Security in Virtual Worlds: Blurring the Borders

What if we told you that there was a country — an economic powerhouse with a population the size of Austria’s — where millions of dollars change hands daily, but with no police, no extradition laws and where exchanges can happen anonymously?

What if we tried to convince you that money from that nation could be readily exchanged into dollars, euros, rupees or any other currency you’d care to name?

Sounds like a pretty good place to be a thief, right? As you probably suspected, this is all hypothetical and there is no country exactly like that. There are, however, some places where all of those things are true, and they exist without geographic boundaries. Those places are the in-game virtual economies of massively multiplayer online role-playing games (MMORPGs) like “World of Warcraft” and virtual worlds such as Second Life.

Just a Game?

First, let’s set the stage. The virtual worlds of “World of Warcraft” and Second Life are “persistent” (they exist and evolve while a player is not logged in) and highly popular (millions of people participate). Within these worlds, players exchange goods and services just as they would in the real world: they acquire and sell virtual items, and they provide services to other players such as transportation and “crafting” (constructing items from raw materials). Together these activities form the foundation of an active, round-the-clock virtual economy.

The effect of these economies permeates beyond the virtual world. Linden Lab, the publisher of Second Life, operates an online market exchange (Lindex) where Second Life currency (Linden dollars) can be bought, sold or exchanged for traditional, non-game currencies.

For instance, as I write this, yesterday’s Lindex currency market represented US$250,000 exchanged, and the overall virtual money supply is just under $10 million. While that doesn’t sound like much compared to more traditional currency markets, the market statistics published by Linden point to non-linear and dramatic growth in both the volume of currency and the amount of currency changing hands.

If this trend continues, there is a potential for these markets to become significant — potentially representing billions of dollars. “World of Warcraft” is no different. While the currency market in this case is more difficult to track given that exchange of in-game material for real world currency is against the game’s terms of service, we can expect the currency market to exceed that of Second Life by at least an order of magnitude.

The Potential for Fraud

What’s important to recognize about both the Lindex and the unsanctioned “gold exchange” outlets for “World of Warcraft” is that these economies are unregulated.

Traditional markets have regulatory oversight: activities that might be criminal are more difficult to carry out because of protections put in place by regulators, for example, transaction recording and record-keeping, both to ensure taxes are paid and to serve as an anti-money-laundering measure (i.e., to help trace the point of origin of funds). While it is difficult to know for certain whether and how transactions within virtual communities are recorded, it is likely that little or no record keeping is being done. If that’s the case, these exchanges are an anonymous, international channel for transferring currency with little or no oversight.

That’s problematic, to say the least.

Even more concerning is the potential for deliberate market manipulation. While deliberate manipulation of a market like the New York Stock Exchange is illegal, manipulation of virtual markets such as these may not be — and the likelihood of lax record keeping would make deliberate manipulation difficult to spot from the outset.

Petty Theft

Wholesale exploitation of the markets aside, there’s also petty theft to worry about. Profiteers can use the games themselves as vehicles for more “personal” forms of theft.

Typically, a game account carries stored profile information such as home address, e-mail address, phone number(s) and credit card details (for billing purposes). This information can be stolen through “phishing” attacks (where users receive e-mails designed to trick them into giving away account credentials) or through automated means, such as malware, that target game participants.

The years 2006 and 2007, for example, have seen an increase in the number of malware and Trojan programs written with the primary purpose of stealing passwords from online players. These malicious programs piggyback on exploitable vulnerabilities (in the Web browser, for example) to install password-stealing software or account “harvesting” programs.

Exploits on the Loose

Aside from fraud that can be committed within the technological constraints of the virtual community, there is also the potential for exploitation of scenarios that the developers never intended when designing the game world.

For example, we’ve already seen malicious attacks against Second Life such as the “Grey Goo” infestation (where self-replicating objects brought tremendous negative consequences to the community). A similar exploit that allows a user to replicate objects (also called “item duping”) plagued “World of Warcraft” and “Everquest 2” before the developers patched it.

If we assume that virtual objects within the community have value, then unintended replication of those objects is obviously problematic. Even if the goal is not to “clone” items and sell them, imagine the impact on the in-game currency market if a prankster can affect it at will.

One Path Forward

Convinced there’s a problem? We are. There are a number of places and a number of avenues where the unscrupulous can capitalize.

However, if that’s the case, what can we do about it? First, we need to start taking these communities seriously and start educating people — users, developers and regulators alike — about the possible consequences and what they can do to help prevent exposure scenarios.

We have described attacks targeted at users, such as keystroke loggers and phishing e-mails. The same methods used in traditional anti-malware education (teaching users not to divulge passwords, keeping their systems patched, and having security software installed) apply in this context just as they do in others. Users need to stay alert so they do not become victims. They should also realize that while they might just be playing a game, someone else might view the stakes as much higher.

Developers also have a role to play. They need to take these communities seriously too, rather than viewing the products they put out as just another “time-waster.” Good security design and practices should be built in right from the beginning; developers should implement methodologies to track large in-game monetary transactions, and they should ensure adequate testing and quality assurance of their product. With more and more publishers looking to get MMORPGs out the door quicker, there is a push toward middleware solutions to offload some of the more intensive game mechanics (physics, asset tracking, etc.). How about middleware components with a focus on security?
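As an added illustration of the tracking recommended above, and of the item-duplication problem from the previous section, here is a small Python replay of an in-game economy ledger. It is example code written for this page, not code from the article or from any game publisher. The log format, player names, item IDs and the review threshold are all invented; the sample log is constructed so that each detection fires once.

```python
"""Minimal audit of an in-game economy ledger (added example, not the
article's or any game publisher's code).  It detects three things the
column discusses: a unique item being minted twice, an item moved by
someone the ledger says does not hold it (a duplicate or forged copy),
large currency transfers, and a series of sub-threshold transfers that
add up to a large inflow.  Event format, names, IDs and thresholds are
all assumed."""

from collections import defaultdict

LARGE_TRANSFER = 50_000   # assumed review threshold, in-game currency units

# Constructed sample server log, one event per line in commit order.
SAMPLE_LOG = """\
1 CREATE item=sword-7f3a owner=alice
2 XFER from=alice to=bob amount=200
3 MOVE item=sword-7f3a from=alice to=bob
4 MOVE item=sword-7f3a from=alice to=carol
5 XFER from=bob to=dan amount=75000
6 CREATE item=sword-7f3a owner=eve
7 XFER from=frank to=carol amount=30000
8 XFER from=gina to=carol amount=30000
"""


def parse_log(text):
    """Turn 'seq KIND key=value ...' lines into dicts, preserving order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        seq, kind, *fields = line.split()
        event = {"seq": int(seq), "kind": kind}
        event.update(f.split("=", 1) for f in fields)
        events.append(event)
    return events


def audit(events, large_transfer=LARGE_TRANSFER):
    """Replay the ledger and return (seq, code, detail) flags for review."""
    owner = {}                  # item id -> player the ledger says holds it
    inflow = defaultdict(int)   # player -> sum of sub-threshold receipts
    flags = []

    for ev in events:
        seq, kind = ev["seq"], ev["kind"]

        if kind == "CREATE":
            item = ev["item"]
            if item in owner:
                # A unique item ID minted a second time: the classic "dupe".
                flags.append((seq, "DUPLICATE_ITEM",
                              f"{item} minted again; ledger holder is {owner[item]}"))
            else:
                owner[item] = ev["owner"]

        elif kind == "MOVE":
            item, src = ev["item"], ev["from"]
            if owner.get(item) != src:
                # Sender hands over an item the ledger says they do not hold.
                flags.append((seq, "PHANTOM_ITEM",
                              f"{src} moved {item}; ledger holder is {owner.get(item)}"))
            else:
                owner[item] = ev["to"]

        elif kind == "XFER":
            amount, dst = int(ev["amount"]), ev["to"]
            if amount >= large_transfer:
                flags.append((seq, "LARGE_TRANSFER",
                              f"{ev['from']} -> {dst}: {amount}"))
            else:
                before = inflow[dst]
                inflow[dst] += amount
                if before < large_transfer <= inflow[dst]:
                    # Many small transfers that together cross the threshold.
                    flags.append((seq, "STRUCTURED_INFLOW",
                                  f"{dst} received {inflow[dst]} in sub-threshold transfers"))
    return flags


if __name__ == "__main__":
    for seq, code, detail in audit(parse_log(SAMPLE_LOG)):
        print(f"event {seq}: {code}: {detail}")
```

The replay only works if the server records every create, move and transfer in a single ordered log that players cannot write to; the ownership map is rebuilt from that log rather than trusted from client state, which is exactly the record keeping the column argues is missing today.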

Lastly, and most importantly, regulators need to start taking these communities seriously. Today, it’s just a few million dollars here and there, but it doesn’t take a rocket scientist to see the writing on the wall. The expansion of the economies coupled with unregulated and anonymous movement of funds makes this a prime target, and it pays to think ahead and look down the road to how criminals might make use of it.

Anand Sastry is a senior consultant for CTG’s information security practice.
