Schneier on Security
A blog covering security and security technology.
August 10, 2005
Stealing Imaginary Things
There's a new Trojan that tries to steal World of Warcraft passwords.
That reminded me about this article, about people paying programmers to find exploits to make virtual money in multiplayer online games, and then selling the proceeds for real money.
And here's a page about ways people steal fake money in the online game Neopets, including cookie grabbers, fake login pages, fake contests, social engineering, and pyramid schemes.
I regularly say that every form of theft and fraud in the real world will eventually be duplicated in cyberspace. Perhaps every method of stealing real money will eventually be used to steal imaginary money, too.
Posted on August 10, 2005 at 7:36 AM
• 28 Comments
Is there really a distinction?
Items of value are items of value whether physical assets, or intellectual property or game assets (really a form of intellectual property). As long as people view them as valuable, taking them is theft.
Another article I read some time ago discussed the reselling (for real money) of assets and powers in large multiplayer role games and estimated that this virtual market rivaled the economy of a small nation. The reporter even found virtual brothels operating within the game in which characters would engage in interactive 'cyber sex' in exchange for game goods.
Even real money is imaginary. (Ish)
The money itself may be imaginary, but the time and effort spent to generate money is real and measurable. If I can generate 1 gold piece per hour in World of Warcraft, and I make $55/hour in Real Life, what is the comparison?
I get annoyed when people say that mmog farmers are selling "imaginary things".
What people pay the mmog farmers for is, in reality, time. You pay the farmers to gain items for you in a virtual world so that you don't have to spend the time to do so yourself. It's no different in that respect than buying a novel, paying for someone to take care of your lawn, or paying someone to play sports while you watch.
When someone steals these "imaginary" things, what they are stealing is time, plain and simple. The item's value is measured in time and sometimes skill -- how difficult it is to get, how hard it is to extract it from the game system, how useful it is in the context of the game. This is similar in some respects to stealing intellectual property, a book or movie for example. Most of what goes into making a movie is skill and time; money is only there to get skill and time together in the right place (in theory). What results from the creation of a movie is very much an ephemeral, imaginary thing, but it still can be immensely valuable.
A difference is that movies and books are created for many people to enjoy, while mmog characters are created en masse for individual people to enjoy. These thefts are thus very personal and very devastating, as (usually) nothing remains of the creation developed by the player in the context of the game.
The first point is that unlike "real wealth" imparted by base minerals etc, "monetary wealth" is based on what people are prepared to exchange their labours for (that's why we get inflation etc).
The second point to note is that paper and coin money are tokens, that represent units of work (labour). Credit cards are likewise tokens but they are not exchanged, only impressions of them (or their data) are. It is only people's "faith" in the tokens that gives them "monetary wealth" that they will exchange goods and services for.
Therefore any token that people have faith in can be used as money, even if it is just the movement of a few electrons down a wire.
About ten years ago I was involved with an MSc. course, and one of the parts of it was about the "information economy".
The supposition was that money could be effectively replaced with information and then see what effects it would have.
One interesting fact about information is that you can, unlike money, spend it several times ;)
It kind of got interesting when trying to work out the equivalent of seigniorage, or the cost of information in transit.
The upshot was that we realised that you actually need more safeguards and checks on information than you do on "real wealth" items or "monetary tokens"...
So I am not surprised in the slightest, that a person of criminal intent would apply existing techniques used against an existing token system, against a new token system that has not yet developed sufficient safeguards.
I think the process was documented by Darwin a few years ago ;)
Pretty soon we will create the imaginary police, who will become extremely corrupt. Then we will need the imaginary national guard to instill martial law. In this heat I will become the first imaginary president and quickly become the imaginary dictator. By this time, all things imaginary will be tradable for real.
"Pretty soon we will create the imaginary police, who will become extremely corrupt. Then we will need the imaginary national guard to instill martial law. In this heat I will become the first imaginary president and quickly become the imaginary dictator. By this time, all things imaginary will be tradable for real."
And if we object to any of this, the imaginary terrorists will win.
Since when did asset value have to be absolutely tangible as opposed to relative? Is that even possible? It is critical to understand value to the owner (not only from your own perspective) in order to calculate risk...
For example, I can just imagine telling a client "Those $200 shoes you are trying to protect, yeah, those are actually only worth about $30 in absolute terms...all that 'imaginary fashion' stuff is just to make your world seem more vivid and to obscure the shoes' pathetic origins."
OK, that's not funny anymore! :-)
"And if we object to any of this, the imaginary terrorists will win."
But what about the sqrt(-1) terrorists?
Well said. The bottom line is people will spend money on things they find valuable. Just because you can't put it in a safe deposit box or under your bed at night doesn't mean it isn't valuable. I can't do that with my bank account / PIN number...
Protecting yourself in game can be as hard or harder than in real life. If I fall for a scam in real life, I have some action that I can take. If I fall for a scam in WoW, at most I can report it to a GM who doesn't really care and more than likely is laughing at me.
I've heard about (never validated) that in certain Asian countries they are creating virtual police that will investigate online crimes related to MMOGs. I don't think that future is too far off.
Here's a link you might find relevant to this discussion:
"Qiu Chengwei, 41, repeatedly stabbed Zhu Caoyuan after discovering that Zhu had sold the "dragon sabre" for 7,200 yuan (£464). Qiu had lent his friend the cybersabre last February, later reporting it as "stolen" when he learned of the transaction. Police, however, told him that - as the disputed weapon was virtual property - he had no recourse to law."
"China Daily notes that the sorry affair raises something of a legal poser regarding online "possessions". Wang Zongyu, an associate law professor at Beijing's Renmin University of China, told the paper: "The armour and swords in games should be deemed as private property as players have to spend money and time for them.""
And there is another link in the story to an even more interesting one where a woman was charged with illegal access rather than the issue of damage to assets...
Most games make you agree to an EULA that, in my experience, has always included something to the effect of: "All characters, items, currency, etc. belong to us."
So in many cases people are technically paying for permission to play with said corporation's online world and its contents, not own pieces of it.
Good point. This calls out some simple political science and economics. I mean if you can never own something in a virtual world you may still find it valuable enough to rent, lease, sub-lease, etc. But if there is significant risk of repossession, then obviously the value of the assets is lessened. Now, if your friendly gaming corporation confiscates everything on the market...
Excellent subject. All I can say is the sooner we mere mortals with our silly money and need for demonstrable evidence accept the validity of the Flying Spaghetti Monster, the better:
As a former online gamemaster, claims of 'x stole my sooperwidget!' or 'I lost my sooperwidget because of a bug!' were almost routine. We had procedures to document when such items were issued or sold or won as the result of a quest ... and the first thing we would have to verify is whether or not the character actually owned said item. For every player willing to put in time and effort to develop their characters and gain higher-value items ... there were those who would REPEATEDLY try to con their way to fame and fortune. (Bear in mind, these calls also came in while I and other gamemasters are working on developing new areas in the game.) And, yes, password sharing/theft was a problem in 1995, too.
I had another thought on the matter: Since players are essentially leasing or renting the game content that their character may possess, shouldn't that entitle them to the same legal protections afforded to people that rent or lease other "virtual" properties and services, such as web hosting?
For example, writing a virus that brings down multiple corporations' websites generally results in huge financial damages, which is attributed to the downtime and labor involved in getting things back up.
However, writing a virus that resides on someone's machine, pulls personal information (game account info), and transmits it (presumably off-shore, but even across state lines would make it a federal crime, would it not?) yields no punishment to the creator, nor reimbursement to the victim. Yet, the damage is almost worse in this case, because generally if an account is stolen, there is no chance of recovery. At best, the game company will track down the person's account and ban/cancel it.
Is it because the perceived monetary damages are so much less than those encountered with corporations?
> Is it because the perceived monetary damages are so much less than those encountered with corporations?
No, it's probably because the authorities think of this as "just a dumb game."
That EULA that specifies the game-owner actually retains ownership of all the virtual goodies in the game, what rights in those goodies DOES it convey to the player? The player invests not only gaming time (the chief source of the goodies' market value), but also the fee paid to the game owner. Said owner must be conveying SOMETHING of value to the player... what is it? In the answer to that question lies the beginning of untangling this.
So, what's the functional difference between virtual money and real money? My child has Neopoints (or whatever Neopets money is) and real money. In one case, there's an entry in the Neopets files, in the other there's an entry in the credit union files. He can't buy a new video game with Neopoints, but he can't buy a Neopets item with money. It's not quite symmetric, but it's pretty darn close.
"And if we object to any of this, the imaginary terrorists will win."
"But what about the sqrt(-1) terrorists?"
That's a complex problem with no real solution.
Note that there is also a market for cultivated avatars/characters. Since people are too lazy/got little time etc, getting a character in a MMORG that has gone through all the early struggles needed to get the stuff needed, there is a real-money market for ready-made characters.
This has led to the proliferation of game sweatshops where people spend their days creating new characters, playing with them until the character has amassed enough important items. Then the character is sold on eBay.
As sweatshop jobs go, this one is probably one of the better. But I'm amazed at the way virtual worlds affect real life and how crime, fraud, etc follow the money into the virtual worlds.
Also, remember the guy that bought a virtual island for lots of real-life money.
 Third-World Sweatshops Producing Virtual Goods
 Gamer buys $26,500 virtual land
Game money is no more imaginary than "real money", which even in its most tangible form is nothing more than fancy paper.
What makes money valuable is nothing intrinsic to the money itself - it is valuable because most people agree that it is valuable. That is, the reason you accept payment for your work in money rather than gold pieces is because you have a reasonable confidence that you will be able to spend that money later on the things you need, because the shopkeepers also have reasonable confidence that they will be able to spend it as well. Game-money is no different in that regard.
One important security concern with money in online games is its use in money-laundering. Criminals such as drug-dealers need to move bundles of dirty cash from the point of sale through a complicated set of cross-border transactions until it arrives, sparkling and clean, in their bosses' bank accounts. Conversion into online game cash could form an important link in such a chain, because the real world identities of the players who handle the money are almost certainly impossible to verify.
The game companies are obsessed with their EULAs claiming that they own the pixels because they (or their lawyers) are terrified of legal and tax consequences of what they might do. If a player gathers 5 gold per hour, and that gold sells for $5, are they required to collect income tax on that? If the person sells that gold for $5, are they required to collect VAT/sales tax? If the person loses that $5-value of gold, are they liable for any real loss? If that sword of uber nerdness sells on the open market this year for $1000, but a new sword of supernerdosity comes out, and the sword of uber nerdness now only sells for $50, is the game producer liable for the $950 in loss you've sustained? If a bug in your game makes my $1000 doohickey vanish, what is your liability for that loss?
You see, a lot of these questions vanish if you close your eyes and pretend that online pixels are either worthless, or belong to the game company. Which is why those companies go out of their way to make you believe that: they can't afford the liability for their (in)actions.
Just look at how Flooz was crippled by organized criminal activity: they would steal CC numbers, use those to purchase Flooz, then cash in the Flooz for material goods, when the CC companies reversed the charges, Flooz would be left with huge negative balances. Every micropayment system will be subject to similar attacks.
People used to set up fake websites and hack into real websites based on Everquest, since they knew that many people used the same login information for their EQ account as for their message board account.
I can't believe someone hasn't already made the "iTerrorists" joke.
Value is just another communal belief system. Intrinsic value is just a commonly held belief around items that are more universally believed to have value. How is it surprising that bits on a gaming server are just as valuable/valueless as bits in a bank's computer?
isn't all the time spent gathering virtual wealth and power in these games necessarily subtracted from the time available to advance in the boring, humdrum real world? some people seem to have lost sight of the difference. something there is out there that loves these games because they distract players from real world injustice. if days were 34 hours long, i might enjoy taking 30 minutes to feed some virtual christians to some virtual lions so i could exult at their screams of terror, but this just isn't a high enough priority in a 24 hour day.
@ Neil Bartlett: "What makes money valuable is nothing intrinsic to the money itself - it is valuable because most people agree that it is valuable."
True but not complete. The above applies to most valuable items, but not all of those are usable as money per se. Another condition is fungibility, that is to say, all dollars are equivalent. The real kicker, however, is a precondition to both fungibility and popular support: The money must be verifiable, and/or guaranteed in some fashion.
Consider that even gold coins can be counterfeited (by casting your own coins containing base metal). If an area's government was weak or inattentive, an industrious criminal could seriously hurt the public's faith in the local coinage. (I've seen mention that this actually happened in Florence around Dante's time, and the guy responsible got the proverbial "special place" in his _Inferno_.)
Of course, Archimedes figured out one way to spot that trick, but how many people would be willing or equipped to measure the density of their cash? (See also the "paper fingerprints" thread, and consider how many merchants could afford the scanner. Right now, those merchants have a bunch of eyeball checks for paper currency, with some using special testing pens and even the occasional UV lamp.)
The value of our modern money is supported in part by our governments' assurance that counterfeiters will be tracked down and thoroughly stomped, and partly by providing means for the cautious to do at least some checking. (Anybody fooled by a single-sided copy on plain paper is probably beyond help. ;-) ) For token-based money (such as US dollars), you also need an extra guarantee: Assurance that not only merchants, but also the government itself will honor the money, e.g. for taxes. (This may *sound* obvious, but some governments have been known to "devalue" their currency. There are repercussions, but it does happen.)
Virtual money is similarly supported by the efforts of the game engineers to make it reliable and difficult to fake. But to keep its value, it also needs a commitment by the game management that they will continue to recognize people's virtual property as "theirs". If the gamekeepers ever use their EULA to dodge either of these commitments, the value of gamestuff will rapidly drop through the floor. Unfortunately, this means they may also need to recognize in-game thefts, scams, etc. as real events -- perhaps punishable, but still real. This corresponds to the fact that a RW government can't just "revoke" a thief's ill-gotten gains, they need to actually confiscate them -- which may first require *finding* the money.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.