Wednesday, August 20. 2008
The MMOs of the world may have to declare war on YouTube. Guild Wars is only the latest game to warn its players to ignore YouTube videos, one promising free ways to hack the game and another promising a beta entry for Guild Wars 2, according to Suzie Ford at WarCry Network.
YouTube is becoming the preferred way to distribute fake hacks to gullible players. It is easy to fake game hacks - giving away gold, boosting players' levels, issuing tons of loot, and pretty much everything else your heart desires - by using tools like Cheat Engine or MHS to alter the game client's state without actually hacking the real game.
It doesn't matter that there isn't a real hack, the game client looks perfectly hacked because it is.
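Why a memory-edited client looks hacked but isn't: the server keeps its own ledger, so the edited value never survives contact with a real transaction. The snippet below is an added illustration of that server-authoritative check, not code from this post or from any game; the account names, balances and request shape are constructed for the example.

```python
"""Server-authoritative purchase handling: a memory-edited client changes only
what the client displays, never what the server will honour.

Added illustration, not code from the original post or any game; the account
names, balances and request format are constructed for the example."""
from dataclasses import dataclass, field


@dataclass
class AccountLedger:
    """The server's own record of each player's gold (constructed sample data)."""
    balances: dict = field(default_factory=lambda: {"alice": 120, "bob": 40})
    # (player, balance the client claimed, balance the server holds), kept for review
    mismatches: list = field(default_factory=list)

    def purchase(self, player: str, item_cost: int, client_reported_gold: int) -> dict:
        """Decide a buy request on the server's ledger only.

        The client's own idea of its balance is never trusted; it is compared with
        the ledger purely as a tamper signal, because a client whose memory was
        edited to show a huge balance will report a figure the server never granted.
        """
        server_gold = self.balances.get(player, 0)
        if client_reported_gold != server_gold:
            self.mismatches.append((player, client_reported_gold, server_gold))
        if server_gold < item_cost:
            return {"ok": False, "reason": "insufficient funds", "balance": server_gold}
        self.balances[player] = server_gold - item_cost
        return {"ok": True, "balance": self.balances[player]}


if __name__ == "__main__":
    ledger = AccountLedger()
    # A "hacked" client displaying 999,999 gold still cannot buy a 500-gold item.
    print(ledger.purchase("alice", item_cost=500, client_reported_gold=999_999))
    print(ledger.mismatches)
```

The mismatch list is the useful by-product: a client that reports a balance the server never issued is either running a fake-hack video's "tool" or something worse, and customer service can be told which before the player writes in to ask why the free gold vanished.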
Unfortunately, the only thing that game companies can do is educate their players.
... though adding tools to unravel fraudulent transactions can help... and the World of Warcraft authenticator isn't a bad thing either.
Tuesday, August 19. 2008
GamesIndustry.biz has an interview with David Perry of Acclaim Games. Buried at the end of the interview is the interesting fact that they are seeing $75 per customer (paying customer?) in their games... which use the free-to-play/virtual item model as well as advertising.
The key in online games is to keep infrastructure costs down. One of the problems that some Asian online games have had coming to the US is that the Internet infrastructure is a lot less expensive (and more advanced) in Korea than in the US. This has made some games unprofitable to operate here.
A Legend of Mir player is suing Shanda for 11,000 Yuan ($1600) for emotional distress over having his account frozen. He also wants his virtual items back, of course.
I'm not a fan of banning, but this could be a dangerous trend that game developers and operators will have to watch.
(via Pacific Epoch)
Monday, August 18. 2008
Often in security, the devil is in the details. In a nice bit of security analysis from back in 1999, Reliable Software Technologies assessed PlanetPoker's shuffling algorithm and found a number of problems. Check out their work.
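The two questions that analysis asked of the shuffle were whether every ordering of the deck comes out equally often, and how many orderings the random seed can reach at all (the report found a non-uniform shuffle and a seed far too small for 52! orderings). The code below is an added example of how to test a shuffle routine for both defects; it is not the report's code or PlanetPoker's, and the biased naive_shuffle is the textbook "swap with any index" mistake, used only as the specimen to test.

```python
"""Two checks an analyst can run on a card-shuffling routine: does every ordering
come out equally often, and how many orderings can a small seed reach at all?

Added example, not code from the Reliable Software Technologies report or from
PlanetPoker; naive_shuffle is the textbook "swap with any index" mistake, used
here only as the biased specimen to test."""
import random
from collections import Counter
from itertools import product


def naive_shuffle(deck, pick):
    """Biased: swaps position i with an index drawn from the whole deck.
    pick(lo, hi) returns an integer in [lo, hi)."""
    d = list(deck)
    n = len(d)
    for i in range(n):
        j = pick(0, n)
        d[i], d[j] = d[j], d[i]
    return d


def fisher_yates(deck, pick):
    """Unbiased: position i is swapped only with an index in [i, n)."""
    d = list(deck)
    n = len(d)
    for i in range(n - 1):
        j = pick(i, n)
        d[i], d[j] = d[j], d[i]
    return d


def exact_distribution(shuffle, deck, ranges):
    """Drive the shuffle with every possible sequence of index choices and count
    the ordering each one produces. With a uniform RNG every sequence is equally
    likely, so unequal counts prove the shuffle itself is biased, whatever RNG
    sits underneath it."""
    counts = Counter()
    for seq in product(*ranges):
        it = iter(seq)
        counts[tuple(shuffle(deck, lambda lo, hi: next(it)))] += 1
    return counts


def is_uniform(counts):
    """True when every ordering was produced the same number of times."""
    return len(set(counts.values())) == 1


def reachable_orderings(shuffle, deck, seed_bits):
    """Seed a PRNG from every k-bit value and count the distinct orderings produced.
    However good the shuffle, a k-bit seed reaches at most 2**k of the
    len(deck)! possible orderings (52! is about 8e67)."""
    seen = set()
    for seed in range(2 ** seed_bits):
        rng = random.Random(seed)
        seen.add(tuple(shuffle(deck, rng.randrange)))
    return len(seen)


if __name__ == "__main__":
    deck = ["A", "B", "C", "D"]
    n = len(deck)
    naive = exact_distribution(naive_shuffle, deck, [range(n)] * n)
    fair = exact_distribution(fisher_yates, deck, [range(i, n) for i in range(n - 1)])
    print("naive uniform?", is_uniform(naive), sorted(naive.values()))
    print("fisher-yates uniform?", is_uniform(fair), sorted(fair.values()))
    print("orderings reachable with an 8-bit seed:",
          reachable_orderings(fisher_yates, list(range(52)), 8))
```

The exhaustive check works because a four-card deck has only 4^4 = 256 naive swap sequences against 24 orderings, and 256 is not divisible by 24, so some orderings must come out more often than others; the same argument holds for 52 cards, where it cannot be enumerated but can be sampled. The seed check is the other half of the devil-in-the-details point: a perfect shuffle driven by a 32-bit seed still reaches only about four billion of the 52! decks.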
Diablo III is coming out soon (hooray!). To date, Diablo and Diablo II have sold 18.5 Million copies. It would be fascinating to see the long term sales chart for the series (via MCV).
Saturday, August 16. 2008
Internet cafes in China account for 40 percent of the country's $2.5 Billion in online gaming revenue (projected for 2008), according to research by Niko Partners as reported by Dean Takahashi at VentureBeat. Some key numbers:
- There are an estimated 21.9 million computers installed in 185,000 Internet cafes in the country. Overall, Internet cafes generate $20 billion in revenue a year.
- Internet cafes are dominant in smaller cities, but even in Beijing and Shanghai, players go to cafes to socialize and compete with their friends.
This model is very important for game developers looking at other developing economies. Few games really seem to actively court Internet cafes as business partners. A notable success and exception is Giant Interactive who partners heavily with cafes, particularly in smaller markets (see previous articles).
Friday, August 15. 2008
Mathew Kumar has a good interview at Gamasutra with Gene Hoffman, CEO of Vindicia, about payment security issues. The article also includes a reference to a good article by Mr. Hoffman at E-Commerce Times.
Some key facts:
- Acceptable chargebacks for VISA - up to 1 percent
- Acceptable chargebacks for Mastercard - up to 0.5 percent
- Hoffman advocates running at the edge of this limit to maximize market size
- Fighting a chargeback - $10 to $15 (for merchants with intangible - technically free - items)
- Weak current ability to link accounts to in-game activities & fraud
- Highlights the average customer lifetime value (ACLV) as a key factor (and why games may choose to ignore fraud as ACLV could average hundreds of dollars, but the cost of a chargeback is $15).
- Because secondary markets and free-to-play games tend to be lower margin, the analysis works the other way and aggressive fraud protection is the norm.
Payment security issues don't get enough attention and are especially critical for non-tangible goods, like digitally distributed games, online game subscriptions, or virtual goods.
A couple of disagreements:
1. I think debit based payments are going to grow and perhaps overtake credit card based payments for games. This is going to be good from a fraud perspective, but does weaken identity.
2. I distinguish micro-transactions for the price of items from micro-payments. The US infrastructure is a long way from being able to handle micro-payments. Instead, consumers will either purchase payment credits in bulk via pre-paid cards or their electronic equivalent.
3. I suspect that the Free-to-Play model is going to overtake subscriptions. The big problem will not be from payment issues or identity, but rather the cost of online infrastructure in the US. Like Asia, we are probably going to see more peer-to-peer gaming.
An issue that was not addressed at any length is the problem of real criminal gold frauders using fraudulent accounts to launder their fraudulent purchases:
1. Gold Frauder buys a game account with a stolen credit card from game operator.
2. Gold Frauder buys gold, accounts, etc. from other players with stolen credit card.
3. Gold Frauder sells gold, etc. to other players with real credit card. (perhaps after passing gold through a couple of accounts for laundering)
4. Gold Frauder has party.
5. Game has customer service nightmare.
6. If legitimate secondary market is permitted, that provider has a nightmare problem as he lacks an alternate revenue stream.
7. Good luck catching the gold frauder.
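The weak point the interview notes, linking accounts to in-game activity, is exactly what catching this chain needs: once the processor reports the card in step 1 as charged back, the gold it bought can be followed through the laundering accounts to whoever ended up holding it. The following is an added example of that trace, not code from the interview or this post; the event log format, account names and card tokens are constructed for illustration.

```python
"""Following gold that was bought with a charged-back card through the accounts
it passed to, the laundering chain sketched above.

Added example (not from the interview or the post); the event format, account
names and card tokens are constructed for illustration."""
from collections import defaultdict, deque

# Constructed sample event log: (event_type, source, destination, gold_amount)
EVENTS = [
    ("card_purchase", "card_STOLEN1", "acct_fr1", 5000),   # frauder funds acct_fr1 with a stolen card
    ("gold_transfer", "acct_fr1", "acct_mule1", 4900),     # gold passed through intermediate accounts
    ("gold_transfer", "acct_mule1", "acct_mule2", 4800),
    ("gold_transfer", "acct_mule2", "acct_buyer1", 2000),  # sold on to other players
    ("gold_transfer", "acct_mule2", "acct_buyer2", 2700),
    ("card_purchase", "card_OK7", "acct_honest", 200),     # unrelated legitimate activity
    ("gold_transfer", "acct_honest", "acct_buyer1", 150),
]
# Cards the processor later reported as charged back (constructed)
CHARGEBACKS = {"card_STOLEN1"}


def build_graph(events):
    """Adjacency list: source -> [(destination, amount, event_type)]."""
    graph = defaultdict(list)
    for kind, src, dst, amt in events:
        graph[src].append((dst, amt, kind))
    return graph


def tainted_accounts(events, chargebacks, max_hops=4):
    """Breadth-first walk from each charged-back card along purchases and transfers.

    Returns {account: hops from the card}. The hop limit keeps the flag from
    spreading across the whole economy; accounts at the far end are leads for
    customer-service review, not proof of involvement."""
    graph = build_graph(events)
    hops = {}
    queue = deque((card, 0) for card in chargebacks)
    while queue:
        node, d = queue.popleft()
        if d == max_hops:
            continue
        for dst, _amt, _kind in graph[node]:
            if dst not in hops:
                hops[dst] = d + 1
                queue.append((dst, d + 1))
    return hops


def tainted_gold(events, chargebacks, max_hops=4):
    """Gold each flagged account received from another flagged account.

    This is an upper bound: it does not subtract what an account passed on, and
    legitimately acquired gold arriving at the same account is not counted."""
    flagged = tainted_accounts(events, chargebacks, max_hops)
    received = defaultdict(int)
    for kind, src, dst, amt in events:
        if kind == "gold_transfer" and src in flagged and dst in flagged:
            received[dst] += amt
    return dict(received)


if __name__ == "__main__":
    for acct, h in sorted(tainted_accounts(EVENTS, CHARGEBACKS).items(), key=lambda kv: kv[1]):
        print(f"{acct}: {h} hop(s) from a charged-back card")
    print(tainted_gold(EVENTS, CHARGEBACKS))
```

Note that acct_buyer1 is flagged at four hops even though part of its gold came from acct_honest: the end of the chain is usually an ordinary player who bought gold, which is why step 5 is a customer service nightmare and why the output here is a worklist, not a ban list. Freezing everything the walk touches is how you end up on the receiving end of the kind of lawsuit mentioned above.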
Thursday, August 14. 2008
I’ve long enjoyed the engineering truism “Good, Fast, or Cheap, choose Two”. So, if you want something Good and Fast, it won’t be Cheap and if you want something Fast and Cheap, it won’t be Good. I think the security field needed something similar, so here’s my stab at it:
“Lazy, Cheap, or Stupid: any one will get you”… or some such.
To an outsider, security often looks like a black art. The field is full of magic words: “rootkits”, “worms”, “viruses”, “hackers”, “penetration tests”, amazing sagas, embarrassing failures, and spectacular capers. Scratch the surface, however, and you’ll find that almost all security problems arise from one or more basic human failings: Lazy, Cheap, or Stupid. Security’s Three Deadly Sins.
Lazy
There is depth and even some “rocket science” as you learn the art of security, but the reason many security experts can appear to work miracles and divine problems after taking only a cursory look at an organization or system or project comes from 1) the recognition that security is not a primary concern of most people, 2) that when you don’t care about something, you tend to take shortcuts and cut corners, and 3) people are wonderfully consistent, especially in how they cut corners.
Of course, things aren’t quite that simple. You need to have a good deal of knowledge of development practices, programming, system design, project management, business planning, and human nature to pull these miracles off. Once someone describes a security problem for me, the first thing I think about is “what would be the easiest way to do this?” and, because the easiest way is rarely the right way, “what is the easiest way to exploit it?”
Habits are wonderful. In the game industry, the biggest cheating problems come from the fact that most developers start by programming a single-player game and then add multi-player features. For piracy, even though everyone knows about piracy and complains about piracy, they don’t actually seem to think about piracy until the game is about to launch. Part of this is the legacy of how computer games have typically been developed (where anti-piracy features were added to the CD itself for production), but laziness, cheapness, and stupidity creep in.
The game industry is not alone. I’ve been brought in on classified government projects after years of development and many millions of dollars spent, where security only came up because someone noticed that the system needed to be accredited before it was allowed to operate.
Cheap
Security never has a budget. Or, at least, it never has a decent one. It is a legitimate problem. Security rarely shows up as a positive revenue line item. It is always portrayed as a cost with nebulous benefits at best. Interestingly, one of the things I like best about the game industry is that its security problems are so closely tied to its business. It is very hard to argue from a business perspective whether one firewall is better than another or whether we should invest in an intrusion detection system. Not so for the games industry.
Piracy costs sales. As a security analyst, I can make estimates of those costs and the benefits of my anti-piracy strategy and present a reasonable business case to management for a budget. While cheating has not been seen to be a major problem in the traditional, single-player game industry, as games move to multi-player and the industry transforms from a product sales business to a service business, suddenly cheating becomes much more important (and, if you are in the skill games, contests, or gambling side of the industry, cheating and game integrity are already central issues). Similarly, payment processing, identity, protecting children, and the other topics that I will discuss are not theoretical problems. They can cost your business money or, even worse, give you the opportunity to deal with irate customers or governments.
Stupid
The game industry is unique. Just ask them. Of course, every industry is unique. Just ask them. Developers in every industry are rightfully proud of their accomplishments and eager to hurry their products to market. After a long slog of development and hopefully some testing, most developers are rather confident about their product’s ability to work well. In Physics, Work equals Force times Distance. If you don’t go anywhere, you haven’t done any Work. The remorseless Gods of Security don’t care how hard you worked or who you are. Hackers just care about what you have actually done. When I made my first security presentation to the game industry in 2000, developers shared horror stories of players hacking Flash games just to get high scores on their individual sites. Eight years later, players are still hacking Flash games to get high scores to win prizes and lots of cash… and causing some large companies serious grief in the process.
Gold farming isn’t a new problem and people have been creating bots since the early text MUDs, but pretty much every modern MMO has continued to be plagued by these attacks. Only now, instead of a couple of guys running a game on a university server, the gold farmers are earning millions, if not billions of dollars, and chewing up entire customer support teams while major game publishers are spending untold dollars suing small bot builders knowing full well that another will spring up, probably in a jurisdiction beyond the effective reach of their lawyers.
The best way to avoid security problems is to simply acknowledge them at the start of a project and address them early in the process. Or, at the very least, ignore them consciously. It is simply Stupid to do otherwise.
The good news is that solving many of your security problems may be as simple as adding “Remember Security” to your project’s PowerPoint templates.