Friday, August 18, 2017

Global War On Illicit RMT - Albion Online's Rough Start

When a new MMORPG launches, a lot of people get excited. Players. Developers. Gold sellers. That's right, every new game launch is another opportunity to make a quick buck. For some reason a sizable minority of players do not want to play the game except for the "fun" stuff. To bypass the "not fun" stuff, those players pull out their credit cards and look for sellers of game currency.

For brand new games, gold sellers don't have a lot of stock (i.e. gold) in the beginning, so until gold farming accounts become skilled up, gold sellers resort to other means such as hacking and credit card fraud. A World Bank report published in 2011 noted that one of the negative externalities the secondary real money trading market brings to games is:
"Secondary markets create incentives for cybercriminals and scammers. Virtual goods are among the most sought-after commodities in the general hacking scene (Krebs 2009). This forces game publishers to spend more on security and increases their customer service costs (although one retort is that indeed any market where goods can be resold is an incentive for crime)." (p. 18)
The same report estimated that 20% of all virtual currency sold on the secondary markets came from hacked accounts.



Into this environment, the German game studio Sandbox Interactive launched the crowd-funded MMORPG Albion Online. Access to the game is acquired by purchasing a starter pack, which provides gold and 30 days of premium access as well as unique items at the higher tier of packages. Players could pay for continued premium access as well as purchase additional gold from the cash shop. Sandbox also offered the option of acquiring additional premium access time by trading their silver for gold in the game (aka the PLEX model).

Theoretically, offering gold with the initial purchase is a good idea. Not only does Sandbox entice people to buy larger packages, but hopefully players will not feel the need to immediately go out and purchase gold. The only problem was that the packages made credit card fraud more attractive. After all, if the gold sellers needed to buy a copy of the game anyway with a stolen credit card, why not buy the biggest package? Think of the situation as one-stop shopping for gold sellers.

On 20 July, three days after launch, Community Manager Talion announced the banning of 250 accounts involved in buying or selling gold. Talion explained Sandbox's rationale for the bans:
As most of you know, and those accounts now learned the hard way, we are taking a "No tolerance" stance towards anybody involved with 3rd party currency transactions. Why? Glad you ask!

The Gold that these 3rd Party sellers offer comes, in nearly all of the cases, from purchases with stolen payment data. So: fraud.

This will always cause economic damage. Either to the owner of the misused credit card, if he did not notice the charge. Or to us, because not only is the money for these fraudulent payments then charged back, we also get to pay a chargeback fee on top. And I won't even start with the influence it can have on the economy if left unchecked.

We will continue with our efforts to make the game a fair playground for everyone - and shall nuke again.
Unsurprisingly, people continued to buy and sell gold on the grey/black markets. On 25 July, Sandbox announced another 350 account bans. Still, the next seven days saw more than an additional 800 accounts banned. Sandbox responded in Launch Patch #2 on 4 August by removing the ability of players to directly trade gold or deposit gold into guild accounts. Talion explained on the forums:
Hello everyone,

we have made a few posts announcing that we’re banning 3rd party currency sellers and buyers in the past. We did so again today.

More than 800 accounts that acquired currency from 3rd parties have been permanently banned.

Keep in mind that currency that these people “sell” has been acquired with stolen credit card or Paypal data. This makes it a financial problem for all involved - the people whom these cards belong to, the banks - and us. Hence, we reinforce our stance that we fight this on every level.

On top of permanently banning accounts that are involved in these trading schemes somehow, we are taking steps towards making this kind of currency trades much more difficult. The first step for this is removing the ability to directly trade Gold with another player, or donate Gold to guild wallets. Withdrawing will still be possible, however no new Gold can be donated.

This will happen during today’s maintenance. The only way to trade Gold will be through the player-driven Gold market.

This is only the first step we will take to make it as difficult as possible for these criminals to keep doing their “business”.

Important: we will continue to permanently ban all accounts involved in 3rd party currency transactions!

To quote myself from a later post in the thread but also make it visible here:

"The bans are obviously not just because “someone accepted Gold / Silver”. Else, probably half of the game would be gone now. Giving a friend a leg up with some currency, or even giving a guild or a friend a larger amount is a standard procedure in MMOs.

We don’t want to make it easier for the criminals, so I cannot go into too many details about how exactly we do it, but:

We only ban in cases where we are certain that the persons received the Gold from 3rd party sites."
To change a mechanic so closely tied to Sandbox's business model is an indication of how much the credit card fraud hit the studio. According to LexisNexis Risk Solutions, every dollar of credit card fraud cost merchants $2.40. So, for example, every fraudulently purchased Legendary pack cost Sandbox almost $240 in addition to the lost revenue. If Sandbox sold 2,000-3,000 packages later reversed due to fraud, the fees alone would run over $500,000.



Sandbox's moves did not go unnoticed by the gold sellers. Distributed denial-of-service (DDoS) attacks, a common response when an RMT operation becomes particularly upset, began almost immediately. On 6 August, Sandbox posted the following:
Fellow Adventurers,

as you might already be aware, Albion Online is currently being targeted by so called "Gold Sellers". These are criminal enterprises who obtain stolen credit cards and paypal accounts, use them to buy gold from us and then sell on that stolen gold (or now, silver) to players of the game at a discount. This is very damaging to everybody who has their credit card or PayPal stolen, and of course to us as a company. It's also damaging to everybody who purchases gold or silver from these websites as their accounts will be permanently banned.

To combat these activities, we have tightened up our internal protection measures and will add additional measures going forward.

More importantly, we will try to go after the gold sellers' funding source. What really surprised us when researching these websites - involved in credit card and PayPal fraud on a massive scale - is that they actually accept PayPal and credit cards as a form of payment. We are certain that if PayPal and the credit card companies knew about these activities, they'd quickly shut down their merchant accounts. Hence, we have started collecting and compiling evidence of their conduct and are going to directly report the fraudulent websites to the payment processing companies such that hopefully their funds will be frozen and they won't be able to accept credit cards and PayPal on their websites any more. If us contacting the payment processors ourselves is not effective, we will directly contact their headquarters through a specialized law firm. We are not trying to go after the gold sellers directly, as that usually won't work, but rather shut down their means of getting paid and we are eager to find out how successful this will be.

Finally, when it comes to blackmail attempts by some of these companies, it goes without saying that we will never give in to them. As every blackmailer will know, it's the worst thing you could ever do. Of course, every blackmail attempt and DDOS attack is being reported to the relevant law enforcement agencies, too, though realistically the chance to catch somebody is quite slim. Having said that, sometimes it does happen, and if it does, we will pursue every case to the fullest extent possible, no matter where the offender is based - above activities are a crime in every jurisdiction in the world and it's always possible to find a local law firm to represent you.

Your Albion Online Team
In the midst of the DDoS attacks, Sandbox began to name and shame buyers in response to claims of unfair bans.





The detection process is pretty simple in cases of credit card fraud. Once the account is identified, all the fraud team has to do is follow the transactions. Sandbox doesn't even need to write a detection script that might have a bug.
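One way to "follow the transactions" outward from charged-back purchases, as an added example that is not from the original post and is not Sandbox's actual method, which the studio declined to describe. The ledger rows, account names, the review threshold and the rule that tainted gold leaves an account before clean gold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample ledger (not real game data); "time" is an ordinal tick.
PURCHASES = [  # (time, account, gold, charged_back)
    (1, "seller_a", 12000, True),
    (2, "alice", 2000, False),
    (3, "seller_b", 12000, True),
]
TRANSFERS = [  # (time, sender, receiver, gold)
    (4, "seller_a", "mule_1", 10000),
    (5, "mule_1", "buyer_x", 6000),
    (6, "alice", "bob", 500),      # ordinary gift between friends
    (7, "seller_b", "buyer_y", 3000),
    (8, "mule_1", "buyer_y", 4000),
]


def trace_tainted_gold(purchases, transfers):
    """Return {account: gold received that traces back to a charged-back purchase}.

    Assumption: when an account holds both tainted and clean gold, the
    tainted gold is treated as leaving first (a conservative tracing rule).
    """
    tainted = defaultdict(int)   # tainted gold currently held per account
    received = defaultdict(int)  # tainted gold ever received from others
    events = [(t, "buy", (acct, gold, bad)) for t, acct, gold, bad in purchases]
    events += [(t, "xfer", (src, dst, gold)) for t, src, dst, gold in transfers]
    for _, kind, data in sorted(events, key=lambda e: e[0]):
        if kind == "buy":
            acct, gold, charged_back = data
            if charged_back:
                tainted[acct] += gold
        else:
            src, dst, gold = data
            moved = min(gold, tainted[src])  # only what the sender actually holds
            if moved:
                tainted[src] -= moved
                tainted[dst] += moved
                received[dst] += moved
    return dict(received)


def review_queue(received, min_gold):
    """Accounts whose traced intake meets the threshold, largest first."""
    hits = [(acct, gold) for acct, gold in received.items() if gold >= min_gold]
    return sorted(hits, key=lambda h: -h[1])


if __name__ == "__main__":
    traced = trace_tainted_gold(PURCHASES, TRANSFERS)
    for account, gold in review_queue(traced, min_gold=5000):
        print(f"{account}: {gold} gold traced to charged-back purchases")
```

The gift from alice to bob never enters the result because nothing in that chain started with a charged-back purchase, which matches Talion's point that accepting gold from a friend is not by itself grounds for a ban.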


On 11 August, Sandbox deployed Launch Patch #3 which introduced more changes to combat the gold/silver trade. The most noticeable change involved a pop-up screen informing players that buying/receiving any illicit currency would result in a permanent ban. Less flashy changes included the introduction of a report player function and a new requirement for using the gold market: "at least one character on the same account must have been logged in since this patch while having Journeyman Adventurer unlocked."

Yesterday marked one month after the official launch of Albion Online, but the developers are not getting the expected inflow of money for the start of the second month. Due to issues at launch and the DDoS attacks, the company is giving out compensation. Bercilak, the CEO of Sandbox Interactive, made the announcement on the forums:
Dear Albion Community,

In the first two weeks post launch, our servers had some performance issues, causing frequent reboots and some zones in the game being unavailable due to overcrowding. We have dealt with these issues and announced compensation for this here.

Unfortunately, on Saturday, August 5th, we had a short DDOS attack followed by an extortion attempt, which we of course did not comply with and immediately reported to the relevant law enforcement agencies.

This was followed by heavy DDOS attacks from Sunday, August 6th onwards. Properly defending against well-executed DDOS attacks is a very challenging task, and far harder than a quick Google search might suggest. In close collaboration with leading experts in the field, we are making significant progress. Recent attacks have impacted the server's performance, but generally were not successful in bringing it down. Our defenses are constantly being optimized and fine-tuned. Having said that, we are not in a position to give the "all clear" just yet.

To compensate players for the outages caused by the past days' DDOS attacks, we are awarding an additional 7 days of premium time to all characters that played with active premium any time between July 17th and August 11th (UTC time). This means that those premium characters who had also been affected by the server issues immediately post launch will now get 14 days extra premium time in total.

The compensation will be given out during the daily maintenance tomorrow, August 12th.

The ongoing server attacks are extremely frustrating for all players. Tackling them is our utmost priority. We will certainly get them under control, and expect to make further progress over the coming days.

Some of you might be worried about the long-term impact of the server issues on the future of the game. Our philosophy here is quite simple: We have always believed and consistently communicated that Albion Online is a game with a long-term focus. We have been working on the game 5 years, with the goal that it shall be successful 5 or even 10 years down the road. What counts is the longstanding quality and longevity of the game, and not just riding the hype wave around release. While the release hype has of course taken a hit due to the attacks, in the long term, it won't matter, as the lasting success of a game is solely dependent on how good it is.

So, let's fix the current issues, and get on with it!

Your Albion Online Team

Albion Online still has a lot of problems with hacking of the client and botting, but the grave damage credit card fraud did to the corporate wallet required Sandbox to take drastic actions on that front. But will the server instability caused by the DDoS attacks irreparably harm the game in the long run? The answer to that question, as well as whether Sandbox will eventually suppress illicit RMT activity to manageable levels, is as yet unknown.

Thursday, August 10, 2017

Jumping To Conclusions

Sometimes following Twitter leads to some amazing things. Last night I saw this Tweet in my timeline.


So I wound up logging into the Singularity test server last night to see for myself. Sure enough, the crate item does indeed state that the manual for unpacking and assembling the ship seems to be missing.


The assumption that Ashterothi made is that these event prizes will require some sort of real money payment to open. Reaching such a conclusion doesn't pass the smell test. Lockboxes are traditionally just a random drop item. Making someone pay to get the prizes from a progression event like what I saw on Sisi is such an idiotic concept that CCP would deserve to lose half their customers if they even thought to do such a thing. But perhaps I'm wrong and someone in Reykjavik put a drooling imbecile in charge of monetization.


Something I noticed about the redeem window is that the left half is transparent. I marked in red where the window actually extended. Usually I would expect half the area to have some sort of graphic that would make opening the crate a fancier experience. The one thing I do expect is that the ships earned while doing the events will show up as the race of the pilot opening the crate so that alpha players receive ships they can use. The character I used is Minmatar and received a Minmatar industrial ship.

As the final screenshot shows, the event is still under construction, so I can't definitively state that CCP is not using the event to introduce lockboxes. Perhaps the missing part of the window will explain what the text in the item window means. But at this point, using the text of the crate to indicate that CCP is introducing lockboxes is a tremendous leap of logic.

Friday, August 4, 2017

CCP's War On Illicit ISK: Ghost Training

Ghost Training, according to CCP, "is defined as the use of alpha account status to accrue skill points at a more rapid rate than they are gained through normal alpha account gameplay, and/or train omega skills on an alpha account." Basically, any player whose subscription lapsed following the introduction of CCP's version of an extended trial in November unwittingly benefited from the exploit. The exploit impacted the secondary markets due to the ability to extract the skill points and convert them into ISK, or just sell the injectors themselves.

Demonstrating the hazard discount

What was the impact of ghost training, if any, on the price of ISK on the secondary markets? Outside of last month, no clear evidence exists. As always, the major driver of prices on the black market is the price of PLEX in The Forge. Beginning in September 2016, the hazard discount settled into a range of $8-$10 USD/billion ISK. The hazard discount is the amount of a price reduction ISK sellers must offer buyers relative to the price of ISK purchased through CCP-approved means in order to entice those buyers into risking CCP banning all of their accounts. For example, the average hazard discount for December, the first full month the exploit existed, was $8.94/billion ISK. Six months later, the hazard discount was still $8.90/billion ISK. The most likely impact of the exploit on the black market was to protect profits as the rising ISK price of PLEX forced ISK sellers to drop their prices to compete with CCP.

So what happened in June that exposed the influence of Ghost Training on the secondary market? Quite simply, CCP acted to shut down the practice, forcing those ISK sellers to react.

Notable events in June and July

The first public indication of CCP attempting to shut down Ghost Training occurred on 8 June. CCP ran a script that had the unfortunate effect of pausing the skill queues of players not engaged in using the exploit. While the script failed to permanently stop Ghost Training, some of the smaller players in the black market dropped their prices fairly significantly in case the release on 13 June instituted a permanent fix.

Apparently, any fix included in YC 119.6 failed to work, as CCP publicly declared Ghost Training an exploit on 15 June. CCP's next move involved contacting all players detected taking advantage of Ghost Training in some way and giving them the option of either extracting the skill points and giving the SP back to CCP, or handing over a set amount of ISK and/or assets. What is known is that CCP started contacting players on or about 26 June.

Either some of the major ISK sellers taking advantage of the exploit were contacted earlier, or the public declaration of Ghost Training as an exploit had an effect on its own, because the market took a noticeable turn downward starting on 20 June. Over the course of the next 10 days, the 7 day rolling average cost of 1 billion ISK dropped 15.7%, from $4.27/billion ISK down to $3.60/billion ISK.

Some of the wreckage from the Ghost Training banwave

The price chart indicates that CCP began banning accounts in some of the larger RMT operations around 30 June-1 July. One seller stood out as the shop was the largest seller on Player Auctions in the first half of 2017, selling over $65,000 worth of ISK and skill injectors. The seller disappeared from the listings from 28-30 June and around the same time was banned from 2 RMT forums where ISK sellers often go to buy their stock.

Bought from a shop using stolen credit cards

The second largest seller of ISK and skill points on Player Auctions in the month of June also appeared to take advantage of the Ghost Training exploit. That belief came into question on 5 July when the shop's customers started complaining about the shop using stolen credit cards and receiving unusually harsh punishments from CCP. The shop may have left the EVE black market soon after, as the last time it listed ISK for sale was on 24 July.

Finally, did the vast amount of cheap ISK sold in June result in vastly larger profits for the ISK sellers? Overall, the ISK sellers on Player Auctions sold nearly 4.8 trillion ISK in June compared to 3.6 trillion ISK in both April and May. The result? The data I collected indicates ISK sales were down $120 from May's total and $2700 compared to April. When selling over 1.1 trillion ISK more in a month doesn't bring in more real life money, maybe EVE's illicit ISK sellers should try to find a more profitable business.