PlayNoEvil - Game Security, IT Security, and Secure Game Design Services

Game accounts get hacked. Players lose their "stuff" and investment of time... and they take it very personally.

Marcus Eikenberry of MarkeeDragon has a video about the problem of players losing their accounts due to the account being hacked. He notes that most games basically shrug off the problem and "blame the player", though sometimes game operators will make an effort to "investigate" and "return" players items.

I've argued previously that game companies should be very aggressive about restoring player assets. There is a cost in terms of customer service associated with any sort of "investigation". If the game company does restore the assets, there is a huge amount of good will with the customer while if the items or other account assets are lost, the player may well just quit (both scenarios are discussed in the video - Blizzard gets credit for restoring some of the player's stuff).

The Customer Service Perspective

For a subscription game, this should be a no-brainer - just give the items back (at least the first time).

For a Free-to-Play game, this should almost be a no-brainer... anyone who has invested real money is much more likely to invest more.

For either case, if you are quesy about "disrupting the game economy" (PLEASE, one user or some small number of users?), charge a fee (I'd have 2 tiers - one for players who pay in advance for "account recovery" insurance and another for those who want their account fixed)....

... and I'd require them to buy a security token at the same time (I'd also give free restoration for players who use security tokens).

The Player Perspective

I see three options here that start with the same step:

1. Gather a petition list of players who have had their accounts looted in a specific game (include copies of trouble tickets, etc. for substantiation).

Option 1 - Call the Feds (with Friends) - With a large number of players, you can show a large implied dollar value lost (play time at minimum wage, current "resale" value of the accounts) and a large number of victims. The US is not taking identity theft nearly as seriously as it should. By putting together a big case, you've got something that can catch law enforcement's (and the media's) interest... as in the video... move yourself to the top of the pile.

Option 2 - Petition the Game Company - The Publicity Attack - large groups of people can get attention in a way individuals can't. If there are hundreds or thousands of victims, you can get the company's attention... the media can help a lot here.

Option 3 - Sue the Game Company - Players are spending a lot of money on these games and there is an implied level of service. With a large set of names, you may be able to form a class action suit, at a minimum with the goal of getting the company (and others) to change its practices. One lawsuit of this sort may cause a real change in the view of customer service for the industry.

Wow!

It looks like a digital version of my book Protecting Games has been released at Safari Books!

Check it out and let me know what you think.

The traditional version is available, of course, at Amazon and elsewhere.

Public Relations (PR) is a key part of security incident response. You need to keep your partners, customers, and potential partners and customers (the public and press) informed of what is going on... at least at some level.

Last week, several online news sites and forums broke a story about NCSoft having some serious problems with its master account which may have been causing a large number of incidents of account theft and, disturbingly, people logging in and finding themselves in control of some other customer's account.

I have been following these stories... the scenario did not make too much sense (logging into OTHER people's accounts?!?!?!) and I wanted to wait for the dust to settle.

It hasn't.

Instead, there seems to be a growing tide of stories about some sort of pretty serious security problem at NCSoft with no systematic response from the company.

Messages on community forums don't count.

At this point, it looks like the story is getting away from NCSoft. While the coverage has been restricted so far to online games news and community sites, there is a potential for the news to cross over to the mainstream press.

Also, depending on the nature of the problem, NCSoft may need to notify customers under California (and other) data disclosure laws if personal information has been compromised (something the company faced in Korea several years ago).

We will see if NCSoft moves to get ahead of its perception problem in the next couple of days... and if they ever disclose anything about what the underlying security problem is or was.

A. Meer (2010), "Guild Wars Wars: NCSoft’s Security Scandal", http://www.rockpapershotgun.com/2010/01/04/guild-wars-wars-security-scandal/#more-23341 .... among many others.

Demos are an increasingly popular tool to promote games. You give players some time to play with a free download, limited by time, features, or content, and then hope you've teased them enough to convert to a sale.

Why not? After all, bandwidth costs are low (if not negligible) and players will then be able to see what you are selling them and get a taste of the game.

Which may be the problem.

A Digression on the Music Industry

If you look at the music industry, the online revolution has changed how music is purchased. The most important change is not that people are buying (or pirating) online, but that they are no longer buying albums, but singles. This single change is likely for a huge portion of the loss of revenue for the music industry. After all, in the "old" days, if you wanted a song, you bought the album of 10 to 15 songs for $10 to $20 (a nice, but bundled, deal). Now, if you want a song, you buy it, probably for $0.99 or at most $1.29. If the "album" is good, you may only buy 3 or 4 songs that you really like... and you have made $4 to $5 in purchases...

A huge haircut for the industry that could account for a large part of its revenue losses without any piracy at all.

End Digression

For the game industry, we have a different problem. A large number of players abandon games. Often after playing only an hour or so. They do so for a number of reasons: they don't like the game, they don't like the controls, they get stuck, or they are "satisfied" with the experience and ready to move on to something else.

A mini version of Peggle came with my purchase of the Orange Box. I played through the levels and never felt the need to purchase the game. Conversely, I picked up a copy of Titan Quest and totally hated the controls and quit after playing an hour or so.

Demos give all of these players a free way to "complete" their game experience.

And don't even provide as much money for the game company as a single does for a music publisher.

The goal is to maximize revenue.

If we build a simple model, we can see what the problem is:

Our revenues are based on the Number of People Purchasing the Game (NumPurch) times the price of the game (GamePrice).

Rev = NumPurch*GamePrice

We have 2 choices. We can not give away a demo or we can provide one.

The value of the Demo is the increased number of games purchased:

DemRev = AddNumPurch*GamePrice

However, there are also some people who would have purchased the game at risk without the demo who, if a demo is available, try the demo and choose not to purchase the game:

DemRev = (AddNumPurch-Defectors)*GamePrice


And, of course, demos aren't really free. You still have to pay something to distribute them.

DemRev = (AddNumPurch-Defectors)*GamePrice - (NumDemos)*DistCost

If you have a good game that draws the players in with the demo and drives them on to purchase the rest of the game, you are in good shape. However, demos are often arbitrary initial slices of games. They are not designed as seducers, but are simply the initial "piece" of the game. If you read game reviews, you will often hear about games that "really pick up" after the first 5 or 6 hours.

Does your demo even get to this content?

If not, you've lost a sale.

Now, lets consider piracy.

Pirate copies of a game (assuming no DRM or code tweeks that, if a pirate copy is detected damage game play) can only result in additional revenues.... and may be better for a game company than demos.

Why?

Players can play the entire game and may decide that the game is "worth purchasing" (hey, the pirates say this all the time).

One "nice" feature of pirates, is that you aren't paying for distribution. So, any revenues you get from pirates who convert to legitimate sales will be revenue in your pocket. If they don't like the game, there is no additional cost. The only lost revenue is from players who would have bought the game if it was not pirated at your full price... a number that appears to be pretty small, based on the very few studies in this area (and certainly reflected by the lack of investment in anti-piracy by gaming firms).

AddPirateRev = AddPirateNumPurch*GamePrice

(Game companies could almost certainly include code in the games that would allow them to track Pirate-to-Sale conversions)

Nagware + Piracy may be better than Demos

Conceptually, game publishers would do better by selling demos and using the demo price as a full discount towards the full purchase of the game.

Episodic games revisited.

An episodic model may work better for the game industry (at least in the PC space) as publishers can lower the initial acquisition cost and then allow players to purchase increments of content or the entire game later with different discount models (or no discount model). This may also have a real impact on fighting piracy if it is combined with an easy distribution and sales process - the power of Apple's App Store is that it is so easy to buy and install apps... ease of use is key.

Google's days are numbered.

While Google is an amazing company in many ways, financially, it is a one-trick pony and that trick is ads, not search. AdWords & AdSense are totally brilliant and should be the target of any competitor, not fiddling with search algorithms.

The problem with search-based ads is that they are essentially anonymous. In some sense, the main benefit to Google of adding applications and mail is that Google is somewhat penetrating the default anonymity of the web... where cookies reign supreme.

But my gmail address does not tell much about me... and even analysis of the text of all of my mail messages is going to give great insight into who I am.

There has been a lot of attention on Facebook's traffic growth. In September, Facebook was responsible for 25% of US page views. Apparently, Facebook has just surpassed Google as the most popular site on the web.

Which still doesn't matter.

What matters is that Facebook users happily provide a wealth of personal information to the company. We provide information about where we live, who we work for, our interests, our friends, etc. etc. etc. etc. ... all in a nice, highly structured format.

It is a marketeer's fantasy made real.

To date, Facebook seems to have focused its revenue collection on internal ads... just as Google did. The problem with internal ads in Facebook is that users are actually interested in the destination pages within Facebook. It is a much smaller step from search to "paid search" than it is from the latest news from my friends.

Search ads are all about the "near miss" - where the target web page is of interest, but the visitor's goal can be found in a paid ad.

The next step is where things get interesting.

Once Facebook launches its own external ad network to compete with AdWords & AdSense, Google will be facing a competitor who knows a lot more about the ad viewer than Google does. AdWords is predicated on an analysis of the destination site to determine what ads are "relevant" for that site. Facebook's service can use some site information, but, more powerfully, it will be able to tap its deep user profile information to serve ads that reflect both.

In addition to more effective ads, Facebook should be able to offer "higher level" marketing services such as promotions and other incentives (the effectiveness of offers and virtual currency incentives used on top of Facebook is a scary tribute to their power). Moving these services off of Facebook's own pages should lead to much higher conversion rates and valued clicks and actions. Facebook is well positioned to provide an end-to-end service from marketing to e-commerce.

After all, if you own my online identity, you own me.

P. Kafka (2009), "Mark Zuckerberg Spends Christmas Dethroning Google", http://mediamemo.allthingsd.com/20091229/mark-zuckerberg-spends-christmas-dethroning-google/

An organized team that used a trojan software program to target online games has been busted by China's government. The 2 trojan authors apparently earned $140,000 while the rest of the gang may have earned $4.3 Million (30 million Yuan).

11 members of the group have already been sentenced and there may be as many as 80 participants going to jail.

The gang stole 5.3 million passwords which were likely used to loot and resell items from the players accounts as well as use them for "gold spamming" (marketing game currency to other players).

It is nice to see China's government go after online criminals. We see very few cases in the US in spite of the size of online fraud. In the future, however, these cases are going to be more difficult as the criminals may be located in other jurisdictions.

"China jails 11 over online games scam", http://news.yahoo.com/s/afp/20091217/tc_afp/chinainternetcrime

via

M. Humphries (2009), "Online games trojan sees 11 jailed in China, 69 more could follow", http://www.geek.com/articles/games/online-games-trojan-sees-11-jailed-in-china-69-more-could-follow-20091217/

There has been rampant speculation about some sort of new tablet from Apple and that this is somehow going to be the "next big thing".

Apple may build a tablet, the big money is going to be in Apple TV. The logical next step is to move aggressively into the set top market.

While Apple does make money on the iPhone, it makes a ton of money on the App Store and iTunes. It uses its market power to ensure it gets a healthy piece of revenue no matter what a consumer purchases and Apple doesn't have to create content.

A tablet would tend to take revenue away from the iPhone/iTouch and the company's notebook computers without really adding a major new revenue stream.

The set top is fertile ground.

It is worth looking at the real brilliance of the iPhone - the App Store. The App Store broke the carriers' stranglehold on content on phones (whether it is a good business for developers in the long haul is a different question).

Cable companies are pretty much the same. They've locked down their platform. Products like TiVo have (sadly) been unable to gain major headway against the proliferation of underpowered cable boxes because they really are not much more than a slightly better set top.

Sound familiar?

The game consoles do have the ability to compete here, but they have also not really positioned themselves seriously as set top alternatives. More importantly, the consoles have totally failed to open themselves up to innovative applications. The "certification" process is a stumbling block, not a bar of quality - especially with very unsure revenues for application once they are available.

profitable, consumer friendly platform + Apple amazing UI + App Store / iTunes / iMedia = Apple TV done right

SIDE NOTE ... and whoever goes after the set top should get smart and allow external hard drives from third parties. The big money is in the App Store, not hard drive sales (I'm looking at you game consoles!).

WACKY THOUGHT ... the other company that might go here would be Nintendo. Apple vs. Nintendo - the battle of the white boxes.

Sony has launched a web site - http://www.ps-playsafeonline.com/ - to encourage safe gaming for kids in many countries. The site is targeted as parents about appropriate gaming as well as helping with reporting problems if they occur. The site supports many countries and I didn't see a section for the US.

This is great and, hopefully, Sony will follow up with an extended campaign to increase awareness of the site and its tools.

What would be even better would be if game industry leaders would cooperate to create a sustained campaign to educate parents and kids about safe gaming and providing tools to deal with problems. Pretty much every company has launched one of these campaigns over the years. What has happened previously as that companies launch these programs and don't support them.

Do you remember Microsoft's PlaySmart or NCSoft's PlaySmart programs?

I devote a chapter to Protecting Kids in my book Protecting Games.



L. Plunkett (2009), "Sony Promoting Safe Online Play With Handy Website", http://kotaku.com/5433385/sony-promoting-safe-online-play-with-handy-website

Square Enix is taking action, probably under DMCA, against sites that sell third party software for its MMO Final Fantasy XI.

Use of third party software is prohibited under Final Fantasy XI's Terms of Service.

They claim that they are going to go after players who use the programs as well as the programs' developers.

This is analogous to Blizzard's efforts against the Glider application.

"Regarding Malicious Third-Party Programs used in FINAL FANTASY XI (12/24/2009)", http://www.playonline.com/ff11us/index.shtml

Regarding Malicious Third-Party Programs used in FINAL FANTASY XI (12/24/2009)

Over a period of time, we have been monitoring an individual responsible for the creation, sale and distribution of 2 third party tools in violation of the rules of the FINAL FANTASY XI service and various state and federal laws. The tools were utilized by players and gil farmers to gain an unfair advantage over other players in a variety of ways. As a result of our investigation, we have taken appropriate action against the individual, have halted distribution of the programs and have disabled the servers used to run them.

We are in the process of investigating other third party tools originating in the U.S. and abroad and will take similar action against the creators and their customers when we are ready to do so. We have a zero-tolerance policy against any attempts to artificially manipulate FINAL FANTASY XI gameplay or the PlayOnline service. Usage of third-party tools will not be tolerated within the FINAL FANTASY XI community, and we will continue to ban user accounts for consumers of these products and will potentially take legal actions against those who create the tools.

We would like to remind players that, in addition to adversely affecting game balance, using third party tools or cheats can also have potential consequences that are not immediately obvious, as they often contain damaging viruses and Trojan horse programs, which may result in the transmission of account details.

We continually strive to create a fun and balanced environment for FINAL FANTASY XI, and we hope that our efforts ensure that our players continue to enjoy the experience.

Thank you for your continued cooperation and understanding.

via

E. Lefebvre (2009), "Final Fantasy XI cracks down on cheating", http://www.massively.com/2009/12/26/final-fantasy-xi-cracks-down-on-cheating/

Gambling has three elements:

1. A payment or consideration to enter (something of value).
2. An element of chance.
3. A prize (also something of value)

Lotteries are fairly popular in online games (as are traditional gambling mini-games). The traditional argument against these games being gambling is that there is no way for currency or items to "exit" the game. However, that is not what the legal definition implies...

... and games are leaky.

CCP Games' Eve Online space-based MMO has added the ability for players to convert between the in-game currency and PLEX which can be purchased directly or used for subscription time.

PLEX clearly has official value.

An Eve player is operating an in-game lottery where players can win high value ships. The ability to convert ships to the game's currency (ISK) and convert ISK to PLEX clearly implies that the input ISK has value as do the output ships.

Payment CHECK
Chance CHECK
Prize CHECK

J. Egan (2009), "EVE player run lottery offers some of game's rarest ships", http://www.massively.com/2009/12/28/eve-player-run-lottery-offers-some-of-games-rarest-ships/#continued