MMORPG Developers Warned of Security Risks

phantomfive writes "According to an article on ZDNet, hackers are now targeting players of MMORPGs (mainly WOW), stealing their passwords, then selling their gold/equipment for money in the real world. Microsoft security development engineer Dave Weinstein warned developers of the new dangers their titles face at the company's annual Gamefest event." From the article: "Online game accounts are already on sale in the black market next to stolen credit card accounts, fraudulent passports, fake work papers and other illegal items gathered by identity theft. In fact, some game accounts can be worth up to $10,000. 'For a lot of the customers out there, there is more store value on their MMO characters than there is on the credit card with which they pay for the account,' said Weinstein."

That's a Lot of Cash

[neonprimetime]

In fact, some game accounts can be worth up to $10,000

Come on people, nobody is that addicted? Who can imagine paying $10,000 for a WOW account? It's as ridiculous as the price of some of the paintings that sell at art galleries! I can't imagine a game account selling for that much.

Re:That's a Lot of Cash

[thelonestranger]

Not quite $10000 but still a lot of money http://video-games.search.ebay.com/wow_Video-Games _W0QQfsooZ2QQfsopZ3QQsacatZ1249QQsbrsrtZl

Re:That's a Lot of Cash

[crazyjeremy]

Come on people, nobody is that addicted? Who can imagine paying $10,000 for a WOW account?

Probably the same guys that get certain jobs just so they can continue to play at work, who make online relationships instead of real ones, and who buy $3000 laptops just so they can run the latest iteration of a game. 90% of their life is wrapped up in the game. During that other 10% of eating and sitting on the throne, they just think about how they could get more into it.

Re:That's a Lot of Cash

[PFI_Optix]

I can't imagine someone paying hundreds of thousands of dollars for a single item of sports memorabilia, but it has happened. Is it really so far-fetched to suggest that there exist at least a handful of people with too much money who are willing to spend that money on having more than anyone else does on WoW?

For that matter, given the current state of society, should we even act surprised? These are the same rich kids who spend thousands of dollars a year to have the fastest computer on the block, the latest iPod and accessories (even though four perfectly good iPods are sitting in a desk drawer somewhere), and whatever else they perceive as a must-have status symbol.

Re:That's a Lot of Cash

[IMarvinTPA]

Why didn't he take the laptop with him to the throne? And if he's in any way reasonable, he'd eat at the computer while playing. The only thing befuddling him is why he's not getting experience for the kills he makes while sleeping. (Darn dreams aren't "real"...)

IMarv

Re:That's a Lot of Cash

[neonprimetime]

That's insane, this one even has a $1000 bid already!

Re:That's a Lot of Cash

[Atheose]

The difference between the two is that sports memorabilia is physical--you can put it in a glass case, you can touch it. The only thing you can do with that level 60 Paladin decked out in Epic items is run through Ironforge.

Re:That's a Lot of Cash

It's not necessarily the account alone though. They can sell the Gold in the account, across all of the characters. Sell items on the characters to get more gold to sell, then sell the account itself.

Re:That's a Lot of Cash

[gEvil+(beta)]

...you can put it in a glass case, you can touch it.

I thought part of the reason for putting it in a glass case was so that it couldn't be touched...

Re:That's a Lot of Cash

[91degrees]

But these guys spend so much time in the game that they can get a decent character pretty quickly anyway. Obviously there must be people willing to pay that amount, since we can clearly see people are doing so, but it would appear to be a contradiction since the addicts don't have any need, and the non-addicts don't have any desire.

Re:That's a Lot of Cash

[rbarreira]

I thought that one can still get things out of a glass case after putting them there.

Re:That's a Lot of Cash

[eht]

But then it loses value and ends up just an ordinary baseball you can get for 5$.

Re:That's a Lot of Cash

[zhouray]

It doesn't have to do with addictions. Some rich kids who want to show off would pay for it.

Re:That's a Lot of Cash

> Who can imagine paying $10,000 for a WOW account?

Easy. A stolen guild-bank could be full of epic items, herbs, gems, ores, and lots and lots of gold. All easily sold for gold and converted into cash.
I would guess my guild bank is worth over $2000 if liquidated - and we are a not even close to a 'top' guild

Re:That's a Lot of Cash

The vast majority of stockholders just own some bits on a broker's server somewhere, yet the public considers this as "property", and even insures the stockholder against their broker's server simply disappearing their stock.

Re:That's a Lot of Cash

[gstoddart]

Come on people, nobody is that addicted? Who can imagine paying $10,000 for a WOW account? It's as ridiculous as the price of some of the paintings that sell at art galleries! I can't imagine a game account selling for that much.

It may not be that someone would be $10,000 for the account. But if you sell off the individual things in that account, it might be possible to add up to that amount. A few hundred here and there add up.

That's probably what's happening in this case.

Cheers

Re:That's a Lot of Cash

[vadim_t]

You can't touch the cash in your bank account either, but do you think it's somehow less real than if it was physically in paper somewhere?

Re:That's a Lot of Cash

[caffeinatedOnline]

Back when SWG was at it's heyday, I was one of the first people on my server to unlock the Jedi archtype. After playing it for a few weeks and realizing that the entire class was borked, I put the account on eBay for $300... at the end of a week long auction, it sold for over $1600. I couldn't believe that anyone would pay that much for a game account, and was sure that it was some scammer. But, the funds got transfered from France through PayPal, and it was legit. I still to this day get a laugh out of it... my wife gets a bigger laugh (she is an accountant) when she realized that I made ~$0.50/hr on the deal!

Re:That's a Lot of Cash

[twistedsymphony]

I thought that paper money (at least in the US) was just a "note" that said you own X amount of the federal reserve. In other words just as worthless as the digital bits on a server simply filed in archaic paper form instead of on a server somewhere.

Re:That's a Lot of Cash

[garylian]

But how many individual things does each toon have that aren't soulbound? Most of the best items in the game get soulbound to the player. So, the chop-shop thought doesn't work. Unless you are talking about a guild bank type player.

Seriously, if you really wanted to, you can hit 60 in WoW in a few weeks without killing yourself.

This all comes down to the e-penis factor. People will pay that kind of cash to have the biggest e-penis there is. And for WoW players, that means having a completely tricked out toon or two, with all epic gear.

The problem is, there are so many people buying toons/stuff/gold that it becomes a vicious cycle. FFXI had that problem with its gil farmers running amok. Once it starts, it's a slippery slope, as regular players have to think about keeping up with the Jones'.

Re:That's a Lot of Cash

Come on people, nobody is that addicted? Who can imagine paying $10,000 for a WOW account? It's as ridiculous as the price of some of the paintings that sell at art galleries! I can't imagine a game account selling for that much.

The account itself may not sell for $10,000, because that's a lot of money and it's something that is fairly easily traced, assuming the victim presses the issue with Blizzard. However, if you can snag the passwords for an account, it may have several well-developed characters with many highly prized assets. In that case, you can "strip" the account for assets and sell them individually and come up with a lot of money. Next to that, the account itself is almost worthless.

Re:That's a Lot of Cash

Well, I haven't seen a WoW account go for that much... but I have seen a Star Wars Galaxies Jedi account go for upwards of 5000 dollars. Hell, one of the people on my server bought his for 2000, not leveled or anything, just had Jedi unlocked.

Re:That's a Lot of Cash

[vertinox]

These are the same rich kids who spend thousands of dollars a year to have the fastest computer on the block,

These aren't kids usually, but rather 40 somethings with a great deal of disposable income. I've known a few to dump $7,000 on a Ultima Online account.

Re:That's a Lot of Cash

[drsquare]

I can't imagine someone paying hundreds of thousands of dollars for a single item of sports memorabilia, but it has happened. Is it really so far-fetched to suggest that there exist at least a handful of people with too much money who are willing to spend that money on having more than anyone else does on WoW?

That sports memorabilia can go up in value over time. A WoW account's value plummets to zero as soon as the game becomes unfashionable. Or when it's deleted due to a breach of rules. Or the game closes down.

Re:That's a Lot of Cash

[Sage+Gaspar]

How many people are actually going to whip out their autographed baseball and have a game of catch? The amount of money they're paying for MMO stuff is misguided and not my type of fun, but at least they're getting something functional. Collecting is the worst type of consumerist whack jobs.

Re:That's a Lot of Cash

[Sage+Gaspar]

How many rich hack job golfers at the country club drop a couple thousand on clubs that no one's really going to know or care about? It doesn't improve their shitty game, either.
 
As online gaming becomes more prevalent, those same numbnuts will drop cash there.

Re:That's a Lot of Cash

[dorzak]

When I played Shadowbane, somebody paid $300 for a player-owned city on the Mourning server.

The thing is player owned cities can be destroyed by other players.

He lost the city a few months later.

Re:That's a Lot of Cash

[PFI_Optix]

It can go up in value only because there's some other schmuck willing to spend more money on it than you were. I can't imagine why they would want to spend the money any more than the first person. There is no value in something like that, other than being the only one to have it. The same goes for WoW items and accounts; some people buy them just to say they have them.

Re:That's a Lot of Cash

[The+Snowman]

But how many individual things does each toon have that aren't soulbound? Most of the best items in the game get soulbound to the player. So, the chop-shop thought doesn't work. Unless you are talking about a guild bank type player.

Guild bank aside, I have a ton of stuff on my account. I have tons of high level tradeskill junk like arcanite, mooncloth, stacks of thorium bars, essences, enchanting shards and dusts. I have some rare and epic items not souldbound just sitting in the bank. I have a few hundred gold (from selling junk like that arcanite and mooncloth). And I'm not even all that rich compared to most people on my server. Still, I'm sure I could liquidate most of my junk, sell the gold, then sell my level 60s. I'm sure I'd make at least a few hundred dollars, more than I spent on my subscription.

Seriously, if you really wanted to, you can hit 60 in WoW in a few weeks without killing yourself.

Looking at my characters' play time it doesn't look like much, but in order to keep my job and family, it would take a little longer. Maybe two months. Then again I choose to have some semblance of a life outside the game, even if not much of one.

Re:That's a Lot of Cash

[Atheose]

I meant either or. You could put it in a glass case, OR you could touch it. My main point was that it's a physical object, unlike a WoW character.

Re:That's a Lot of Cash

Once the secret of how to unlock Jedi came out - just master professions - I set up 3 spare machines to do nothing but multi-box and bot/grind professions out all day. In 3 months I managed to unlock a dozen Jedi accounts, and sold them for a total of $13,000. Considering that I would spend maybe 2 hours a day on getting the bots set-up and dealing with maintenance, that's not a bad haul at all.

Re:That's a Lot of Cash

[snuf23]

I've seen guilds purchase characters (not at $10,000) to flesh out a class they are lacking. For example, the core guild members have too many hunters and need another priest. They purchase a 60 priest and have a one of the hunters use the character.
I've also seen guild leaders who maintain a couple of accounts in this same way so that critical but understaffed classes (commonly healers) are always available for raiding.
High level raiding guilds get crazy like that sometimes.

Re:That's a Lot of Cash

[werewolf1031]

The value of any currency is merely an agreement. It's only worth something if everyone agrees it's worth something. Which in itself makes it astounding that modern economies function at all...

Re:That's a Lot of Cash

[IMarvinTPA]

How is this Flamebait? It is clearly a joke. It even got moderated as Funny BEFORE getting Flamebait.

Did I manage to hit somebody too close to home?

IMarv

Value is in the eye of the beholder

[mhazen]

'For a lot of the customers out there, there is more store value on their MMO characters than there is on the credit card with which they pay for the account,'

If that was really true, MMO's would let users pay their monthly fees with virtual gold.

Re:Value is in the eye of the beholder

[TahitiBlue]

That would only be true if there was a limited supply of gold in the game. With the developer able to control how much gold theres is in the game at the flick of a few bytes on the server, virtual gold is worthless to them. However between players it can have some real $ value if one of them is trying to get ahead.

Re:Value is in the eye of the beholder

[ichigo+2.0]

If that was really true, MMO's would let users pay their monthly fees with virtual gold.

Read the quote you copied again. Some of the customers value their MMO characters more. If a customer values rocks more than dollars, does it mean Dell will sell him an laptop for rocks? Of course not. To a MMO customer virtual gold is a limited commodity, and involves grinding and work to create. To Blizzard virtual gold has no value, as they can create it in unlimited amounts with a press of a button.

Re:Value is in the eye of the beholder

[Diss+Champ]

I DO pay for my Eve access with my ingame currency. Here's how:

The one way in which CCP allows Eve users to use ingame currency for out of game stuff is to buy timecodes from other players. Those players spent real game cash to get the timecards, so CCP is still getting their cut. So it's true that CCP is not accepting the currency for playtime directly, they are agreeing in principle that paying for gametime with ingame currency is "OK".

This practice is somewhat controversial in the Eve community. It's not that it's particularly unbalancing for me to buy my gametime this way, it's that people with realgame cash to buy LOTS of gamecards can get LOTS of ingame currency, and buy characters, blueprints, and other stuff with it- wealth isn't being added to the system, but it IS being concentrated. Ultimately, I think it's not a big deal or I'd still be paying RL cash for my subscription, but some feel that CCP should stop allowing time for ISK transactions.

One good effect of his practice however is it is undermining gold farmers somewhat- by allowing a outlet for those who want to turn real game cash into ingame cash w/o risking account banning, and at a better rate than ISK was welling for, it makes it harder for the farmers to profit. They can try to do a reverse- buy gametime with ISK then sell it for RL cash, but there's enough chance of being burned that way that the people with RL cash are more likely to simply go through the approved system and not risk getting a bad code.

The US dollars I've saved paying for game time with US dollars is significant - I bought enough time to get me well into next year in case CCP changes their policy. And since I earn the ingame dollars doing things I consider fun, it's win-win for me.

Re:Value is in the eye of the beholder

[Kaa]

If that was really true, MMO's would let users pay their monthly fees with virtual gold.

You can do this in Eve.

Re:Value is in the eye of the beholder

[mhazen]

The quote reads as I stated, not as you claim.

It specifically says there is more store value to the account than to the credit card used to pay the subscription fees. Store value, not perceived worth by the customer themselves.

Re:Value is in the eye of the beholder

[ichigo+2.0]

No, it specifically says that there is more store value to the account than to the credit card used to pay the subscription fees, for a lot of the customers out there. Obviously you're not one of those customers (neither am I), but there are people out there to whom their account is worth a lot more than the subscription fees they've paid for them.

Re:Value is in the eye of the beholder

[mhazen]

The definition of "store value" refers to the ability of an entity as a deposit for later financial recoup. Specifically, this is a feature of negotiable currency, which is referred to as its "store of value" nature. Since the article specifically uses the phrase "store value", the article is referring to a negotiable financial store. If the value were a perceived value by the owner, the phrase "store value" would not have been used.

In other words, it's not perceived value, it's a specific value of a monetary nature. You're referring to what could be ambiguous syntax, but the use of a specific fiscal term is what I'm referring to.

Cheers,

Re:Value is in the eye of the beholder

[ichigo+2.0]

If many customers are prepared to pay real money for items and characters in a MMO, then don't the items then have store value to the customers? That doesn't necessarily mean that entities outside this economic system have to accept items from these customers as payment. Lots of people think paper money stores value, but if I decide that it isn't worth the paper it's printed on, then you can't force me to accept it as payment. Therefore, virtual gold has store value to those that believe it has, but it doesn't mean that Blizzard has to accept virtual gold as payment because to Blizzard virtual gold is worthless. I.e. store value is a perceived value.

Re:Value is in the eye of the beholder

[CherniyVolk]

Some MMOs actually do allow players to pay for their accounts with in-game currency.

People in EVE-ONLINE do it all the time. CCP allows people to buy an EVE-ONLINE Time Card and resell it to gamers for in-game currency isks. So some people do pay for their accounts with virtual money; but, at some point, someone had to pay for with the less virtual but noless intangible hard formal currency.

Re:Value is in the eye of the beholder

[mhazen]

Ichigo-

Fair enough.

Cheers,

MS Say's Games on its platform insecure?

[fullphaser]

Microsoft warned video game developers on Monday that their PC games are now a target for criminals.

I guess It must be nice to have the burden of only your OS and all your own software being the target lifted off your shoulders, now you can blame your third party developers too. I guess that hack for MMORPG Tycoon isn't just M$ fault anymore :P

Good practices

[andrewman327]

As with all of these hacks, the key is vigilence. I know that Runescape has an optional banking PIN number that has to be selected by clicking on randomly positioned numbers. I know that screengrabbers can still read it, but it is a good step. Change your password often, especially if you game from public computers. Even reputable Internet cafes can have a malicious user who installed a small hardware keylogger a few hours ago to steal passwords.

I have read many tales on gaming forums of "I gave my password to person X for this reason and now 300 people have it." Do not give your password or other information to anyone for any reason. Report players who try to get it from you to the appropriate authority. Also avoid websites that offer training or any other gimmick that requires account info. I know that identity theft (real or virtual) is impossible to prevent 100% but common sense steps can make it much more difficult.

Re:Good practices

Good practices are great and all, but they don't help much if the game software itself is riddled with holes. Do a quick search for `Luigi Auriemma overflow', and see how many holes in popular titles he's found. Pay close attention to the number of vendors have actually fixed these problems...

Write Little Say Little

[FST]

The article (a whopping 300 words long) says not much more than "people are selling mmorpg accounts on the black market". How is this not obvious, let alone even slightly newsworthy even on a slow day?

Is This the Virtual Post-Modern Equivalent...

[RobotRunAmok]

...of somebody breaking into my house and stealing all my cigs, scotch and cocaine?

Which is to say, how much of the theft is from true strangers, and how much from wives and girl friends?

PEBCAK

[spyrochaete]

I've played a few MMORPGs (WoW, Guild Wars, Anarchy Online) and I've only seen one kind of keylogger exploit - the kind you install yourself. People shout in-game "Visit www.guildcheats.com for Guild Wars god mode!" and the like. It's just a case of the greedy preying on the greedy. Circle of life. If your account is stolen it's 99.9% likely that it's your own fault.

Even so, in the case of Guild Wars, which has given me better support than any piece of software in my whole life, I go out of my way to report these instances with screenshots or URLs when I find supposed cheats in torrents. The sanctity of the game is at stake when unscrupulous parties try to hijack others' accounts and lewt.

Re:PEBCAK

[sunwukong]

Heavens! We wouldn't want an army of networked zombies out there, would we?

Oh wait ...

Re:PEBCAK

From what I've seen, many MMO's also send passwords in clear text, so that anyone on an customer's or intermediate network only needs to use a packet sniffer. Forget keyloggers - who needs one when you only need to get a hold of somebody on the player's subnet?

The future of commercial gaming

[davidwr]

To prevent wholesale account-jacking, any time an account has "suspicious" activity, such as wholesale giving-away of assets or being played from IP addresses on opposite sides of the planet on the same day, the game would make you answer a "security question" you set up when you created the account. It would also email you at a third-party email account and possibly even phone you or send snail-mail.

Customers who rarely trade and never play away from home will also have the option of "locking" their accounts so that, before they trade or play away from home they have to "unlock" the account. The unlock would involve more than just knowing the account login information.

Re:The future of commercial gaming

[spyrochaete]

This kind of authentication will only happen if and when account hijacking is caused by something other than the end user trying to cheat. Right now MMOGs can't be bothered to make life easier for cheaters. People lose accounts because they try to install third party software on top of their games. No systemwide keylogger cares about game passwords yet.

According to Guild Wars, all trades and transactions are final and cannot be undone by anyone. All account\behaviour violations result in a permenant ban that cannot be appealed. Your account is your responsibility.

Some do let you use virtual gold

[edremy]

Puzzle Pirates is an MMO where you can pay your fees in virtual gold. For example, a shop badge (which lets you play more puzzles) costs 5 doubloons/month. You can buy 5D for ~$1-2 real money, or you can buy doubloons with the in-game currency of pieces of eight at about 1000 POE= 1D. You can buy a ship for ~50D: real cash that's $20 or about 50,000 POE. You'd have to play a lot, but it's doable.

I've heard of others, but can't remember them right now. (EVE, maybe?)

Re:Some do let you use virtual gold

[vadim_t]

Second Life. You can buy currency, and you can sell it back. Some people even make a living on it.

This is new... how?

[Rachel+Lucid]

I could be mistaken on how bad the problem is on 'other' games, but Neopets (and now Gaia) are very poignant, large-scale examples of some people's willingness to cheat the system only to find themselves scammed (largely because the game itself is free, and the userbase is proportionally dumber than most systems you 'pay' for).

The only thing this article points out is how much 'wealth' is tied up in these programs (and I can believe that, seeing how I probably have a down payment for a car tied up in my Gaia account - if it were even possible for me to extract that value out of the account, since it's mostly due to a few overinflated items), but aside from that, the main issue here is not security of the games, but security of the users.

Social Engineering is alive and well on the internet. Keep your wits about you and your password strong, and there's nothing to worry about.

Typically the user's fault.

Most of the account stealing in question has nothing to do with security flaws within the game itself, and more to do with user stupidity.

1. User gets themselves infected with malware. Many executables out there that claim to be "cheat" tools for the game end up simply being trojans with keyloggers designed to steal your account name and password. The solution is not to download what you think is a cheat or hacks, and to follow standard steps to prevent yourself from getting malware.

2. Many users will use the same account name and password on game-related fansites and forums that they do for their actual game account. It has been revealed that many of the very popular WoW "fan sites" (some that allow you to log in and create a profile) are owned by IGE, partners of IGE, or similar "gold selling companies." No fansite should be accepted as trustworthy, including your guild's own forums. Users should never use the same account name and password they use for their game account for a login on a fan related site

3. Many users have extremely weak passwords. Simple enough.

4. Many users will flat out share their account name and password with their online friends and guildmates. Not smart at all.

Quite a feat fitting 5 figures in there

[sixdaywar]

In fact, some game accounts can be worth up to $10,000.

I've also heard the population of African Elephants has tripled in the last six months.

Re:Quite a feat fitting 5 figures in there

"I've also heard the population of African Elephants has tripled in the last six months."

Its true, I read it in an encyclopedia.

Nothing New At All

[ggKimmieGal]

selling their gold/equipment for money in the real world.

This has been a popular way to make money in EverQuest for YEARS. Only not hackers, but actual players sell their stuff. Nothing new at all. Hackers selling your stuff? It's like a theif selling your stuff at a pawn shop. It was bound to happen sooner or later.

WoW Chop Shop

[SQLGuru]

It's a chop shop for WoW characters. My old 95 Nissan Altima is worth more as parts than it is as a vehicle.

Layne

Re:WoW Chop Shop

[rabidgoldfish]

.02$

New airplane engines run into the same sort of thing. You can buy a good cessna 150 for less than the price of the new engine.

Why is it ridiculous?

[TheLink]

A WoW account is a bunch of digits in some computer. Most USD10K is a bunch of digits in some computer.

So it's a matter of supply and demand. Heck it may be harder to forge items in some online games than it is to forge paper USD.

Some game items might take months to get for normal people, so if a game account has characters loaded up with rare weapons, I figure some people might actually pay USD10K for it.

Seriously though, if the cops don't take theft of such stuff seriously or similar crimes, then more and more people might actually resort to unlawful actions.

Just like that guy in China who killed a fellow gamer - the murderer lent his sword (which he only just got at that time) to his "friend" who then sold it for USD900. In China many people consider USD250 a month a good wage. And it might have been worth more than USD900 to the original owner (who might only have sold it for more- thieves often sell for lower than market rate, so I guess it could be worth significantly more which is why he wasn't happy when his "friend" offered to give him the USD900).

I'm not saying he was right to kill, but I'm not surprised he did. People have been killed for far less than four months average salary. Especially when betrayal and other stuff is involved.

To his defense, he actually did go to the cops first, but:
"Before the attack Mr Chengwei told police about the theft who said the weapon was not real property"

Not real property? Something that sold for 4 months wages? Two lives wasted (one dead and one suspended death sentence - might get out in 15 years if lucky) because the cops didn't take things seriously. Maybe the Chinese courts cut him some slack, coz over there it's real death for so many things - e.g. hooliganism, "stirring up fights and causing trouble". The parents of the dead guy are still calling for his blood though.

In South Korea the cops actually do recognize such crimes (maybe many of them play those games too and thus can understand the value of some "dragon sabre").

Many stamp collections are worth far more than their face value.

How about the recent case - a teddy bear (Mabel?) that used to belong to Elvis, apparently worth USD75K got savaged by a guard dog assigned to protect the bear collection/display.

Should the cops and courts say, "It's only an old toy bear" ? After all who can imagine paying USD75K for an old toy bear?

For justice to be served one should not be quick to judge, nor take everything at face value.

Re:Why is it ridiculous?

[drsquare]

Not real property? Something that sold for 4 months wages?

It's not his property, it's an item in a game owned and operated by someone else, which at one point was carried by his character in that game. If people want to attach value to virtual items which can be arbitrary created and destroyed, that's their problem.

Supposing you bought a sword for $500, then the game designers made a change that made that sword worthless, or removed the item from the game altogether, what would you do then?

Re:Why is it ridiculous?

[Sage+Gaspar]

There are lots of items that can be devalued at someone else's whim. Once it gets serious enough that more companies start implementing in-game, "legit" systems, I bet you see the item fluctuations controlled more.

Re:Why is it ridiculous?

[TheLink]

I think if I steal your casino chips it's still theft.

I could say a very similar thing for shares traded on a stock exchange. How many think Skype was worth what ebay paid for it?

There are laws regulating publicly held companies - they can't just create new shares arbitrarily, or suddenly not recognize existing shares.

Also, if the central bank of your country chooses to print/create more money, it will devalue the money you already have. It's called inflation. Hyperinflation did actually happen in many countries.

A game company might choose to differentiate itself from other game companies (for a competitive advantage and gain market share) to voluntarily bind itself legally to regulations that ensure some protection of player owned in-game assets.

e.g. we are better than XYZ because if some guy steals your stuff even with a key-logger, we'll check our logs on item/gold transfers and work to put things right, and we are willing to freeze stuff pending a legal decision by the courts.

Naturally in some games (Eve?) stealing could be part of the game, so too bad (and there's pro-boxing where you can get yourself legally bashed or even killed by someone else).

Whether we should allow such games to be legal might actually be a good question.

Because in the future it might get less and less easy to say "It's not real".

paraphrase The Matrix: "people's minds make it real".

Re:Why is it ridiculous?

[drsquare]

I think if I steal your casino chips it's still theft.

You pay the casino for the chips. You don't play Blizzard for your Supreme Sword of 0wn-ness, you pay them to play the game.

Stealing someone's WoW item is like stealing money from the bank in monopoly.

Re:Why is it ridiculous?

[Mykid8yours]

I think the sword was a real sword, not from a video game.

Re:Why is it ridiculous?

[TheLink]

You've never won anything at the casinos?

Saw it at GDC

[Dixie_Flatline]

I saw Weinstein's talk at GDC a few months ago, and this article really doesn't do it justice. His talk is mostly speculative; there aren't any cases of accounts being sold for thousands of dollars out there. However, he does point out the stuff to be aware of when writing and designing an online game. He also doesn't limit the talk to MMOs, though that's the most common kind of online game these days. A game like Unreal Tournament with the server browser can also be a security risk, but it's worth less money than stealing gold in WoW.

If you have a chance, see his talk. He's an old-school gamer and game programmer, so he's not just some guy that understands security and nothing else.

Re:Saw it at GDC

[Araxen]

Apparently you missed the boat, because when Everquest was at it's height of popularity. It wasn't uncommon to see accounts going for $2000+ easily.

Re:Saw it at GDC

[syukton]

there aren't any cases of accounts being sold for thousands of dollars out there.

You're right that this isn't the case now, because the market is saturated with accounts for sale. 3-4 years ago, though, it was not unheard-of for an Everquest account with multiple well-equipped high-level characters to go for over $1000.

Re:Saw it at GDC

[Dixie_Flatline]

Fair enough. The $10,000 number is still a little over blown, right? :)

Keylogger trojans

[Sierran]

WARNING: Anecdotal reply. :-) On the WoW server I am on, two players that I am aware of (one from my guild) have had their accounts jacked by keyloggers in the past week. In the case of my guildmate, the keylogger was, as far as we can tell, installed by website malware and not by trojan. S/he logged on to find every possession of every 'toon gone, and even the hunter toons pets dismissed - a purely malicious touch, since there was no way for the intruder to make money off of that. However, I just wanted to point out the following - this player had ~5 level 60 toons on this account on one server alone. Those toons had perhaps a total of 2000 gold among them. That, according to recent articles on gold farming, is the equivalent of twenty goldfarmer 'shifts' output, *not counting* any gold received from selling their possessions. All this from a single downloaded piece of malware, as opposed to twenty shifts of manual labor. Given that we *know* goldfarming companies are willing to do the former, it seems a no-brainer that this method is quite obviously 'worth it.'

Blizzard, in response to the ticket filed, locked the account while they investigated, and have said they are attempting to trace the trades with an eye to restoring all items. If they can do this (and I don't see why they couldn't, if they decide to) then my guildmate and the others affected will only be out the lost gameplay time and the aggravation - but we don't know if that 'rollback' does, in fact, remove the items from the *recipients* of the transactions. I would bet it probably would, but I'm not Blizzard. If I was the person doing this, I'd have my realworld cash already, so even if the transaction got rolled back, there'd be nothing the buyer could do- so for minimal effort over the three weeks it took for Blizzard to deal with this I'd have made my profit.

Besides, there will always be those who don't find it worthwhile to complain to Blizzard and just quit in disgust, figuring they're just out the $15 of that month's game fee. None of the measures I've discussed above address the structural problem of preventing this sort of attack in any way, because it doesn't take place on Blizzard's infrastructure; in order to address it, Blizzard would have to change their authentication systems to incorporate more robust client code and more secure methods such as the PIN-clicking method described in another post. That means coding, testing and waiting for the patch cycle - so they have a window of vulnerability anyway.

It all comes down to - the effort expended by the malware attackers is minimal. The risk is somewhat higher, but not much higher than that of being goldfarmers anyway, so why not?

Basic rules of not getting scammed in a MMORPG

As a fairly hardcore MMORPG player, who's been playing FFXI for 3 years and has played about with WoW on the side as well, I'd offer the following (fairly obvious) advice to anybody wanting to keep their character secure.

1) Do not ever lend "virtual" currency or items to anybody you do not know in real life unless you can accept their loss. By "know in real life", I mean "know and see on a regular basis and are on good terms with", not "met once at a convention". Many people adopt in-game personas drastically different to their "real" personas. With this separation between the player's avatar and the player themselves, it becomes all the more tempting for a even a generally well-intentioned player to give in to temptation and behave in a way that they wouldn't towards somebody they knew in real life.

2) Do not share access to your account EVER, even with people you know well in real life. I've known more people come to serious grief this way than in any other. Real-life relationships can break down too, and deleting or emptying out a MMORPG character is, in many ways, the geek relationship equivalent of taking a kitchen knife to an ex-partner's wardrobe. Make sure that logging in to your account requires the use of at least one password that only you know. Disable any "auto login" options. If you have housemates, particularly if your relations with them aren't great, or they have an "odd" sense of humour, never go away from your keyboard while leaving your character logged in. Don't make a big deal out of it, just make it part of the routine. I know this sounds paranoid and draconian, but I can think of at least 3 FFXI players, one of whom I knew well in-game who have lost characters in this way when a real-life relationship has broken down.

3) Be very, very careful about using *any* third-party software relating to the game. Not only is this probably against the EULA (and hence potentially going to get you banned by a GM), but it exposes you to the risk of malware. In general, it's the 3rd party tools that offer the most (eg. cheats) which are most likely to turn sour on you. As ever, it's easiest to trick people through greed. However, even the most innocent little tool can have a nasty payload.

4) Any website other than ones run by the game's developer which requires you to enter your login details is a scam. End of story. If you are uncertain as to whether a site is run by the developer, check the game's manual to find the game's official website. The official forums for some games do require you to use your game login to access them. This is OK, but be sure to protect your login details (eg. don't have your browser auto-remember them if you have housemates).

5) Any in-game offer which looks too good to be true probably is. Casino scams in FFXI are one of the most obvious examples, but there are plenty of others. There's an amusing example here from FFXI. There are two pieces of neck gear, the Ranger's Necklace and the Peacock Charm, which both use the same graphical icon. The former is automatically given to players when they complete the flag quest for the Ranger job. It sells for about 1000 gil. The latter is an incredibly rare and powerful item, dropped only very occasionally from a tough arena fight. It sells for 14 million gil or so, on average. Just 3 months ago, I saw a /shout from a player in Jeuno (the main FFXI hub city at the time), saying "Peacock Charm for sale, 8 million gil, check my bazaar". This prompts a frantic race to buy this item before anybody else can. The "lucky" winner was distinctly miffed when he noticed he'd just spent 8 million on a Ranger's Necklace. At current IGE exchange rates (I hate the site and all of its ilk, but it's useful for comparison here), this cost the scammed player around $220.

I know all of the above really is "water is wet, fire is hot" type stuff, but it's amazing how many people forget it, some of them multiple times.

Re:Basic rules of not getting scammed in a MMORPG

[irablum]

Though its been stated on slashdot in the past, there are a number of scams within the game of WOW being used to steal your gold. One involves the Auction house. For those of you who don't play WOW, the AH works like ebay, with a buyout feature. These scammers put a fairly low minimum bid price for items (like 2 gold), with a 99 gold buy out. People see the low minimum bid and attempt to buy the item out, not noticing that they've paid 99 gold for something not worth 5.

A second scam involves the mail system. They send unsolicited mail to people where they claim they are sending an epic, but its wrapped up in a box. They send this mail COD for 50 or 60 gold. If you are curious, and spend the money, what turns out to be in the wrapper is Coal or some trash green item worth very little.

$0.50 / hr?

[EnglishTim]

Wait... if you made $0.50 an hour off it, then at $1600, you would have had to have spent 3200 hours getting your character to that level; how much time were you spending on it? You'd have to spend over eight hours a day every day for a year to rack up that kind of time!

Re:$0.50 / hr?

[caffeinatedOnline]

Your point being? LOL In all honesty, I was addicted to the game. I would get off work, come straight home, and start playing till the early hours of the morning, catch a few hours of sleep and start the whole process all over again. The weekends were spent in front of the computer as long as I could. Right before I sold the account, the previous 3 months I was out of work on FMLA for severe depression (which, in hindsight, I attribute to the amount of time I was playing the game and not anything else), and spent easily 14-16 hours a day playing the game.

It had become my life. I was one of the top people on the server, and my mindset was that if I stopped playing as much as I did I would drop in 'standing'. Rather sad to think about it now. A good year and a half pretty much wasted.

Re:$0.50 / hr?

[EnglishTim]

Crikey! Well, congratulations on breaking the habit before it broke your marriage! ;-)

not news

[crabpeople]

Well if you consider that 8 or 9 years ago, this same type of thing was happening in UO, i'd say the articles a bit late. The funniest part about this is whenever i hear someone say "i got haxed!!!", the first thing i always say to them is "who did you tell your password to?". I would say 95% of all cases of this i have heard of in various games has been user error. Trust NO ONE. I've never given my password to anyone, except people i can beat down in real life, and coincidentally I have never had a game account hacked.

Its all user error. There is no "Security Risks" to mmo players any more theres a security risk to email users that give out their hotmail passwords.

This is not news.

[SupremoMan]

This has been going on for years! No wonder it was so wide-spread if the developers had no idea it was going on. Not to mention that their games are to blame for this. Most are very insecure. I can remember my best friend having one of his Diablo 2 accounts stolen about 4-5 years ago. There was no recourse he could take to get his account back. Atleast now a days in WoW ther eis a process you can go through to reclaim your account and any items the hacker might have destroyed or characters he might have deleted. Of course in other games you are not so lucky. The value put on these account is a direct result of bad game design. If you design a game that takes 15 days on average (ingame time) to reach to maximum level, then you add a bunch of "rare" items which take even long to acquire, you have only yourself to blame for what happens. A game where items are easily attained and lost, where the grind isn't so extensive and the main attraction of the game is the human interaction would not have these problems.

Worth of an account

I play everquest 2 on a station exchange server.

To me, my two accounts are worth .. well.. I don't know.. at least $4k. Why? that's how much I made working within the rules of the station exchange in a year's time.

How much will I make next year? A third year?

I won't be truly able to put a price on those accounts until I leave eq2, the station exchange completely fails or until eq2 is taken offline.

The loss of either account would set me back for a month or two, both and I'd have to start over from scratch which would be more than I could bear.

An entire account with 6+ characters with different tradeskills (capable of making many different items and thus, lots of money) would be worth a lot of real $$$ to a hard worker/successful seller. Especially on a non-exchange server.

Will Probably Get Worse

[DaltonStorm]

I figure this will only become worse as MMO's become more popular. The irony is I was just working on our plans to address this growing problem the other day. We got some ideas on how to address this in the works.

Re:Value is in the eye of the EVE player

[cloricus]

You can pay your monthly fees in EVE Online using virtual ISK (dollars) collected in the game.

Selling online items for money

[MM_LONEWOLF]

Whether or not you believe it, people can and do sell online accounts and items for RW money. I think the going rate on ebay right now is something like $1 U.S. dollar for 3,000 platinum pieces. Maybe one person doesn't sell an entire account for ten thousand dollars, but selling a bunch of people $50 dollars worth of online MMORPG items, it can add up really fast. I'm just glad that runescape, my MMORPG of choice, has never allowed people who sell items for real world money to keep their accounts. Thats not to say that people don't get caught, but most do.