This is part of our Humans of Cyber initiative, a series of in-depth interviews with key figures and leaders of the Canadian cybersecurity ecosystem.
In mid-October, we presented a high-level look at some of the cybersecurity issues affecting the online gaming industry. For part two of the discussion, we spoke with Neumann Lim, the Director of Digital Forensics and Incident Response at ISA Cybersecurity to take a deeper dive into the fraud risks that the industry faces.
In September, we interviewed Neumann on his DFIR thought leadership and practice. Download that full interview below.
The Stakes
The online gaming industry is forecast to generate nearly $160 billion US in 2020, with growth fueled greatly by the number of people seeking diversions during the pandemic. This significant market is making online gaming an attractive target for fraudsters and hackers. Lim observes: “Each game that we see today, especially some of the larger immersive video games, [has its] own digital economies and digital market systems… real fiat currency is being traded for digital currency in the forms of ones and zeroes.” Recognizing the opportunity to take advantage of a largely unregulated and unlegislated industry, fraudsters are using the same approaches to attack these virtual worlds as they do against the “real world”. And as the industry continues to grow, the threat only increases.
Fraud Target: Players
A significant segment of the gamer market comprises younger players, pre-teens and teens. Because of their comparative lack of cybersecurity awareness and greater exposure to social media, this demographic is “extremely susceptible to social engineering attacks,” according to Lim. Fraudsters can use a wide range of strategies against gamers. They can attempt to dupe players by pretending to be a friend or game administrator to request access to personal information. Lim has seen frequent cases in which fraudsters will post links to “phishing sites that look to harvest player credentials, tricking the user into inputting their information and then using that information against the user”. Fraudsters will use message boards to promote offers purporting to come from the game studio, or direct unsuspecting players to fake buying sites where assets are available at a suspiciously reduced cost. Older players can be targeted in a different way, with fraudsters trying to “game the system, build perhaps even partnerships, or try to co-opt some of these adult or professional players [and] turn them into mules or partners in committing crime”.
These are all direct attacks against the players; of course, the risk of accounts being taken over through credential stuffing against user IDs and passwords is ever-present. The industry has seen numerous data breaches in recent years, giving fraudsters opportunities to harvest financial information for abuse or re-sale, or to use for credential attacks on other platforms.
Risk Mitigation: Players
Many of the standard best practices of everyday cybersecurity apply to the gaming world. Lim observes, “I think the simplest way we can protect [players] is to have a very robust multi-factor authentication, application or protection, put in front of the user accounts.” To protect against credential stuffing risks, complex unique passwords should be used for every online account, and should be changed on a regular basis. Particularly for younger players, parental oversight is important to help vet the anonymous friends that a child is making online. Finally, if players do wish to purchase digital game currency, inventory, or assets, this should only happen through the game itself, or verified “legitimate market systems”. Lim encourages studios to provide awareness training for users and a “list of all the legitimate systems that the user should go to”, with a clear warning: “If it’s not one of these approved ones, don’t go to it, you may be potentially targeted for fraud.” Players must remember that if an offer seems too good to be true, it usually is.
Target: Game Studios
Game studios face reputational risk if they fail to provide protections against attacks on players, and to prevent large-value transactions that could be involved in money laundering activities. “Unfortunately, depending on the games, and sophistication of the games in design, some of these protections may not be in place,” Lim says. “Larger game studios may have a plan and probably design their games so that there are protections and monitoring in place for large fund transfers. But what about the smaller game studios, the indie game studios that may not have that sophistication, or may not have the planned detection mechanisms built into the game?” Working for a large game studio earlier in his career, Lim has seen the challenges facing smaller outfits: “They’re just trying to make a mobile game, to have an economy, to get some cash flow to get players to play their game. And they may not be thinking this far down the road.”
The use of compromised payment instruments is also a significant threat to the game studios. “Fraudsters will go out and hunt for credit cards that have already been compromised; they will use that to create and load up accounts, and then transfer those funds before the cards are detected as compromised,” Lim explains. Compromised PayPal accounts and credit cards are readily available on the dark web, and are being used to conduct rapid, high-volume, small-dollar transactions to defraud the game studios and the payment processors.
Lim identifies “promotion abuse” as another key financial threat to game studios. “For example, they’ll have a two for one sale… if you trade $10 U.S., normally you would only get 100 ‘digital gold’, [but] in this promotion, you’re going to get 200”. The fraudsters will take this opportunity to “set up a fake account, maximize the yield on this promotion, and then dump all the currency… into a mule account, and then have that transferred out through legitimate accounts, and then they’ll empty or get a refund on the other end and get the money out. [The studio] that is running this promotion is now suddenly out quite a bit of money, because of this promotional abuse.”
The use of automation and bots to attack online games is another area of concern. “Bots, and farming of digital currency, that has existed as far [back] as the first RPGs,” Lim observes. “There are accounts that are automated that go out and ‘farm’… then sell the digital assets for real money.” Some hackers will try to defraud game manufacturers by adjusting game clocks, game parameters, or the rewards provided by playing.
Fraud isn’t the only attack method against the game studios. Lim explains: “If I’m a malicious attacker, and I don’t like this game studio and want them to suffer a financial penalty, I could potentially create a bunch of fake accounts [and use] compromised credit cards to hammer this game studio with a lot of these [bad transactions]. The financial institutions will have no choice but to charge the game studio with a … legitimate chargeback fee for transactions not fulfilled. This is a financial hit to the video gaming company.”
“Game studios face account takeovers, arbitrage, money laundering, credit card fraud, chargeback fraud, refund fraud, mule accounts, promotional abuse: I feel like I’m listing pretty much the same criminal activity that the banking system faces today,” Lim concludes. “I think game studios need to realize these parallels with their digital markets.”
Game Studio Defenses
Game studios need to use the same playbook as we have in today’s “real world” banking system and financial markets. The financial sector has regulation, law enforcement, and “decades worth of knowledge when it comes to defending against fraud.” The difference here is game studios must provide their own regulation and enforcement, acting as “police, judge, and jury”. Since the studios have, in effect, created their world, they have the power to do this, and ban criminal activity and bad actors.
One of the most powerful defenses game studios can employ is to develop a deep understanding of their players. Having verifiable player profile and activity information will allow studios to validate real, legitimate players, as “opposed to a fraudster that would create a fake account with fake information or stolen information that is not easily verifiable”. Lim encourages studios to “use some of the knowledge that we have in the banking industry to enhance your client information, and be able to protect the user accounts better, because real accounts have real information that can be verified, [while] fake accounts that the fraudsters use do not have that information.”
Lim provides an example: studios could “track the user accounts from where they are created, perhaps profile the user [based on] the devices they use, profile the geo locations, and then track that from the creation, the life of the account, to the end of the account and the transactions.” Lim concedes that “this is a difficult one, and it’s a somewhat sophisticated product threat to the game studios,” but believes it would be valuable logic to build into the games. The financial sector is already investing heavily in this area: “The banking system is really involved in user profiling; not just the accounts and users themselves, but also their devices.” This allows the banks to build robust device and behavioural profiles of their customers, which can be used to red-flag unexpected usage. The video game industry can leverage the same kind of machine learning and AI for detection of fake accounts, promotional abuse, and other similar fraudulent activities.
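Two of the checks described above, the promotion-abuse funnel from earlier in the piece and the account-lifecycle and device profiling Lim suggests here, can be expressed as plain rules over an event log before any machine learning is involved. The following is an added example written for this article, not code from Lim, ISA Cybersecurity or any studio; the event fields, the thresholds (more than two accounts per device, accounts under 24 hours old, transfers within an hour of a promotional purchase, at least three senders to one receiver) and the sample events are all constructed assumptions.

```python
"""Rule-based fraud signals over a constructed account event log.

Signal 1: many accounts created from one device fingerprint.
Signal 2: freshly created accounts that buy during a promotion and
          quickly move the bonus currency to a single receiving account.
Field names, thresholds and events are assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data). "gold" is the in-game currency.
EVENTS = [
    {"ts": "2020-11-01T10:00:00", "type": "create", "account": "alice", "device": "dev-A1", "geo": "CA"},
    {"ts": "2020-11-01T10:05:00", "type": "purchase", "account": "alice", "usd": 10, "gold": 200, "promo": True},
    {"ts": "2020-11-01T10:01:00", "type": "create", "account": "m1", "device": "dev-X9", "geo": "RO"},
    {"ts": "2020-11-01T10:02:00", "type": "create", "account": "m2", "device": "dev-X9", "geo": "RO"},
    {"ts": "2020-11-01T10:03:00", "type": "create", "account": "m3", "device": "dev-X9", "geo": "RO"},
    {"ts": "2020-11-01T10:04:00", "type": "create", "account": "mule", "device": "dev-X9", "geo": "RO"},
    {"ts": "2020-11-01T10:10:00", "type": "purchase", "account": "m1", "usd": 10, "gold": 200, "promo": True},
    {"ts": "2020-11-01T10:11:00", "type": "purchase", "account": "m2", "usd": 10, "gold": 200, "promo": True},
    {"ts": "2020-11-01T10:12:00", "type": "purchase", "account": "m3", "usd": 10, "gold": 200, "promo": True},
    {"ts": "2020-11-01T10:15:00", "type": "transfer", "account": "m1", "to": "mule", "gold": 200},
    {"ts": "2020-11-01T10:16:00", "type": "transfer", "account": "m2", "to": "mule", "gold": 200},
    {"ts": "2020-11-01T10:17:00", "type": "transfer", "account": "m3", "to": "mule", "gold": 200},
    # A legitimate player gifting a friend two days later: should not be flagged.
    {"ts": "2020-11-03T12:00:00", "type": "transfer", "account": "alice", "to": "bob", "gold": 50},
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def shared_device_accounts(events, max_accounts_per_device=2):
    """Device fingerprints that created more accounts than a household plausibly would."""
    by_device = defaultdict(set)
    for e in events:
        if e["type"] == "create":
            by_device[e["device"]].add(e["account"])
    return {d: sorted(a) for d, a in by_device.items() if len(a) > max_accounts_per_device}


def promo_funnel_receivers(events, max_account_age=timedelta(hours=24),
                           max_hold=timedelta(hours=1), min_senders=3):
    """Receivers collecting promo currency from several brand-new accounts.

    A sender counts when its account is younger than max_account_age and the
    transfer happens within max_hold of its latest promotional purchase.
    """
    created = {e["account"]: parse_ts(e["ts"]) for e in events if e["type"] == "create"}
    last_promo = {}
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        if e["type"] == "purchase" and e.get("promo"):
            last_promo[e["account"]] = parse_ts(e["ts"])

    senders_by_receiver = defaultdict(set)
    for e in events:
        if e["type"] != "transfer":
            continue
        src, ts = e["account"], parse_ts(e["ts"])
        if src not in created or src not in last_promo:
            continue  # no creation or promo record: nothing to correlate
        fresh = ts - created[src] <= max_account_age
        quick_dump = last_promo[src] <= ts <= last_promo[src] + max_hold
        if fresh and quick_dump:
            senders_by_receiver[e["to"]].add(src)
    return {r: sorted(s) for r, s in senders_by_receiver.items() if len(s) >= min_senders}


def flag_accounts(events):
    """Union of both signals: accounts an analyst should review before any payout."""
    flagged = set()
    for accounts in shared_device_accounts(events).values():
        flagged.update(accounts)
    for receiver, senders in promo_funnel_receivers(events).items():
        flagged.add(receiver)
        flagged.update(senders)
    return sorted(flagged)


if __name__ == "__main__":
    print("shared devices:", shared_device_accounts(EVENTS))
    print("funnel receivers:", promo_funnel_receivers(EVENTS))
    print("review queue:", flag_accounts(EVENTS))
```

The point of keeping creation, device and geo data alongside the transaction stream is that neither rule works on transactions alone: the funnel rule needs the account age and the promotion timestamp, and the device rule needs the creation record. That is the "track from creation to the end of the account" lifecycle Lim describes, and the same joined data is what a later machine-learning model would train on.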
Machine learning and AI are also being used to combat the threat of bots doing so-called farming activities, or the bulk collection of in-game currency and game assets. Lim says that there are “a lot of machine learning scripts and AI algorithms to help detect whether or not a user behavior is automated or scripted”. Studios can use these techniques to identify “aimbots, or [attempts] to manipulate the game engine dynamics… defenses that allow us to check for adjustments or modifications to game parameters from an external application” in the game environment.
Lim continues, “most games today have a lot of memory protection built into the games themselves. If you try to modify a value within the game, it would not allow you to do that because that game value is protected… in different areas of the game. So if you modify one value in one area, the values are verified again by the game system and the manipulated values” are rejected.
While Lim feels that defenses against game manipulation are strong, he acknowledges that security is a cat and mouse game. “The hackers are always going to be one step ahead, because they always have access to the source code and [are] able to compile the game code. But I think developers are very quick to react to these types of things. So when there is a cheat, or a manipulation to the game, the industry is quite quick to catch that, to react against it, and to put a block out for it.”
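Before reaching for a model, one of the simplest behavioural signals that separates scripted play from a person is the regularity of the gaps between actions: a farming bot fires on a timer, a human does not. The following is an added example for this article, not code from Lim or any studio; the coefficient-of-variation threshold, the minimum sample size and the two constructed action-timestamp series are assumptions chosen to show the idea.

```python
"""Timing-regularity signal for scripted play over constructed action timestamps.

Humans produce jittery gaps between actions; a scripted loop produces gaps
whose spread relative to their mean (coefficient of variation, CV) is tiny.
The thresholds and sample data are assumptions for this example.
"""
from itertools import accumulate
from statistics import mean, pstdev

MIN_ACTIONS = 10      # too few actions and the statistic is meaningless
SCRIPTED_MAX_CV = 0.05  # gaps varying by under 5% of their mean look machine-driven


def interval_cv(timestamps):
    """CV of the gaps between consecutive actions, or None if there is too little data."""
    if len(timestamps) < MIN_ACTIONS:
        return None
    gaps = [later - earlier for earlier, later in zip(timestamps, timestamps[1:])]
    mu = mean(gaps)
    if mu <= 0:
        return None  # duplicate or unordered timestamps: do not judge on them
    return pstdev(gaps) / mu


def looks_scripted(timestamps, max_cv=SCRIPTED_MAX_CV):
    """True when there is enough data and the action cadence is suspiciously regular."""
    cv = interval_cv(timestamps)
    return cv is not None and cv < max_cv


def longest_continuous_session(timestamps, idle_gap=600.0):
    """Longest stretch of play (seconds) with no pause of idle_gap or more.

    A second, independent signal: farming accounts run for longer than a
    person can. Useful alongside the cadence check, not instead of it.
    """
    if not timestamps:
        return 0.0
    longest, start = 0.0, timestamps[0]
    for earlier, later in zip(timestamps, timestamps[1:]):
        if later - earlier >= idle_gap:
            longest = max(longest, earlier - start)
            start = later
    return max(longest, timestamps[-1] - start)


# Constructed samples (seconds since session start), not real telemetry.
BOT_TS = [i * 1.5 for i in range(40)]                      # loot pickup every 1.5 s exactly
JITTERED_BOT_TS = list(accumulate([1.5 + (0.01 if i % 2 else -0.01) for i in range(40)]))
HUMAN_TS = list(accumulate([1.2, 2.7, 0.9, 3.4, 1.8, 0.6, 5.1, 2.2, 1.4, 2.9, 0.8, 3.7]))

if __name__ == "__main__":
    for name, ts in [("bot", BOT_TS), ("jittered bot", JITTERED_BOT_TS), ("human", HUMAN_TS)]:
        print(f"{name:12s} cv={interval_cv(ts):.3f} scripted={looks_scripted(ts)}")
```

A scripted client can defeat a single cadence check by adding random delays, which is why this is one feature among many rather than a verdict on its own; the value of the example is in showing what "detect whether or not a user behavior is automated" means concretely, and where the thresholds that a model would later learn come from.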
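The protection Lim describes here, a game value kept in more than one form and cross-checked so that an edit to any single copy is caught, is easiest to see in miniature. The following is an added example for this article, not code from Lim or any game engine; real implementations live in native code, and the class name, the mask-plus-checksum scheme and the simulated external edit are assumptions chosen to illustrate the pattern.

```python
"""A self-verifying game value: plain copy, masked copy and checksum kept together.

Any external write that changes only one representation is detected on the
next read and rejected. Scheme and names are assumptions for this example.
"""
import secrets
import zlib

MASK32 = 0xFFFFFFFF


class ProtectedInt:
    """32-bit game value stored as (plain, plain XOR random key, CRC32 of plain)."""

    def __init__(self, value):
        self._key = secrets.randbits(32)   # fresh per instance, so copies differ in memory
        self.set(value)

    def set(self, value):
        """Legitimate game-logic write: all three representations updated together."""
        self._plain = value & MASK32
        self._masked = self._plain ^ self._key
        self._check = zlib.crc32(self._plain.to_bytes(4, "little"))

    def is_valid(self):
        """True only if every representation still agrees with the others."""
        if not 0 <= self._plain <= MASK32:
            return False  # out-of-range write: cannot even be checksummed
        if (self._masked ^ self._key) != self._plain:
            return False
        return zlib.crc32(self._plain.to_bytes(4, "little")) == self._check

    def get(self):
        """Game-logic read: refuses a manipulated value instead of trusting it."""
        if not self.is_valid():
            raise ValueError("game value failed integrity check")
        return self._plain


def simulate_external_edit(protected, new_plain):
    """Stand-in for a memory editor overwriting just the visible copy (assumed scenario).

    Returns whether the value still passes verification afterwards.
    """
    protected._plain = new_plain
    return protected.is_valid()


def reconcile(protected, server_value):
    """Reject a failed value by restoring the server-authoritative one; report if reset."""
    if protected.is_valid():
        return False
    protected.set(server_value)
    return True


if __name__ == "__main__":
    gold = ProtectedInt(100)
    gold.set(150)                       # earned 50 gold legitimately
    print("gold:", gold.get())          # 150
    print("valid after edit:", simulate_external_edit(gold, 999_999))  # False
    print("reset from server:", reconcile(gold, 150), "->", gold.get())  # True -> 150
```

Note what the scheme does and does not buy: it stops a naive single-location edit and makes the location of the "real" value harder to find, since the masked copy changes every run, but a tool that understands the layout can rewrite all three fields consistently. That is the cat-and-mouse dynamic Lim goes on to describe, and why the server-side reconciliation step matters more than the client-side check.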
Money Laundering
Money laundering is one of the most pervasive criminal activities underway in the online gaming industry. Lim provides a scenario: when criminals “take, for example, drug money, or crime [proceeds], they will wash it through the digital currency system. They would then utilize partners or mules in that system. Some of the gamer accounts that they may work with [will be asked] to help them wash their money. So they’ll give them an injection of illegal money, dirty money, and then ask them to get a refund or output of digital currency that can then be changed into fiat currency on the other end.” The temptation for gamers to get pulled into money laundering activities can be significant: “… It’s quite lucrative. Imagine a criminal approaching you and saying, ‘I’m going to load your account with $50,000.’ [A lot of] users are not going to say no to that.”
The lack of regulation and oversight in the gaming industry permits this kind of activity to occur unchecked. Lim contrasts the gaming world with the financial sector: “If I make a transaction today at my bank to another country, that financial transaction goes through Fintrac… if it’s a transaction that’s quite large, anything above $10,000 is tracked from end to end. It has to be.” That’s not the case in the online gaming environment: “In the game, in the digital market economy, there is no tracking. I can move $10,000 from my game accounts, and no one would ever know.”
Between the small-value, rapid-fire fraudulent transactions and the large money-laundering activities, the gaming industry’s exposure runs into the millions of dollars per day.
Arbitrage
More sophisticated cyber criminals are using arbitrage to launder money and capitalize on competing markets to make profits. Lim explains: “It’s basically buying an asset at a low cost, and then selling it at a high cost.” Lim provides an example: “They can create an account, purchase everything in a local currency, then transfer the account to a North American server or account and then get a refund in U.S. currency,” or sell the assets “on the digital market and [get] a payout in US currency”. The fraudsters “game the system in this way [by] leveraging a ‘buy low, sell high’” strategy.
A Call for Regulation
These activities signal that it’s time for regulation. Consider financial systems, where “we have very, very strict regulations, very strict law enforcement,” Lim points out. “If a large transaction is being moved from account to account from country to country, we have checks and balances in place to watch out and monitor for these things. In a digital game economy, these protections, monitoring and enforcement capabilities may not exist.”
“The game studios themselves actually have full control over the market economy. They are literally the regulators, the judge, the jury and the police. So, from an enforcement perspective, if they so choose, they can do it. We need to get the industry involved, we need to get all players in the industry involved to say, ‘Yes, we need to do this actively.’”
The lack of action frustrates Lim: “I feel like that’s the area that isn’t really being touched on today. And there hasn’t really been that sort of a strong consensus within the gaming industry to move in that direction.”
“I think to strengthen the industry as a whole, the industry needs to talk to each other, we need to have a community consensus. We need to bring all the players together, not just the big guys, but also the small indie shops. If you’re going to create a [digital] market economy, you need to have these types of protections for your users, so that you can protect the integrity of that digital market system and to prevent the digital market system from being used for crime.”
Lim has seen some movement towards co-ordination, but not from within the online gaming industry itself: “I believe there are some talks about the coming together and [formation of] an anti-fraud video game industry group. I believe it’s being driven quite a bit by the payment card industry. So Visa, MasterCard, PayPal, those folks are really… driving that.”
We will watch with interest.
Engage with Neumann Lim on Twitter at @cybersyrupblog and on LinkedIn. Download the full interview on Neumann and his DFIR thought leadership here. And contact ISA anytime with your questions or comments about cybersecurity.