How to prevent Virtual Theft

on November 5, 2009

We have talked a lot about theft in the real world, so I guess it is about time we also discussed theft in the virtual world. The BBC reported that some Trojan software is now targeting online games and stealing login information from its victims. Microsoft has stated that Taterf (one such Trojan) was reported to have infected nearly 5 million computers in the last 6 months of 2008.

So why do malicious people bother stealing online game credentials? The answer, as always, is money.

Since the dawn of online gaming, people have figured out that there is money to be made by selling virtual goods and ‘in game’ currency for actual money. As opposed to offline games, online games are generally slower to generate ‘in game’ money for the players. ‘In game’ money will also help players buy better equipment, which will give them an edge over other players. This creates two needs that malicious people can exploit.

The first need is obviously for ‘in game’ money, and then there is the need for premium virtual objects. Where there are needs, one can be sure that there will be people selling items to satisfy those needs, and here it’s no different. While selling or buying game items, including ‘in game’ currency, is generally prohibited by the EULAs of most, if not all, online games, the practice is still widespread. A quick search on Google returns numerous sites that sell gold and/or items for World of Warcraft and other games. Prices are quite similar, with the cheapest I found being $31.49 for 5000 World of Warcraft gold coins, whilst the most expensive site wanted $47.99 for that same amount of gold. Now the question is ‘what are 5000 gold coins really worth?’ Well, for a new player who plays casually, 5000 gold coins will mean a couple of months of gaming, but this is just a very rough estimate. For veteran players these sites sell bundles of 100,000 gold coins at a cost of ~$600. And that’s not all. It’s also possible to buy ‘in game’ items, with prices for rare items going for $1000+ each. This all illustrates that even though we’re talking about games and items that do not really exist, they still have real-world value, which makes them worth stealing.

The people who are selling these items do not have magical ways to acquire them. In some cases bots are used to acquire these resources. Bots are software programs that take control of the game and perform tasks automatically without a player’s intervention. While they are great for generating gold while someone is busy at work or doing something else, they are forbidden by the game EULAs as well. A court has also ruled against one such bot, and this is the only court case I know of against such programs. Furthermore, accounts using bots are sure to be banned if caught, so using bots to generate gold is not very efficient. This leaves one other option to obtain gold and items in mass quantities and efficiently: steal them from other players, and the only way to do that is if someone gets access to that player’s account.

Another motivator for people to resort to stealing virtual items is that it is generally safer for them than stealing money or items in the real world. Prosecution of people stealing virtual items is rare, if it happens at all, while if one were to steal money from a bank one can be sure the police would be looking for them almost immediately. This is not to say that stealing virtual items automatically makes a person safe, as this story illustrates: a man killed another player for stealing his virtual sword after the police said they couldn’t do anything about it.

In conclusion, people who play online games invest both time and money in them, and those investments are assets that require protection. Security is not something that applies only to big companies; even a home user who uses his computer exclusively for gaming needs to secure his environment or risk losing everything virtual that he owns. In short, the threats you need to defend against in your online game are not just enemies within the game but also malicious people in the real world who would love to get hold of your items the easy way.

Something to consider is that if someone has access to your account, it means they have access to your credentials. If those same credentials are used elsewhere, then that too is at risk. This is even more so if those same credentials give access to systems inside your company’s IT infrastructure. Even though the risk might be low, since the person who stole the credentials needs to link you to your workplace, it still can be done. For this reason and more, it is good practice to change all the passwords in the event that a password which gives access to multiple systems is compromised.

The usual tips apply here as well.

  • Always ensure you are running an antivirus programme that is up to date.
  • Do not visit dubious sites that might carry viruses, or at least ensure that your web access is also scanned for possible viruses.
  • Do not click on email attachments without knowing what they are, especially if they are executables – no matter who is sending them.
  • Always ensure that your computer has the latest patches and is fully up to date.

It is also good to remember that your game credentials are likely to be a target for malicious people almost as much as bank credentials are. For this reason I would recommend that you use unique credentials for online games. Do not use the same login and password you use for your systems, email and anything else.

Comments

John Mello November 8, 2009 4:51 pm

It should be noted that mobile gamers have also been targeted for mischief. In a disturbing case involving Storm8, a maker of video games for the iPhone and iPod Touch, it was discovered that the game vendor was harvesting cellphone numbers with its application.

Since mobile numbers are like gold to marketers, Storm8, which claims 20 million downloads of its games, was essentially using its game to mint money for itself.

After the company’s dubious activity was exposed this summer, it fixed the problem, which it characterized as an “oversight” and a “bug” in the software. However, that didn’t deter a class action lawsuit from being filed against the company last week. In that suit (http://www.prnewschannel.com/pdf/Complaint_Storm_8_Nov_04_2009.pdf), the plaintiffs aren’t buying Storm8’s “bug” defense. They argue in their complaint filed in a federal district court in California:

“Storm8’s characterizations of its practice of harvesting phone numbers as a ‘bug’ and an ‘oversight’ are false. Storm8 could not have accidentally harvested its users’ phone numbers. It used very specific and specialized software code to do so.”

Since iPhones are so popular among upper level executives, this kind of theft could present corporate computer security personnel with even more severe problems than online gaming scams that may victimize their rank-and-file users.

Emmanuel Carabott November 9, 2009 12:21 pm

Wow, it takes some guts to characterize such a practice as a bug! This story you mention might also be expanded into a cautionary tale about installing games / other software on mobile devices used for work reasons. The potential is there, when you install software, to turn your device into a spy gadget of sorts.

I have to admit I am not really familiar with mobile device development, but once an application is installed and trusted I expect it has full access to your device and could potentially, when presented with an Internet connection, send out mobile numbers and possibly SMSes, calendar events and maybe even notes present on your mobile device. More insidiously, I guess it can initiate an Internet connection itself via WiFi or even GPRS. That being said, I do know that some mobile phones ask for permission before allowing applications access to certain things such as WiFi or GPS data; however, with a little social engineering I bet people can easily be convinced to allow it.

So I certainly agree with you, John. Beware that even mobile devices can be a target. As with everything else, ensure you do not run anything you don’t trust and are not absolutely sure of the origin of.