Online Gaming: Real Money, Real Threats

30 11 2012

by A.J. Holton

Background

Today millions of people across the world are joining together over the Internet to immerse themselves in the virtual world of gaming.  MMORPGs (Massively Multiplayer Online Role Playing Games) are the top guns of the industry, boasting millions of subscribers worldwide.  “New World of Warcraft® expansion sells 2.7 million copies in first week — global subscriber base passes 10 million” (“Alliance and Horde Armies”). This is a game which has been out for 8 years, and it still has many subscribers paying roughly $15 dollars a month for service.  Games like Blizzard’s World of Warcraft are constantly being exploited through cheats and account hacking.  Guild Wars 2 was just released late August 2012 and had problems with account security that day with more than 11,000 accounts being exploited due to malware from adversaries (Parrish). It would seem account hacking is somewhat correlated with third-party account modification. TheGuardian wrote a story on Chinese prisoners who were actually forced to play this game to turn a real profit through illegal sales (Beijing).  So as you can see, there is definitely a market for the willing adversary.  The focus here is on Blizzard as I am most experienced with their company, it is the biggest, and most newsworthy.  However, security applies to all online games, especially those of the MMORPG variety.  What I aim to discuss is the implementation of what is called a Real Money Auction House, but first I must explain the security measures already in place.

Security Measures

Overall, MMORPG security issues have been growing, forcing companies like Blizzard to come up with ways to counteract them.  “The Battle.net Mobile Authenticator is an optional tool that offers Battle.net, the Blizzard game client, account users an additional layer of security to help prevent unauthorized account access” (“Battle.net Authenticator”).  The authentication process was needed to help Blizzard deal with the amount of account compromises going on.  Basically what it does is generate a random number, held by Blizzard and the user, which changes every minute allowing only the user to log in (“Battle.net Authenticator”). Another security measure taken is the use of spyware like Blizzard’s Warden.  This software takes information from your RAM, hard drive, CPU, IP address, OSes, and others “FOR PURPOSES OF IMPROVING THE GAME AND/OR THE SERVICE, AND TO POLICE AND ENFORCE THE PROVISIONS OF ANY BLIZZARD AGREEMENT” (“World of Warcraft Terms of Use”). Obviously the implementation of these security measures is because of the severity of the problem.  We would expect for companies like Blizzard to continue making games safer, but sometimes money is more important in the end.

Real Money Auction House?

Yes, Blizzard’s Diablo III came with a new, experimental RMAH (Real Money Auction House) which allows users to purchase in-game items on the auction house with real currency.  In an auction house users can purchase anything from equipment to collectables.  With this RMAH, you no longer need to spend countless hours collecting materials for in-game currency to purchase items.  All you would have to do is enter your credit card number and your transaction is processed almost instantaneously.  I believe this was a bit too ambitious for Blizzard as security was already compromised frequently.   “This week, our security team found an unauthorized and illegal access into our internal network here at Blizzard”, taken from the Blizzard website September 2012 (“Important Security Update”). Gaining access to Blizzard’s database would offer an adversary hundreds of account passwords and users’ credit card information.  Blizzard gets a cut from the RMAH, meaning when a player makes a sale, Blizzard takes15% off the top of the sale price (“Diablo III Auction House”). I think it almost goes without saying; the RMAH could be a very lucrative business for a skilled adversary to get into.  It would be easy to modify transactions or redirect funds to new accounts.  I can see countless vulnerabilities this new auction house brings to the online gaming world.  Finding ways in code to repeat a transaction, modify the value of items before or after transactions, rerouting money to different accounts, and simple password theft/account fraud are all examples of problems that could arise.  If the problem gets too bad, Blizzard could lose the trusted fan base they have been working so hard to maintain.  There is a story about a player losing $200 dealing with this RMAH, and the FBI even got involved.  They were able to assist and return the user’s money (Usher). This is just one of many problems this implementation has caused already, and the FBI getting involved is nothing to disregard.  We need to take a look at Blizzard’s perspective to better understand their reasoning behind creating a RMAH.

Blizzard’s perspective is totally profit driven in a sense; however this RMAH does offer a service to players.  Instead of players buying and selling items from third parties, which is usually the main culprit behind compromised accounts, they will buy the items from Blizzard (Heartbourne). When looking at it from this perspective, it doesn’t seem so bad.  This would actually help cut down on account hacking and make Blizzard big profits in the end.  I think using the RMAH as a “security device” is brilliant and could really bring about a new age of gaming, if successful.  I have not found sufficient numbers to determine the success of the RMAH in Diablo III, as sadly I think the game died out much too quickly.  If games continue with this trend, the system could be completely compromised by an adversary getting into the company database.  If they do not implement this, there will still be a demand for purchasing items with real money from third parties (possibly leading to user account exploitation).  It is a tough decision, but I would opt for the RMAH because it has a high profit margin for the company and reduces user attacks.  I would put more resources into keeping my company’s systems secure, whereas I do not have as much control over the user’s account.  All in all, there will always be a market for adversaries in the online gaming realm.  Blizzard will remain a key innovator in the industry and it will be exciting to see if other companies start to follow suit. I would like to hear other people’s thoughts and comments on whether a system such as this is a good or bad idea for the future of online gaming.

__________

Beijing, Danny Vincent in. “China Used Prisoners in Lucrative Internet Gaming Work.” The Guardian. Guardian News and Media, 25 May 2011. Web. 01 Nov. 2012. <http://www.guardian.co.uk/world/2011/may/25/china-prisoners-internet-gaming-scam&gt;.

Blizzard. ALLIANCE AND HORDE ARMIES GROW WITH LAUNCH OF MISTS OF PANDARIA. Blizzard.com. Blizzard Entertainment, 04 Oct. 2012. Web. 15 Oct. 2012. <http://eu.blizzard.com/en-gb/company/press/pressreleases.html?id=6147208&gt;.

Blizzard. “Battle.net Mobile Authenticator FAQ.” Battle.net. Blizzard Entertainment, n.d. Web. 25 Oct. 2012. <https://us.battle.net/support/en/article/battle-net-mobile-authenticator-faq&gt;.

Blizzard. “Diablo III Auction House”. Blizzard.com Blizzard Entertainment., n.d. Web. 26 Oct. 2012. <https://us.battle.net/support/en/article/diablo-iii-auction-house-general-information&gt;.

Blizzard. “Important Security Update.” Blizzard.com. Blizzard Entertainment, n.d. Web. 26 Oct. 2012. <http://us.blizzard.com/en-us/securityupdate.html&gt;.

Blizzard. “World of Warcraft Terms of Use.” Blizzard.com. Blizzard Entertainment, n.d. Web. 25 Oct. 2012. <http://us.blizzard.com/en-us/company/legal/wow_tou.html&gt;.

Heartbourne. “Diablo III Real Money Auction House: Analysis of Fees, Market Forces, and Strategy.” Lorehound.com. N.p., n.d. Web. 26 Oct. 2012. <http://lorehound.com/news/diablo-iii-real-money-auction-house-analysis-of-fees-market-forces-and-strategy-part-2/&gt;.

Parrish, Kevin. “Guild Wars 2 Accounts Hacked Immediately After Launch.” Tom’s Hardware. Tom’s Hardware, 08 Sept. 2012. Web. 20 Oct. 2012. <http://www.tomshardware.com/news/ArenaNet-Guild-Wars-2-MMOG-PC-Gaming-Hacking,17455.html&gt;.

Usher, William. “Gamer Loses $200 Due To Diablo 3’s RMAH Region Restrictions.” Cinemablend.com. Gaming Blend, n.d. Web. 19 Oct. 2012. <http://www.cinemablend.com/games/Gamer-Loses-200-Due-Diablo-3-RMAH-Region-Restrictions-44123.html&gt;.

Advertisements

Actions

Information

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s




%d bloggers like this: