Online Games a 'Playground' For Organized Crime
New submitter cadenceaniya sends this excerpt from Polygon:
"Online games are a 'playground' for organized crime and cyber criminals, JD Sherry, vice president of technology and solutions at Trend Micro said following the news that League of Legends accounts were compromised. Earlier this week, account information — usernames, email addresses, salted password hashes, and some first and last names — for some North American League of Legends players were 'compromised' by hackers. Riot was also 'investigating that approximately 120,000 transaction records from 2011 that contained hashed and salted credit card numbers have been accessed.' The increase of free-to-play online gaming across all platforms over the years 'have opened the doors to micro-transactions in-game.' The simple and functional systems created so players can spend money effortlessly create 'playgrounds' for cyber criminals to take advantage of. 'Game platforms can have millions of users all storing sensitive information or code access for more features,' Sherry said. 'These are highly sought after in the cyber-crime underground for trading and selling in the black market. These platforms can fall victim to cyber-attacks just like any organization, especially if they have vulnerabilities that go unpatched.'"
I'm shocked!!! (Score:3, Insightful)
VP of online security firm warns people the internet isn't safe.
What's next? Glock's VP says streets aren't safe?
Re: (Score:1)
Armed with a gun or a knife? Guns kill 30,000 people a year. We don't need more guns, or people with them.
Less guns means less gun violence.
It's true.
Re:I'm shocked!!! (Score:5, Insightful)
Cars kill 30,000 people a year too. We don't need more cars, or people with them.
And there are fewer cars in the US than there are guns. That means more deaths per car than per gun.
It's true.
Re: (Score:1)
I bet you that all the cars in the US get more operation time than guns in the US.
Unless you believe the whole population shoots off rounds while driving to and from work every day.
It's true.
Re: (Score:2)
Road rage season already?!! BLAM! BLAM!
Re: (Score:2)
Why stop there? Giving birth is a death sentence. We should put a stop to it!
Re: (Score:1)
This one I think we should all be issued guns and teams and lined up in rows to shoot at each other.
Spare no one.
Re: (Score:2)
Yep, nonspecific allegations of ignorance are a surefire way to demonstrate your case. Thanks, AC!
Way to sensationalize (Score:5, Informative)
Re:Way to sensationalize (Score:5, Insightful)
Indeed. And it's more about accounts than it is about games (though of course most MMOs have issues with this).
If you have a Steam account these days and you aren't using the Steamguard added security, you're mad. The trade in compromised Steam accounts is quite terrifying (and unsurprising given the value of the games stored on many of them). The same is true for PSN accounts. It's even more true for XBox Live accounts where there are fewer additional layers of password security you can bolt on (unless they've added them since I last checked) and where there are FIFA Soccer DLC packs that are tradable and essentially allow "real money" to be laundered through the accounts.
Re: (Score:2)
Re: (Score:3)
Why on earth would one store hashed and salted credit card information? If you're going to bill people, you need the original credit card number, no? Hashing isn't reversible.
Re:Way to sensationalize (Score:4, Insightful)
Trend Micro saying "Online Games a 'Playground' For Organized Crime" is like ADT saying "Private Homes a 'Playground' For Organized Crime".
Re: (Score:2)
When I was playing EVE, it was widely rumored that the Russian mafia were also playing - using game/real currency exchange as a form of money laundering to hide the income from their real-world criminal activities. Not sure how much truth there was to the rumors.
Re: (Score:2)
When cargo ships routinely get ganked with in excess of $15,000 worth of ISK or ETC I think it's rather obvious someone's doing something other than playing the game with all that. The only logical use for all that ISK/ETC is money laundering. They're buying up ETC cards with illegal funds then selling them for ISK, then selling the ISK for cash on a website and count the proceeds as legitimate income.
Re: (Score:3)
You know, this sounds like the beginning of a plot for a possibly amazing movie.
To wit: A teen and his friends gang up on a ship on EVE that is carrying an absurd amount of money. The Russian mafia tracks the IP of the teens and then goes after them, and the teens have to run for their lives.
Or even better, the Russians kidnap their parents or something, and hold them for ransom, and the kids have to go back online in EVE and capture even more ships to save their parents. Or something like that.
Re: (Score:2)
I suggest the 'something like that' is to have them forced to attack a rival syndicate - if they can destroy one money-laundering convoy, the operators might see how such skills could be put to use.
You can get a really triumphant finale when word gets out and a fleet of five thousand legitimate players descend to suicide-gank the laundering ships, costing the mafia so much they have no option but to abandon their money-laundering operation.
And the leader of the money laundering can then get killed by his bo
Re: (Score:2)
Pretty much REAMDE.
(Apparently, Fox is going to adapt that as a TV series. Not sure if it'll be any good, but if it is, it'll probably get canceled early.)
(No, I'm not still bitter about Firefly, why.)
Re: (Score:2)
They might buy the ISK for cash on the grey market too - it might offer a better exchange rate.
If you just buy and sell money with one character it'd stand out like a sore thumb in the audit logs, and records could be easily subpoenaed. So they probably need to have multiple accounts, and shift the value between them using in-game-legitimate operations like a hauler-full-o-goods. Simple matter of avoiding easy tracking by hiding it in the noise of EVE's frantic economy. Even if investigators work out which
Re: (Score:1)
Seems a dubious method to launder money, at best.
CCP doesn't allow real-world transfers of ingame assets for non-game assets. Not everyone is caught, but it's taken seriously and many are caught and removed from the game.
Such risks do not make EVE a very viable money laundering facility, sorry. I wouldn't do it there. Second Life maybe, but not EVE.
Re: (Score:2)
It has absolutely nothing to do with the fact that it is a game
On the contrary, I think it has a great deal to do with it being a game. One of the problems with online crime involving MMOs, is that it is hard to get people in the real world to acknowledge internet spaceships as serious business; unfortunately this can include law enforcement. So even though hacked and looted accounts can be converted into real currency, it doesn't carry quite the same degree of real-world risk for the criminal.
As a result, an MMO operator may end up needing better security practices
Re: (Score:2)
There is rarely a single motive for obviously bogus claims like this. It also distracts from current criminal actions by the Government, distracts from police illegally arresting people for protesting, distracts from banking criminals, etc... In addition, it plays on the typical gamer stereotype adding suspicion to those "gamers" that must all be like the obese griefer with no life in South Park and generates some FUD regarding a certain type of person.
Re: (Score:1)
Fucking stupid ass wankers that don't know shit wants to tell us what is up.
Thank you, Nyder, for that report from Slashdot's Tourette Syndrome news desk.
Up next, authorities say a common network protocol used every day could kill you. Find out which one after this commercial break!
Stephenson (Score:3)
Well... (Score:2)
At least they've got a hobby!
MADLIB TIME! (Score:5, Interesting)
Replace FOO with some type of online service in the following soundbite:
"FOO a 'playground' for organized crime."
Congratulations, you are now a security expert! Let's try it out:
"Social network services a 'playground' for organized crime."
"FTP servers a 'playground' for organized crime."
"VoIP providers a 'playground' for organized crime."
See! Wasn't that easy!?
hashed and salted credit card info (Score:3)
Why would you bother storing hashed and salted credit card information? The only thing you could do is match it against the credit card used on the next transaction - but what does that really get you? The hashed/salted card number would be usable again (if hashed+salted properly).
to authenticate in game purchases (Score:4, Informative)
One use would be for ongoing purchases in / for the game. When you sign up, they store the CC on a protected payment system that's not directly accessible from the internet. The internet-accessible server has only a secure salted hash of the CC. For a purchase, the client prompts for the CC to use, then sends the hash of it to the public server. That confirms that the user truly has presented the correct card number. The public server can then call the one and only function exposed by the payment server, billcard(hash,amount).
That way they can prove that the customer entered the card number into their game, without sending the card number over the internet.
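A sketch of the flow described in the comment above, added here as an illustration and not code from the poster or from any game operator. Only `billcard(hash, amount)` comes from the comment; the class names, the PBKDF2 choice and its iteration count, and the out-of-band enrollment step are assumptions.

```python
import hashlib
import hmac
import os

def card_token(pan: str, salt: bytes) -> bytes:
    # Card numbers are short and structured, so use a slow salted KDF rather
    # than a single fast hash (PBKDF2 and the iteration count are assumptions).
    return hashlib.pbkdf2_hmac("sha256", pan.encode(), salt, 200_000)

class PaymentServer:
    """Internal system: the only place that holds full card numbers."""
    def __init__(self):
        self._cards = {}      # token -> card number, never leaves this class
        self.charges = []     # (last four digits, amount in cents)

    def enroll(self, pan: str):
        salt = os.urandom(16)
        token = card_token(pan, salt)
        self._cards[token] = pan
        return salt, token    # only these two values go to the public server

    def billcard(self, token: bytes, amount_cents: int) -> bool:
        pan = self._cards.get(token)
        if pan is None or amount_cents <= 0:
            return False
        self.charges.append((pan[-4:], amount_cents))
        return True

class PublicServer:
    """Internet-facing system: stores salt and token per user, no card number."""
    def __init__(self, payments: PaymentServer):
        self._payments = payments
        self.accounts = {}    # user -> (salt, token)

    def register(self, user, salt, token):
        self.accounts[user] = (salt, token)

    def purchase(self, user, presented: bytes, amount_cents: int) -> bool:
        if user not in self.accounts:
            return False
        _, stored = self.accounts[user]
        # Constant-time comparison of the client-computed token with the stored one.
        if not hmac.compare_digest(stored, presented):
            return False
        return self._payments.billcard(stored, amount_cents)

def client_purchase(public: PublicServer, user, typed_pan: str, amount_cents: int) -> bool:
    # The game client hashes what the player typed; the number itself is not sent.
    salt, _ = public.accounts[user]
    return public.purchase(user, card_token(typed_pan, salt), amount_cents)
```

In this sketch the stored token is what authorizes a charge, so the public server's copy has to be protected like a credential even though it is not the card number.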
Re: (Score:2)
That would be too easy. It'll never work.
On a more serious note. While that is a good idea, the secure payment system would still need the whole CC. While you can harden a system that only does one thing much more thoroughly, you're putting all the valuable data in one place for the attacker. It's still a good idea though, and companies should do something like this.
Here's another thought. While some larger corporations have lax security for no explainable reason, cough Sony cough, many games that are bei
yes, normally experts 4 security sensitive stuff (Score:2)
Yeah, that's what the vast majority of web sites do. PayPal or Google checkout for one-time purchases, CcBill or Verotel for subscriptions. That's not a bad idea.
Most site operators truly need assistance just securing the interfaces to payment processors, and securing passwords. For example, most store passwords using DES hashes (1972) or plaintext until we fix it for them. I think they are correct to focus on their core competency and let professionals with time-tested solutions handle difficult issues
not necessarily, by definition but secured, stoned (Score:2)
A) It doesn't necessarily require that the CC be sent over the internet. You COULD phone it in. On some sites, we used to have an applet for your modem to call the payment system directly. Today's version of that would be for the game setup to include a VPN-like client. That can be followed by a confirmation call or other one-time security measures. Even if it WERE sent over the internet with no extra security, doing that once is better than doing it every time you buy a game token.
B) unsecured? You oo
Not surprising ... (Score:3)
I've always avoided any game which relies on these in-game purchases.
Firstly, because I'm cheap and have no interest in having to pay for baubles in a video game with real money. But second, because I don't necessarily trust that companies put enough effort into safe-guarding my financial information -- they put a lot of work in the glossy bits and setting up a way to get my money, but they're not as interested in keeping it secure.
If you know that a system has a vast number of credit card details stored in it, it's going to be an attractive target, because any exploit of it is going to yield a lot of stuff. In this case, it's a big giant database of credit cards and names, stored by a company who may or may not have put enough effort into protecting that.
This is why I'm of the opinion that companies need both restrictions on the kind of data they collect and use, but also some steep penalties for failure to safeguard it once they have it.
If someone can do an incompetent job of security and have their users be the ones affected by it, it has to be a lot more than "ooops, sorry".
Re: (Score:2)
Re: (Score:3)
It's much harder to compete in pay to win games if you don't pay yourself. That's why I don't play them at all.
Re: (Score:2)
Next headline from VP JD Sherry: (Score:1)
No Security but Monitoring? (Score:5, Interesting)
Get an IP sniffer.
When I play StarCraft II, which insists on being online even for single-player, I get tons of connection attempts going places other than Blizzard. I block them, and gameplay does not suffer.
* www.reuters.com
* www.googleanalytics.com
* Akamai (OK, that's for downloading updates)
* several other all-digit IPs, which I also block.
Re: (Score:1)
That's interesting. Infuriating, even. Fucking blizzard.
Re: (Score:1)
A bit off-topic, but if games with online playability lack security, it's by their choice. They certainly spy on their players enough.
Get an IP sniffer.
When I play StarCraft II, which insists on being online even for single-player, I get tons of connection attempts going places other than Blizzard. I block them, and gameplay does not suffer.
* www.reuters.com
* www.googleanalytics.com
* Akamai (OK, that's for downloading updates)
* several other all-digit IPs, which I also block.
First, all IPs are all digits.
Second, you're seeing the connections to reuters and google because the launcher is just a wrapper which opens up a web site, it's the web site pinging those places for tracking purposes. (Side note- this is why it's better to do IP blocking on your firewall/router than using a blacklist plugin like adblock).
Third, you'll only hit Akamai servers if your ISP uses them for web caching. Mostly you're pulling updates from them, sometimes it's the web pages... either way that's not
Re: (Score:3)
Out of curiosity, have you ever run a reverse DNS lookup on those IPs? Or is that how you figured out who the outbound connections were attempting to talk to to begin with? Google analytics sounds like SC2 is rendering a web page somewhere, and triggering the javascript. I don't own the game, so I can't check.
This is why per process firewalls are so important. I'm personally using Comodo Free myself. It pains me to admit it, but this is actually one area where Windows is ahead of Linux.
Yes, that's righ
Re: (Score:2)
Yes, that's right, Windows is ahead of Linux when it comes to security. We need to fix this.
Go for it, bro. Write one.
Money Laundering (Score:2)
Sounds like an excellent way to launder money, as well. Virtual goods with no real inventory....
Re: (Score:2)
Sounds like an excellent way to launder money, as well. Virtual goods with no real inventory....
Not so much. It's easy to buy the things from the company, but as soon as you try to sell them it becomes "Real Money Trading." Game companies have always tried to stop RTM. Traditional games at least have a valid reason for this. RTM encourages criminals to use bot farming. Meanwhile, games with micro transactions don't like it because it's a secondhand market eating into their profits.
The ethics of RTM are actually quite interesting. For any game where you can buy something in game with real money,
Why care? (Score:1)
Any fool can learn a name, a postal address, an email address, a birthdate, a social security number. Those things therefore have no value and there is not much point in obscuring them. Passwords (disgusting method, relies on users and communication cryptography, neither of which is reliable) are perhaps another matter - but hopefully if the access a password guards matters, that password is NOT used elsewhere by that user. Well, one might hope I suppose.
Biometric has a chance, at least to guard access at the en
Re: (Score:2)
The passwords were hashed and salted, making them hard to crack and probably worthless, the same goes with the CC numbers. It's really a step up in security compared to other recent security breaches with other companies. I was glad to see that this company thought ahead and planned for a breach...The article doesn't mention how the breach happened and it doesn't mean that it was the company's fault.
Passwords are good if you know how to use them, biometric has the same disadvantage as a physical key does, it
Wrong impression (Score:2)
At first I thought they were talking about actual organized crime like the mafia "meeting up" in World of Warcraft or something, to set up hits on witnesses and stuff.
Frankie: "Hey Tony, I need to speak to you about last night's heist real quick."
Tony: "Yeah sure thing boss. Gimme a minute and I'll jump on my Paladin so we can do business."
An excuse for any kind of monitoring. (Score:1)
Seriously, NSA, Really? Thanks for finding an excuse to monitor the potheads in my EverQuest chat box?
You guys are fucking pathetic.