Thieves Targeting Online Games Prompt Tighter Security

The popularity in fantasy online hosted massive multiplayer online game (MMOG) sites like Blizzard and K2 Network has led organized crime rings and hackers to highjack gamers' personal data, credit card numbers, and virtual game pieces and accessories that many spend years building on.

Organized crime units in Turkey, Russia and the Ukraine will hack into the online game database to highjack accounts, stealing user names and passwords, and either attempt to sell the characters and the accessories back to the original owner, or to other players at a discount price.

Securing the online game site, K2 Network Inc. has added a security platform from NetContinuum to protect the more than 7 million registered gamers that play on the site against virtual and real-world ID theft, an executive said Friday. K2 Network senior director of infrastructure and engineering David S. Lee said people will pay between $2,000 and $8,000 for an account because of the money and time put into developing the characters in the game. "Online gamers typically stick with one game from eight months to three years, putting money into characters and accessories," Lee said. "About 60 to 70 percent of game publishers and hosting sites suffer from hacking every day."

K2 Network licenses many games from Asia, localizing them for markets worldwide. Many of the games focus on sorcery. People can create a virtual online societies and economies they build-on for years. By purchasing in-game currency, they buy swords, shields and potions that allow them to move up into higher game levels.

Scott Crawford, senior analyst at Enterprise Management Associates, has begun "to see intangible assets in the game, for example status, secrets and virtual real estate, given tangible value."

And it's not surprising that people have found ways to hack into the game databases and sites, said Colin Sebastian, senior research analyst with Lazard Capital Markets LLC. "On one hand it's a business model for the game site because it allows them to sell extra content like swords and uniforms, but on the one hand you want to have an open environment where players can experience balance that maintains the integrity of the games," he said.

Thieves hacking into the Web site use a method called sequel injection in hopes of discovering a hole in the application to highjack the database and retrieve customers' personal data. "Every other day I'd come into the office, and here we go again with another hacking coming out of some country halfway across the world," Lee said.

Putting up a firewall to block IP addresses wasn't an option. It would alienate a too many honest players. And a proxy server could always hide the person's true location if someone wanted to hack into the system.

It isn't enough that K2 built an application to recognize where the IP address originates. Nor to redesign parts of the Web site by reducing the length of characters required for user name and password, though Lee said it prevents thieves from entering harmful syntax that could wreak havoc on the site.

Losses mounted to nearly $1 million in one year, Lee said. "It's not lost money generated daily, but lost customers that wouldn't come back. We'd have to take down the site to fix things," he said. "The 11- to 35-year olds who play on the site are very smart, great programmers, and will take down the system if they get angry."

Part of the solution came with in the NetContinuum's NC-2000 Application Gateway. Typical firewalls concentrate on the network layer and don't inspect all the data packets. NetContinuum provides a Layer 7 firewall, so it reviews every packet, including the application layer. Lee said it scans the information coming in before it ever gets to the Web server, as well as provides SSL acceleration and load balancing.

Pete Abrams, vice president of marketing at NetContinuum, said users comes in thinking they're connecting to end server, "but we intercept the session between the browser and the Web site, and run security checks. If there's no problem, we let the session pass. It's all done in less than five milliseconds, so the online gamer can't tell."

Calling them "juicy targets" for hackers and thieves, Abrams has seen an increase in game publishers and hosting sites request demos in the past six months. He said it's because MMOGs have built huge customer databases to take in name, address and credit card information required by the customer before game play can begin.