Online Games a 'Playground' For Organized Crime
New submitter cadenceaniya sends this excerpt from Polygon:
"Online games are a 'playground' for organized crime and cyber criminals, JD Sherry, vice president of technology and solutions at Trend Micro said following the news that League of Legends accounts were compromised. Earlier this week, account information — usernames, email addresses, salted password hashes, and some first and last names — for some North American League of Legends players were 'compromised' by hackers. Riot was also 'investigating that approximately 120,000 transaction records from 2011 that contained hashed and salted credit card numbers have been accessed.' The increase of free-to-play online gaming across all platforms over the years 'have opened the doors to micro-transactions in-game.' The simple and functional systems created so players can spend money effortlessly create 'playgrounds' for cyber criminals to take advantage of. 'Game platforms can have millions of users all storing sensitive information or code access for more features,' Sherry said. 'These are highly sought after in the cyber-crime underground for trading and selling in the black market. These platforms can fall victim to cyber-attacks just like any organization, especially if they have vulnerabilities that go unpatched.'"
http://massively.joystiq.com/2013/08/20/disneys-toontown-closing-on-september-19/
VP of online security firm warns people the internet isn't safe.
What's next? Glock's VP says streets aren't safe?
The headline makes it sound as if the criminals are -playing- the games to steal info. They are just stealing the info same as they would from any other company. It has absolutely nothing to do with the fact that it is a game, except for the fact that the amount of players and possibly lax security make it a valuable and vulnerable target.
Silence is a state of mime.
Game companies seem to do everything they can to piss players off. While charging them. Goes double for any so called 'free to play' games. The most scummy tactics ever. The most greedy underhanded should be criminal bullshit.
That creates a lot of really unhappy people who hate your guts and want to see you burn.
And some of them are smarter than your security people.
Especially when companies won't do fuckall about security until after the fact because it costs them money and they are greedy.
You made it an adversarial situation of money vs players. And now you're surprised some of those players learned your lesson and broke into your company and made money off you.
Sounds like plain ol 'you reap what you sow'.
Someone has been reading Reamde lately. Anyway, that something that enables you to interact with other people can be used to interact in "wrong" ways is something that doesn't apply just to games, and yet, that argument is being used to demonize the internet, games, even the Tor network. If you want to be free, you must accept that people could use that freedom to do bad things, and the solution is going after those people, not punishing everyone by taking away freedom.
At least they've got a hobby!
n/t
Replace FOO with some type of online service in the following soundbite:
"FOO a 'playground' for organized crime."
Congratulations, you are now a security expert! Let's try it out:
"Social network services a 'playground' for organized crime."
"FTP servers a 'playground' for organized crime."
"VoIP providers a 'playground' for organized crime."
See! Wasn't that easy!?
Fucking stupid ass wankers that don't know shit want to tell us what is up.
Thank you, Nyder, for that report from Slashdot's Tourette Syndrome news desk.
Up next, authorities say a common network protocol used every day could kill you. Find out which one after this commercial break!
Why would you bother storing hashed and salted credit card information? The only thing you could do is match it against the credit card used on the next transaction - but what does that really get you? The hashed/salted card number would be usable again (if hashed+salted properly)
I've always avoided any game which relies on these in-game purchases.
Firstly, because I'm cheap and have no interest in having to pay for baubles in a video game with real money. But second, because I don't necessarily trust that companies put enough effort into safe-guarding my financial information -- they put a lot of work in the glossy bits and setting up a way to get my money, but they're not as interested in keeping it secure.
If you know that a system has a vast number of credit card details stored in it, it's going to be an attractive target, because any exploit of it is going to yield a lot of stuff. In this case, it's a big giant database of credit cards and names, stored by a company who may or may not have put enough effort into protecting that.
This is why I'm of the opinion that companies need both restrictions on the kind of data they collect and use, but also some steep penalties for failure to safeguard it once they have it.
If someone can do an incompetent job of security and have their users be the ones affected by it, it has to be a lot more than "ooops, sorry".
Lost at C:>. Found at C.
Online retail stores are a 'retail shop' for organized crime and cyber criminals
Yo dawg, I see you be speakin' all street and shit. You're all gangsta bro, and you've clearly got your shizzle in the hizzle. 'yo peeps must be proud.
Seriously man, learn how to write a fucking sentence.
One use would be for ongoing purchases in / for the game. When you sign up, they store the CC on a protected payment system that's not directly accessible from the internet. The internet-accessible server has only a secure salted hash of the CC. For a purchase, the client prompts for the CC to use, then sends the hash of it to the public server. That confirms that the user truly has presented the correct card number. The public server can then call the one and only function exposed by the payment server, billcard(hash,amount).
That way they can prove that the customer entered the card number into their game, without sending the card number over the internet.
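The flow described in the comment above, sketched as an added example that is not part of the original thread or any real game's code. The class names, the choice of PBKDF2 for the salted hash, and the card number are assumptions made for illustration; only `billcard(hash, amount)` comes from the comment.

```python
import hashlib, hmac, os

def card_digest(pan: str, salt: bytes) -> bytes:
    """Salted, stretched digest of a card number (PBKDF2 is this example's choice)."""
    return hashlib.pbkdf2_hmac("sha256", pan.encode(), salt, 100_000)

class PaymentServer:
    """Internal system: the only place the real card number is kept."""
    def __init__(self):
        self._cards = {}   # digest -> card number
        self.charges = []  # (last four digits, amount) actually billed

    def enroll(self, pan, salt):
        digest = card_digest(pan, salt)
        self._cards[digest] = pan
        return digest

    def billcard(self, digest, amount):
        # The one function exposed to the public server.
        pan = self._cards.get(digest)
        if pan is None:
            return False
        self.charges.append((pan[-4:], amount))
        return True

class PublicServer:
    """Internet-facing game server: holds salt and digest, never the card number."""
    def __init__(self, payments):
        self._payments = payments
        self._accounts = {}  # user -> (salt, digest)

    def register(self, user, salt, digest):
        self._accounts[user] = (salt, digest)

    def salt_for(self, user):
        return self._accounts[user][0]

    def purchase(self, user, presented_digest, amount):
        _, stored = self._accounts[user]
        if not hmac.compare_digest(stored, presented_digest):  # constant-time compare
            return False
        return self._payments.billcard(stored, amount)

def client_purchase(server, user, entered_pan, amount):
    """Client side: hash the entered number locally and send only the digest."""
    return server.purchase(user, card_digest(entered_pan, server.salt_for(user)), amount)
```

In this sketch the digest is the value `purchase` accepts, so it needs the same protection in storage and in transit as any other credential.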
A bit off-topic, but if games with online playability lack security, it is by their choice. They certainly spy on their players enough.
Get an IP sniffer.
When I play StarCraft II, which insists on being online even for single-player, I get tons of connection attempts going places other than Blizzard. I block them, and gameplay does not suffer.
* www.reuters.com
* www.googleanalytics.com
* Akamai (OK, that's for downloading updates)
* several other all-digit IPs, which I also block.
Nobody really gets hurt, trolls get their kicks from pissing off normal people, game companies get reminded again that security is important, and the criminals refine their skills.
Everybody wins.
Sounds like an excellent way to launder money, as well. Virtual goods with no real inventory....
If you were me, you'd be good lookin'. - six string samurai
Yup, it works.
The only way to stop a bad guy with a video game is a good guy with a video game
Any fool can learn a name, a postal address, an email address, a birthdate, a social security number. Those things therefore have no value and there is not much point in obscuring them. Passwords (disgusting method, relies on users and communication cryptography, neither of which is reliable) are perhaps another matter - but hopefully if the access a password guards matters, that password is NOT used elsewhere by that user. Well, one might hope I suppose.
Biometric has a chance, at least to guard access at the endpoints. Maybe the quantum folks will discover something that not only obsoletes existing cryptography (as it appears they basically have), but something reliable.
I suspect currency interchange by NFC might be the solution for money. I can think of no solution for privacy and reputation. Perhaps social and legal penalties for degrading someone based on information that in former times would have been private might help, but gossip control is contrary to human nature. We're in a village of a billion and climbing towards ten times that many, this is one of the ways things are and increasingly will be different.
I am convinced World of Tanks is nothing more than a way for the Russian Mob to launder money. There is no way they have as many users as they claim.
At first I thought they were talking about actual organized crime like the mafia "meeting up" in World of Warcraft or something, to set up hits on witnesses and stuff.
Frankie: "Hey Tony, I need to speak to you about last night's heist real quick."
Tony: "Yeah sure thing boss. Gimme a minute and I'll jump on my Paladin so we can do business."
Seriously, NSA, Really? Thanks for finding an excuse to monitor the potheads in my EverQuest chat box?
You guys are fucking pathetic.
A) It doesn't necessarily require that the CC be sent over the internet. You COULD phone it in. On some sites, we used to have an applet for your modem to call the payment system directly. Today's version of that would be for the game setup to include a VPN-like client. That can be followed by a confirmation call or other one-time security measures. Even if it WERE sent over the internet with no extra security, doing that once is better than doing it every time you buy a game token.
B) Unsecured? You obviously haven't seen our payment server, or the PCI standards required for all systems that store CC info. Yeah, credit card billing requires storing credit card information. You do that on a hardened internal system, not a publicly accessible web server.
C) What?! It's a bad idea to follow secure procedures because not doing so would be bad? If they want to set up a new payment card, they go through the secure procedure again, which is allowed to include time delays, phone confirmation, etc. Those security elements are not then required each time you want to buy a game trinket.
To look at it another way, you're saying "it's dumb to have passports or driver's licences. Since you need to have security measures in place to acquire that identification, you should go through the same verification processes every time you want to buy a beer". That's actually a very powerful principle for security generally - do thorough verification ONCE, for good security, then issue a secure token for convenient use. That's the underlying reason sites protected by the Strongbox security system are so much more secure, for example. Competing systems do all their checks for every hit, dozens of times per page, so their verification can't be very thorough.
Yeah, that's what the vast majority of web sites do. PayPal or Google checkout for one-time purchases, CcBill or Verotel for subscriptions. That's not a bad idea.
Most site operators truly need assistance just securing the interfaces to payment processors, and securing passwords. For example, most store passwords using DES hashes (1972) or plaintext until we fix it for them. I think they are correct to focus on their core competency and let professionals with time-tested solutions handle difficult issues outside their expertise. Especially so when the consequences of error can be significant.
I've been really enjoying On-Line Yakuza, but since I 'lost' several levels last month, I can't type QAZ or hit Caps Lock.