A Gamer’s Perspective on Fighting Fraud: Why it’s So Hard & Why Deeper Collaboration May Be the Answer
- Prime Target. With 2.5B Gamers, over $150B in revenue, and an almost fully digital economy, the gaming market is a prime target for fraudsters.
- Many Lines of Attack. Platforms, publishers, distributors, storefronts, marketplaces and even gamers themselves — are all targeted on a daily basis.
- Friction Isn’t Feasible. Adding friction for good users will encourage them to go somewhere else, given the range of digital distribution platforms available.
- The Fraud Fighters’ Konami Code. This industry has an incredible and unique advantage — the huge overlap of users between the platforms, storefronts and marketplaces. Good gamers have a long history and are trusted by a wide array of companies.
- Challenges of Cooperation. Until now, privacy and natural competition has meant that companies were unable or unwilling to share data.
- Privacy For The Win. Privacy Enhancing Technologies mean gaming companies can work together, without sharing any data, finally enabling these companies to collaborate for the first time.
- TLDR-TLDR: Create an amazing experience for known, trusted gamers, and keep bad actors out of your ecosystem.
For those of you interested in reading the full article, it starts below — glhf!
As someone who’s been an avid gamer for more than 20 years now, and a follower of the industry as a whole, I’ve watched the gaming industry evolve dramatically.
There are very few industries with a following as loyal, passionate and enthusiastic as gamers. We don’t just love our games, but the platforms, publishers and marketplaces that create and distribute them. It’s not just a hobby, for players, modders, alliances, clubs, fanboys and die-hards, it’s about being part of a community.
Of course, this comes with some challenges for the companies in the industry. Gamers have incredibly high expectations of the companies who create, maintain, develop and distribute their beloved games. This adds extra pressure for professionals in the industry: How can they deliver a perfectly seamless experience for good gamers, while blocking bad actors from their ecosystems?
A Delicate Balance: Blocking the Bad Without Annoying the Good
Fraudsters like online gaming almost as much as good gamers do — meaning fraud prevention teams are constantly on the front lines.
It’s a pressing challenge all the time, though it certainly hasn’t become any easier during the current crisis. Good new users are flocking to gaming, many for the first time — but fraudsters are following suit. One recent study found both a 21% increase in gaming transactions and that 27% of all transactions on online gaming platforms are fraud attempts, making it a top attacked industry.
The Witcher might have a silver sword that’s just for monsters, but there’s no such easy distinguisher for fraud teams. As fraud fighting teams know, fraudsters specialize in looking just like normal users — until it’s too late.
Moving at the Speed of Play
In gaming, everything has to be instant for the user — including purchases. That means manual reviews, which are a default protective step in other industries, are more problematic here. Even if you use them for some situations, you don’t usually have a shipping address to verify, making identity validation harder than in other industries.
On the other hand, this need for speed is a huge bonus for fraudsters, since it makes it more difficult to identify their strategies. Moreover where digital goods are concerned, the fraudster can cash out immediately — they have the item at once, so they can resell it or misuse it straightaway.
The real-time aspect is hard for companies which deal with in-game purchases, be it on PC, console or mobile, but it’s important for marketplaces and distributors as well. In a sense their challenge is even greater, since their average transaction value is typically much higher than the latest skin, but gamers have the same expectations of instant delivery.
Protecting Accounts and Your Ecosystem
Fraudsters are as likely to target your account integrity as to attempt payment fraud — and, in some cases, more likely.
There are two kinds of vulnerability here: new account fraud, and account takeover (ATO). Both of these sorts of fraud affect all kinds of gaming companies, but in different ways.
New Account Fraud
New account fraud is when a fraudster sets up a fresh account using data you haven’t seen before, looking as much like a good gamer as they possibly can. Sometimes they use the real information of a victim whose information they have stolen. Sometimes they combine real information with fake data, to create a synthetic identity.
Sometimes, they barely give any information at all. Often a company will learn little more than the user’s email address, easily “validated” even when fake, before they see a credit card for the first time, and before a digital item is bought or — if it’s a fraudster — stolen.
Account Takeover (ATO)
The second kind of account attack is Account Takeover — when an account belonging to a real user is taken over by a fraudster. Often, these login details are stolen through phishing, sometimes exposed in data breaches, or the subject of brute force or other attacks. This kind of attack is especially pernicious as your ecosystem loses out in three ways.
My Steam account stats — thousands of hours (and dollars) of investment
No I don’t have a problem, why do you ask, Mom?
Firstly, there’s the material damage that the fraudster can do, using the account. I myself have thousands of dollars worth of games in my Steam account, along with numerous items, skins and hats can be stolen, and sold, if a hacker takes it over.
Secondly, they can commit further theft using the financials attached to the account itself, or they can add a new stolen payment instrument and use it to make purchases — which they can then resell faster than the best Good Games Done Quick Any% Speedruns.
Finally, there’s the damage done to the merchant’s reputation with the user. If a marketplace account is breached, and the gamer loses trust in the marketplace as a result, there’s a real risk that they’ll just go elsewhere next time. And if it’s in-game, they might stop making in-game purchases altogether; one study found that approximately 33% of players were completely abstaining from in-game purchases to avoid being cybercrime targets.
Fortnite made recent headlines for hosting a Travis Scott concert in-game. That’s a whole new level of gamer engagement, and it only comes when gaming has a community feel, so that gamers feel like it’s a real and natural part of their lives. On average, gamers spend 7+ hours a week gaming, and I think I’m certainly not alone in admitting that sometimes it’s a lot more at the moment.
Don’t forget, this is an industry where your real identity is not normally front and center. In my personal MOBA of choice, I’ve been known as “shmuls” for years, and have made great friends without ever learning people’s real identities (shoutouts to Madanor, BigErn, Doughnut, Blind and many others). You might choose not to use your IRL name — and you wouldn’t be the only one.
“The people who are playing the game who are often more valuable than all of the animations and models and game logic that’s associated with it.” — Gaben
But fraudulent accounts pollute your ecosystem — and that harms the gaming environment for everyone, even those not targeted by the fakes in phishing schemes or thefts. And that’s a problem. To quote Gaben, “If you look at a multiplayer game, it’s the people who are playing the game who are often more valuable than all of the animations and models and game logic that’s associated with it.” It’s all about the people. So you need to have the right ones.
Solo Queue Doesn’t Work Here
Working alone, fraud prevention teams face a very high level of difficulty.
The fraudsters who attack gamers and gaming companies tend to specialize in this industry. They know where vulnerabilities are, and can use and reuse stolen details on one platform after another. They can create new attacks quickly, and scale them faster than your system can adapt.
Two (or multi) factor authentication might seem like a solution (though it’s not infallible). But in-game, 2FA can break the flow of a purchase, especially when purchases are made quickly, with a sense of urgency, say while queuing or waiting for an update to download.
Gamers who don’t have their device with them, or who put the code in incorrectly, may be locked out of their accounts… and when you’ve finally got your kids to bed, the baby stops crying, and you’ve got maybe two hours at most to play Assassin’s Creed Odyssey for the first time in days before she wakes up for her next feed, nothing is more irritating.
Collaboration is the Key
Fraud prevention teams in the gaming industry have always been particularly open to collaboration — sharing trends, techniques, best practices and even sharing email blacklists. But this data sharing has been limited to negative data. And with fraudsters moving quickly between sites, changing IPs and clearing their trails, it hasn’t brought much relief.
Sharing data about the good and loyal customers has never been an option. Even though there’s huge overlap between the users on different gaming sites, privacy and competitive concerns have always, and rightly, stood in the way of direct data-level collaboration.
Identiq has the answer: a completely anonymous verification network that allows its members to validate new users, and vouch for ones they already know, without sharing any customer data or identifiable information whatsoever.
Identiq: Peer-to-Peer Collaboration Without Sharing Any Data
A gamer signing up to your platform, storefront or marketplace might be new to you — but there’s a 90% chance that if they’re real, they’ll already be known and trusted by other gaming companies. Speaking for myself, I have dozens of accounts, including one with every major digital distribution service, and a couple of indie ones for good measure!
The same is true for a user signing in; if something changed from what you know, such as IP or device ID, does it match what other companies know to be typical for this gamer? By working together, you can leverage the knowledge and trust of the industry, not just your database.
Given that there are companies from other industries on the network as well, the chances are good that a user will never really be new again. That’s much better for an industry where providing a frictionless user experience is crucial to the nature of the business.
What makes this possible is the fact that with the Identiq network, my personal user data never leaves the company I gave it to. No data is shared, copied or transferred. Not in hashed form, not in encrypted form — not at all. In contrast to all third party provider systems, no sensitive user data is shared. Ever. At all.
Rebooting Identity Validation
So this is our rallying cry to all the digital distributors out there, all the publishers with their own storefronts, all the platforms and marketplaces. We, your gamers, your communities and die-hard fans are demanding better.
We want a better purchasing experience, we want to know our accounts aren’t going to be taken over, we want you to keep fraudsters out of your platforms, and we want you to do all this without sharing our data or breaching our privacy.
Start working together, and be able to trust a good user the minute they sign up. No need for friction, no need for long processes. And at the same time, put a barrier in the face of fraudsters who steal identities, credit cards, or user accounts.
It’s time the fraudsters called GG this time, instead of the industry we love.
About the Author
Shmuli Goldberg is the CMO at Identiq. A self-professed “fraud-tech nerd”, he has spent an unhealthy amount of time focusing on fraud strategy, execution, analytics, and optimization. Shmuli has worked with hundreds of technology start-ups in the Israeli ecosystem and has been a featured speaker at industry conferences all over the world. Shmuli has spent over 4,000 hours in DOTA 2, has bought The Witcher 3 on three separate platforms (Steam, GOG & Switch), and still remembers the layout of the Statue of Liberty level in Deus Ex by heart. He is still not good at DOTA 2.