Archive for the ‘Social Networks’ Category

Gaming social games: virtual goods fraud

Posted on October 28th, 2009 by Tom Grubb

Fraudsters aren't dummies
In case you haven’t heard, there’s real money in virtual goods—serious money. Just read this week’s TechCrunch article on how the big three (Zynga, Playfish and Playdom) rake in a combined $335M in estimated revenue. The combined number of monthly users named in the TechCrunch article pushes 300 million. Need more proof that virtual goods are hot? For the second day in a row virtual goods made TechCrunch in a report about Live Gamer, an online marketplace for players to trade and buy video game virtual goods. The TechCrunch article says “Live Gamer has over 72 customers and supports over 56 million registered users across all of partner implementations, exceeding 3 million micro-transactions per month.”

The TechCrunch article goes on to explain the revenue model for social gaming like this: “Get new users playing for free, give them incentives to message all their friends to signup, hit them hard for cash or lead generation for revenue, and move them up the levels. Rinse. Repeat.” Of course the hard cash changes hands in the form of an online credit card transaction—and whenever lots of money, credit card purchases and millions of transactions come together on the Internet there’s online fraud.

This interview by Michael Zenke of MMO web daily Massively with John Smedley, CEO of Sony Online Entertainment, reveals one of the areas where fraud rears its ugly head in online gaming: gold farming. Gold farming is the practice of a player acquiring items of value in a massively multiplayer online role-playing game (MMORPG) in order to sell them for in-game currency. SOE’s Smedley comments on the high cost of chargebacks in gold farming:

Massively: Earlier you mentioned the problem of farmers with regards to Station Access. I know that’s something the company feels very strongly about?

John Smedley: I think the issue of farming is higher on the radar now than it ever has been. The behind-the-scenes things are really frustrating. A lot of these farmers are essentially stealing from us. What they do is they charge us back all the time. They use a credit card, sometimes stolen, sometimes not, to buy an account key. They use the account for a month, and then they call the credit card company and charge it back. We have suffered nearly a million dollars just in fines over the past six months; it’s getting extremely expensive for us. What’s happening is that when they do this all the time, the credit card companies come back to us and say “You have a higher than normal chargeback rate, therefore we’ll charge you fines on top of that.” We’re really trying to get on top of that. We’re taking our current efforts up about five notches to Defcon 1 on this issue. They bug us even more than they bug our customers, and we’re definitely taking steps to implement rigorous anti-farming efforts.

It’s actually really amazing to sit and watch these people work. I’ve personally sat with them as they’re tracking a farmer, and you’ll see a mob spawn – this guy’s got a bot that within half a second has them moving towards the creature even if it’s halfway across the zone. It’s a serious problem.

Massively: And you can’t fight the chargebacks with the credit card companies?

John Smedley: No, and the reason for that is very simple. Visa and MasterCard have these rules about chargebacks, and I personally think they’re antiquated. Digital delivery isn’t covered by their rules very well. So if you order something from Amazon and pay thirty bucks for a book, if it doesn’t show up at your house you can fight it because you can say “I never received that thing.” They do not cover that with digital delivery. In my opinion the world has changed a lot and I think that needs to be addressed.

ThreatMetrix device identification can (and does) help detect and prevent fraud in social networks, social gaming and virtual goods payments—to stop fraud and authorize good customers more quickly with less hassle.

Virtual goods are on the news radar this week because the Virtual Goods Summit hits San Francisco on Thursday and Friday. VG Summit 2009 is definitely on ThreatMetrix’s radar since we’ll be there both days as a sponsor.

The 3rd annual Virtual Goods Summit will take place in San Francisco, CA on October 29-30, 2009. The event will bring together thought leaders in this space to talk about what’s changed, what’s working, and the key challenges facing the industry. This year’s lineup features executives from the leading companies in the virtual goods ecosystem, including Tencent, Playfish, DeNa Global, Nexon, Zynga, Playdom, Bigpoint, IMVU, Outspark, Zong, PayPal, Perfect World, MyYearbook, InComm, NHN, Ning, TrialPay, Super Rewards, Viximo, Offerpal Media, Serious Business, Slide, Giant Interactive, and many others. An assembled panel of experts will share their thoughts on key issues such as trends in monetization in the United States and Asia, key learnings on how to best drive revenue from social games via virtual goods, market sizing estimates for the US and global virtual goods opportunities, and similarities and differences between user behavior in the United States and Asia.

In addition to the exciting lineup at this year’s edition of the annual must-attend event in the virtual goods space, the Virtual Goods Summit is expanding in 2009 with the creation of “Virtual Goods Summit University” or VGSU. VGSU will offer attendees the opportunity to go in-depth on the fundamental business practices and capabilities required for success with a virtual goods business model. The Virtual Goods Summit University will cover some of the most important issues facing publishers today, including how to get started with virtual currencies, how to manage a virtual economy, key decisions when rolling out a payments infrastructure, and how to manage multiple virtual currencies.

If you’re thinking of going but you haven’t purchased tickets yet, you can save 15% on tickets by using the code THREATMETRIX at checkout when registering at Eventbrite.

- Tom

Are Virtual Goods worth stealing? It's a virtual certainty

Posted on September 28th, 2009 by Tom Grubb

Fraud is no stranger to Virtual Goods

If someone told me a few years ago that people would pay real money for goods that aren’t real—virtual goods that only exist in digital form—I would have joked that I had a virtual Brooklyn Bridge to sell them. Well the laugh’s on me if the buzz at the Virtual Goods Conference in San Jose this week is any measure of where the VG industry is today and where it’s heading. There’s real money changing hands for virtual goods in social gaming and lots of people are working hard to figure how to make it pay even more.

If you’re new to the world of virtual goods, here’s a great overview written by Lora Abe, director of marketing for Gambit, a leading payments engine for online games. Gambit’s booth was right next to ours at the conference (thankfully they let us play their pinball machine during the low-booth-traffic intervals).

Fraudster seeks SWF with loaded bank account willing to be duped

Posted on September 2nd, 2009 by Tom Grubb

ThreatMetrix helps keep Mystery Date fun by keeping fraudsters out

“Will your mystery date be a dream…or a dud?” That was a line I remember from a commercial for a board game called Mystery Date that was popular in the late sixties. I remember my sister playing the game with her friends, each trying to assemble the perfect matching outfit for a shot at a “dream date.” Forty years ago game maker Milton Bradley’s idea of a dream date was bowling, skiing, beach or a formal dance. Now with online dating the norm, a dream date would mean your mystery date isn’t a fraud trying to fool you into sending them money.

Trust is the bedrock on which online dating services are built. If members start to feel unsafe in the dating pool then they’ll opt out or try a different service. Online dating services understand this dynamic and some go to great lengths to try and keep the criminal element out. These are often sophisticated criminals working from offshore. CTO and co-founder of Date.com Chris Covino told Inc. Magazine that they “found many crime rings employed multiple teams that focused on different parts of a fraud operation.

Can Device Identification Help Prevent Fraudsters from Using Your Personal Data Against You?

Posted on July 9th, 2009 by Tom Grubb

Social Security Numbers: Device ID can take the risk out of gambling with your personal data

According to a new study by researchers at Carnegie Mellon University it is now possible to exploit an individual’s place and date of birth to predict his or her Social Security number. Most of us have fed the worldwide web (often willingly, sometimes not) enough personal data about ourselves to leave pieces of us in the form of data that fraudsters can use to identify us: credit card numbers, birthdates, personal tastes…just about anything and everything that could be used to identify us. The Carnegie study reveals that personal data available from online sources such as Facebook can now be used to construct our Social Security numbers, personal private data that until now was considered reasonably safe from intelligent guessing by networks of compromised computers.

Here’s an excerpt from the Carnegie study that spells out the problem:

“Although defense mechanisms to detect repeated abuses are in place at those services [for instance, the SSNVS tracks incorrect attempts at verifying SSNs, and financial institutions blacklist (for various days or months) IP addresses originating 3 or more failed logins or transactions], ‘botnets’ of compromised computers allow attackers to test, cheaply and covertly, vast numbers of variations of targets’ SSNs, strategically distributing simultaneous attempts across services, compromised machines, and target accounts.”

Device Identification would make it difficult to “strategically distribute simultaneous attempts across services” because ThreatMetrix would identify the source of the attempts, even if the fraudster is hiding behind a proxy. “Cheaply and covertly” is consistent with what I’ve said in previous blog entries about how the technology tools and means to commit fraud are making a bad problem much worse as they enable far more people to jump into the online fraud business. The more we reveal about ourselves online, the more easily we can be identified by who we are and what we do. Online banking, purchasing, gaming, dating and social networking rely on our ability to prove that we are who we claim to be without our physical presence; this creates the opportunity for fraud. On the web, we’re defined by data in the form of attributes that can be (and are) used to authenticate our identity: birth date, street address, favorite pet, height, color of eyes, Social Security number and more. The Carnegie study shows that it’s quite possible to correlate those data from various sources to get a more complete and accurate picture of a person for credentialing. This is something new that has the potential to wreak havoc in the online world.

Those personal data attributes scattered across the worldwide web present a new form of risk. Device Identification (when it’s done right) can take back some of that risk by providing a reliable point of reference to authenticate who’s at the computer. By profiling the computer instead of the person, ThreatMetrix Device Identification offers these advantages as a method to authenticate identity online:

  • Instantly identify a computer within seconds at the moment a connection is made: manage the risk of a device connection before you provide someone access to your web site
  • Passive, non-intrusive identification: because data is supplied by the visiting computer and its connection instead of the person, authentication requires no knowledge of or inputs from web site visitor
  • Even if personal data such as Social Security numbers are compromised, ThreatMetrix Device Identification helps companies and institutions prevent fraudsters from using them to establish illicit accounts

Will device identification become a must-have factor to authenticate identities on the worldwide web in the next few years?

How Device Identification Helps Keep The Three Doors to Online Fraud Closed

Posted on June 29th, 2009 by Tom Grubb

Three gateways to fraud

What’s the difference between a fraudster scamming an airline and one scamming a social gaming site…or an etailer or a dating site? Fraud is always a game of deception for some purpose whether it’s stealing money or online gaming for free. But the strategy and tactics employed by a fraudster can be quite different depending on the target and objectives.

In the past two weeks ThreatMetrix attended or sponsored several industry focused events: Internet Retailer Conference and Exhibition, The Airline Reporting Corporation (ARC) Fraud Prevention Conference, The Social Gaming Summit and iDate 2009. Each industry gathering had its own spin on fraud concerns but they all had this in common: everyone is more concerned than ever about the rapid spread of online fraud.

At the ARC conference I heard about the latest and greatest schemes to defraud airlines. They illustrate the complexities unique to online ticketing. The number of entities in the chain between consumer and merchant combined with the complexities of booking travel on a global scale in real-time pose serious challenges to fighting fraud. Credit card fraud was top of mind at ARC, but there are three possible points of entry online that present fraudsters with opportunity to pursue their objectives: new account sign-ups, account logins and online purchases.

Which of the three poses the highest fraud risk to your business depends on your business. For example, online dating and social gaming services are exposed to all three types of fraud, whereas etailers focus most of their fraud detection effort on preventing credit card fraud. This difference points to an important advantage in real time device identification: it’s very effective at detecting fraud across all industries, applications (new accounts, logins and card not present), fraud schemes, geographies and devices. Organizations typically employ multiple fraud fighting tools; device ID stands out for its unique ability to detect fraud (and identify customers) before you know anything about the person visiting your web site.

- Tom

Fraud-as-a-service: is fraud technology poised to cross the chasm?

Posted on June 8th, 2009 by Tom Grubb

Fraud-as-a-service crossing the chasm

IT PRO has some interesting musings on a Global Fraud Report from RSA that brings new chilling predictions for online fraud. This report brings more than just the usual bad news we typically hear about. Findings in the report cast online fraud in a new light that underscores the monumental challenge fraud poses to the worldwide web. ‘Fast-flux botnets’ capable of hiding the content servers that serve up the malware and phishing content that fuels online fraud are expected to increase in the next year. Fast-flux botnets can change addresses much more quickly, making them much harder to catch. The technology aspect is chilling, but the rapid commercialization of online fraud it ushers in is what makes this story noteworthy.

The means and expertise to commit online fraud have reached a tipping point where they are easy to learn and operate, more powerful, affordable (even free) and broadly available to just about anyone who wants to get into the business. IT PRO spoke with RSA’s Andrew Moloney who stated the problem in clear terms:

Moloney said: “Fundamentally what we’re seeing is a commercialization of the fraud industry at a level really greater than what we’ve ever seen before.

“The barrier for entry, if you’re a non-technical kind of person, has been significantly lowered.”

This was seen with ‘fraud-as-a-service’, which meant that people didn’t need technical expertise to infect a machine with a trojan or other type of attack, as they could simply buy what they needed.

Fraud-as-a-service has the potential to be a game-changer in favor of online fraudsters and against those conducting legitimate business on the worldwide web. The worldwide volume of account logins, new accounts, and online credit card purchases (CNP) increases year after year—and thanks to fraud-as-a-service the number of people willing and able to commit online fraud is likely to grow at a faster rate.

Increasingly coordinated fraud attacks and better tools available to anyone with the desire to steal will require even more vigilance on the part of etailers, banks, online social networks, web payment facilitators and governments in order to stay ahead of fraudsters. The rise of fraud-as-a-service makes an even more compelling case for device fingerprinting—the only fraud prevention method that can detect fraud before it occurs by profiling the computer instead of the person.

Does Geoffrey Moore’s famous chasm theory apply to fraud-as-a-service? Will it push online fraud across the chasm from early adopters to an early majority?

- Tom

To stop a fraudster: maze or wall?

Posted on May 26th, 2009 by Tom Grubb

New kinds of captchas are needed to stop online fraud

I recently heard someone say that preventing online fraud required an approach more akin to a maze than a wall. In that view, fraudsters are more likely to fail or give up if they have to spend too much time going in and out of blind alleys trying to break a system in order to gain entry and commit their crime. Captchas, those annoying picture puzzles you encounter on web sites that ask you to type the characters you see in the distorted picture, are a good example of this.

Fraudsters use automation like bots to achieve their goals but captchas get in their way. So naturally the fraudsters employ automation to defeat captchas. It’s a game of cat and mouse between the fraudsters and those who invent new, more challenging captchas to stay ahead of them. According to a new report by Symantec’s MessageLabs, the fraudsters have held the high ground lately in the realm of spam (ThreatMetrix has its roots in spam prevention; the pioneering work for the Australian government pointed the way to using device fingerprinting as a weapon to attack the root causes of spam).

Maze or wall to stop a fraudster?

The trends cited in the report provide plenty to be concerned about. One of the more disturbing trends in the news report on CNET is “…rather than just hijack disreputable Web sites, cybercriminals now favor older and well-established domains to host their malware.” They go on to say that “web sites where users create most of the content, such as social networking domains are more at risk.” ThreatMetrix is working with several social networking sites who are doing their part to help keep cyber criminals out and serve their customers’ desire for a trusted social network.

It just goes to show (again) that fraud prevention is a game of cat and mouse that requires constant vigilance by web site businesses to employ anti-fraud solutions to stay ahead of the bad guys.

If you want to read more on the latest approach for building better captcha, check out this article about Google’s newest big idea. They’re testing a new captcha “that requires people to turn upright randomly rotated images, like that of a parrot perched temporarily upside-down on a leafy branch.”

- Tom

Social Networking Abuse – Twitter Hack on Youtube

Posted on January 9th, 2009 by Alisdair Faulkner

The embedded video below shows teenage hacker CMZ walking through his attack on Twitter using a brute force password attack. CMZ exploited the fact that Twitter did not put time-outs on login attempts by running a series of dictionary attacks against the admin’s account until he correctly determined the password to be ‘Happiness’. The admin’s details were posted on digitalgangster and were then used to send spam through the Barack Obama and Britney Spears accounts.

This kind of brute force attack, carried out by a teenager with a guessed user name and a password generator, should send chills down the spine of any company that thinks a user name and password are sufficient to keep their crown jewels safe.

Device Intelligence and Device Identification can’t fix bad admin security practice but many social networks are now turning to the device as a form of transparent two-factor authentication to determine whether an account is being accessed from an unauthorized computer, or to detect when the same computer is accessing multiple unrelated accounts.
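As an added example (not ThreatMetrix’s or Twitter’s code), the following Python evaluator shows the two controls discussed in this post and in the device identification posts earlier on this page: a per-account time-out on failed login attempts, which the Twitter admin account lacked, and a fan-out check keyed on a device fingerprint rather than the client IP, so that attempts spread across proxies or compromised machines are still tied together. The device ids, IP addresses, thresholds and log lines are all constructed for the example.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 600          # look-back window for failed attempts on one account
MAX_FAILURES = 5              # failures inside the window before the account times out
MAX_ACCOUNTS_PER_DEVICE = 3   # distinct accounts one device may reach before review


class LoginRiskEvaluator:
    """Hypothetical evaluator: per-account time-out plus per-device fan-out check."""

    def __init__(self):
        self.failures = defaultdict(deque)       # account -> timestamps of recent failures
        self.device_accounts = defaultdict(set)  # device_id -> accounts it has reached

    def evaluate(self, ts, account, device_id, ip, password_correct):
        """Return 'allow', 'denied', 'locked' or 'review' for one login attempt."""
        recent = self.failures[account]
        while recent and ts - recent[0] > WINDOW_SECONDS:
            recent.popleft()                     # failures older than the window expire
        if len(recent) >= MAX_FAILURES:
            return "locked"                      # time-out: the guess is not even checked
        if not password_correct:
            recent.append(ts)
        # Fan-out is keyed on the device fingerprint, not the IP, so rotating
        # proxies does not reset it; the IP is carried only for the comparison below.
        self.device_accounts[device_id].add(account)
        if len(self.device_accounts[device_id]) > MAX_ACCOUNTS_PER_DEVICE:
            return "review"                      # one device, many unrelated accounts
        return "allow" if password_correct else "denied"


# Constructed sample log: (ts, account, device_id, ip, password_correct)
CONSTRUCTED_EVENTS = [
    # 1) dictionary attack on one account: guesses 6 and later are refused,
    #    including the eventually correct one
    (0, "admin", "dev-A", "203.0.113.5", False),
    (1, "admin", "dev-A", "203.0.113.5", False),
    (2, "admin", "dev-A", "203.0.113.5", False),
    (3, "admin", "dev-A", "203.0.113.5", False),
    (4, "admin", "dev-A", "203.0.113.5", False),
    (5, "admin", "dev-A", "203.0.113.5", False),
    (6, "admin", "dev-A", "203.0.113.5", True),
    # 2) one device hopping between proxies and logging in to unrelated accounts
    (100, "alice", "dev-B", "198.51.100.1", True),
    (101, "bob", "dev-B", "198.51.100.2", True),
    (102, "carol", "dev-B", "198.51.100.3", True),
    (103, "dave", "dev-B", "198.51.100.4", True),
    # 3) an ordinary user who mistypes once
    (200, "erin", "dev-C", "192.0.2.9", False),
    (201, "erin", "dev-C", "192.0.2.9", True),
    # 4) the admin account's window has expired, so a new guess is checked again
    (700, "admin", "dev-A", "203.0.113.5", False),
]


def run(events):
    """Feed the events through a fresh evaluator and return the decisions in order."""
    evaluator = LoginRiskEvaluator()
    return [evaluator.evaluate(*event) for event in events]


def accounts_per_key(events, key_index):
    """Accounts seen per IP (key_index=3) or per device (key_index=2)."""
    seen = defaultdict(set)
    for event in events:
        seen[event[key_index]].add(event[1])
    return dict(seen)
```

Comparing `accounts_per_key(CONSTRUCTED_EVENTS, 3)` with `accounts_per_key(CONSTRUCTED_EVENTS, 2)` shows the point of the device key: every IP in the sample touches exactly one account, while device `dev-B` touches four.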