It was striking to see one of the first things that Epic Games did with its pile of money from the enormously successful battle royale game Fortnite. With a billion dollars in cash or more, Epic Games acquired game security and player services firm Kamu in Helsinki. Stopping fraud, cheating, and other attacks has become a big deal in the $139 billion game market.
We talked about the problem of fraud in video games at a session entitled “Hate the fraudster, not the game” at the recent Money 20/20 event on the future of money in Las Vegas.
Brad Wiskirchen, CEO of Kount, moderated the panel. I served as a speaker on the panel, as did Scott Adams, former director of risk management at Riot Games and fraud expert at FraudPVP; and Nina Diatchenko, fraud operations supervisor at Linden Lab.
Our panel touched on the explosive growth of games and the return of fraud as criminals and others follow the money. I spoke about the history and context behind the fraud while Adams and Diatchenko talked about specific problems like fake account creation, account takeover, cheating, and what to do about it.
Here’s an edited transcript of our conversation.
Brad Wiskirchen: Joining me on the panel today, we have three other individuals. We have Dean Takahashi, lead writer for GamesBeat at VentureBeat. We also have Nina Diatchenko. And Nina has a background in banking but is now with Linden Labs, the creators of Second Life, which is pioneering the virtual world and home to the world’s largest digital goods economy. We also have Scott Adams, the former director of risk management at Riot Games, and he’s been consulting with a lot of gaming companies now in his new life as a post-Riot games consultant, helping gaming companies overcome fraud problems. Thanks for joining me, everybody.
I think I’ll start with Dean. You’ve been covering the gaming industry for over 20 years now. How has the prevalence of fraud in gaming evolved over the years?
Takahashi: [I’ve been writing about games for decades.] Fraud seems to have stuck around. I think that things that everybody is familiar with, you can summarize in a few short ways. There’s the one everyone in the room knows, which is children play and parents pay. There’s the entitled or entrepreneurial gamers, who twist the rules like with the gold farming in China. There’s fraud in that perpetrated, depending on your POV, by either the gamers or the companies. There’s the usual currency fraud and cheating as well. So, these things were around a while ago and are still around.
Wiskirchen: Nina, you’ve been in this game a long time. What about you? How have you seen this evolve?
Nina Diatchenko: I would say with digital goods, you can buy goods digitally in Second Life, but it’s … similar to a brick and mortar — people try to steal things from you. People will try to social engineer your account and take over your account and make purchases with your existing information on file. And with that, they keep trying to get in. That’s never going to change. They’re not going anywhere, and if you don’t see them, that means you’re not looking hard enough.
Wiskirchen: Scott, how about you? Has the growth of the industry overall lent this to becoming a bigger target?
Scott Adams: Yeah, I think if you go back five or six years ago, kind of the advent of esports added a whole new dimension to this. Most of us who’ve dealt with fraud a long time, will see things like credit card fraud and its high impact. But now, mixed in with esports and now the big, social side of gaming, I think you tie it just as much back to say you’ve got rank fraud. When you have [rankings in games], you get all the rewards, and people want to have that rank, which leads to other means of fraud.
Wiskirchen: Interesting. So Nina, we’ve been talking so far about keeping fraud rates down and types of fraud. Is there a way for gaming companies to improve their acceptance rates in addition to fighting fraud?
Diatchenko: Well, you have to first think about what your risk appetite is. What are you willing to accept with declines? What are you willing to accept with fraud actually getting approved? You want to find a nice balance. It’s all about balance. You want as many as good customers to go through and be able to buy things.
You want them to be engaged, and you don’t want to put too much friction to keep them from doing so. So, I think you have to first understand who your good customers are, but you also have to understand who your bad customers are and differentiate — make profiles about them. So, you can let as many good customers through, and that will increase your acceptance rates and you know how to keep your chargeback rates down.
Wiskirchen: Dean, you interact with a lot of gaming companies. How do you find, from what you’ve seen, how do you find them balancing that growth and addressing fraud?
Takahashi: Well, if you remember, Zynga was one of the biggest meteoric rising game companies from 2008 onward. But a lot of people may not remember that when Zynga Poker came out, it got hacked. It got hacked so bad that they were potentially going to go out of business. They were losing so much money trying to deal with the poker chips that they were supposed to be selling for real money. Instead, people were stealing.
If they had not solved that problem, they would have never become a multi-billion dollar company. So, there’s a lot at stake — especially at the very beginning when you’re just getting started. Fortunately, they did solve it within a matter of weeks, but I think it’s a good lesson for any company.
Wiskirchen: Scott, how about you? What do you think about the rise of fraudulent accounts in gameplay, like account takeover? You think those things have turned players … the legitimate players, I guess I should say.
Adams: No, I don’t think they’ve really deterred players. As a consultant, I like to see the other side and lot of the other parts. What I see a lot is that I don’t think it really deters the player during gameplay. Especially, as you said earlier, there are a lot of young people playing, and they don’t even realize it. If you go back, you can ask people how many accounts they have.
They’ll say a lot. You probably have just a very high percentage — that same password is [used in every one of the accounts]. People have to realize that they can protect themselves, and they can use two-factor authentication, and other things so that they [can be safe]. Make sure that their good, important accounts are protected along with their gaming accounts.
Wiskirchen: Nina, how about you?
Diatchenko: To add to that, I would say that education of your customers is important. If they don’t know what a good password is — I know, yes, we still have passwords, and they still exist, and that’s a lot of what is securing you from a hacker. And if you want to avoid just basic brute force hacking of accounts, you have to make good passwords.
And if you don’t tell your customers, especially people who spend a ton of time, money, building their accounts and have communities, they have things of value attached to that account. If they have a password123 on it, they’re going to come to you — come to me, why didn’t you do something sooner? Why did you let this happen? And then, we’re gonna try to scramble and try to retain as much as we can.
Adams: And that goes back to your comment earlier — optimizing friction and what risk the company is willing to take. Because really, you can solve this with two-factor authentication. But, that’s too much friction for the marketing team. How do you balance that? Every company that I work with — that’s a fight every time. Do you give up verification?
Do you require verification on sign-on? No, you don’t. None of us do. We should but we don’t. So, I think in a lot of ways, it’s just as much our problem, and if we would all talk about this and will say our companies are doing that, it’d be great. That would be educating the consumer and more of us taking responsibility in protecting those accounts.
Wiskirchen: Do you think the players have a role in combating fraud or ever report fraud to the organization?
Diatchenko: Definitely, yeah. In Second Life, you have in-world reporting tools. The [reports] directly come to us. We get to review it at our leisure, depending on how urgent it is. And we can really take a deep-dive and find out something. And they try to call us. We have a fraud line for exactly these reasons. If you suspect your account is hacked, let us know. We want to fix it for you. Don’t just chargeback all those fraudulent charges. Let us know so that we can keep that from happening to another customer in our system.
Wiskirchen: Scott, what are you seeing on that front?
Adams: If you have a good community — that’s one of the things I liked best about Riot. Their community was incredible. One time we had, I was on the East Coast, and Riot’s West Coast, and my team is on the West Coast. One time, some guy was going to forums, saying, “Hey, my account was banned, but I didn’t do anything wrong.” Our founder was up early, so I get an email from him at 6 a.m. my time, and said, “Hey, check this out.”
Before LA woke up, before my team woke up and could actually dig into it, the community had chimed in. They looked up the guy’s account. They basically told him and wrote in to tell him, “Here all the ways you’ve been hacked.” And by the end of it, the guy’s admitting, “OK. Yeah, sure. That was me.” The better your community, the more interactive you are with your customers, the more that happens. And that’s why in gaming, especially, people get really passionate about the game. So often times, you will have an active community if you engage with them. It’s really valuable.
Takahashi: I also see a very different type of phenomenon where the company and its programmers leave a door accidentally open and the gamers will take advantage of it. And then, at some point, the company figures out, “We’re losing stuff this way.” Or, “We set up a rule in a bad way,” and then, they shut it down. And then, the entitled gamer effect comes about. “What, what’s going on? You made this available to us. We figured out how to take advantage of it, and now, you’re taking it away from us? We’re in an uproar and have a revolution.”
And that’s when they call me. I’m sort of their outlet for frustration when companies are overwhelmed with too much to do or too many complaints. They band together sometimes and form a community to protest against a company. All these mobile game companies in particular have had revolts from gamers who felt wronged in some way when they felt like the company took away something that was there by accident.