virtual points.

Game operators lose profits due to forced labor gold farming, and while they certainly want to stem their losses, they also have a humanitarian responsibility to the victims of this crime. iovation’s ReputationManager 360 is a proven service that helps protect against chargebacks, virtual asset theft, gold farming, code hacking, and account takeovers. The service identifies devices and shares their reputation as they are interacting with the game – setting off alerts that could relate to velocity triggers, geolocation, device anomalies, past gold farming abuse, financial fraud and lots more.

Many leading gaming publishers have been using iovation’s device reputation service for years to prevent game abuse upfront and ensure that their players have a safe and fun experience. These gaming publishers and iovation continually share information, the latest trends and best practices in order to stay one step ahead of the bad guys.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses credit card fraud on NBC Boston. Disclosures

The FFIEC Wants You to Know…

The Federal Financial Institutions Examination Council recently released a supplement to the guide it issued in 2005, on authentication in an Internet banking environment. One of the FFIEC’s key recommendations for eliminating fraud is consumer awareness and education.

At some level, you may be aware that financial institutions have a layered security approach in place. Those layers include multifactor authentication, which may mean requiring users to enter a second security code or carry a key fob, as well as due diligence in identifying customers as real people whose identities haven’t been stolen, and consumer education.

Consumers are largely oblivious to the multiple layers of security put in place by financial institutions in order to protect them and their bank accounts. All consumers really care about are ease and convenience. However, a better understanding of what goes on behind the scenes can help consumers adapt to new technologies that affect their lives.

I recently came across a blog post written by a financial institution’s bank manager, “Nerdy Nate,” attempting to educate the bank’s customers in response to the FFIEC’s guidance. Nate’s message is useful for all bank customers, and should be a model for other financial institutions.

“Currently, [this institution] employs a combination of a secure browser connection, customer number, password, and our enhanced login security system. We recently added the ability for you to use email, voice and text to receive a one-time passcode needed when we do not recognize your computer. We do realize that having to use a one-time passcode is inconvenient at times. Please be assured that SIS will research other options to make this more convenient. However, at this time, using a one-time passcode is considered the best practice in authenticating you as a user when you log in to SIS Online Banking. This method is also compliant with the FFIEC guidance issued to SIS.

We are also working with our Online Banking provider on other security efforts in response to the FFIEC guidance.

  • Enhanced Device Identification – We will enhance the security of the multifactor authentication enrollment cookie, where it is in use, by adding device fingerprinting. This means that if the cookie is present on a system whose device fingerprint differs from what is on record, the cookie will not be honored and an additional authentication step will be required.

  • Removal of Challenge Questions – In the near future, we will no longer allow the use of a Challenge Question to authenticate you. Instead you will need to use one of the three passcode methods available: text, voice call and email.

  • Web Fraud Detection, Behavior Monitoring – We are evaluating different options to monitor your online access for fraud. Once we have a solution in place, we will notify you on how it might affect you as a user.

  • Malware Prevention & Detection – We are evaluating different options to monitor the use of malware to “hack” your online access. Once we have a solution in place, we will notify you on how it might affect you as a user.

We remain committed to providing you with the best and most secure Online Banking experience possible. With the ever-changing landscape of online fraud, this is proving to be more difficult every day. We are confident that with your help and some hard work on our side, we can achieve our goal.”

Great stuff. Nowadays, education on the “threatscape” is essential. Enhanced device identification is also essential. The FFIEC suggests complex device identification. While complex device identification is more sophisticated than previous techniques, take one step instead of two: rather than stopping at complex device identification, go straight to device reputation management.

This proven strategy not only has advanced methods to identify devices connecting to your bank, but also incorporates geolocation, velocity, anomalies, proxy busting, webs of associations, fraud histories, commercially applied evidence of fraud or abuse, and much more to protect your financial institution against cyber fraud.
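The enhanced device identification step in the quoted post (an enrollment cookie that is honored only when the device fingerprint matches the record) can be implemented by binding the cookie to a fingerprint hash with an HMAC. The following is an added example, not the bank’s or iovation’s code; the fingerprint fields, the customer id and the two device profiles are constructed.

```python
import hashlib
import hmac
import json
import secrets

# Constructed server-side secret; a deployment keeps this in a key store and rotates it.
SERVER_KEY = secrets.token_bytes(32)

# Attributes the login page can observe. Constructed list; a real fingerprint uses more.
FINGERPRINT_FIELDS = ("user_agent", "accept_language", "timezone", "screen", "platform")


def device_fingerprint(attrs):
    """Stable hash of the observable device attributes, taken in a fixed field order."""
    canonical = json.dumps([attrs.get(f, "") for f in FINGERPRINT_FIELDS])
    return hashlib.sha256(canonical.encode()).hexdigest()


def issue_enrollment_cookie(customer_id, attrs):
    """Issued after a successful one-time passcode; bound to the device that enrolled."""
    fp = device_fingerprint(attrs)
    tag = hmac.new(SERVER_KEY, f"{customer_id}|{fp}".encode(), hashlib.sha256).hexdigest()
    return f"{customer_id}.{tag}"


def cookie_is_honored(cookie, customer_id, attrs):
    """True only if the cookie was issued to this customer on a device with this fingerprint.
    A cookie copied to another machine fails because the recomputed tag differs."""
    try:
        cid, presented_tag = cookie.split(".", 1)
    except (AttributeError, ValueError):
        return False
    if cid != customer_id:
        return False
    expected_tag = issue_enrollment_cookie(customer_id, attrs).split(".", 1)[1]
    return hmac.compare_digest(presented_tag, expected_tag)


def login_decision(cookie, customer_id, attrs):
    """After the password check: skip the passcode for a recognized device, else step up."""
    if cookie_is_honored(cookie, customer_id, attrs):
        return "password only: recognized device"
    return "step-up: send one-time passcode"


# Constructed device profiles: the enrolling PC and a different machine holding a copied cookie.
HOME_PC = {"user_agent": "Mozilla/5.0 (Windows NT 6.1) Firefox/5.0", "accept_language": "en-US",
           "timezone": "America/New_York", "screen": "1280x800", "platform": "Win32"}
OTHER_PC = dict(HOME_PC, timezone="Europe/Moscow", accept_language="ru-RU")
```

A fingerprint changes when a browser is upgraded or a locale setting changes, so a mismatch should lead to the one-time passcode and re-enrollment, as the post describes, rather than to a lockout.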

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses credit and debit card fraud on CNBC. Disclosures

North Korea Hacks Online Games to Fund Terrorism?

The Guardian reports, “South Korean police recently arrested five people who allegedly collaborated with North Korean hackers to steal millions of dollars in points from online gaming sites. Members of the gang, which included North Korea’s technological elite, worked in China and shared profits after they sold programs that allowed users to rack up points without actual play.”

Scammers resell stolen points to gamers, who use the points to play more games or to purchase equipment or accessories for their avatars. According to Seoul police, the cybercriminals behind this particular scheme made $6 million in less than two years. 55% of that went to the team of hackers, while some went to Kim Jong-il’s multibillion-dollar slush fund, which American and South Korean officials say is at least partially used to fund a nuclear weapons program.

South Korean officials blame the North Korean government’s Computer Center, an IT research venture, for orchestrating the fraud.

Many of the world’s largest gaming publishers and digital goods providers rely on iovation’s ReputationManager 360 to detect fraud upfront through its extensive, globally-shared database of 700 million devices seen connecting to online businesses and the 6 million fraud events already associated with many of these devices.

iovation has already flagged more than 13 million activities within gaming sites for gaming publishers to either reject as completely fraudulent, or to send for manual review as high-risk activity was detected in real time. This has saved gaming publishers millions of dollars in fraud losses by not only stopping a fraudulent activity (such as a cyber criminal setting up a new account in the game, or a purchase from the in-game store using stolen credentials), but it connects cyber criminals working together so that the publisher can identify entire fraud rings and shut them down at once.

Gaming operators can customize business rules around geolocation, velocity, and negative device histories (including gold farming, code hacking, virtual asset theft, and policy violations) to identify nefarious account activity, or fraudulent use of stolen accounts. More than 2,000 fraud-fighting professionals contribute to iovation’s global database every single day, continuously strengthening the system while maintaining a safe and inviting environment for their players.
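Linking accounts that work together through the devices they share, as the posts above describe for gold farming rings, amounts to connected-component analysis over account/device pairs plus a velocity check on account creation. The example below is added here and is not iovation’s code; the event log, device ids and the known-bad device list are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed event log: (account, device_id, ISO timestamp, event type).
# Five farming accounts touch two devices; alice and bob each use their own.
EVENTS = [
    ("farm01", "dev_A", "2011-06-01T01:00", "account_created"),
    ("farm02", "dev_A", "2011-06-01T01:20", "account_created"),
    ("farm03", "dev_A", "2011-06-01T01:45", "account_created"),
    ("farm04", "dev_A", "2011-06-01T02:10", "account_created"),
    ("farm04", "dev_B", "2011-06-02T03:00", "login"),
    ("farm05", "dev_B", "2011-06-02T03:30", "account_created"),
    ("alice",  "dev_C", "2011-06-03T09:00", "login"),
    ("bob",    "dev_D", "2011-06-03T10:00", "login"),
]

# Constructed: negative history about a device, as shared across subscribing sites.
KNOWN_BAD_DEVICES = {"dev_B": "gold_farming"}


class UnionFind:
    """Disjoint-set forest: accounts that touch the same device end up in one set."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def account_clusters(events):
    """Group accounts that are linked, directly or transitively, through shared devices."""
    uf = UnionFind()
    first_seen_on = {}  # device -> first account seen on it
    for account, device, _, _ in events:
        uf.find(account)  # register singletons too
        if device in first_seen_on:
            uf.union(first_seen_on[device], account)
        else:
            first_seen_on[device] = account
    clusters = defaultdict(list)
    for account in {e[0] for e in events}:
        clusters[uf.find(account)].append(account)
    return [sorted(members) for members in clusters.values()]


def velocity_alerts(events, window=timedelta(hours=24), max_new_accounts=2):
    """Devices that created more than max_new_accounts within any sliding window."""
    created = defaultdict(list)
    for _, device, ts, kind in events:
        if kind == "account_created":
            created[device].append(datetime.fromisoformat(ts))
    alerts = {}
    for device, times in created.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_new_accounts:
            alerts[device] = peak
    return alerts


def ring_report(events, bad_devices):
    """Clusters containing a velocity-flagged or known-bad device, with every member account,
    so the operator can act on the whole ring rather than on the one account that tripped."""
    hot = set(velocity_alerts(events)) | set(bad_devices)
    devices_of = defaultdict(set)
    for account, device, _, _ in events:
        devices_of[account].add(device)
    report = {}
    for members in account_clusters(events):
        ring_devices = set().union(*(devices_of[a] for a in members))
        reasons = sorted(d for d in ring_devices if d in hot)
        if reasons:
            report[tuple(members)] = reasons
    return report
```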


Bad News For Banks: Courts Side With Customers

Who is responsible for financial losses due to fraud? The bank, or the customers whose accounts have been drained?

One Michigan judge recently decided in favor of Comerica Bank customers, holding the bank responsible for approximately $560,000 out of a total of nearly $2 million in unrecovered losses. A copy of the bench decision is available from Pierce Atwood LLP, and the firm also outlines significant highlights and observations regarding this case.

Clearly, the bank’s client, Experi-Metal, made some serious errors, but in the end, the bank paid the price. The court’s decision acknowledges that a vice president of Experi-Metal made the initial mistake of clicking on a link within a phishing email, which appeared to have been sent by Comerica but was in fact sent by a scammer. He then responded to a request for his Comerica account data, despite Comerica’s regular warnings about phishing scams and advice to never provide account information in response to an email. In doing so, the customer offered the scammer immediate online access to his company’s Comerica bank accounts. Naturally, the scammer began transferring money out of the accounts.

I’ll spare you the legalese and get to the nitty-gritty.

“The Court considered several factors as relevant to whether Comerica acted in good faith, including:

  • The volume and frequency of the payment orders and the book transfers that enabled the fraudster to fund those orders;
  • The $5 million overdraft created by those book transfers in what is regularly a zero balance account;
  • Experi-Metal’s limited prior wire activity;
  • The destinations (Russia and Estonia) and beneficiaries of the funds; and
  • Comerica’s knowledge of prior and current phishing attempts.

It was the Court’s inclination to find that a bank dealing fairly with its customer, under these circumstances, would have detected and/or stopped the fraudulent wire activity earlier. Furthermore, the Court found that Comerica “fails to present evidence from which this Court could find otherwise.”

This case means that Comerica and, by extension, all banks, must adhere more closely to the FFIEC’s recently released supplement to its previously released guidelines on authentication in an Internet banking environment, by adding multiple layers of security.

In this case, the computer or other device the scammer used to access Comerica’s website could surely have been traced overseas and flagged for: hiding behind a proxy, device anomalies such as a time zone and browser language mismatch, past history of online scams and identity theft, and the list goes on.
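As an added illustration (not Comerica’s, the court’s or iovation’s logic), here is a risk scorer that weighs the factors the court listed above together with the device signals named in this paragraph, the same signals the later posts on this page repeat; the weights, the customer profile, and the sessions and orders are constructed.

```python
from dataclasses import dataclass

# Constructed reference data: time zones and language prefixes consistent with a country.
# A real service carries a far larger table and a geolocation feed behind it.
COUNTRY_TIMEZONES = {
    "US": {"America/New_York", "America/Detroit", "America/Chicago", "America/Los_Angeles"},
    "RU": {"Europe/Moscow"},
    "EE": {"Europe/Tallinn"},
}
COUNTRY_LANGUAGES = {"US": {"en"}, "RU": {"ru"}, "EE": {"et", "ru"}}


@dataclass
class Session:
    """Device signals for the session submitting the order (constructed field names)."""
    ip_country: str             # where the connecting address geolocates
    browser_timezone: str       # as reported by the browser
    browser_language: str       # e.g. "en-US"
    via_proxy: bool             # connection arrives through a known anonymizing proxy
    device_history: tuple = ()  # negative evidence shared about this device, e.g. ("phishing",)


@dataclass
class WireOrder:
    amount: float
    destination_country: str
    balance_after: float        # negative means the order overdraws the account


@dataclass
class Customer:
    home_country: str
    prior_destinations: frozenset
    typical_orders_per_day: int
    normally_zero_balance: bool


def score_order(order, session, customer, orders_today):
    """Return (score, reasons, decision) for one wire order.
    Weights are illustrative; the factors are the ones the court and the posts list."""
    reasons, score = [], 0

    def hit(points, why):
        nonlocal score
        score += points
        reasons.append(why)

    # Factors the court weighed against Comerica
    if order.destination_country not in customer.prior_destinations:
        hit(20, f"new destination {order.destination_country}")
    if orders_today > max(3, 3 * customer.typical_orders_per_day):
        hit(20, f"velocity: {orders_today} orders today")
    if order.balance_after < 0 and customer.normally_zero_balance:
        hit(25, f"overdraft of {-order.balance_after:,.0f} on a zero-balance account")

    # Device reputation signals the posts describe
    if session.via_proxy:
        hit(15, "connection via proxy")
    if session.browser_timezone not in COUNTRY_TIMEZONES.get(session.ip_country, set()):
        hit(10, f"timezone {session.browser_timezone} inconsistent with {session.ip_country}")
    lang = session.browser_language.split("-")[0].lower()
    if lang not in COUNTRY_LANGUAGES.get(session.ip_country, set()):
        hit(10, f"language {session.browser_language} inconsistent with {session.ip_country}")
    for mark in session.device_history:
        hit(20, f"device previously linked to {mark}")

    decision = "block" if score >= 70 else "review" if score >= 30 else "allow"
    return score, reasons, decision


# Constructed customer modelled on the facts in the decision: limited prior wires,
# and an account that normally sits at zero balance.
EXPERI = Customer("US", frozenset({"US"}), typical_orders_per_day=0, normally_zero_balance=True)

# Constructed sessions and orders
OWN_DEVICE = Session("US", "America/Detroit", "en-US", via_proxy=False)
TRAVELING = Session("US", "Europe/Tallinn", "en-US", via_proxy=False)
HIJACKED = Session("US", "Europe/Moscow", "ru-RU", via_proxy=True, device_history=("phishing",))
ROUTINE = WireOrder(12_000, "US", balance_after=250_000)
NEW_VENDOR = WireOrder(12_000, "EE", balance_after=250_000)
FRAUDULENT = WireOrder(95_000, "RU", balance_after=-5_000_000)
```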

Financial institutions could protect users and themselves by incorporating device identification, device reputation, and risk profiling services to keep scammers out. Oregon-based iovation Inc. offers the world’s leading device reputation service, called ReputationManager 360, and is used by leading financial institutions to help mitigate these types of risk in their online channel.


Financial Institutions Can Protect Their Clients Using “Defense in Depth”

Back in 2005, the Federal Financial Institutions Examination Council (FFIEC) made security recommendations for banks and financial institutions in response to the increase of cybercrime. Since then, banks have implemented most, if not all, of these guidelines, and cyber criminals have responded by challenging each layer of security, by exploiting different technologies or coming up with new hacking techniques.

The latest security recommendations strongly suggest a layered or “defense-in-depth” approach, which the National Security Agency defines as a practical strategy for achieving Information Assurance in today’s highly networked environments. It is a “best practices” strategy in that it relies on the intelligent application of techniques and technologies that exist today. The strategy strikes a balance between the protection capability and cost, performance, and operational considerations.

The FFIEC recommends that financial institutions replace simple device identification with complex device identification, which most banks had already implemented long ago. Therefore, the next evolution of security is device reputation management, incorporating geolocation, velocity, anomalies, proxy busting, browser language, associations, fraud histories, and time zone differences. iovation, an Oregon-based security firm, offers this service and more.

The FFIEC also recommends that financial institutions replace challenge questions, which are often fact-based questions and can be easy to figure out with the use of social networking data, with “Out of Wallet” (OOW) questions that don’t rely on publicly available information.

Challenge questions include, “What’s your mother’s maiden name?” “What’s your Social Security Number?” “What are your kids’ names?” or “When were you born?” OOW questions are generally opinion-based, such as, “What is your favorite vacation spot?” “What is your favorite flavor of ice cream?” or “What is your favorite book?”

Keir Breitenfeld, Senior Director of Experian Decision Analytics, recently joined Device Reputation pioneer and leader, iovation, for a webinar presentation addressing the FFIEC guidelines. You can listen to his presentation on applying proportional treatment to risk-based authentication efforts and dynamically managing credit and non-credit data questions to mitigate fraud via the webinar.

Ultimately, financial institutions must implement a layered approach to security. iovation’s device reputation service is a must-have layer that contributes greatly to a defense-in-depth approach, assessing risk throughout multiple points on an institution’s website.


FFIEC Mandates “System Of Layered Security” to Combat Fraud

For any cave-dwelling, living-under-a-rock, head-in-the-sand, naïve, under-informed members of society who aren’t paying attention, we have serious cyber-security issues on our hands.

Black hat hackers, who break into networks to steal for financial gain, are wreaking havoc on banks, retailers, online gaming websites, and social media. Black hats cost these companies and their clients billions of dollars every year. They are using stolen usernames and passwords to transfer money through wire transfers, Automated Clearing House (ACH) and through billing fraud.

The Federal Financial Institutions Examination Council (FFIEC) has repeatedly made clear that, come January 2012, any lagging financial institutions will be required to significantly upgrade their security protocols. Since any existing form of authentication can be compromised, the FFIEC recommends that financial institutions institute systems of “layered security.”

Previous FFIEC recommendations discussed authentication, suggesting that the security issue takes place when a user logs in. But in fact, not all the danger occurs at login. Other website integration points are vulnerable to security issues, particularly at the point when money is transferred.

According to the FFIEC’s recent update:

“Fraudsters use keyloggers to steal the logon ID, password, and challenge question answers of financial institution customers. This information alone or in conjunction with stolen browser cookies loaded on the fraudster’s PC may enable the fraudster to log into the customer’s account and transfer funds to accounts controlled by the fraudster, usually through wire or ACH transactions.”

One of the FFIEC’s recommendations for financial institutions involves complex device identification. iovation, an Oregon-based security firm, goes a step further offering Device Reputation, which builds on complex device identification with real-time risk assessments, the history of fraud on groups of devices, and their relationships with other devices and accounts which exposes fraudsters working together to steal from online businesses.

Smart financial institutions aren’t just complying with the FFIEC’s security recommendations, but are going beyond by incorporating device reputation into their layered security approach.


Why Complex Device Identification Isn’t Enough

“Simple device identification” relies on cookies or IP addresses to confirm that a customer is logging in from the same PC that was used to create the account.

The Federal Financial Institutions Examination Council has explained the fallibility of this system:

“Experience has shown this type of cookie may be copied and moved to a fraudster’s PC, allowing the fraudster to impersonate the legitimate customer. Device identification has also been implemented using geo-location or Internet protocol address matching. However, increasing evidence has shown that fraudsters often use proxies, which allow them to hide their actual location and pretend to be the legitimate user.”

“Complex device identification” is more sophisticated. This security technique relies on disposable, one-time cookies, and creates a complex digital fingerprint based on characteristics including PC configuration, Internet protocol addresses, and geolocation. According to the FFIEC, complex device identification is more secure, and institutions should no longer consider simple device identification adequate.

While complex device ID is more sophisticated, the next level of security is Device Reputation. This strategy incorporates geolocation, velocity, anomalies, proxy busting, webs of associations, fraud histories, commercially applied evidence of fraud or abuse, and more.

According to Max Anhoury, Vice President of Global Sales for iovation, “Financial institutions looking to stop fraud while reducing friction for good customers must tie together multiple layers of fraud and risk management for a holistic layered approach. Just this week, iovation presented to hundreds of financial services Info Security professionals and business managers regarding the recent FFIEC guidance (along with Experian Decision Analytics) about finding the optimal process points to strike the right balance between fraud prevention, customer experience and cost.” You can listen to the FFIEC-related webinar presentation at: www.iovation.com/ffiec

If you work in the information security industry, complex device identification is nothing new. While the FFIEC recommends complex identification, you should really be doing something more. The truly forward-thinking have already moved on and are successfully leveraging the benefits of Device Reputation and shared device intelligence.

Simple device identification was in place before the FFIEC mandated it. Now they have mandated complex device identification, but leading InfoSec professionals are already doing more to protect their retail or commercial banking customers, by using device reputation.


Device Intelligence Helps Stop Scammers Targeting Social Media Sites

We’ve heard this story before, but unfortunately it happens over and over again. Social media and dating sites are overrun with criminals who pose as legitimate, upstanding individuals, but are really wolves in sheep’s clothing.

In Florida, a man named Martin Kahl met a 51-year-old woman and they developed an online romance. A quick search for the name “Martin Kahl” turns up many men with the same name and no obvious signs of trouble.

This particular Martin Kahl told his online girlfriend that he would soon be working in Nigeria (red flag) on a construction project, but a short time later he informed her that the job had fallen through. He cried poverty and asked her to send him money, which she did.

(If there are people in your life who might be prone to falling for a scam like this, please reel them in immediately. Any of their financial transactions ought to require a cosignatory.)

Anyway, during their affair, Kahl claimed he had been arrested (red flag) on some bogus charge, and requested that the woman bail him out to the tune of $4,000, which she most likely paid via money wire transfer (red flag).

All told, she sent the scammer at least $15,000 during their relationship. Sadly, social media sites can do more to protect their users, and should take advantage of information that readily exists for them to use — the known reputations on over 650 million devices in iovation’s device reputation knowledge base. Computers that are new to these social networks dealing with scammers and spammers are rarely new to iovation. They have seen these devices on retail, financial, gaming or other dating sites and will help social sites know in real-time, whether to trust them.

In the case above, the phone numbers used in the scam were traced overseas. The computer or other device the scammer used to go online could surely also have been traced overseas and could have been flagged for many things: hiding behind a proxy, creating too many new accounts in the social network, device anomalies such as a time zone and browser language mismatch, past history of online scams and identity theft, and the list goes on. Scammers in countries such as Ghana, Nigeria, Romania, Korea, Israel, Colombia, Argentina, the Philippines, or Malaysia conduct many of these scams, spending their days targeting consumers in the developed world.

Social media sites could protect users by incorporating device identification, device reputation, and risk profiling services to keep scammers out. Oregon-based iovation Inc. offers the world’s leading device reputation service, ReputationManager 360.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses Dating Security on E! True Hollywood Stories. Disclosures

Disclosing Data, Despite Breaches

The ticker tape of data breaches in the last few months has been astounding. Many have called 2011 “The Year of The Hacker” and that prognostication has rung true, without question. Halfway through the year, data breaches are an incessant news story.

And despite the constant stream of bad news, consumers continue divulging a tremendous amount of data to retailers, auction sites, dating sites, and gaming sites. While awareness of fraud and cybercrime is at an all time high, consumers seem to feel they don’t have much of a choice but to provide all their data.

People have grown to love the Internet and all the conveniences it offers, both commercially and socially. In my household, little people under five years old whack away at online iPhone games, never knowing what it’s like not to have the Internet.

Many seem to feel that their privacy is the price they must pay for all this connectedness and convenience, and are even willing to put their personal security at risk in exchange.

Scammers know and are capitalizing on this. There isn’t an online gamer, dater, social networker, or consumer today who isn’t at some level of risk.

While all necessary defenses must be employed to prevent hackers from compromising data, an additional layer of protection should be implemented to keep them off websites in the first place.

Every one of these platforms would do well to stem the tide of fraud by incorporating device reputation. One anti-fraud service offering fast and effective results is iovation’s ReputationManager 360. This service incorporates device identification, device reputation, and real-time risk profiling. Hundreds of online businesses prevent fraud and abuse by analyzing the computer, smartphone, or tablet connecting to their websites, and with iovation’s service, they stop 150,000 online fraudulent activities each day.
