How To Level Up In Fraud Prevention For Video Games

06-November-2018

It was striking to see one of the first things that Epic Games did with its pile of money from the enormously successful battle royale game Fortnite. With a billion dollars in cash or more, Epic Games acquired game security and player services firm Kamu in Helsinki. Stopping fraud, cheating, and other attacks has become a big deal in the $139 billion game market.

We talked about the problem of fraud in video games at a session entitled “Hate the fraudster, not the game” at the recent Money 20/20 event on the future of money in Las Vegas.

Brad Wiskirchen, CEO of Kount, moderated the panel. I served as a speaker on the panel, as did Scott Adams, former director of risk management at Riot Games and fraud expert at FraudPVP; and Nina Diatchenko, fraud operations supervisor at Linden Lab.

Our panel touched on the explosive growth of games and the return of fraud as criminals and others follow the money. I spoke about the history and context behind the fraud, while Adams and Diatchenko talked about specific problems like fake account creation, account takeover, and cheating, and what to do about them.

Here’s an edited transcript of our conversation.

Brad Wiskirchen: Joining me on the panel today, we have three other individuals. We have Dean Takahashi, lead writer for GamesBeat at VentureBeat. We also have Nina Diatchenko. And Nina has a background in banking but is now with Linden Lab, the creators of Second Life, which is pioneering the virtual world and home to the world’s largest digital goods economy. We also have Scott Adams, the former director of risk management at Riot Games, and he’s been consulting with a lot of gaming companies now in his new life as a post-Riot Games consultant, helping gaming companies overcome fraud problems. Thanks for joining me, everybody.

I think I’ll start with Dean. You’ve been covering the gaming industry for over 20 years now. How has the prevalence of fraud in gaming evolved over the years?

Takahashi: [I’ve been writing about games for decades.] Fraud seems to have stuck around. I think that things that everybody is familiar with, you can summarize in a few short ways. There’s the one everyone in the room knows, which is children play and parents pay. There’s the entitled or entrepreneurial gamers, who twist the rules like with the gold farming in China. There’s fraud that’s perpetrated, depending on your POV, by either the gamers or the companies. There’s the usual currency fraud and cheating as well. So, these things were around a while ago and are still around.

Wiskirchen: Nina, you’ve been in this game a long time. What about you? How have you seen this evolve?

Nina Diatchenko: I would say with digital goods, you can buy goods digitally in Second Life, but it’s … similar to a brick and mortar — people try to steal things from you. People will try to social engineer your account and take over your account and make purchases with your existing information on file. And with that, they keep trying to get in. That’s never going to change. They’re not going anywhere, and if you don’t see them, that means you’re not looking hard enough.

Wiskirchen: Scott, how about you? Has the growth of the industry overall lent this to becoming a bigger target?

Scott Adams: Yeah, I think if you go back five or six years ago, kind of the advent of esports added a whole new dimension to this. Most of us who’ve dealt with fraud a long time, will see things like credit card fraud and its high impact. But now, mixed in with esports and now the big, social side of gaming, I think you tie it just as much back to say you’ve got rank fraud. When you have [rankings in games], you get all the rewards, and people want to have that rank, which leads to other means of fraud.

Wiskirchen: Interesting. So Nina, we’ve been talking so far about keeping fraud rates down and types of fraud. Is there a way for gaming companies to improve their acceptance rates in addition to fighting fraud?

Diatchenko: Well, you have to first think about what your risk appetite is. What are you willing to accept with declines? What are you willing to accept with fraud actually getting approved? You want to find a nice balance. It’s all about balance. You want as many good customers as possible to go through and be able to buy things.

You want them to be engaged, and you don’t want to put too much friction to keep them from doing so. So, I think you have to first understand who your good customers are, but you also have to understand who your bad customers are and differentiate — make profiles about them. So, you can let as many good customers through, and that will increase your acceptance rates and you know how to keep your chargeback rates down.

Wiskirchen: Dean, you interact with a lot of gaming companies. How do you find, from what you’ve seen, how do you find them balancing that growth and addressing fraud?

Takahashi: Well, if you remember, Zynga was one of the biggest meteoric rising game companies from 2008 onward. But a lot of people may not remember that when Zynga Poker came out, it got hacked. It got hacked so bad that they were potentially going to go out of business. They were losing so much money trying to deal with the poker chips that they were supposed to be selling for real money. Instead, people were stealing.

If they had not solved that problem, they would have never become a multi-billion dollar company. So, there’s a lot at stake — especially at the very beginning when you’re just getting started. Fortunately, they did solve it within a matter of weeks, but I think it’s a good lesson for any company.

Wiskirchen: Scott, how about you? What do you think about the rise of fraudulent accounts in gameplay, like account takeover? You think those things have turned players … the legitimate players, I guess I should say.

Adams: No, I don’t think they’ve really deterred players. As a consultant, I like to see the other side and a lot of the other parts. What I see a lot is that I don’t think it really deters the player during gameplay. Especially, as you said earlier, there are a lot of young people playing, and they don’t even realize it. If you go back, you can ask people how many accounts they have.

They’ll say a lot. You probably have just a very high percentage — that same password is [used in every one of the accounts]. People have to realize that they can protect themselves, and they can use two-factor authentication, and other things so that they [can be safe]. Make sure that their good, important accounts are protected along with their gaming accounts.

Wiskirchen: Nina, how about you?

Diatchenko: To add to that, I would say that education of your customers is important. If they don’t know what a good password is — I know, yes, we still have passwords, and they still exist, and that’s a lot of what is securing you from a hacker. And if you want to avoid just basic brute force hacking of accounts, you have to make good passwords.

And if you don’t tell your customers, especially people who spend a ton of time, money, building their accounts and have communities, they have things of value attached to that account. If they have a password123 on it, they’re going to come to you — come to me, why didn’t you do something sooner? Why did you let this happen? And then, we’re gonna try to scramble and try to retain as much as we can.

Adams: And that goes back to your comment earlier — optimizing friction and what risk the company is willing to take. Because really, you can solve this with two-factor authentication. But, that’s too much friction for the marketing team. How do you balance that? Every company that I work with — that’s a fight every time. Do you give up verification?

Do you require verification on sign-on? No, you don’t. None of us do. We should but we don’t. So, I think in a lot of ways, it’s just as much our problem, and if we would all talk about this and will say our companies are doing that, it’d be great. That would be educating the consumer and more of us taking responsibility in protecting those accounts.

Wiskirchen: Do you think the players have a role in combating fraud or ever report fraud to the organization?

Diatchenko: Definitely, yeah. In Second Life, you have in-world reporting tools. The [reports] directly come to us. We get to review it at our leisure, depending on how urgent it is. And we can really take a deep-dive and find out something. And they try to call us. We have a fraud line for exactly these reasons. If you suspect your account is hacked, let us know. We want to fix it for you. Don’t just chargeback all those fraudulent charges. Let us know so that we can keep that from happening to another customer in our system.

Wiskirchen: Scott, what are you seeing on that front?

Adams: If you have a good community — that’s one of the things I liked best about Riot. Their community was incredible. One time we had, I was on the East Coast, and Riot’s West Coast, and my team is on the West Coast. One time, some guy was going to forums, saying, “Hey, my account was banned, but I didn’t do anything wrong.” Our founder was up early, so I get an email from him at 6 a.m. my time, and said, “Hey, check this out.”

Before LA woke up, before my team woke up and could actually dig into it, the community had chimed in. They looked up the guy’s account. They basically told him and wrote in to tell him, “Here are all the ways you’ve been hacked.” And by the end of it, the guy’s admitting, “OK. Yeah, sure. That was me.” The better your community, the more interactive you are with your customers, the more that happens. And that’s why in gaming, especially, people get really passionate about the game. So oftentimes, you will have an active community if you engage with them. It’s really valuable.

Takahashi: I also see a very different type of phenomenon where the company and its programmers leave a door accidentally open and the gamers will take advantage of it. And then, at some point, the company figures out, “We’re losing stuff this way.” Or, “We set up a rule in a bad way,” and then, they shut it down. And then, the entitled gamer effect comes about. “What, what’s going on? You made this available to us. We figured out how to take advantage of it, and now, you’re taking it away from us? We’re in an uproar and have a revolution.”

And that’s when they call me. I’m sort of their outlet for frustration when companies are overwhelmed with too much to do or too many complaints. They band together sometimes and form a community to protest against a company. All these mobile game companies in particular have had revolts from gamers who felt wronged in some way when they felt like the company took away something that was there by accident.

Wiskirchen: Interesting. We have a couple of audience polling questions, and now is a good time to go to the first one. Do you think gaming companies are more likely concerned with PC or mobile fraud? Go into your iPads to answer that question. While the audience is answering that question, I think I’ll ask you that same question, Dean. What type of gaming fraud do you think gaming companies are most concerned with — mobile or PC fraud?

Takahashi: I think we’ve seen headlines on both sides. Most recently, I did an interview with one of the anti-fraud experts at Adjust, the mobile ad measurement company. And they had so many concerns about it that they formed a coalition against mobile ad fraud. A consortium of companies is getting together to deal with what they blame as the multi-billion dollar problem. Mobile gaming is a $70 billion mobile game business. It’s pretty significant.

Wiskirchen: So, it looks like the audience — 74 percent believes that game companies are more concerned with mobile over PCs; 26 percent for PCs. So, interesting results. Scott, let’s ask you a question here — how much are game companies concerned with authenticating the user and protecting individual accounts, from your experience?

Adams: What I’d like to see is a whole lot more concern with it. Really, those gaming companies aren’t as concerned as I think they ought to be with authentication. But the problem is how do you authenticate someone if they’re underage? It’s not hard authenticating an adult. Technically, we have IDs. We have bank accounts. We have credit cards. But, our data is out there, and when you talk about kids, the problem is if you want to take a hard stance on authentication, that’s great, but how do you identify kids? Most of the time, I’d say half the time, I’m not dealing with the cardholder, I’m dealing with the player. And if the player is not the cardholder, it’s harder to get through authentication. Is email really gonna get it? I think it’s really difficult. And the direct answer is that the game companies aren’t nearly as concerned with it, partially because they can’t.

Wiskirchen: What about you Dean, what are your views on that? Are gaming companies concerned enough with authenticating the user and protecting individual accounts from your perspective? Or, do you hear a lot about that?

Takahashi: I just remember the Sony PlayStation Network hack. They lost how many accounts? They lost tens of millions of accounts. I think Facebook, also a big game company, got 30-50 million accounts hacked? I think it’s still a huge problem, and I don’t know whether or not they’re doing enough about it or not. It seems like a cat-and-mouse game that keeps on escalating, and you fix one thing, and people attack another. But I have not seen stats on this subject that would clarify that.

Wiskirchen: Nina, how’s Linden Lab handling [authentication]?

Diatchenko: I think with that, we have multiple layers that we approach fraud. We try to recognize it on all the levels. By the time it comes to my desk, it gets picked up, and it’s my job to take a deeper dive and look into what’s going on. How far does this one particular incident go? It really depends on how much damage they’re doing. Like, the way you’re going to react to it depends on how bad is the instigator. Like, is it someone brute forcing, or is it account sharing? One of the things I deal with is cleaning up the messes for people sharing accounts. And that’s not necessarily a hacker. That’s like two people fighting over an account that they both put time and effort and money into together, so who’s the owner of that account when it’s shared? It’s not something that you can predict.

Adams: Right. Culturally too — here, it’s not prevalent to share accounts. In Latin America, Eastern bloc countries, it’s completely normal. So, they don’t say it’s fraud.

Takahashi: Yeah, I remember in Game of War, the largest factions in that game that spent the most money were the whales — 2 percent of the users account for a huge percent of the revenues coming in. The top clans in that game — they shared accounts across the globe so that they could keep the account defending against attacks 24 hours a day, seven days a week. And they could not have handled the demands of that kind of play without having a whole team sharing that single account. I think their number one guy was in Dubai, and he was like financing a bunch of other players through his one account, so that was interesting.

Wiskirchen: Dean, are there emerging areas of gaming that you think are going to be particularly vulnerable targets in the near future, from what you’re seeing and hearing?

Takahashi: Well, I think the launch of Fortnite is very instructive. It’s 125 million users that’s become a cultural phenomenon. Football players are doing the Fortnite dance when they get a touchdown, and they recently launched on Android.

They got like 15 million players right off the bat, but they did so in a way that reflected the values of the CEO, Tim Sweeney — who’s a big believer in open source, open systems. And he felt like the app stores weren’t doing their job earning the 30 percent take that they take from in-app purchases. So, they launched on Android without going through the Google Play store. They did a side-loading of the game through the Epic Games site — and they’re big enough to do that.

But then, they introduced the challenge of security problems. A bunch of fake Fortnite games surfaced, and they tried to take advantage of this. They said, “Oh no, you can sideload through us instead of Epic Games.” They were just side-loading viruses. Epic, no surprise — they’ve made a billion dollars out of this. One of the first acquisitions out of this they did was Kamu, a security and anti-cheat, anti-fraud company. Scott, I think knows a lot about that.

Wiskirchen: Scott, you consult with the biggest of the big when it comes to games. How about you?

Adams: Not really, I think it’s going to be the same that we’ve been seeing for quite a while. We’ve already talked about account security, and I think that’s going to become more and more important, especially as we have more cross-console games coming out, which is what Epic’s doing, and that’s what other game companies are trying to do.

We just have to as an industry work together and remember that we’re not competitors, right. We’re not competitors. Epic and Riot aren’t competitors. Even if you’ve got a game or if you’re not a game company, if you have competing products, fraud people are not competitors. We can share a friendship. I’m not going to tell a competitor in the game what the next game is or what the next item or whatever it’s gonna be, but I can say, “Hey, I just saw this happening in fraud.” I don’t think there’s going to be a lot of “new” that’s to come, but I do think we can combat it a lot better if we can find a way to work together.

Wiskirchen: That kind of tees up the next poll question. Do you think (and I’ll ask the audience so that they can go to their iPads), do you think gaming companies have what it takes to outplay fraudsters and prevent fraud better than other industries? It’s a yes/no question, but I’ll go and ask the panel the same question. Dean, what do you think? Do you think game companies have what it takes to outplay fraudsters?

Takahashi: You know, I kind of have a mixed opinion about that. No, I don’t think it’s possible for outright defeat. They just have to stay ahead of them.

Wiskirchen: Nina, what about you?

Diatchenko: I would say that just as you study the fraudsters in your system, they study you. And they’re not going to stop studying and find out other ways to try to get into your system so you need to go to these conferences to talk to your peers, keep learning. Something that might have been prevalent a year ago — carding, whatever you have it. It’s gonna be different somehow. That’s why people out here are talking about AI, machine learning because they’re gonna be able to adapt to change. Humans can adapt to change, too, so keep upping your skill set for sure.

Wiskirchen: Scott, how about you?

Adams: Really good, same thing. I’m going to very much disagree with this. I do think game companies do have the ability to beat the fraudsters. But, basically, what I said separately — we have to work together. We have to share data, and we also have to work with other outside groups. With people like me, people like Kount, and all the companies that you see over at the exhibit hall. Individually, it’s tough because if I’m, say, working at Epic, they see a lot of transactions, but they don’t see them all.

So, you need other parties involved that they see multiple, more transactions than we do as an individual merchant. So, if we work together as merchants, as an industry, we can definitely beat it. As Nina said, there’s whole buildings, businesses built around defrauding American companies, defrauding game companies over in China, Eastern bloc countries. We have to remember that they are talking with each other. Why aren’t we?

Wiskirchen: And that’s Scott, who zealously disagrees with the audience who came in at 79 percent who don’t think that gaming companies have what it takes to beat fraudsters. And 21 percent do. So, with that, we have very little time left and have one last question for the entire panel. I’ll start with Scott and work our way down to Dean. What are some of the best practices that gaming companies can deploy to mitigate fraud? Just some advice to everyone in the audience in this space.

Adams: We don’t have a lot of time but a few things — we mentioned here a lot about account security, I think we need to do a better job of that. Email verification, two-factor authentication, and gating — it doesn’t have to be at sign up. I think everyone needs to be using some form of brute-force protection as well. It could be as simple as putting a small delay or could be a much more advanced solution like device ID at sign-on and also at the transaction level.

Diatchenko: Just to bring it back, Know Your Customer, KYC. You need to know who you’re expecting to be good and give them … we want them to spend. Figure out who your good customers are and let them spend and then figure out who the bad ones are and give them a lot of friction. Then, I would say, invest in your team. Have conversations with people outside of the fraud team. Make sure you have legal, CEO knows what’s going on. You all have the same goal, to provide the best experience with as little risk as you’re willing to accept.

Adams: To weigh in on top of that — she went to CEO, to legal. I would go the other way from what other companies think, talk to your customer support. Talk to player support. They talk to your customers every day, all day. I like to look at them as the front lines.

Diatchenko: Yeah, agreed.

Takahashi: I am encouraged by some technologies that are coming. Helpshift has some very interesting automated help functions that they have built into FAQs for games, and they can handle complaints from lots of people and spot things much more quickly.

Then, also blockchain technology seems like it has to apply here in a big way. I mentioned this problem earlier of player entitlement, and you know the notion that they’re always fighting with the game companies over what they own and what should be theirs.

And blockchain with things like non-fungible tokens and uniquely identifiable collectibles that you can say for sure belong to a particular gamer, and even if that gamer, say, wants to leave and take that thing to another game, blockchain can settle that kind of question or dispute. So, the transparency, security of blockchain, I think, is very encouraging, and there’s a startup out there called Authentic out of Scandinavia. They’re using both blockchain and face identification to figure out whether somebody, let’s say on Twitter, is a problem. As someone who’s been banned from playing a game, whether they’re trying to come back and just open another account. And Authentic thinks they’ve found a way to stop that. So, I’m encouraged by some of the tech that is coming in.

Wiskirchen: Well, Scott, Nina, Dean, thank you very much. Appreciate your time and comments and thank you all.