If you read the above headline and immediately checked your bank statement, well, that’s probably not a bad habit to get into, but we weren’t actually talking about Account Security. In today’s article, we talk about how plat farmers have gotten more sophisticated and are picking SOE’s pocket via new (StationCash Gifting) and old tricks (Legends of Norrath packs).
Fraud Happens
Every online business has its share of credit card fraud. However, digital currencies like StationCash have been especially prone to this problem, due to the immediacy of the conversion from real dollars to virtual ones. Scammers can create thousands of SOE accounts using automated scripts, activate them with stolen or faked credit card information, “fund” them with StationCash via more fraudulent transactions, and now, with the new StationCash Gifting feature, “sell” items to players in-game using their ill-gotten StationCash. The scammer gets the platinum for the sale of the SC item, and then turns that platinum around to a plat-selling service. They get money for nothing via a bit of digital switcheroo.
By the time the dust settles, and SOE realizes that a House, Pegasus, Glider Mount, or other SC item has been ‘gifted’ to another player without SOE having received a penny, it’s too late. What is SOE going to do, cancel or take back the item? SC items have no inherent value and taking back pixels would just infuriate the ‘customer’. It’s lose-lose for SOE.
Moves and Countermoves
Potential fraud has always been a spectre over MMO transactions, and every design decision has to consider that possibility. In the past few weeks, SOE has taken many steps to try to throw a wet blanket on the scammers and plat farmers seeking to defraud SOE (and sometimes players).
Recently, StationCash Gifting, the ability to mail a Marketplace-purchased item to another player, was changed to permit no more than 2 gifted items per 24 hours. A minor inconvenience for some, but it was done to try to stem the tide of fraudulently-purchased StationCash. I and others have suggested what may seem an obvious fix — limiting StationCash Gifting to accounts that are older than 30 days or even setting the threshold to 6 months.
However as SOE International Customer Service Manager Ima Somers (interview @ EQ2Players) told us at Fan Faire 2010, not only do hackers have a lot of pilfered SOE accounts on hand, they have a lot of very old accounts, acquired by phishing for passwords not only for EQ2 but from its competitors such as WoW and even banking sites. The human foible of using the same password on different websites has led to tens of thousands of old SOE accounts — from people who no longer play — falling into the hands of plat farmers and others who would readily use them in any scheme that will make a buck. Hopefully, the forced password reset instituted by this spring’s security breach will help cut off scammers from many of these dormant accounts.
A Chronology
SmokeJumper on July 20th explains the change to 2 SC gifts every 24 hours:
It’s per account, not per character.
It’s also a first step. We now have the ability to throttle it further in different ways if we need to do so. But plat farmers are like other business folks. If something becomes too inconvenient or costly, then they’ll bail on it to find another way. We’ll see how this change works. It has worked well with other things (like character transfer tokens).
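The throttle SmokeJumper describes (a cap on gifts per account, not per character, over a rolling 24 hours) is simple to get subtly wrong if it is keyed on the character or reset at midnight instead of sliding. The following is an added example, not SOE’s code, of how such a per-account sliding-window limit would be enforced; the character-to-account mapping, the timestamps and the names are constructed for the demo.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

GIFT_LIMIT = 2                 # gifts allowed per account per window (from the article)
WINDOW = timedelta(hours=24)   # sliding 24-hour window, not a calendar day

# Constructed sample mapping of character -> owning account. In a real game
# this would come from the account database (assumption for the demo).
CHARACTERS = {
    "Aragorn.Antonia": "acct-100",
    "Legolas.Antonia": "acct-100",   # same account, different character
    "Zed.Nagafen": "acct-200",
}


class GiftThrottle:
    """Per-account sliding-window limit on StationCash gifts."""

    def __init__(self, limit=GIFT_LIMIT, window=WINDOW):
        self.limit = limit
        self.window = window
        # account id -> timestamps of gifts still inside the window
        self._log = defaultdict(deque)

    def _prune(self, account, now):
        # Drop gifts that have aged out of the window; oldest are at the left.
        q = self._log[account]
        while q and now - q[0] >= self.window:
            q.popleft()

    def try_gift(self, sender_char, now):
        """Record the gift and return True if the owning account is under
        its limit; otherwise return False and record nothing."""
        account = CHARACTERS[sender_char]   # key on the account, not the character
        self._prune(account, now)
        if len(self._log[account]) >= self.limit:
            return False
        self._log[account].append(now)
        return True


def demo():
    """Walk through the cases that matter: two characters on one account
    share the limit, a third gift in the window is refused, another account
    is unaffected, and a slot frees up once the oldest gift is 24h old."""
    t0 = datetime(2011, 8, 1, 12, 0, 0)   # constructed timestamp
    th = GiftThrottle()
    return [
        th.try_gift("Aragorn.Antonia", t0),                                   # 1st gift: ok
        th.try_gift("Legolas.Antonia", t0 + timedelta(minutes=5)),            # same account, 2nd: ok
        th.try_gift("Aragorn.Antonia", t0 + timedelta(hours=1)),              # 3rd in window: refused
        th.try_gift("Zed.Nagafen", t0 + timedelta(hours=1)),                  # other account: ok
        th.try_gift("Legolas.Antonia", t0 + timedelta(hours=24, minutes=1)),  # oldest expired: ok
    ]


if __name__ == "__main__":
    print(demo())
```

Keying the deque on the account id is what makes the “per account, not per character” rule hold; the sliding window avoids the midnight-reset trick where a scammer gets four gifts across a day boundary. Tightening the limit or the window, as SmokeJumper says they can, is a matter of changing the two constants.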
SmokeJumper on July 21st about whether SOE looks the other way when a gold/plat seller has lots of active accounts:
Actually, that’s not true. We’re actively combating this right now because we don’t get a red cent from those folks. Trial accounts or fake credit cards are used in most gold farmer/pirate transactions.
The reason it may seem we’re not responsive is a) we don’t talk about our struggles with these thieves very often, and b) we have lots of competing priorities, so until it ratchets up to problem size we do have a tendency to let it exist. We think it’s a problem now, so some changes are occurring. But if we can come up with “silent” solutions that don’t require pop-up dialogs and such, we will choose the silent options every time. No one wants to play a game and think about thieves all the time. My personal opinion.
Players on EQ2X noticed that SC-purchased Mastercrafted armor had disappeared. SmokeJumper on August 29th:
[Mastercrafted] equipment has been *temporarily* removed from the marketplace as we look into ways to keep it from being involved with fraud. We expect to have it back up again next week sometime hopefully.
Players couldn’t help but notice that just as Double XP Weekend was getting underway, XP and Vitality potions became ungiftable. SmokeJumper on August 1st:
Turning off Gifting for the potions was a temporary measure. We have some stuff going in soon that will hopefully enable us to free up the gifting restrictions again.
As to why it’s being taken so seriously:
It changes it from being a slap on the wrist “don’t do that” kind of thing to being an actual crime. We don’t want it associated with our game. So we’re making changes.
From SmokeJumper on August 1st, regarding Tradeskill Rares purchased through the EQ2X Marketplace suddenly becoming rare:
We hope that this is a very temporary measure as we fight back against the credit card thieves that have been abusing our Gifting system.
We have some measures going in soon that we think will resolve this entirely, and if so, then we’ll back off the Gifting restrictions ASAP thereafter.
Amnerys on August 4th, 2011:
The sale of Legends of Norrath cards through the in-game Marketplace has been temporarily disabled as a means to fight fraud. In the meantime, clicking to purchase cards through the Marketplace will redirect you to the Legends of Norrath’s online store. Purchases of cards can be made through the website, however please be advised that these sales are only possible with a credit card and not with Station Cash.
“I and others have suggested what may seem an obvious fix — limiting StationCash Gifting to accounts that are older than 30 days or even setting the threshold to 6 months.”
I think a cool-off period for the new account makes a lot of sense, though as SmokeJumper points out it pushes the fraud onto requiring an account.
But why not put a cooldown on the gifting of SC if the payment type has been changed recently for an account? I’m sure it will inconvenience a few people, but hardly many, and people can at least work around it. But for plat sellers, leaving such a period where their card purchases will be flagged and cancelled should push the vast majority out of business and limit what is left to only freshly hacked accounts; the SC limit then should really make that less profitable.
One more controversial option though: I wonder how many of these hacked accounts are operated out of China (or remote data centres to prevent the tracking).
Kind of wonder then if something could be done on the login checks that would immediately flag up if an account is suspicious and perhaps put a pause on SC related activities.
You know, honestly SOE has brought it on themselves by turning a micro transaction into a major transaction. It is ripe picking when you are talking $20 for a mount or $15+ for a house.
For me the obvious countermeasure would be linking SC gifting to verified cash income at SOE. Giving away SC while the Credit Card Transaction could still be charge-backed is an invitation for scammers.
SOE should track the net-income an account has generated for them and factor this in when allowing SC transactions. No scammer would put in $100 to be allowed to make a $10 transaction.
An old account, say 4 years old, could be banned from SC transactions altogether unless some foolproof manual, additional reactivation has been done. After all, there was no SC at that time anyway.
The legitimate customers are financing the fraudulent ones, plus SOE’s battle against them, by having to pay inflated prices! If everyone gives up a little bit of convenience it might make it much more difficult for scammers, lower the prices and make more money for SOE in the long run. Hap-hazard action like crippling the SC functionality is hopefully not their only response. They have to re-think the whole SC concept.
Quote:
“No scammer would put in $100 to be allowed to make a $10 transaction.”
Actually, they would if they are using a stolen or otherwise illegally obtained line of credit and it isn’t costing them a dime of their own money.
“An old account, say 4 years old, could be banned from SC transactions altogether unless some whatever foolproof manual, additional reactivation is been done.”
The problem is, NOTHING is “foolproof” . . . if it was, Sony (and everyone else involving any kind of anything that involves money) wouldn’t have to do any of this.
Even the authenticators are not fool-proof. One popular authenticator company itself was hacked. If you can get access to this information, the thieves can. To quote a friend who, in his teen years, got into the wrong crowd and stole some cars (and did some time for it) “If there’s a way for you to start your car, there’s a way for me to start your car.”
Even if they took away Station Cash and made EVERY transaction “Credit Card Only”, The thieves are still going to get stolen cards and/or numbers, buy the digital items, sell them for plat, then sell the plat for cash. It really DOES lend itself to being the perfect system to launder money . . .
It would seem that SOE implementing a system like Trion’s CoinLock would go a long way towards curtailing this sort of thing. Of course, it doesn’t completely stop it (if your email account is also compromised, then you’re pretty much screwed to the post anyway) but it does put a significant speedbump in the road to using a stolen account.
For those who aren’t familiar with it, basically the server keeps track of the IP addresses that you login from. If you (or someone else) attempts to login from an unrecognized address, the game “locks” the account so that you cannot buy or sell anything, destroy anything, etc. You’re basically limited to just running around until you enter a special code that’s emailed to the address that’s associated with the account.
The only real hitch to this kind of system is if you don’t keep your email address updated, or if whoever got access to your account credentials also has access to your email account. In the first case, it would require you to contact customer service. In the second, you’re just in bad shape all around.
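The CoinLock-style mechanism described in the comment above (remember the IPs an account logs in from, lock trading actions on a login from an unrecognized address, unlock on a code emailed to the account’s address) is easy to sketch and worth seeing end to end, including the two hitches mentioned: the code must expire, and the lock only helps if the mailbox itself is not compromised. This is an added example, not Trion’s or SOE’s code; the account name, the IP addresses, the restricted-action list and the injected `send_email` callback are constructed for the demo.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

CODE_TTL = timedelta(minutes=15)          # assumed lifetime of an unlock code
RESTRICTED = {"buy", "sell", "gift", "destroy"}   # actions a locked account may not take


@dataclass
class Account:
    name: str
    email: str
    known_ips: set = field(default_factory=set)
    locked: bool = False
    pending_code: Optional[str] = None
    code_expires: Optional[datetime] = None
    pending_ip: Optional[str] = None


class CoinLock:
    """Lock trade/destroy actions after a login from an unseen IP until a
    one-time code sent to the account's e-mail is entered."""

    def __init__(self, send_email):
        # Injected callable(email, code) so the demo runs offline (assumption).
        self.send_email = send_email

    def login(self, acct: Account, ip: str, now: datetime) -> str:
        if ip in acct.known_ips:
            return "ok"
        # Unrecognized address: lock the account and issue a fresh code.
        acct.locked = True
        acct.pending_code = secrets.token_hex(4)   # 8 hex characters, CSPRNG
        acct.code_expires = now + CODE_TTL
        acct.pending_ip = ip
        self.send_email(acct.email, acct.pending_code)
        return "locked"

    def unlock(self, acct: Account, code: str, now: datetime) -> bool:
        """Return True and trust the new IP only on a correct, unexpired code."""
        if not acct.locked or acct.pending_code is None:
            return False
        if now > acct.code_expires:
            return False   # stale code: player must log in again for a new one
        if not hmac.compare_digest(code, acct.pending_code):
            return False   # constant-time compare; wrong code leaves the lock in place
        acct.known_ips.add(acct.pending_ip)
        acct.locked = False
        acct.pending_code = acct.pending_ip = acct.code_expires = None
        return True

    def allowed(self, acct: Account, action: str) -> bool:
        return not (acct.locked and action in RESTRICTED)


def demo():
    outbox = []   # constructed stand-in for the mail system
    cl = CoinLock(lambda email, code: outbox.append((email, code)))
    acct = Account("Zed", "zed@example.invalid", known_ips={"203.0.113.5"})  # constructed values
    t0 = datetime(2011, 8, 1, 12, 0)
    first = cl.login(acct, "203.0.113.5", t0)            # known address: no lock
    second = cl.login(acct, "198.51.100.9", t0)          # new address: locked, code mailed
    move_ok = cl.allowed(acct, "move")                   # running around is still fine
    gift_ok = cl.allowed(acct, "gift")                   # gifting is not
    wrong = cl.unlock(acct, "00000000", t0)              # guessed code: still locked
    right = cl.unlock(acct, outbox[-1][1], t0 + timedelta(minutes=5))
    gift_after = cl.allowed(acct, "gift")
    # Second unknown login, but the code is entered after it expired.
    cl.login(acct, "192.0.2.77", t0 + timedelta(hours=1))
    stale = cl.unlock(acct, outbox[-1][1], t0 + timedelta(hours=1, minutes=20))
    return dict(first=first, second=second, move_ok=move_ok, gift_ok=gift_ok,
                wrong=wrong, right=right, gift_after=gift_after, stale=stale,
                mails_sent=len(outbox))


if __name__ == "__main__":
    print(demo())
```

The code is compared in constant time and expires, and a wrong guess never lifts the lock, but note what the design cannot do: if the attacker already reads the victim’s mailbox, `outbox[-1][1]` is in their hands too, which is exactly the second hitch the comment raises.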
Perhaps SOE should require players to register/apply for the ability to gift items. A check would be done on the account and credit card, and if everything looks good the account would be on a probation period that would allow only, say, one gifting per month. After the probation period is over, the account would be able to gift more and more.
Gifting SC is just asking for trouble in my opinion. Sure it’s a nice idea for those of us that actually want to use it legitimately, but is it really something we need in EQ2? No. Turn it off. Problem solved.
This debate is poorly framed. Here, let’s try again:
CasualPlayer says “I’d like to use my REAL-DOLLARS to get more FREE TIME or GAME-DOLLARS,” and, at the end of the day, gets those GAME-DOLLARS.
FreePlayer says “I can’t take credit card payments or I’d happily take your REAL-DOLLARS, of which I have none, but I have a surplus of GAME-DOLLARS and FREE TIME, which I’d like to use to get that shiny GAME-ITEM,” and, at the end of the day, gets that GAME-ITEM.
SONY says “I have that GAME-ITEM for sale, but I won’t take GAME-DOLLARS, it’s REAL-DOLLARS or NOTHING,” and, at the end of the day, SONY has NOTHING.
Scammer says “I have LIES,” which are NOTHING, but tastes worse, “and I want REAL-DOLLARS and EVERYTHING.”
Scammer *deserves* NOTHING
But Sony already took that.
So, Scammer uses EVERYTHING and gets REAL-DOLLARS.