Japanese Man Arrested For Virtual Theft

Kethinov writes "The Daily Yomiuri is reporting that a 21-year-old man was arrested for "illegally accessing an Internet game server to sell a virtual 'house' owned by a woman to another game participant for 50,000 yen, police said Thursday. According to the MPD, Ryusei Sakano of Itabashi Ward, Tokyo, posed as a female game player he met online while playing 'Ultima Online,' a popular Internet-based game. Sakano reportedly asked the game's system administrator to provide the female player's entry password on the pretext that she had lost her password to the game.""

for the inevitable slashdotting..

[siliconshock.com]

'Ultima Online' hacker arrested over 'house' sale
Yomiuri Shimbun

The Metropolitan Police Department has arrested a 21-year-old man on suspicion of illegally accessing an Internet game server to sell a virtual "house" owned by a woman to another game participant for 50,000 yen, police said Thursday.

According to the MPD, Ryusei Sakano of Itabashi Ward, Tokyo, posed as a female game player he met online while playing "Ultima Online," a popular Internet-based game.

Sakano reportedly asked the game's system administrator to provide the female player's entry password on the pretext that she had lost her password to the game.

The police said Sakano then used the female player's password to illegally access the company's U.S. computer server for the game a total of seven times over a period of three months from September.

According to the MPD, Sakano took advantage of the fact that the game's virtual gold pieces--used by players as a virtual currency--can be traded through bulletin boards. He sold a virtual house belonging to the female player valued at 25 million gold pieces for 50,000 yen, the police said.

50,000 yen = about $417 (USD)

(just in case anyone was wondering)

-- Guges

This sure isn't the first case of UO house fraud

[Jarnis]

Anyone who has followed/played UO over the years knows that all kind of fraud happens all the time. This case is notable because the guy both illegally accessed the account of another person by social engineering the password (this is clearly illegal in most countries), and surprisingly *got arrested* for his stunt. I could dig you numerous stories of people being frauded out of their virtual possessions thru old fashioned tricks or outright password stealing using trojans and social engineering emails designed to lure the victimg to disclose his account details.

In previous cases these incidents have usually been ignored by law enforcement, as it's understandably hard to explain how someone 'stole' stuff from you when it's all bits on some game server. So most cases are handled by EA/Origin customer support, and while sometimes the stuff is restored by the game admins, there are plenty of cases when the thief got away scot free since the situation was 'word against word' and EA/Origin decided not to interfere.

Looks like in this case the person losing the stuff went further than EA/Origin customer support and got law enforcement onto the case - and they actually responded and arrested the guy!

Re:Theft?

[The+Only+Druid]

There's an argument in several models of jurisprudence (notably realism and Dworkinism) that fraud, when it causes economic loss, is no different from theft. Or, if its different at all, it is not a seperate crime but instead a sub-class of theft.

In this interpretation, the definition of theft becomes something like "The deprivation of a person's rightful and legal property through illicit means." With such a definition, its clear that there's some difference between knocking you down and robbing you, and stealing your Ultima password and selling your stuff, but both would be theft.

Re:Virtual Arrest and Virtual Fine

[Ninja+Master+Gara]

¥50,000 == $414.38

Exchange is just over ¥120 to $1

Re:50,000 yen = about �256 (GBP)

[terrencefw]

for us brits.

Re:Idiot Admin

[Bartmoss]

For a game, using a registered (and verified during sign-up!) email address might be sufficient. For more serious issues, yes, photo-id should be required in my book. And handing out existing passwords is even worse than resetting a password, because many people re-use their passwords on other systems, or have some sort of system for their password choice, which could be guessed at by obtaining a sample.

Try an E-Bay Search

[Greyfox]

Search E-Bay for "Ultima Online" or "Everquest" sometime. I've seen prices go well over $1,000 USD there for primo accounts. Bidding for 1 Million gold on Ultima Online usually starts at somewhere between $10 USD and $20 USD. We did a quick back of the napkin calculation of the worth of one virtual character based on that and decided that if he put his mind to it, he could probably sell his stuff for in the neighborhoold of $9,000 USD. I've heard of companies being formed to collect Everquest stuff for sale on E-Bay.

Re:Idiot Admin

[Lawbeefaroni]

Well that and resetting the password will also tip off the legit user something is wrong (when they go to login with their old password and it doesn't work). Ideally you would re-set the password and email the new one to the user's registered email address.

Re:Idiot Admin

[sfe_software]

Okay, how? Short of the person turning up in person with photo ID, 100% proof of identity just isn't going to happen.

In this case, *resetting* the password (changing it to something new) would have been much more appropriate. Given that he had been accessing the account over a period of three months, obviously the real account holder would have noticed that their password no longer worked by that time.

I say, never *give out* the current password, only reset to something new after confirmation (using the correct email address, or providing some information that was provided upon account setup -- a "security question" perhaps). Not foolproof, but it would certainly stop someone from using a hijacked account for such a long period of time.

Re:Idiot Admin

The company I work for requires you verify all your billing information. That includes the original credit card used to pay for the account, billing address, e-mail address (it's preferable that you are e-mailing from the original address), name, and age.

The most important pieces of information as the last digits of the credit card or the money order/check number and issuing bank.

And even then the old password is not given out. A new temporary password composed of a scrambled series of letters and numbers is generated and e-mailed separately. Each time this is done a note is made on the account recording the nature of the request and the e-mail/person it was supposedly coming from plus what (if any) account information was updated in the process.

Don't have that information? Have a big sob story?

Tough luck.

It is also important to note that the "cr/hackings" are almost always one of two things. Customer was sharing their account with other individuals willingly and got ripped off by them (illegal in some, but not all, games and a real pain in the ass to investigate), or through poor judgement/lack of basic system security allowed their computer to become infected with a trojan like Sub-7 and their keystrokes watched/recorded.

The lesson here? Learn basic computer security. Never give out your password to anyone. 9 times out of 10 the you are really the source of your own security breach.