Monday, May 9, 2016

Account Security And Skill Point Trading

I am so far behind on my blogging that I still haven't blogged about perhaps the most significant security story coming out of Fanfest. I'm referring to the increase in hacking attempts since the introduction of skill point trading in February.

Account hacking has long plagued the online gaming industry. Blizzard developed a smartphone application providing two-factor authentication for World of Warcraft accounts long before tech giants like Google began offering the public similar software. A World Bank report published in 2011 concluded that 20% of all virtual currency for online games sold on the secondary RMT markets came from hacked gaming accounts.

Hopefully regular readers of The Nosy Gamer are not shocked that the amount of activity seen on sites like Player Auctions jumped beginning in February. Offering players the ability to buy and sell the most precious commodity in EVE, time in the form of skill points, opened up a lucrative new market for illicit RMT operators.



Initially, the secondary market followed the lead of the PLEX market in The Forge. Player Auctions, a major illicit RMT site that facilitates the sale of virtual items and currencies for most major online games, saw the sale of ISK increase by 92.4% from January to February. The increase closely matched the 95.2% increase in the ISK value of PLEX sold in EVE's main market in The Forge during the same period. 



In March, the secondary market diverged in direction compared to the PLEX market in Jita. While the amount of ISK exchanged for game time in The Forge declined by 18.6% from the preceding month, the amount of ISK sold on Player Auctions increased another 80.6%. Much of the increase was due to a single buyer purchasing 1.845 trillion ISK between 8-23 March, but even subtracting those purchases, the daily demand for ISK rose by 8.2%.

How does a marketplace handle a nearly 250% increase in demand over the course of two months? Additional sellers either entering or re-entering the market is the obvious answer for those who claim that the EVE Online secondary market, or at least Player Auctions, is totally stocked with legitimately acquired ISK and items. The data I tracked, however, suggests that new sellers only account for, at most, half the increase. I should also add that the seller who sold the 1.845 trillion ISK in 15 days is a long-time presence on Player Auctions. CCP Bugartist's statement in the roundtable session that hacking attempts are up since the introduction of skill point trading rings true.

The first subject that CCP Bugartist addressed was an increase in hacking attempts. He noted the lack of players using two-factor authentication and how well the feature works. Accounts protected by 2FA are only involved in 0.6% of successful hacking attempts. Or, to look at the issue another way, 99.4% of successful hacking attempts involve unprotected accounts. In an ironic twist, once an account is compromised, the hacker will install Google Authenticator on the account in order to keep the owner from taking back control of the account.

The big hole in the security, though, is communications between CCP and players. If a hacker can compromise a player's email account, then CCP cannot determine that the hacker is not the legitimate account owner. For players concerned about game account security, securing their email accounts is equally important.

One of the oldest methods used by players is using a dedicated email account for each gaming account. The less the email account is used, the less visibility the account has to hackers. A more modern solution is the use of password managers that automatically populate password fields. Password managers help users avoid reusing passwords across multiple sites, a major no-no in internet security. I am not a security expert, but tech sites like PC Magazine offer reviews of the top password managers. A final major solution is to put two-factor authentication on email accounts. Doing at least one of these is better than doing nothing at all.




One final item from the roundtable I'd like to address is the effect of skill point trading on hacking. Due to the ability to now strip skill points from characters, hackers not only do more damage to players' accounts, but make more real world cash with a successful hack as well.

For the first few weeks, the illicit RMT shops had a negligible amount of skill injectors for sale. The situation changed in March as the injectors got into the hands of the illicit RMT operators. In April, I tracked the sale of 839 million skill points using Player Auctions' feedback system. While 36 years of training seems like a lot, given the size of the player base, hopefully the figure indicates that hackers are not having great success in looting accounts.


An often overlooked fact is that fixing a hacked account is a manual, time-consuming process. I forget if CCP Bugartist stated the time during the roundtable, but restoring an account can take up to two days. That is two days of time that customer service could spend working on other tickets. Recently I began to hear complaints of increasing times for ticket resolution from customer support. I wonder how much of the delays are due to tickets concerning hacked accounts.

One last thought. Account security is not a sexy subject. Game companies can only give players the tools to secure their accounts. No one can make someone actually use those tools. But picking up good habits in securing your gaming accounts translates well into having a safer online experience in the rest of your life. Or, as CCP might say, "EVE is real."
