Some attacks are relatively harmless, while others can cause serious damage to a game publisher’s business. Following is a list of the most common game-related cyber attacks and what publishers can do to better protect themselves and their customers:
* Account hijacking and virtual goods theft – The sale of virtual goods is a leading reason online gaming companies have seen a significant increase in fraud. Criminals use a number of tactics to acquire user names, passwords and personal data. After an online game account has been compromised, attackers drain a user’s account and quickly convert the virtual currency into real currency.
* Credit card testing – Criminals often use a gaming site to test their inventory of stolen credit cards. Credit card authorizations for many online games are instant, giving fraudsters real-time feedback as to whether a stolen credit card is legitimate. The result can be unexpected revenue loss, fines or an inability by the publisher to process credit card transactions.
* Virtual goods and services trades – Over 50 percent of online gamers engage in virtual goods and services trading; in other words, bartering virtual goods for other virtual goods, tangible goods, or services. The risk of theft increases due to the greater number of methods in which a trade can occur such as through a direct transfer, trade window, dropping, in-game mail or in-game trading tool.
* User and computer manipulation – It’s not uncommon for a user’s computer to be hostilely taken over and controlled by a criminal. Once a computer is infected and controlled, it is vulnerable to an array of malicious activities such as click fraud scams and fraudulent credit card use.
So, what can publishers do to protect their games and the people who play them?
Publishers need a fraud detection solution that operates 24×7 for constant monitoring of gaming environments. A real-time security solution should integrate seamlessly and directly into the game and monitor every transaction made, alerting publishers instantly to potential fraudulent activity. Cybercriminals are expert at determining the most opportune time to attack a business; they often wait to let an account mature before using it. Publishers should use a risk management solution that can assess and validate new accounts, authenticate returning users and evaluate and authorize all payments.
Many publishers have some means to detect whether a gamer is in the location that he or she says they are. A fake gamer may say he is located in San Francisco when his true location might be Indonesia. Publishers should deploy a geo-location tool that will scrub and evaluate more subtle indicators of fraud like languages, fonts the computer uses and whether the time zone of the computer matches the country it is in.
Cybercriminals frequently try to alter a device’s credentials or information to create fictitious accounts. Criminals change data such as email, user names, address, sex and age to fool systems. A risk management system must be able to identify a true user by generating a unique “device fingerprint” that is tolerant and sensitive to possible Internet Protocol address and browser usage changes.
The unfortunate reality is that cybercrime is a persistent problem in online gaming. Fraud and risk management should be a priority of every gaming publisher to help protect their business, their customers and the overall reputation of the industry. And the size of the business doesn’t matter. In fact, emerging and mid-size gaming companies have become a greater target due to their limited fraud-detecting tools.
Jeff Sawitke is vice president of product strategy and development at security firm Verifi. Alisdair Faulkner is Chief Products Officer at online game security firm ThreatMetrix. They’re both experts on online fraud and identity verification.