Friday, October 19, 2012

Cyber Security Incidents, Hacktivism and Cheating
in Massively Multiplayer Online Role-Playing Gaming Industry (MMORPGI)



This industry of multi-user games, which I call MMORPGI, started in 1974 under the MUD genre (Multi-User Dungeon/Dimension/Domain) and, with progress in modern technology and high-speed internet connections, gained popularity from 1996 as MMORPGs. Since then, development of a single MMORPG title has often cost millions of dollars. It was regarded as an emerging lucrative venture, with fast-growing worldwide revenues racing into multi-billion dollars.

Assets acquired in the virtual worlds (VW) have no physical manifestation other than data records that they exist. But they are regarded as intangible assets, in accounting terms, and have proven to have considerable value in the global economy that is too significant to ignore. Thus, it is not surprising that the Korean government is subsidizing and tapping its talent in the development of MMORPG titles published globally. Its support for this industry has been rewarding, as the annual worldwide revenues could very well fund two or more annual appropriation acts of some countries.

The VW economy transcends its boundaries and extends into the real-world economy. VW currency and assets, though intangible, have profitable value in the real-world market. Real money trade (RMT) of virtual assets was estimated by the Wall Street Journal to reach 5 billion dollars in 2007. This made MMORPGs, besides other motives, the forecourt of cyber attacks like game account hacking and virtual mugging, including cheating to accumulate virtual assets.

Virtual criminals are restless, blissfully eyeing the untapped game accounts of prospective victims and devising methods to exploit for profit the uncharted territories of VWs, alongside the host servers of third-party services associated with the industry.




Cyber Security Incidents

MMORPGI is not all about title development, corporate secrets, game codes, new platforms, compatibility with new technologies, graphics, design, game server enhancements, data storage, recommended security, tracking systems, publishing, support services, updates and patches, management, promotions and marketing, services and events, end-user satisfaction and amassing revenues. Like the Moon, it has a dark side, and that side is equally booming, engulfing, and progressively sophisticated. That dark side is being spread by cyber crimes, which are now defined by various local legislations and are already acknowledged as a menace above the global drug trade.

The European Network and Information Security Agency (ENISA) describes in detail the incipient risks in MMORPGs, which include in-game access control vulnerability, scripting vulnerability, denial of service, spam and threats to minors, and others, and provides important recommendations. It reported that:

2007 was the year of online gaming fraud - with malicious programs that specifically target online games and virtual worlds increasing by 145% and the emergence of over 30,000 new programs aimed at stealing online game passwords. Such malware is invariably aimed at the theft of virtual property accumulated in a user's account and its sale for real money. With 217 million regular users of MMO/VWs (Massively Multiplayer Online Games and Virtual Worlds) and real-money sales of virtual objects estimated at nearly US$ 2 billion worldwide at the end of 2007, this is a serious issue. The failure to recognize the importance of protecting the real-money value locked up in this grey-zone of the economy is leading to an exponential increase in attacks targeting online MMO/VWs.
Another important area of risk is the disclosure of private data. MMO/VWs are commonly perceived as being completely separate from the real lives of their users and therefore immune to privacy risks. In reality, representing yourself as an avatar is little different from using any other form of online persona. The inclusion of IRC and VOIP channels, along with the false sense of security created by MMO/VWs, leads to significantly increased disclosures of private data such as location and personal characteristics.

The 2011 cyber attack on Sony cost the company nearly 175 million dollars. Thereafter, similar incidents took place, with even greater damage, reported as breaches and cracking of password databases that burdened end-users worldwide and caused panic among them. On August 27, 2012, ENISA released a report arguing that there are gaps in the implementation of cyber security legislation, while cyber incidents remain undetected and are most commonly kept secret when discovered, leaving customers and policymakers in the dark about frequency, impact and root causes. The report cited five examples of cyber security incidents that had significant impact on individual users, governments, the economy and society in general:
  • In June 2012, 6.5 million (SHA-1) hashed passwords of a large business-focussed social network appeared on public hacker forums. The impact of the breach is not fully unknown, but millions of users were urged to change their passwords and their personal data could be at risk.
  • In December 2011, the storm Dagmar affected power supplies to electronic communication networks in Norway, Sweden and Finland. As a result millions of users were without telephony or internet for up to two weeks.
  • In October 2011, there was a failure in the UK datacentre of a large smartphone vendor. As a result, millions of users across the EU and globally could not send or receive emails, which severely affected the financial sector.
  • Over the summer 2011, a Dutch certificate authority experienced a security breach, allowing attackers to generate fake PKI certificates. The fake certificates, the result of the breach, were used to wiretap the online communications of around half a million Iranian Citizens. Following the breach many Dutch e-government websites were offline or declared unsafe to visit.
  • In April 2010, a Chinese telecom provider hijacked 15% of the world's internet traffic through Chinese servers for 20 minutes, routing traffic to some large e-commerce sites, such as www.amazon.de and www.dell.com as well as the .mil and .gov domains, et cetera. As a result, the internet communications of millions of users were exposed (to eavesdropping).


The recent ENISA report explains that:

The large outages and large data breaches receive extensive media coverage, showing the importance of cyber security in society. Many breaches, however, remain undetected and if detected, are not reported to authorities and not known to the public. There is no overall view across the digital society of the incidents, the root causes of the impact for users.
Lack of transparency and lack of information about incidents makes it difficult for policy makers to understand the overall impact, the root causes and possible interdependencies. It also complicates the efforts in the industry, to understand and address cyber security incidents. And finally, it leaves customers in the dark about the frequency and impact of cyber incidents.

Challenges Facing MMORPGIs

These cyber security incidents indicate that an MMORPG service provider (SP) database (DB) is breakable at any given time, whether by man-made attack or natural disaster, if enhancement of security measures is undermined and if the indispensability of a continuously running multi-partner system of security detection, investigation and research is not taken seriously. And even if those precautions are at work, measures for efficient system recovery and restoration have to be addressed constantly, in readiness to deal with the inevitable.

Security in MMORPGs is turning out to be a risky trade-off, as services offered by the game sites not only allow changes to game accounts but are increasingly becoming a means of access to the game as well. As game patches are integrated into automated security patches hosted by a third party, exploitation of that channel makes the recommended security vulnerable. Security vulnerabilities become harder to detect and new exploits open up as third-party services (i.e., e-commerce transactions via game item shop and game sites, commercial advertisement/promotion feeds, and access to popular social networks) are integrated into the game client/interface and the game sites.

Consequently, MMORPGs being advanced as a business and social platform require the engagement of open-source services and exchange formats. Though this setup may be convenient and appealing, end-users are not fully aware of its complexity and the security vulnerability that ensues. Trustworthiness and reliability of the involved third-party services and their hosting servers will always be an issue. Risks of avatars and game accounts being lured into unknown variants of phishing and virtual mugging in the devious areas of virtual realities will always be haunting. Then, as prevails in most MMORPGs, denying that security incidents occurred, rather than admitting that they were not detected, will continue to be more of an excuse.

Conveniently for most SPs, the frequency of cyber incidents like game account/avatar hacking, robbery, hijacking, and stealing is just brushed off as the mere outcome of end-user negligence, even if reports and records show that the incidents took place while the accounts were hibernating, banned permanently, inactive, or not logged in. Requests for viable action and investigation of these cyber incidents are treated as confidential, the results given are usually just automated responses, and oftentimes they reach a dead end with a reiteration that such pursuit is forbidden or not required by the game policy.

The SPs' mindset that whatever time and money end-users spend in the VW doesn't confer ownership or legal title over acquired or purchased virtual items is part of the problem of promoting vigilance against cyber attacks. It encourages the SPs' practice and perception that they are not required to inform customers about: detected cyber attacks affecting their databases; found vulnerabilities of game system parameters; and cyber threats and security vulnerabilities affecting third-party services.

It further perpetuates irresponsibility over end-users' hacked accounts or mugged virtual assets, for anyway those assets are just pixels and don't belong to the end-users in the first place. Requests for investigation, compensation or recovery of virtual assets are just brushed off as a nuisance, and regarded only as a matter of prerogative. After all, it is already determined that the reported exploited data don't belong to the concerned end-user anyway. Consequently, the SPs' mindset over end-user virtual assets makes advocacy of "be aware, be secure" upsetting and the practice of "end to end security" just a peppercorn.

That kind of mindset is too remote to emulate the banking practice of calling a customer at the soonest possible opportunity to ask whether he did use his account for an online purchase, and immediately deferring/reversing payment if not confirmed. It is nearly impossible for an SP to ask an end-user whether he did activate the account transfer service, or did transfer all his virtual valuables to another account, with the intent of stopping or reversing the action if not confirmed. Eventually, in any case of hacking and mugging, the victim end-user will be confronted with the issue - "Who cares?". It is a perennial question end-users should have asked themselves before creating a game account, and a question more vital than deciding whether or not to assume risks before hitting the "I Agree" button.

It is quite evident that revitalization of MMORPGI as a flourishing venture and an overwhelming social activity, as shown post-2006, needs to reassure end-users' confidence with respect to privacy and investment security. And with the growing variants of cyber incidents, denial of said reassurance, more so in "free to play" (F2P), doesn't only erode customer confidence but raises the perception of mistrust that MMORPGs are becoming fraudulent, a scam, a bubble, cheat tolerant, having unreliable DB security, poorly managed, a waste of time and resources, a worrisome and stressful undertaking, and most likely, short lived.

Game developers and publishers, in their endorsed contract of adhesion, have to forge a viable new commitment which acknowledges accountability over customers' acquired and purchased virtual assets, despite the absence of a particular local legislation that indubitably defines end-user rights, possession and sense of ownership in a virtual world. The industry has to upgrade and expand its operating infrastructure commensurate to the competing needs of securing data, a reliable tracking system, and maintaining data restoration points for a longer period than six months.

Maintaining account/avatar restore points will always prove useful and significant for both SPs and end-users. This measure is not only vital for system recovery after a severe cyber attack, but also a practice that will deter RMT and will disappoint cyber criminals and cheaters. The money, effort and time invested by the victim end-user will not be futile; instead it will be the cyber criminals and cheaters who waste time and effort. Likewise, buyers in RMT will be discouraged from engaging. Besides, SPs won't have to opt for recreating virtual assets for compensation, which would later cause adverse effects on game balance and the virtual economy.

Moreover, with the rising variants of undetected cyber attacks, the industry has to adopt a system of transparency involving end-users in the detection, reporting and investigation feedback mechanism. It has to open up and coordinate with competent authorities for the formulation of institutional policies and implementation of appropriate regulations. SPs have to engage in a forum with other partners in the industry to promote vigilance, protocols and practices to combat cyber attacks, without however exposing their respective trade secrets and end-users' information.


Hacktivism

An early form of computer is thought to have existed since 3500 B.C., while 1820 is thought to be the year cyber crime was first committed. Vigilance towards cyber attacks has to begin with the awareness that they have been changing their faces, motives, fury and forms of invisibility.

Hacktivism was originally identified with political protest and civil disobedience to achieve political gains or reforms, but now includes cyber attacks like: stealing data; design, endorsement or promotion of unauthorized automation and illegal modification programs; game code exploitation; and other forms of security bypass to express discontent against the practices, policies and decisions of a target service provider.

It's not surprising that the unfair terms of the EULA - constructed and regularly modified to ensure deniability, confidentiality, and no liability as to loss of customer data, poor service and DB security breach - invite and indirectly encourage hacktivism, besides other motives like monetary gains and adventurism.

Many third-party-program (TPP) users and those with hacking skills begin their hacktivism the moment they click the "I agree" button without even reading the contents of the EULA. They presume that it is all designed as a waiver of whatever rights they have contrary to any of its unfair terms. For them the EULA means: assuming the risk and penalty, and agreeing to be pathetic and be estopped at some point in time. However, the EULA will not hinder them from trying to gain what they believe is just and fair. They will answer every sanction with renewed hacktivism, even to the extent of destroying the game or causing mass quitting.

Hacktivists are distinguished from other gamers who actually clicked the agree button to rush to the game, spend time and money, and use any available implements to whatever extent, legitimate or not, unmindful of whatever consequences there may be in the end, including quitting, regretting, crying, flaming, and trolling.

Many victims of game account hacking and virtual mugging usually turn hacktivists when they realize that their time spent, resources invested into the game, and displayed patronage turn to waste or are ignored without any possibility of exacting justice, fair treatment and consideration. Others simply turn hacktivists when they join the ranks of cheaters upon conviction that their vigilance and campaign against TPP users and cheaters have no effect at all. Moreover, some gamers disappointed with game management and policies, knowingly or unknowingly, by their use of TPPs and other forms of cheating, are already in the ranks of the hacktivists.

However, hacktivism is less prevalent in MMORPGs that have a complex and resilient platform against cyber attacks and a high regard for best practices in MMORPGs, which include trustworthiness, reliability and candidness - in the treatment of end-user virtual assets and investments; in detecting cheat engines; in tracking gamers' behavior to individually forewarn them of violative conduct; in managing in-game and off-game interaction with end-users; in maintaining in-game justice and fair play; in the practice of transparency and a participatory feedback mechanism; and in nurturing a profound VW gaming culture.

Hacktivism could eventually destroy the game, if it manages to turn the game ugly, and if the concerned SP does not have the guts to sacrifice profit, expel undesirable gamers, maximize resources to track gamers' behavior, and rethink its policies, to curb it.


Cheating

Cheating in VW, on the other hand, is about state of mind, self-worth, strength of character, social influence, personal circumstances, beliefs and attitude. Usually it is motivated by monetary gain, or gaining advantage over other gamers, or adventure, or, in the case of roboting, by the justification of spending time on better uses in the real world than sitting in front of a computer. Nevertheless, the invention of unauthorized automation, injected into or running with the game clients (TPPs), is widely regarded as cheating, as distinguished from tactics and legitimate exploits.

SPs often declare actions that cause game imbalance, disrupt the game, render some component of the game unplayable, destroy the virtual economy, and disappoint gamers or cause them to quit as acts of cheating and violative of the game code of conduct.

Oftentimes, as long as statistics show that gamers are not leaving the game even if they are disappointed or despite the presence of other forms of cheating, violations are just ignored and not dealt with in a timely manner with appropriate sanctions. This flexibility is actually the face value of a "double standard" motivated by business profit analysis, or just a manifestation of incapability due to inadequate resources for detecting the operation of cheats, an inept system for tracking gamers' in-game behavior, and poor security and supervision. And in justifying that "flexibility", a form of supposed justice system is introduced and put in place whereby gamers have to provide some form of evidence that the cheating occurred or is happening, and then they wait indefinitely.

Other service providers, however, are prompt and consistent in detecting cheating and imposing sanctions. These service providers, despite the existence of automated detection systems, take time to warn cheaters in-game before the sanction, are prompt in reversing sanctions found inappropriate or erroneous, and always have interactive representatives present in-game. If the offenders are still eligible for bail or waiting for the resolution of their request for record review, an in-game bailing system is available for convenience. They treat hacking and mugging seriously and conscientiously, as if they were the victims, and are prompt in following violators' trails to reverse the damage done and take steps to pursue offenders in the real world. They even accommodate scam reports with similar resolve to deter devious in-game conduct.

What constitutes cheating and what constitutes tactics per se is still a valid subject of debate. Many gamers consider legitimate any tactic and action not prevented by the game client. Others stretch it so thinly as to include exploits not prevented or detected by the game security. Game development at any point is never perfect; it is a work in progress. As such, there always exist bugs and errors that need fixing, and likewise new exploits that need new deterrent updates or patches.

Cheating, like hacktivism, could destroy the game if the concerned SP is not consistent, vigilant, strategically progressive, and fair in dealing with it from the start.


Expectations and Suppositions

The conduct of gamers in a virtual world is to be governed by various sets of regulations. Above the provided EULA and game code of conduct are the applicable local legislation and regulations, if there are any for MMORPGs. The absence of such a particular law makes the written terms in the EULA about the application of local laws a mere nominal statement. What we often see passed into law relates to online gambling, which involves risks and conduct different from those of MMORPGs.

Other relatively regarded in-game conventional rules, which determine what may seem to be right, good or acceptable, are those enjoined by the community of gamers (like having by-laws and an elected council that is recognized by the SP as the gamers' legitimate representative), which is rare at most; the guild rules and their respected common values; and those understandings between player and player. Eventually, what are quite influential to gamers' conduct in a virtual world, knowing that an avatar is a "virtual alter ego", are their individual circumstances, priorities, outlook, beliefs, principles in life and social influence.

Admirable social expectations are not difficult to experience, and neither are they impossible in VWs. They are already there, even in the given virtual combat engagements. The game storyline is actually leading gamers to easily acknowledge the global positive impact of in-game constructive attitudes, and be drawn into groups that likewise respect common positive values, sense of sacrifice and honor.

Ultimately, gamers, individually or by group, will find that the beauty of their virtual world, it being playable and a relaxing retreat is what they make of it, how they conduct themselves, and how they treat each other. That discovery is the ultimate challenge, the main quest, and the key to virtual survival, which is gratifying each play, for indeed virtual world is just one huge dungeon for all.

What is easy for everybody is making that huge dungeon dirty and disappointing. And when that tide of ugliness happens, the easiest part is blaming the game developer and the publisher.

Nonetheless, admirable expectations in VW are possible if empathetic human spirit is invested more into the industry, above corporate priorities and material gains, whereby the corporate entity and the individual end-user are both partners and stakeholders. It would be a reality whereby intellectual property generated in VWs is appreciated as the collaborative effort and creativity of both stakeholders.

Virtual realities in which corporate entities compete in devising prisons to hold end-users' minds captive for profit have to be demolished and superseded by realities whereby both partners acknowledge the importance of risk-sharing, fight hampering cyber threats together, and whereby a declaration of avatar rights is contemplated, recognized and cherished.

While human liberties are declining in the real world, it is unthinkable that human beings are shackled and incapable of even raising the essence of liberty and the pursuit of happiness in a fantasy world. It is awful to admit that exploitation and injustice are encumbering human beings even in their created dream worlds, in their use of creative imagination, and that they are still impotent to do anything to resist them.

The fact is that MMORPGI is already integrated among the dynamic fibers of human society, particularly the multitude of young and hopeful hearts, and is turning the tide of competition as to which among VWs can offer dependable privacy and investment security, a reliable reputation, a service-driven culture, and a lighthearted, relaxing experience.







Content Sources-
  • Insights and experiences shared by the community of gamers of the CabalPH Forum
  • ENISA publications
  • Wikipedia
  • Google images
  • jokersybdicate.com (cover image)
