Friday, August 18, 2017

Global War On Illicit RMT - Albion Online's Rough Start

When a new MMORPG launches, a lot of people get excited. Players. Developers. Gold sellers. That's right, every new game launch is another opportunity to make a quick buck. For some reason a sizable minority of players do not want to play the game except for the "fun" stuff. To bypass the "not fun" stuff, those players pull out their credit cards and look for sellers of game currency.

For brand new games, gold sellers don't have a lot of stock (i.e. gold) in the beginning, so until gold farming accounts become skilled up, they resort to other means such as hacking and credit card fraud. A World Bank report published in 2011 noted that one of the negative externalities the secondary real money trading market brings to games is:
"Secondary markets create incentives for cybercriminals and scammers. Virtual goods are among the most sought-after commodities in the general hacking scene (Krebs 2009). This forces game publishers to spend more on security and increases their customer service costs (although one retort is that indeed any market where goods can be resold is an incentive for crime)." (p. 18)
The same report estimated that 20% of all virtual currency sold on the secondary markets came from hacked accounts.



Into this environment, the German game studio Sandbox Interactive launched the crowd-funded MMORPG Albion Online. Access to the game is acquired by purchasing a starter pack, which provides gold and 30 days of premium access as well as unique items at the higher tier of packages. Players could pay for continued premium access as well as purchase additional gold from the cash shop. Sandbox also offered players the option of acquiring additional premium access time by trading their silver for gold in the game (aka the PLEX model).

Theoretically, offering gold with the initial purchase is a good idea. Not only does Sandbox entice people to buy larger packages, but hopefully players will not feel the need to immediately go out and purchase gold. The only problem was that the packages made credit card fraud more attractive. After all, if the gold sellers needed to buy a copy of the game anyway with a stolen credit card, why not buy the biggest package? Think of the situation as one-stop shopping for gold sellers.

On 20 July, three days after launch, Community Manager Talion announced the banning of 250 accounts involved in buying or selling gold. Talion explained Sandbox's rationale for the bans:
As most of you know, and those accounts now learned the hard way, we are taking a "No tolerance" stance towards anybody involved with 3rd party currency transactions. Why? Glad you ask!

The Gold that these 3rd Party sellers offer comes, in nearly all of the cases, from purchases with stolen payment data. So: fraud.

This will always cause economic damage. Either to the owner of the misused credit card, if he did not notice the charge. Or to us, because not only is the money for these fraudulent payments then charged back, we also get to pay a chargeback fee on top. And I won't even start with the influence it can have on the economy if left unchecked.

We will continue with our efforts to make the game a fair playground for everyone - and shall nuke again.
Unsurprisingly, people continued to buy and sell gold on the grey/black markets. On 25 July, Sandbox announced another 350 account bans. Still, the next seven days saw more than an additional 800 accounts banned. Sandbox responded in Launch Patch #2 on 4 August by removing the ability of players to directly trade gold or deposit gold into guild accounts. Talion explained on the forums:
Hello everyone,

we have made a few posts announcing that we’re banning 3rd party currency sellers and buyers in the past. We did so again today.

More than 800 accounts that acquired currency from 3rd parties have been permanently banned.

Keep in mind that currency that these people “sell” has been acquired with stolen credit card or Paypal data. This makes it a financial problem for all involved - the people whom these cards belong to, the banks - and us. Hence, we reinforce our stance that we fight this on every level.

On top of permanently banning accounts that are involved in these trading schemes somehow, we are taking steps towards making this kind of currency trades much more difficult. The first step for this is removing the ability to directly trade Gold with another player, or donate Gold to guild wallets. Withdrawing will still be possible, however no new Gold can be donated.

This will happen during today’s maintenance. The only way to trade Gold will be through the player-driven Gold market.

This is only the first step we will take to make it as difficult as possible for these criminals to keep doing their “business”.

Important: we will continue to permanently ban all accounts involved in 3rd party currency transactions!

To quote myself from a later post in the thread but also make it visible here:

"The bans are obviously not just because “someone accepted Gold / Silver”. Else, probably half of the game would be gone now. Giving a friend a leg up with some currency, or even giving a guild or a friend a larger amount is a standard procedure in MMOs.

We don’t want to make it easier for the criminals, so I cannot go into too many details about how exactly we do it, but:

We only ban in cases where we are certain that the persons received the Gold from 3rd party sites."
To change a mechanic so closely tied to Sandbox's business model is an indication of how much the credit card fraud hit the studio. According to LexisNexis Risk Solutions, every dollar of credit card fraud cost merchants $2.40. So, for example, every fraudulently purchased Legendary pack cost Sandbox almost $240 in addition to the lost revenue. If Sandbox sold 2,000-3,000 packages later reversed due to fraud, the fees alone would run over $500,000.



Sandbox's moves did not go unnoticed by the gold sellers. Distributed denial-of-service (DDoS) attacks, a common response when an RMT operation becomes particularly upset, began almost immediately. On 6 August, Sandbox posted the following:
Fellow Adventurers,

as you might already be aware, Albion Online is currently being targeted by so-called "Gold Sellers". These are criminal enterprises who obtain stolen credit cards and PayPal accounts, use them to buy gold from us and then sell on that stolen gold (or now, silver) to players of the game at a discount. This is very damaging to everybody who has their credit card or PayPal stolen, and of course to us as a company. It's also damaging to everybody who purchases gold or silver from these websites as their accounts will be permanently banned.

To combat these activities, we have tightened up our internal protection measures and will add additional measures going forward.

More importantly, we will try to go after the gold sellers' funding source. What really surprised us when researching these websites - involved in credit card and PayPal fraud on a massive scale - is that they actually accept PayPal and credit cards as a form of payment. We are certain that if PayPal and the credit card companies knew about these activities, they'd quickly shut down their merchant accounts. Hence, we have started collecting and compiling evidence of their conduct and are going to directly report the fraudulent websites to the payment processing companies such that hopefully their funds will be frozen and they won't be able to accept credit cards and PayPal on their websites any more. If us contacting the payment processors ourselves is not effective, we will directly contact their headquarters through a specialized law firm. We are not trying to go after the gold sellers directly, as that usually won't work, but rather shut down their means of getting paid and we are eager to find out how successful this will be.

Finally, when it comes to blackmail attempts by some of these companies, it goes without saying that we will never give in to them. As every blackmailer will know, it's the worst thing you could ever do. Of course, every blackmail attempt and DDOS attack is being reported to the relevant law enforcement agencies, too, though realistically the chance to catch somebody is quite slim. Having said that, sometimes it does happen, and if it does, we will pursue every case to the fullest extent possible, no matter where the offender is based - above activities are a crime in every jurisdiction in the world and it's always possible to find a local law firm to represent you.

Your Albion Online Team
In the midst of the DDoS attacks, Sandbox began to name and shame buyers in response to claims of unfair bans.





The detection process is pretty simple in cases of credit card fraud. Once the account is identified, all the fraud team has to do is follow the transactions. Sandbox doesn't even need to write a detection script that might have a bug.
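As an added illustration of what "follow the transactions" can look like (this is not Sandbox's code; the studio has not disclosed its method), the sketch below traces gold forward from accounts whose purchases were charged back. The ledger, account names, review threshold and the "tainted gold is spent first" rule are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample ledger: (timestamp, sender, receiver, gold). Not real game data.
LEDGER = [
    (1, "friendA", "friendB", 50),     # ordinary gift, no fraud upstream
    (2, "mule1", "buyer1", 100),       # sent BEFORE mule1 holds any tainted gold
    (3, "cardfraud1", "mule1", 5000),  # gold bought with a charged-back card
    (4, "mule1", "buyer2", 3000),
    (5, "mule1", "mule2", 2000),       # second hop through another mule
    (6, "mule2", "buyer3", 1500),
    (7, "buyer2", "friendB", 200),     # small onward gift from a buyer
]

def trace_tainted_gold(ledger, fraud_accounts):
    """Walk the ledger in time order and return {account: tainted gold received}."""
    held = defaultdict(int)      # tainted gold an account currently holds
    received = defaultdict(int)  # tainted gold an account has ever received
    for _ts, sender, receiver, amount in sorted(ledger):
        if sender in fraud_accounts:
            tainted = amount     # everything a chargeback account sends is tainted
        else:
            # Assumption: tainted gold leaves an account before clean gold does.
            tainted = min(amount, held[sender])
            held[sender] -= tainted
        if tainted:
            held[receiver] += tainted
            received[receiver] += tainted
    return dict(received)

def review_queue(received, threshold):
    """Accounts whose tainted intake meets a (hypothetical) review threshold."""
    return sorted(acct for acct, gold in received.items() if gold >= threshold)

if __name__ == "__main__":
    totals = trace_tainted_gold(LEDGER, {"cardfraud1"})
    print(totals)
    print(review_queue(totals, threshold=1000))
```

Processing transfers in time order keeps buyer1 clean, because that trade happened before the fraudulent gold reached mule1, and the threshold keeps friendB's 200-gold gift out of the review queue.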


On 11 August, Sandbox deployed Launch Patch #3 which introduced more changes to combat the gold/silver trade. The most noticeable change involved a pop-up screen informing players that buying/receiving any illicit currency would result in a permanent ban. Less flashy changes included the introduction of a report player function and a new requirement for using the gold market: "at least one character on the same account must have been logged in since this patch while having Journeyman Adventurer unlocked."

Yesterday marked one month after the official launch of Albion Online, but the developers are not getting the expected inflow of money for the start of the second month. Due to issues at launch and the DDoS attacks, the company is giving out compensation. Bercilak, the CEO of Sandbox Interactive, made the announcement on the forums:
Dear Albion Community,

In the first two weeks post launch, our servers had some performance issues, causing frequent reboots and some zones in the game being unavailable due to overcrowding. We have dealt with these issues and announced compensation for this here.

Unfortunately, on Saturday, August 5th, we had a short DDOS attack followed by an extortion attempt, which we of course did not comply with and immediately reported to the relevant law enforcement agencies.

This was followed by heavy DDOS attacks from Sunday, August 6th onwards. Properly defending against well-executed DDOS attacks is a very challenging task, and far harder than a quick Google search might suggest. In close collaboration with leading experts in the field, we are making significant progress. Recent attacks have impacted the server's performance, but generally were not successful in bringing it down. Our defenses are constantly being optimized and fine-tuned. Having said that, we are not in a position to give the "all clear" just yet.

To compensate players for the outages caused by the past days' DDOS attacks, we are awarding an additional 7 days of premium time to all characters that played with active premium any time between July 17th and August 11th (UTC time). This means that those premium characters who had also been affected by the server issues immediately post launch will now get 14 days extra premium time in total.

The compensation will be given out during the daily maintenance tomorrow, August 12th.

The ongoing server attacks are extremely frustrating for all players. Tackling them is our utmost priority. We will certainly get them under control, and expect to make further progress over the coming days.

Some of you might be worried about the long-term impact of the server issues on the future of the game. Our philosophy here is quite simple: We have always believed and consistently communicated that Albion Online is a game with a long-term focus. We have been working on the game 5 years, with the goal that it shall be successful 5 or even 10 years down the road. What counts is the longstanding quality and longevity of the game, and not just riding the hype wave around release. While the release hype has of course taken a hit due to the attacks, in the long term, it won't matter, as the lasting success of a game is solely dependent on how good it is.

So, let's fix the current issues, and get on with it!

Your Albion Online Team

Albion Online still has a lot of problems with hacking of the client and botting, but the grave damage credit card fraud did to the corporate wallet required Sandbox to take drastic actions on that front. But will the server instability brought on by the DDoS attacks irreparably harm the game in the long run? The answer to that question, as well as whether Sandbox will eventually suppress illicit RMT activity to manageable levels, is as yet unknown.
