Kicking Fraudsters Out Of Online Games

How To Stop Fraudsters Target Gaming Platforms

It’s been said cybercriminals look for the path of least resistance when they target businesses or online marketplaces to steal data or money.

And, increasingly, online gaming platforms — attractive to the bad guys due to their scale and relative anonymity — are in the crosshairs.

In one recent event that grabbed headlines, video game developer Valve Corp. said it was halting the trading of “container keys” between players facing off in games like Counter Strike, which is available through the online marketplace Steam.

In an announcement late last month, Valve said “nearly all” trading of the keys was “believed to be fraud-sourced.”

The Economist noted that the announcement is a “rare admission of the growing problem of using video games to facilitate financial crime.”

The overall utility of the container keys has been players buying the keys with money and using them to gain rewards in the Counter Strike game, such as weapons. The keys, according to reports (but unconfirmed thus far by Valve or Steam), were bought with stolen cards and traded on the Steam marketplace. While money cannot be taken from the Steam accounts, it appears that a secondary market took shape, as other sites featured “loaded” cards for sale — by the fraudsters for real money.

The practice may have been halted there, at least, but it shines a bit of light on how black markets for (stolen) assets and credentials continue to proliferate around the world and target virtual verticals.

In an interview with PYMNTS, Peter Cavicchia, senior vice president of General Services at Fiserv (where his role includes oversight of the firm’s cybersecurity and enterprise fraud organizations), said the Valve/Steam news comes as gamers (and gaming sites, of course) are embracing a greater number of trading and funding mechanisms across various platforms.

The goal for the bad guys is to monetize the trading and funding, either by draining bank accounts or by selling the assets that have been compromised.

In the Steam case and elsewhere, the methods used to gain access have likely been the same: stealing passwords through phishing and even malware. The fraudsters are able to collect hundreds or thousands of credentials across games and platforms, then go elsewhere to advertise those credentials (perhaps stored in digital wallet form), and make $25 or $100 or more in a quick sale.

Just relying on a username and password is no longer enough, Cavicchia said. There need to be additional layers of defense, spanning the use of trusted devices, and alerts sent to gamers about new logins (or attempts) or changes to accounts.

The same principles apply, then, to virtual and real currency and commerce alike, and require the joint efforts of merchants, platforms, financial institutions — and gamers, too.

The tools are there, but mindset matters. Consider the findings of Fiserv’s 2019 Cybersecurity Awareness Insights Study, which found that 55 percent of respondents know their online financial data is vulnerable, but only 6 percent are doing something to protect it.

The challenge of spurring safeguarding on the part of gamers themselves is a bit greater than might be seen elsewhere, given the fact that younger participants, including teens, might be less informed about how to protect their data.

“There’s going to have to be a bit of proactivity on the gaming platforms” to incorporate and offer the same controls that already exist with online merchants and banks, Cavicchia told PYMNTS, especially with real-time alerts through push messages, biometrics and analytics.

Those lines of defense, useful in any setting, are especially important across gaming platforms that include online gambling, where a number of factors converge to make sure users are authenticated before they’re allowed to participate. Once inside the platform, Cavicchia said, merchant analytics and artificial intelligence (AI) can help determine suspicious behavior.

“Gaming transactions and the funding mechanisms that go into them need to be protected the same way that eCommerce transactions would be protected,” he said.