Fraud Fighter – CCP Games on Gaming Fraud

Einar, Security Analyst at CCP Games sheds light on how risk management works for a massively online multiplayer game.

CCP Games, founded in 1997 in Reykjavik, is a game developer famous for its MMORPG Eve Online.

The game truly puts the word “massive” into “massively multiplayer”. Known for its complexity as well as its 500,000 subscriber count, it is a technical feat of engineering. It also involves in-game transactions and exchange of goods, which requires sophisticated security analysis – to protect players and the company.

Their lead security analyst, Einar, has been with CCP Games since the game started. He sat down with our COO Jimmy Fong to discuss fraud prevention in online gaming. Here are 5 takeaways:

#1 Every Game Update Brings New Fraud Challenges

Because Eve Online is ever-evolving, the team needs to anticipate risk. But there are always unknowns, as shown when a major update attracted a new wave of fraudsters. As Einar puts it:

“Account takeovers, for example, those increased a lot when we made some changes in the game. Before you could just exchange your skills and that was it. Then a few years back we made it possible to extract those skill points and sell them. And, you know, obviously, that led to a major increase in account hacking and stuff like that.” 

In this particular case, the company was well aware that the change would bring unwanted attention from fraudsters.

“It’s all interconnected. We do something about credit card fraud, then we see an increase in bots. We have success in one area and we see a problem increase in another area. It’s a whack-a-mole sort of thing that goes on. You hit one down and there’s like another one popping up.”

#2 There is a Strong Collaboration Between the Devs and Risk Team

Einar explained that risk management at CCP Games is both reactive and proactive Luckily for his team, they benefit from good cross-department synergy.

“It’s a good cooperation with development, so what we need we always get. If you start trading an item that wasn’t tradable before, you’re going to see stuff like this, and there’s not gonna be any input from us to change it. It’s just, you know, we know [fraud] is going to happen and it does.”

#3 There is Virtually No Community Moderation

“As long as it’s within the game mechanics then we’re fine with it. People are trusting and give you a lot of money and you run away with it. That’s, you know, not really our problem.”

And it does happen a lot. 

#4 Even the Pros Make Mistakes

In a particularly insightful segment of our interview, Einar goes on to explain that – even with the best tools – security analysts sometimes make mistakes. 

“What I’ve learned is to trust a gut feeling. A lot of the time, the first thing you think is usually the right thing. But also, you know, you sometimes end up banning somebody who shouldn’t be banned. So you looked at payments and you’re just like, that looks suspicious – ban. And that turns out to be perfectly legit. And you just pissed off a very nice customer.”

#5 Excited About 3DS

In the past, when we’ve heard about 3DS, the latest security measure to confirm a cardholder’s identity, it has been negative. But Einar is pretty happy to see how it will help their fraud rates.

“We have a 3D secure thing going on. So that’s going to be very interesting. Getting the banks in on this is a very interesting thing. So, you know, banks should be securing their payments more than they have done so far. I’m very excited to see this happen.”

Still, that’s only one small part of all the transaction fraud the company has to fight.

“Of course, there are different payment types of payments, like PayPal and all that. So you see problems pop up every now and then for anything basically that needs to be fixed. But the card payments and 3D secure and the banks involved. That is quite an interesting development.”

Key Takeaway: The Cat and Mouse and Cheese

Every company’s fraud challenge is unique in some way. But what really sets CCP Games and Eve Online apart, according to Einar, is that the company has a very good idea of where risk will arise.

This is why he put an unusual twist on our question of whether fraud fighters are the cat or the mouse. 

“For one thing we put out the things that we sell. So that’s basically our decision to sell things that are subject to fraud. It’s not super random. We know where they are. So we are the cheese and the cat I’d say.”

You might also be interested in reading about:

• SEON: Data Enrichment: What is it and its Importance
• SEON: What is Browser Fingerprinting & How Does it Work?
• SEON: Why Your Business Needs a Fraud Detection API
• SEON: Top Fraud Management Systems