Thursday, July 3, 2014

Wildstar's Bot War: A July Update

Wildstar's Executive Producer Jeremy Gaffney gave another update on Carbine's continuing war on botters, hackers, and RMT on the forums Tuesday.  As one of the draws of Wildstar for me is to see how a company like Carbine who talked such a good anti-RMT game before launch would actually perform, I'll make more posts like today's.  Which includes posting Gaffney's entire post and offering commentary.  First, a few words from Gaffney:

Quick update on the current state of the late-June botwar:
Some concrete info:  We've banned/suspended about 7300 accounts in the last 3 days or so between various detection methods and player reports.  Obviously 7300 is a tiny fraction of the overall player base, but it's a noticeable chunk of the current bots.

Our strong goal is to get botters/RMTers knocked out of the game entirely.  The fight goes on, as alluded to in my first post on the subject 12 days ago here:  https://forums.wilds...k-bans-round-1/ .

The main upcoming fix for us is going to be reporting tools integrated with our back end processes letting you easily submit reports and our CS teams to easily field them.  Those should be coming online next week if they make it through the QA process - this basically mirrors what we were able to do for zone spam (which got cut down efficiently based on a similar system).  A few addon developers have worked on the ease-of-reporting part of this in the interim (thanks guys, it's appreciated).

We've also further tuned our automated bot detection processes; we've been careful to catch as few innocents in the web as possible.  We can't go into a ton of details (don't want to give the botters hints on avoiding detection) but you've probably seen some improvements in botters getting knocked out of the game.  It's also not perfect yet, but we've made some good strides.

Many (between 50%-70%, not all data is in yet) of those 7K+ accounts are compromised - regular players who have (usually) re-used account names and passwords from other stuff on the internet (games, email, etc.) and thus are vulnerable to hacking.  PLEASE do use 2-factor authentication if possible.

This implies that as we ban these accounts, they rapidly go into the CS queues for us to put back into the hands of the original owners.  We've been prioritizing these, but it does mean delays in other queues as we work through it.  We've made some tool improvements on the dev side for CS to help out, as well as helping out with a variety of other teams in various ways (from answering tickets to prioritizing automated fixes for things like the riding skill reimbursements).  It's a whole team effort to get things wrangled.

Also this implies that as we ban/suspend accounts, the farmers compromise new accounts to keep the bot army flowing.  Please protect your account - if not with 2FA then with a unique account and password combo (keylogging does occur though; we don't have confirmed reports of it now but it will happen at some point if not already).

On the CS fronts, we've freed up some CS to folks patrol to get reports from folks in zone chat in real time as well - if you see one online, please do feed them names for banning action.

We're attacking this with a full-spectrum approach as a placeholder until we get to the better tools that should help in the short-medium term.  We acknowledge it sucks when you see obvious cheaters, and we're working to eliminate it.  Hopefully you've noticed a difference already, but regardless we'll keep updating as we move forward as well.
First, I'm not going to criticize the team at Carbine for not having a "Report Bot" or even "Report Spam" button at launch.  Although many individuals at Carbine have experience making MMORPGs (including World of Warcraft), this is the company's first game in the genre.  I don't think they really expected to get hit as badly as they were, despite evidence from games going back to RIFT's launch in 2011.  Since then, the situation has only gotten worse.  Just ask people who played Elder Scrolls Online at launch.  The fact that they are doing so a month after launch instead of six months is a positive for me.

Second, the fact that players were making their own methods for reporting bots just shows how many players feel about bots.  Such a player-run reporting website had just launched for EVE Online when CCP put in "report bot" functionality.

Next, I like the fact that Carbine has introduced an automatic detection system.  Hopefully that will keep Wildstar relatively bot-free during the Christmas season.  Some other games have had problems with that.

The fact that so many of the accounts banned for botting were hacked is a development I'd never heard before.  I know my account was hacked, but that's because I made the mistake of thinking I needed to use the same password as I did for other NCSoft published games.  You know, single sign-on?  Yeah.  NCSoft doesn't use it.  Combine that with Carbine asking me to use Google Authenticator and that was a situation ripe for a hacker.  Needless to say, it happened.

As for a game needing an authenticator?  The hackers also tried to get into my Guild Wars 2 account.  They failed.  No authenticator needed as the hacker couldn't get past the password.  Not reusing passwords works.  But with all the problems with Wildstar, I went and got Google Authenticate.  Besides, 2 factor authentication IS a good thing.

Finally, the post demonstrates the cost to a game developer in dealing with issues caused by botters/hackers/RMT sellers.  I'm sure Carbine would rather have their customer service reps working on things like helping players resolve login or account issues instead of babysitting zones looking for cheaters.  Not only is that diverting resources (including money) away from their main task, but poorer customer service for those core issues could result in more unsatisfied customers.  And unsatisfied customers are more likely to unsub, costing Carbine even more money in lost subscription fees.

We are only a month past launch, the time that players are finishing their free month that comes with the game.  How Carbine is dealing with illicit RMT, including the associated issues of botting, hacking, and exploiting, will go a long way towards determining the success of Wildstar.  The question now is, are Carbine's actions enough to satisfy the current player base?


  1. You're pretty easy-going about not having a "report spam" button at launch. Personally, I reckon that if you think your MMO doesn't need a report spam button, then don't even bother launching it. The only MMO that doesn't need one is one that nobody plays.

  2. I regret buying it. I normally don't buy on launch. It just seemed awesome. I just don't have the taste for classic MMOs like this. Sub's canceled.

    1. I know what you mean. I'm having trouble being excited. Maybe I'll feel differently if I ever get to housing and a mount.