Slashdot Mirror


MMORPG Developers Warned of Security Risks

phantomfive writes "According to an article on ZDNet, hackers are now targeting players of MMORPGs (mainly WOW), stealing their passwords, then selling their gold/equipment for money in the real world. Microsoft security development engineer Dave Weinstein warned developers of the new dangers their titles face at the company's annual Gamefest event." From the article: "Online game accounts are already on sale in the black market next to stolen credit card accounts, fraudulent passports, fake work papers and other illegal items gathered by identity theft. In fact, some game accounts can be worth up to $10,000. 'For a lot of the customers out there, there is more store value on their MMO characters than there is on the credit card with which they pay for the account,' said Weinstein."

6 of 91 comments

  1. That's a Lot of Cash by neonprimetime · Score: 3, Interesting

    In fact, some game accounts can be worth up to $10,000

    Come on people, nobody is that addicted? Who can imagine paying $10,000 for a WOW account? It's as ridiculous as the price of some of the paintings that sell at art galleries! I can't imagine a game account selling for that much.

  2. The future of commercial gaming by davidwr · Score: 2, Interesting

    To prevent wholesale account-jacking, any time an account has "suspicious" activity, such as wholesale giving-away of assets or being played from IP addresses on opposite sides of the planet on the same day, the game would make you answer a "security question" you set up when you created the account. It would also email you at a third-party email account and possibly even phone you or send snail-mail.

    Customers who rarely trade and never play away from home will also have the option of "locking" their accounts so that, before they trade or play away from home they have to "unlock" the account. The unlock would involve more than just knowing the account login information.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
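
An added example, not part of davidwr's comment or of any game's code: one way a server could implement the checks that comment describes, flagging logins from opposite sides of the planet, wholesale giving-away of assets, and activity on a "locked" account. The thresholds, the `Event` record and the function names are assumptions made for illustration, and the sample events are constructed.

```python
import math
from dataclasses import dataclass

MAX_KMH = 1000.0        # assumption: faster than an airliner means two different people
DRAIN_FRACTION = 0.5    # assumption: half the account's assets in a day is "wholesale"
HOME_RADIUS_KM = 100.0  # assumption: what still counts as playing from home

@dataclass
class Event:
    ts: float            # seconds since epoch
    kind: str            # "login" or "gift"
    lat: float = 0.0     # login only: coarse IP geolocation
    lon: float = 0.0
    value: float = 0.0   # gift only: value of the assets given away

def km_between(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in kilometres."""
    p1, p2, dl = math.radians(lat1), math.radians(lat2), math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def challenges(events, total_assets, locked=False, home=None):
    """Return (ts, reason) pairs where the extra security check should be demanded."""
    out, last, gifts = [], None, []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "login":
            if locked and home and km_between(*home, e.lat, e.lon) > HOME_RADIUS_KM:
                out.append((e.ts, "locked account played away from home"))
            elif last is not None:
                km = km_between(last.lat, last.lon, e.lat, e.lon)
                hours = max((e.ts - last.ts) / 3600.0, 1e-6)
                if km > HOME_RADIUS_KM and km / hours > MAX_KMH:
                    out.append((e.ts, "impossible travel between logins"))
            last = e
        elif locked:     # any gift on a locked account needs an unlock first
            out.append((e.ts, "locked account attempted trade"))
        else:            # unlocked: sum gifts over a sliding 24-hour window
            gifts = [g for g in gifts if e.ts - g.ts < 86400] + [e]
            if sum(g.value for g in gifts) >= DRAIN_FRACTION * total_assets:
                out.append((e.ts, "wholesale giving-away of assets"))
                gifts = []   # one drain raises one challenge
    return out

# Constructed sample: Seattle login, Beijing login 3 hours later, then two gifts.
SAMPLE = [
    Event(0, "login", lat=47.6, lon=-122.3),
    Event(3 * 3600, "login", lat=39.9, lon=116.4),
    Event(3 * 3600 + 60, "gift", value=4000),
    Event(3 * 3600 + 120, "gift", value=3000),
]
```

IP geolocation is coarse and VPNs move the apparent location, so a hit here should trigger the security question or out-of-band email rather than an automatic ban.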
  3. Re:Value is in the eye of the beholder by Diss+Champ · Score: 3, Interesting

    I DO pay for my Eve access with my ingame currency. Here's how:

    The one way in which CCP allows Eve users to use ingame currency for out of game stuff is to buy timecodes from other players. Those players spent real game cash to get the timecards, so CCP is still getting their cut. So it's true that CCP is not accepting the currency for playtime directly, they are agreeing in principle that paying for gametime with ingame currency is "OK".

    This practice is somewhat controversial in the Eve community. It's not that it's particularly unbalancing for me to buy my gametime this way, it's that people with realgame cash to buy LOTS of gamecards can get LOTS of ingame currency, and buy characters, blueprints, and other stuff with it- wealth isn't being added to the system, but it IS being concentrated. Ultimately, I think it's not a big deal or I'd still be paying RL cash for my subscription, but some feel that CCP should stop allowing time for ISK transactions.

    One good effect of this practice however is it is undermining gold farmers somewhat- by allowing an outlet for those who want to turn real game cash into ingame cash w/o risking account banning, and at a better rate than ISK was selling for, it makes it harder for the farmers to profit. They can try to do a reverse- buy gametime with ISK then sell it for RL cash, but there's enough chance of being burned that way that the people with RL cash are more likely to simply go through the approved system and not risk getting a bad code.

    The US dollars I've saved paying for game time with US dollars is significant - I bought enough time to get me well into next year in case CCP changes their policy. And since I earn the ingame dollars doing things I consider fun, it's win-win for me.

  4. Why is it ridiculous? by TheLink · Score: 3, Interesting

    A WoW account is a bunch of digits in some computer. Most USD10K is a bunch of digits in some computer.

    So it's a matter of supply and demand. Heck it may be harder to forge items in some online games than it is to forge paper USD.

    Some game items might take months to get for normal people, so if a game account has characters loaded up with rare weapons, I figure some people might actually pay USD10K for it.

    Seriously though, if the cops don't take theft of such stuff seriously or similar crimes, then more and more people might actually resort to unlawful actions.

    Just like that guy in China who killed a fellow gamer - the murderer lent his sword (which he only just got at that time) to his "friend" who then sold it for USD900. In China many people consider USD250 a month a good wage. And it might have been worth more than USD900 to the original owner (who might only have sold it for more- thieves often sell for lower than market rate, so I guess it could be worth significantly more which is why he wasn't happy when his "friend" offered to give him the USD900).

    I'm not saying he was right to kill, but I'm not surprised he did. People have been killed for far less than four months average salary. Especially when betrayal and other stuff is involved.

    In his defense, he actually did go to the cops first, but:
    "Before the attack Mr Chengwei told police about the theft who said the weapon was not real property"

    Not real property? Something that sold for 4 months wages? Two lives wasted (one dead and one suspended death sentence - might get out in 15 years if lucky) because the cops didn't take things seriously. Maybe the Chinese courts cut him some slack, coz over there it's real death for so many things - e.g. hooliganism, "stirring up fights and causing trouble". The parents of the dead guy are still calling for his blood though.

    In South Korea the cops actually do recognize such crimes (maybe many of them play those games too and thus can understand the value of some "dragon sabre").

    Many stamp collections are worth far more than their face value.

    How about the recent case - a teddy bear (Mabel?) that used to belong to Elvis, apparently worth USD75K got savaged by a guard dog assigned to protect the bear collection/display.

    Should the cops and courts say, "It's only an old toy bear" ? After all who can imagine paying USD75K for an old toy bear?

    For justice to be served one should not be quick to judge, nor take everything at face value.

  5. Basic rules of not getting scammed in a MMORPG by Anonymous Coward · Score: 1, Interesting

    As a fairly hardcore MMORPG player, who's been playing FFXI for 3 years and has played about with WoW on the side as well, I'd offer the following (fairly obvious) advice to anybody wanting to keep their character secure.

    1) Do not ever lend "virtual" currency or items to anybody you do not know in real life unless you can accept their loss. By "know in real life", I mean "know and see on a regular basis and are on good terms with", not "met once at a convention". Many people adopt in-game personas drastically different to their "real" personas. With this separation between the player's avatar and the player themselves, it becomes all the more tempting for even a generally well-intentioned player to give in to temptation and behave in a way that they wouldn't towards somebody they knew in real life.

    2) Do not share access to your account EVER, even with people you know well in real life. I've known more people come to serious grief this way than in any other. Real-life relationships can break down too, and deleting or emptying out a MMORPG character is, in many ways, the geek relationship equivalent of taking a kitchen knife to an ex-partner's wardrobe. Make sure that logging in to your account requires the use of at least one password that only you know. Disable any "auto login" options. If you have housemates, particularly if your relations with them aren't great, or they have an "odd" sense of humour, never go away from your keyboard while leaving your character logged in. Don't make a big deal out of it, just make it part of the routine. I know this sounds paranoid and draconian, but I can think of at least 3 FFXI players, one of whom I knew well in-game, who have lost characters in this way when a real-life relationship has broken down.

    3) Be very, very careful about using *any* third-party software relating to the game. Not only is this probably against the EULA (and hence potentially going to get you banned by a GM), but it exposes you to the risk of malware. In general, it's the 3rd party tools that offer the most (eg. cheats) which are most likely to turn sour on you. As ever, it's easiest to trick people through greed. However, even the most innocent little tool can have a nasty payload.

    4) Any website other than ones run by the game's developer which requires you to enter your login details is a scam. End of story. If you are uncertain as to whether a site is run by the developer, check the game's manual to find the game's official website. The official forums for some games do require you to use your game login to access them. This is OK, but be sure to protect your login details (eg. don't have your browser auto-remember them if you have housemates).

    5) Any in-game offer which looks too good to be true probably is. Casino scams in FFXI are one of the most obvious examples, but there are plenty of others. There's an amusing example here from FFXI. There are two pieces of neck gear, the Ranger's Necklace and the Peacock Charm, which both use the same graphical icon. The former is automatically given to players when they complete the flag quest for the Ranger job. It sells for about 1000 gil. The latter is an incredibly rare and powerful item, dropped only very occasionally from a tough arena fight. It sells for 14 million gil or so, on average. Just 3 months ago, I saw a /shout from a player in Jeuno (the main FFXI hub city at the time), saying "Peacock Charm for sale, 8 million gil, check my bazaar". This prompts a frantic race to buy this item before anybody else can. The "lucky" winner was distinctly miffed when he noticed he'd just spent 8 million on a Ranger's Necklace. At current IGE exchange rates (I hate the site and all of its ilk, but it's useful for comparison here), this cost the scammed player around $220.

    I know all of the above really is "water is wet, fire is hot" type stuff, but it's amazing how many people forget it, some of them multiple times.

  6. Re:$0.50 / hr? by caffeinatedOnline · Score: 2, Interesting

    Your point being? LOL In all honesty, I was addicted to the game. I would get off work, come straight home, and start playing till the early hours of the morning, catch a few hours of sleep and start the whole process all over again. The weekends were spent in front of the computer as long as I could. Right before I sold the account, the previous 3 months I was out of work on FMLA for severe depression (which, in hindsight, I attribute to the amount of time I was playing the game and not anything else), and spent easily 14-16 hours a day playing the game.

    It had become my life. I was one of the top people on the server, and my mindset was that if I stopped playing as much as I did I would drop in 'standing'. Rather sad to think about it now. A good year and a half pretty much wasted.

    --
    The sky above the port was the color of television, tuned to a dead channel...