Watch out, there are thieves about. That’s as true in virtual worlds as it is anywhere else. Theft of players’ accounts has blighted large multiplayer online games for years. But a new approach that automatically spots suspicious activity could help catch crooks in the act.
Online games and sites like South Korea’s ItemBay, which let people trade virtual items for real money, turn over hundreds of millions of dollars a year. But such sites can be targeted by hackers because they tend to have weaker security than a shopping site or online bank.
If thieves can get their hands on someone’s user ID and password – by phishing, say – they can take over that person’s account and make off with the virtual items, which are often worth real money, or credit attached to it.
In 2015, it was reported that Steam, the world’s most popular online store for PC games, had around 77,000 of its accounts hijacked every month. And online message boards for games like World of Warcraft, Final Fantasy XIV and League of Legends are littered with stories from users who have had their accounts, virtual items or digital currency stolen.
“They commonly say it happens at lightning speed,” says Huy Kang Kim of Korea University in Seoul. “When they log back in to the game server after taking a toilet break, they’re shocked to find all their things are gone.”
Kim used to work in the security division at NCsoft, the publisher of Aion, a fantasy-themed online role-playing game popular in South Korea. Now Kim and his colleagues have come up with a way to police online games automatically.
By analysing several months’ worth of data from Aion, the researchers noticed that hackers often log in and out of stolen accounts repeatedly, checking to see if the victim has realised that something fishy is going on.
Thieves then tend to siphon off virtual items to a network of other accounts they control, often also stolen. The items are in effect shared out between an in-game criminal gang of characters, which usually makes them hard to trace.
But studying the data revealed that these characters often started behaving differently themselves. Instead of taking part in battles, they might suddenly begin trading items, for example. After training their software on the Aion data, Kim’s team found it could detect suspicious activity with more than 80 per cent accuracy.
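The three signals described above (repeated logins, a switch from battles to trading, and items flowing out to other accounts) can be sketched as a rule-based check over an event log. This is an added example, not the researchers' trained software; the log format, action names, thresholds and account names are all assumptions made for illustration.

```python
from collections import Counter

# Constructed sample events: (minute, account, action, counterparty).
# The log format and action names are assumptions for this example.
EVENTS = [
    # "alice": long history of battles, then a burst of logins and transfers
    *[(t, "alice", "battle", None) for t in range(0, 600, 30)],
    (1000, "alice", "login", None), (1003, "alice", "logout", None),
    (1010, "alice", "login", None), (1012, "alice", "logout", None),
    (1020, "alice", "login", None),
    (1021, "alice", "trade_out", "mule1"), (1022, "alice", "trade_out", "mule2"),
    (1023, "alice", "trade_out", "mule1"), (1024, "alice", "logout", None),
    # "bob": ordinary player who trades once between battles
    *[(t, "bob", "battle", None) for t in range(0, 1000, 50)],
    (990, "bob", "login", None), (1005, "bob", "trade_out", "carol"),
    (1015, "bob", "battle", None), (1018, "bob", "battle", None),
]

def signals(events, account, now, window=60, min_logins=3, shift=0.5):
    """Return the takeover signals raised for `account` in the last `window` minutes."""
    mine = [e for e in events if e[1] == account and e[0] <= now]
    recent = [e for e in mine if e[0] > now - window]
    baseline = [e for e in mine if e[0] <= now - window]

    def trade_share(evts):
        # Fraction of gameplay actions that are outbound trades rather than battles.
        acts = Counter(a for _, _, a, _ in evts if a in ("battle", "trade_out"))
        total = sum(acts.values())
        return acts["trade_out"] / total if total else 0.0

    raised = set()
    if sum(1 for e in recent if e[2] == "login") >= min_logins:
        raised.add("repeated_logins")
    if trade_share(recent) - trade_share(baseline) >= shift:
        raised.add("battle_to_trade_shift")
    if any(e[2] == "trade_out" for e in recent):
        raised.add("outbound_transfer")
    return raised

def suspicious_accounts(events, now, required=3):
    """Accounts raising at least `required` signals, so no single signal flags a player."""
    return sorted(a for a in {e[1] for e in events}
                  if len(signals(events, a, now)) >= required)

def transfer_recipients(events, account, now, window=60):
    """Accounts that received items from `account` recently, for follow-up review."""
    return sorted({e[3] for e in events if e[1] == account
                   and e[2] == "trade_out" and now - window < e[0] <= now})
```

Requiring all three signals keeps an ordinary player who logs in once and makes a single trade from being flagged, and the recipient list gives an analyst the next accounts to examine.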
Despite stealing being so common in many online games, it has taken some time for it to be recognised as genuine theft. In 2008, US police refused to investigate when a Final Fantasy player reported that virtual items worth $3800 had been stolen from his account, for example. But authorities are catching up. In 2012, the Dutch Supreme Court upheld a conviction for the theft of items in a game called RuneScape.
The technique of monitoring people’s online behaviour for security purposes is now booming, says Laurent Heslault at information security firm Symantec. He is interested to see it applied to video games. Monitoring how people play could also provide a form of ongoing authentication for legitimate players. “If we can detect your behaviour as you play, we can use this to make sure it’s really you and not someone else,” he says.
The tactic might not work for long, however. “Once people know that you’re investigating behaviour, they can adapt it,” says Richard Bartle at the University of Essex, UK, who studies online games.
But Kim is not deterred. Thieves may try to throw detection software off their tracks by acting differently. But as long as the ultimate goal is to profit from stolen goods, they will have to transfer items between accounts and out of the game eventually, says Kim. “Their final behaviour will not be changed so easily.”