The gaming world presents a number of unique challenges when it comes to preventing fraud.
The very nature of the product—an immersive customer experience—means that fraud hits players on not just one, but two levels. First, when a fraud like gold farming or selling stolen in-game goods occurs, it breaks the all-encompassing experience of the game. This creates an extremely poor user experience and affects player loyalty to the product. Second, when a fraud like an account takeover happens, it has consequences in the game and the real world.
Who controls the environment?
Fraudsters use stolen usernames and passwords to access accounts. They usually then change the address and passcodes on the account, lock the rightful account owner out and take control.
In gaming, account takeover creates a number of serious consequences for players and game developers. Account takeover can happen on two different levels because most games have both a service login and a game login. The service login is where players manage their account, including credit card information. The game login logs players into the game itself. The username and password for each login are often the same, so once a fraudster has access to one, they have access to both.
Fraudsters take over game accounts to gain control over all the in-game goods that a player has acquired. Once a hacker controls the account, they can sell off the goods for real-world money. They can also use the account to run bots for gold farming. Once inside the service account, they can use the credit card to buy in-game currency and resell it as well. For game developers, this illegal activity creates chargebacks and hurts their reputation. For players, account takeover completely ruins the experience of the game.
It’s much better for the longevity and success of a game if the developers proactively defend against account takeover. There’s nothing more disconcerting for a player than to discover a friend's character has been hijacked by a fraudster mid-play. Games can live or die based on the player experience, and when fraud visibly begins to take over the game environment, the news will spread quickly through the gaming community.
Getting fraudsters out of the game
It’s extremely important to have excellent fraud prevention software tools so that fraud managers have the ability to research and stop fraud before it happens. Strong device recognition is an important part of that equation. At iovation we’ve been told by our gaming clients that certain tools, in particular, help them stop account takeover.
Flexible business rules that flag the following behaviors are vital to stopping account takeover:
- Account Velocity—how many accounts are being opened in a certain period of time by one device
- Device Velocity—how many different devices are logging into one account within a specific time frame
- IP Velocity—how many transactions originate from the same IP address in a given amount of time
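The three velocity rules above can be evaluated with a sliding time window over the event stream. The following is an added example, not iovation's code or part of the original article; the event fields, the one-hour window, the thresholds and the sample events are all assumptions made for illustration.

```python
from collections import defaultdict, deque

WINDOW = 3600                                   # seconds (assumed)
LIMITS = {"account": 3, "device": 3, "ip": 3}   # assumed thresholds

# rule -> (event kinds counted, field the rule is keyed on, field counted distinctly)
RULES = {
    "account": ({"signup"}, "device", "account"),         # accounts opened per device
    "device": ({"login"}, "account", "device"),           # devices logging in per account
    "ip": ({"signup", "login", "purchase"}, "ip", None),  # transactions per IP address
}

def velocity_flags(events, window=WINDOW, limits=LIMITS):
    """Return (ts, rule, key, count) for each event that brings a rule to its limit."""
    recent = {rule: defaultdict(deque) for rule in RULES}
    flags = []
    for e in sorted(events, key=lambda item: item["ts"]):
        for rule, (kinds, key_field, counted) in RULES.items():
            if e["kind"] not in kinds:
                continue
            q = recent[rule][e[key_field]]
            q.append((e["ts"], e[counted] if counted else None))
            while q and q[0][0] <= e["ts"] - window:   # expire events outside the window
                q.popleft()
            count = len({v for _, v in q}) if counted else len(q)
            if count >= limits[rule]:
                flags.append((e["ts"], rule, e[key_field], count))
    return flags

def ev(ts, kind, account, device, ip):
    return {"ts": ts, "kind": kind, "account": account, "device": device, "ip": ip}

# Constructed sample events (ts in seconds; addresses from documentation ranges).
SAMPLE_EVENTS = [
    ev(0, "signup", "acct-1", "dev-A", "198.51.100.7"),
    ev(600, "signup", "acct-2", "dev-A", "198.51.100.7"),
    ev(900, "purchase", "acct-1", "dev-A", "198.51.100.7"),  # 3rd transaction from one IP
    ev(1200, "signup", "acct-3", "dev-A", "198.51.100.8"),   # 3rd account from dev-A
    ev(2000, "login", "acct-9", "dev-B", "203.0.113.5"),
    ev(2100, "login", "acct-9", "dev-C", "203.0.113.6"),
    ev(2200, "login", "acct-9", "dev-B", "203.0.113.5"),     # repeat device, not a new one
    ev(2300, "login", "acct-9", "dev-D", "203.0.113.9"),     # 3rd distinct device on acct-9
    ev(9000, "login", "acct-1", "dev-A", "198.51.100.7"),    # earlier events have expired
]

if __name__ == "__main__":
    for flag in velocity_flags(SAMPLE_EVENTS):
        print(flag)
```

Account and device velocity count distinct values, so a player logging in repeatedly from one device does not raise the device count, while IP velocity counts every transaction.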
It’s important to be able to quickly discern whether the stated IP address matches the actual IP address. A spoofed IP location can indicate fraud or other high-risk behaviors.
One of the most important tools when it comes to stopping account takeover is knowing the past behavior of a device that connects to a game site. If a device has been marked with previous fraud, including account takeover or credit card theft, iovation clients can deny that device access.
Linking Devices to Accounts
It’s one thing to find a single bad guy by researching transaction history. What makes that find even more valuable is the ability to flag their device with a record of fraud. That “evidence” of fraud propagates out to every other device and account associated with the fraudster’s device. This lets fraud managers uncover and stop whole rings of related hackers and keep them out of the game.
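The propagation described above can be modeled as a walk over a graph whose nodes are devices and accounts and whose edges are observed associations. This is an added example, not iovation's implementation or code from the original article; the association pairs, the identifiers and the `max_hops` limit are assumptions for illustration.

```python
from collections import defaultdict, deque

def linked_entities(associations, flagged_device, max_hops=4):
    """Breadth-first walk of the device/account graph from a flagged device.

    associations: iterable of (device_id, account_id) pairs seen together.
    Returns {("device" | "account", id): hops from the flagged device}.
    """
    graph = defaultdict(set)
    for device, account in associations:
        d, a = ("device", device), ("account", account)
        graph[d].add(a)
        graph[a].add(d)

    start = ("device", flagged_device)
    hops = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if hops[node] == max_hops:      # stop expanding at the hop limit (assumed policy)
            continue
        for neighbour in graph[node]:
            if neighbour not in hops:
                hops[neighbour] = hops[node] + 1
                queue.append(neighbour)
    return hops

# Constructed sample: dev-A is flagged; dev-B shares acct-2 with it; dev-Z is unrelated.
SAMPLE_ASSOCIATIONS = [
    ("dev-A", "acct-1"),
    ("dev-A", "acct-2"),
    ("dev-B", "acct-2"),
    ("dev-B", "acct-3"),
    ("dev-Z", "acct-7"),
]

if __name__ == "__main__":
    for entity, distance in sorted(linked_entities(SAMPLE_ASSOCIATIONS, "dev-A").items()):
        print(distance, entity)
```

The hop count gives reviewers a way to treat direct associations differently from distant ones, which matters when a device is legitimately shared by several players.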
Log-in is one of the most important touch points in the customer lifecycle. It’s the point of entry for many hackers, and if you can stop them there, they never have a chance to commit fraud. Fraud managers use iovation’s device-based authentication to register customers’ devices to their accounts. Each time someone attempts to log in to an account, a check is run in the background to make sure it’s the same registered device. If it’s not, then the log-in can be denied, reviewed or escalated to another level of multifactor authentication.
The reputation and success of a game are closely linked to players’ experience of the environment. If fraud in any way intrudes on the game world, it will ultimately test the loyalty of the players. Game developers spend a great deal of time and resources creating the perfect game. If they don’t take fraud prevention seriously, hackers can quickly ruin the immersive experience as word spreads through the gaming community. A strategy to deal with fraud, such as account takeover, should be part of every game developer's go-to-market plan.
Additional Resources: Read our SG North case study and find out how we helped them shut down over 1,000 fraudulent accounts.