The global games market is expected to reach over $108B in 2017. Just as with great power comes great responsibility, with big money comes high risk. Namely, the risk of fraud of various kinds. So, what threats for your boldly thickening bottom line are there, dear GameDev? How to effectively protect your business against fraudsters? How to keep risk at bay while boosting sales? In the following article, I describe the most common perils to your business and show how to leverage AI to stay always one step ahead of fraudsters and scale up safely.
A pocket bestiary
Let’s start with a handy overview of threats for your GameDev business. As your merchandise is purely digital, delivered in real time and purchased with credit cards, you are a perfect target for crooks specialised in extorting goods and money from online merchants. So, here are some bullets that might strike your sitting-duck-company anytime, unless you take care of appropriate prevention measures.
- Friendly / chargeback fraud
It occurs when a player (your customer) carries out a transaction using their credit card, yet as soon as the item/service is delivered, they claim chargeback — stating that they have either never received the purchased item or carried out the transaction purely by mistake.
Although your infrastructure is probably equipped with certain mechanisms capable of proving that the customer’s story is nothing more but an extortion attempt, as long as most of the items you sell are relatively cheap, arguing with the customer is a game not worth the candle.
Calm down. Though the loss is irreversible, it is — as you will soon figure out — preventable.
- Payment fraud / credit card fraud
Have you ever wondered what happens with all the credit card data acquired by criminals each time you hear about a massive breach?
In many cases, those are used by fraudsters to extort goods and money from companies like yours. Organised crime groups buy databases containing card numbers, cardholder details and CVV codes on the black market and use these pieces of information to illegitimately buy your products and sell them cheap on some shady third-party platforms.
As soon as legitimate cardholders figure out that their cards have been charged for purchases they have never made, they contact their banks and demand chargebacks. As you are the one who had accepted fraudulent transactions, you are also the one to give the money back.
Unfortunately, this does not happen immediately after the incident but several months later, once the whole chargeback procedure is concluded. So, for quite a time you might be erroneously convinced that your business is booming until you receive the obituary chargeback report from a card organisation. In other words, a massive fraud attack might be lethal for your business and reputation.
Fortunately, there are some ways to prevent this from happening.
Most players do not protect their game platform credentials as well as they protect their e-banking details.
But wait…they have their credit cards linked with in-game profiles, don’t they?
Do you know how many of your user accounts have been hijacked so far? Sometimes it is really hard to detect an ATO incident as hijacked accounts are not necessarily used by fraudsters to carry out illegitimate purchases, at least not immediately after the takeover.
They might be used to help fraudulent players in the game, making it more difficult to detect extortion. A fraudster might, for instance, hijack an in-game account of a skilful player and sell their digital belongings cheap to some other players (accounts controlled by the crime group). As those “players” become actual owners of the cheaply purchased items, they resell them on third-party platforms with noticeable profit. If there is a victim’s card linked with their in-game account, criminals might additionally purchase certain easy-to-sell items, so the hijacked account becomes an extortion proxy.
As the administrator of the whole playground you can possibly track suspicious buyers, but remember that there is nothing illegal in buying items from other players and if the game is really popular you cannot possibly embrace and x-ray thousands of in-game transactions carried out within the ecosystem.
- Virtual items grey market
Have you ever been to a middle-eastern bazaar? Besides fresh fruits and vegetables, flavorous spices and some really nice carpets, they oftentimes offer fake designer handbags, shirts etc. As you probably know, there is a worldwide network of online bazaars with game keys and other digital items, except they do not sell fake products but full-value digital goods, usually of questionable origins.
While a seller of fake handbags is not a serious competitor for global fashion brands, a person who sells digital items issued by your company for a fraction of their original price is actually causing certain economic damage to your business. Sure, there is a number of legitimate, high-quality marketplaces that cooperate closely with games publishers, help players trade in truly unique items and make a perfect additional sales channel for your company.
However, those marketplaces are in the same boat. They also struggle to fight fraud. The more digital items fraudsters manage to extort and place on the grey market, the lower their prices get, and as long as there is no difference between original-sourced digital goods and “second hand” ones, game companies like yours are forced to lower their margins to effectively compete with “digital bazaars” (shady forums).
To cut a long story short, you need to join forces with quality marketplaces and apply effective tools to prevent ATO incidents, that is to verify the player’s identity whenever they act awkwardly, yet with no harm for user experience. And yes — there are the right tools for the job.
And don’t get me wrong — marketplaces are not your enemies. In fact, they are your potential allies in the fight against fraud and black hat underground exchange of digital goods.
Cheating is an issue as old as games and sports. You can be sure that among ancient Egyptians playing the Game of Twenty Squares some 3000 years BC there were cheaters trying to “outsmart” other players by violating the rules. Playing any game with individuals of that kind does not make sense. As you probably know, in the world of online games and e-sports, cheaters remain one of the most serious threats for the business.
Remember the doping scandal in Russia?
Just as athletes who inject steroids, there are players who modify games by “injecting” forbidden pieces of code in the app. Those make them “run” faster, see more, aim more accurately, and so on. Unfortunately, it is not that easy to spot them, if they know how to use “doping” right.
But it is your duty to keep the game free from the scam. Just like in the case of ATOs — you need appropriate tools for that task.
Trust is hard to earn and easy to lose. And reputation is all about trust. All the pointed out threats might cost you much more than extorted money and digital goods. Players want to feel safe while playing. Rumours spread faster than the truth. Just a couple of ATO incidents combined with open access to original game items on sale for peanuts might damage your reputation in a blink of an eye.
Therefore, you really need to do your utmost to make them feel safe and comfortable while playing your game. You need to make them trust you that while in your digital world, they have no reasons to worry about their non-digital financial security. Moreover, they need to know that the in-game competition is fair, that the game is slyboots-proof.
And this can be achieved only by applying top-grade security measures.
Get to Know Your Players
Once you know how wild and dangerous this industry of yours actually is, you would probably like to know how to deal with all the above-listed threats, wouldn’t you?
If you think about what all the 6 threats for your GameDev business have in common, you soon realize that they all stem from the fact that game companies either do not know their players well enough or lack the right tools to truly leverage the knowledge they have.
Here are some examples.
- If you knew how to recognize a player likely to commit friendly fraud, you could, for instance, add to your in-game purchasing system a “purchase abort” button active for, say, 15 seconds from the purchase and visible for potential “friendly fraudsters” only.
- If you knew how to tell a legitimate cardholder from a criminal, you could block fraudulent transactions instead of sending them to your PSP.
- Furthermore, if you could recognize the unique way each of your customers plays the game, you could activate some additional authorisation layers or kick cheaters out of the game whenever an anomaly is spotted.
- If you could detect various geo-spoofing attempts and recognize in-game purchases made purely for “investment” purposes, you could prevent the outflow of digital items from your in-game marketplace to third-party platforms.
Finally, if you could address all the 5 issues, the 6th (reputation damage) would no longer be a threat to your company.
Easier said than done, right? Not necessarily…
Gather, enrich, process, repeat
As a game maker and administrator you probably collect rich data about your players — about what they do while logged in, how they explore the map, what operations they undertake, how they compete with each other on many different levels, how they trade with each other etc.
This data is very precious. In the digital realm, you usually know about your customers only as much as they tell or show you. Therefore, you need to be a truly careful observer, notice more than others.
Have you ever heard of user profiling?
It is a process of collecting rich data about each individual playing your game. As noticed above, you are probably collecting a lot of information already. However, there are special tools known as profilers, that collect thousands of data points about each user’s hardware, software, network environment and behaviour (including actions, reactions, activities). By combining such pieces of information with your data and insider knowledge, you can finally assemble a comprehensive digital image (profile) of each and every individual playing your game.
One might ask what for.
The answer’s: to predict everything relevant.
But how to embrace, analyse and understand such big and complex data? The answer is Artificial Intelligence (probably you are already using it for some purposes) — Machine Learning (ML) in particular. As you know, nowadays, machines are much better than humans in analysing big data and finding interdependencies between numerous apparently unrelated variables. And understanding your players is all about doing so — linking the dots in real time. ML models learn about your players’ as much as possible and accurately predict their future actions. The more players they x-ray, the more effective they get.
One size does not fit all
As described in the first part of this article, many different types of fraud peril your business and as your game is unique, each of the above-listed problems differs slightly from all the other in many aspects. Credit card fraud, for instance, looks different in the case of MMORPGs than at MOBA games. Fortunately for you, top-notch FDP solutions providers provide their clients with custom ML models, created and trained per business case. So, when someone is telling you that they have a great ML anti-fraud model for the games industry, don’t believe them — ask about a model for your company/game.
Hubert Rachwalski, CEO of Nethone
Originally published at nethone.com on September 20, 2017.
