Slashdot Mirror


MMORPG Developers Warned of Security Risks

phantomfive writes "According to an article on ZDNet, hackers are now targeting players of MMORPGs (mainly WOW), stealing their passwords, then selling their gold/equipment for money in the real world. Microsoft security development engineer Dave Weinstein warned developers of the new dangers their titles face at the company's annual Gamefest event." From the article: "Online game accounts are already on sale in the black market next to stolen credit card accounts, fraudulent passports, fake work papers and other illegal items gathered by identity theft. In fact, some game accounts can be worth up to $10,000. 'For a lot of the customers out there, there is more store value on their MMO characters than there is on the credit card with which they pay for the account,' said Weinstein."


  1. That's a Lot of Cash by neonprimetime · · Score: 3, Interesting

    In fact, some game accounts can be worth up to $10,000

    Come on people, nobody is that addicted? Who can imagine paying $10,000 for a WOW account? It's as ridiculous as the price of some of the paintings that sell at art galleries! I can't imagine a game account selling for that much.

    1. Re:That's a Lot of Cash by PFI_Optix · · Score: 5, Insightful

      I can't imagine someone paying hundreds of thousands of dollars for a single item of sports memorabilia, but it has happened. Is it really so far-fetched to suggest that there exist at least a handful of people with too much money who are willing to spend that money on having more than anyone else does on WoW?

      For that matter, given the current state of society, should we even act surprised? These are the same rich kids who spend thousands of dollars a year to have the fastest computer on the block, the latest iPod and accessories (even though four perfectly good iPods are sitting in a desk drawer somewhere), and whatever else they perceive as a must-have status symbol.

      --
      120 characters for a sig? That's bloody useless.
    2. Re:That's a Lot of Cash by gEvil (beta) · · Score: 3, Funny

      ...you can put it in a glass case, you can touch it.

      I thought part of the reason for putting it in a glass case was so that it couldn't be touched...

      --
      This guy's the limit!
  2. Good practices by andrewman327 · · Score: 4, Insightful
    As with all of these hacks, the key is vigilance. I know that Runescape has an optional banking PIN number that has to be selected by clicking on randomly positioned numbers. I know that screengrabbers can still read it, but it is a good step. Change your password often, especially if you game from public computers. Even reputable Internet cafes can have a malicious user who installed a small hardware keylogger a few hours ago to steal passwords.


    I have read many tales on gaming forums of "I gave my password to person X for this reason and now 300 people have it." Do not give your password or other information to anyone for any reason. Report players who try to get it from you to the appropriate authority. Also avoid websites that offer training or any other gimmick that requires account info. I know that identity theft (real or virtual) is impossible to prevent 100% but common sense steps can make it much more difficult.

    --
    Information wants a fueled airplane waiting at the hangar and no one gets hurt.
  3. Re:Value is in the eye of the beholder by ichigo 2.0 · · Score: 4, Insightful

    If that was really true, MMO's would let users pay their monthly fees with virtual gold.

    Read the quote you copied again. Some of the customers value their MMO characters more. If a customer values rocks more than dollars, does it mean Dell will sell him a laptop for rocks? Of course not. To an MMO customer virtual gold is a limited commodity, and involves grinding and work to create. To Blizzard virtual gold has no value, as they can create it in unlimited amounts with a press of a button.

  4. PEBCAK by spyrochaete · · Score: 4, Informative

    I've played a few MMORPGs (WoW, Guild Wars, Anarchy Online) and I've only seen one kind of keylogger exploit - the kind you install yourself. People shout in-game "Visit www.guildcheats.com for Guild Wars god mode!" and the like. It's just a case of the greedy preying on the greedy. Circle of life. If your account is stolen it's 99.9% likely that it's your own fault.

    Even so, in the case of Guild Wars, which has given me better support than any piece of software in my whole life, I go out of my way to report these instances with screenshots or URLs when I find supposed cheats in torrents. The sanctity of the game is at stake when unscrupulous parties try to hijack others' accounts and lewt.

  5. Re:Value is in the eye of the beholder by Diss Champ · · Score: 3, Interesting

    I DO pay for my Eve access with my ingame currency. Here's how:

    The one way in which CCP allows Eve users to use ingame currency for out of game stuff is to buy timecodes from other players. Those players spent real game cash to get the timecards, so CCP is still getting their cut. So while it's true that CCP is not accepting the currency for playtime directly, they are agreeing in principle that paying for gametime with ingame currency is "OK".

    This practice is somewhat controversial in the Eve community. It's not that it's particularly unbalancing for me to buy my gametime this way, it's that people with realgame cash to buy LOTS of gamecards can get LOTS of ingame currency, and buy characters, blueprints, and other stuff with it- wealth isn't being added to the system, but it IS being concentrated. Ultimately, I think it's not a big deal or I'd still be paying RL cash for my subscription, but some feel that CCP should stop allowing time for ISK transactions.

    One good effect of this practice however is it is undermining gold farmers somewhat- by allowing an outlet for those who want to turn real game cash into ingame cash w/o risking account banning, and at a better rate than ISK was selling for, it makes it harder for the farmers to profit. They can try to do a reverse- buy gametime with ISK then sell it for RL cash, but there's enough chance of being burned that way that the people with RL cash are more likely to simply go through the approved system and not risk getting a bad code.

    The US dollars I've saved paying for game time with US dollars is significant - I bought enough time to get me well into next year in case CCP changes their policy. And since I earn the ingame dollars doing things I consider fun, it's win-win for me.

  6. Quite a feat fitting 5 figures in there by sixdaywar · · Score: 3, Funny
    In fact, some game accounts can be worth up to $10,000.
    I've also heard the population of African Elephants has tripled in the last six months.
  7. Why is it ridiculous? by TheLink · · Score: 3, Interesting

    A WoW account is a bunch of digits in some computer. Most USD10K is a bunch of digits in some computer.

    So it's a matter of supply and demand. Heck it may be harder to forge items in some online games than it is to forge paper USD.

    Some game items might take months to get for normal people, so if a game account has characters loaded up with rare weapons, I figure some people might actually pay USD10K for it.

    Seriously though, if the cops don't take theft of such stuff seriously or similar crimes, then more and more people might actually resort to unlawful actions.

    Just like that guy in China who killed a fellow gamer - the murderer lent his sword (which he only just got at that time) to his "friend" who then sold it for USD900. In China many people consider USD250 a month a good wage. And it might have been worth more than USD900 to the original owner (who might only have sold it for more- thieves often sell for lower than market rate, so I guess it could be worth significantly more which is why he wasn't happy when his "friend" offered to give him the USD900).

    I'm not saying he was right to kill, but I'm not surprised he did. People have been killed for far less than four months average salary. Especially when betrayal and other stuff is involved.

    To his defense, he actually did go to the cops first, but:
    "Before the attack Mr Chengwei told police about the theft who said the weapon was not real property"

    Not real property? Something that sold for 4 months wages? Two lives wasted (one dead and one suspended death sentence - might get out in 15 years if lucky) because the cops didn't take things seriously. Maybe the Chinese courts cut him some slack, coz over there it's real death for so many things - e.g. hooliganism, "stirring up fights and causing trouble". The parents of the dead guy are still calling for his blood though.

    In South Korea the cops actually do recognize such crimes (maybe many of them play those games too and thus can understand the value of some "dragon sabre").

    Many stamp collections are worth far more than their face value.

    How about the recent case - a teddy bear (Mabel?) that used to belong to Elvis, apparently worth USD75K got savaged by a guard dog assigned to protect the bear collection/display.

    Should the cops and courts say, "It's only an old toy bear" ? After all who can imagine paying USD75K for an old toy bear?

    For justice to be served one should not be quick to judge, nor take everything at face value.

  8. Saw it at GDC by Dixie_Flatline · · Score: 3, Informative

    I saw Weinstein's talk at GDC a few months ago, and this article really doesn't do it justice. His talk is mostly speculative; there aren't any cases of accounts being sold for thousands of dollars out there. However, he does point out the stuff to be aware of when writing and designing an online game. He also doesn't limit the talk to MMOs, though that's the most common kind of online game these days. A game like Unreal Tournament with the server browser can also be a security risk, but it's worth less money than stealing gold in WoW.

    If you have a chance, see his talk. He's an old-school gamer and game programmer, so he's not just some guy that understands security and nothing else.