Online Gaming, Fraud & Stolen Credentials

Posted by:

admin 13 years, 11 months ago

Symantec has a blog post about a 17GB flat file of stolen game credentials they have analyzed. The file included 44 million sets of stolen usernames and passwords for at least 18 gaming websites.  The entire post is interesting and worth a read, in particular for how an attacker can use a botnet to validate the credentials and thereby increase their value.

My take-aways:  At least 18 sites were targeted, but only 4 are listed.  They should all be listed so users can change their passwords. 

Aion, a game from NCSoft, is listed having 60,000 stolen credentials worth $150-1420. I haven't found recent numbers for the sales of Aion, but according to this article in the Korea Times, sales were at 700,000 by the end of Q3 and expected to be 1,000,000 by the end of the 2009.  If they kept adding 300,000 users a quarter, they would have about 1.6 million users. This means that 3.75% of their userbase is in just this one file.  They may not seem like much, but according to the company, things are bad and they are at war:

In the game industry, we have also seen an increase in attacks by third parties in an attempt to steal your account information by any means necessary, including phishing, obtaining passwords from third party sites/systems, and using account information provided by those engaged in power-leveling services and other prohibited activities. Recently, the number of these attacks has risen dramatically.

 As a result, our game support queues have drastically increased, with thousands of support tickets from players who have lost access to their game accounts and are suffering extended wait times for help. Our game servers, account databases, and support sites are under constant attack and being probed for any vulnerability. It’s a war that by no means is over.

So, you can estimate the real-world value of the stolen virtual identities, but only NCSoft knows their cost of using static passwords. But for the sake of argument, let's say 60,000 people call the helpdesk. At say, $20 per call (which is probably generous for a call where the user's credentials have been stolen) that would be $1,200,000 for that batch.  What we don't know iswhat the 'batch' represents in annualized costs.  But there is at least anecdotal evidence that account fraud can cost more. That it can cost the entire lifetime value of a customer:

They were not very helpful. I explained the situation and tendered that while I was not actually subscribing at the moment it was not as if I hadn't quit and come back before, and such a return would be far less likely if my characters had been scattered, stripped and left picked clean. The guy's major contribution was to send me an e-mail to various support articles which basically were "computer safety for dummies," as well as a webform to initiate an inquiry and request a repair of the damage. Not that he could put in that request or anything, being a blizzard employee. That 300 meg patch was still coming, so I went ahead and did that.

By the time the patch was done, "Account Management" had locked my account and scrambled my password, due to "character interaction with another account known to be in use by someone intending to exploit WoW's systems." If I wanted my account back, I could fill out yet another form and fax it to them to start the process. By this point, my supply of give-a-shit had run out. I'm content to let it just stay locked forever. It certainly seems blizzard is content as well, and with over 10 million paying junkies, it's entirely understandable (though not laudable) that they've become complacent and apathetic toward each individual subscriber. They don't need you, they have 9.999 million more just like you.

• ← Analyzing the Costs of Open Source Software in the Enterprise
• Southeast Linux Fest review →