PANOPTICON LABORATORIES How Fraudsters Are ‘Following The Money’ Into Online Games www.panopticonlabs.com March xx, 2016

Matthew Cook - How Fraudsters Are 'Following the Money' Into Online Games

ABOUT US

PROTECTING ONLINE GAMES FROM IN-GAME THREATS

[Screenshot of Watchtower UI]

PANOPTICON LABORATORIES is the first and only in-video game cybersecurity company, built to protect online video game publishers from the financial and reputational damages that can result from cyber attack. Through proprietary technology that is uniquely focused on gameplay itself, Panopticon sets a baseline of activity for every player who participates in online play. Upon discovering anomalous behavior, Panopticon alerts publishers with more than 99% accuracy, along with providing recommendations for incident investigation and immediate remediation.

WHAT DOES GAME FRAUD LOOK LIKE?

FRAUDSTERS = WORLD KILLERS

Hackers, cheaters, and fraudsters are a cancer that kills virtual worlds.

+2,000% increase in account takeover

Steam Trading allows players to exchange virtual items.

77,000 accounts are hacked every month

NEW MALWARE: STEAM STEALER

Cheap: Only $30 gets script kiddies source code, manuals, and tutorial videos.

Effective: Uses state-of-the-art obfuscation techniques, rendering it invisible to most AV.

Evolving: Leaked source code has led to a development arms war.

Defeats Multifactor: Kaspersky has shown that Steam Stealers can neutralize Steam's primary defense against unauthorized trades.

MONEY IN GAMES

The evolving video game business model:

DISC/CARTRIDGE

ONLINE

FREE-TO-PLAY

WHY FRAUD?

Online games generated $63 billion in 2015.

Global movie box office generated $38 billion.

Fraudsters always follow the money!

It was true in banking.

It was true in eCommerce.

Now it's happening in video games.

http://kasperskycontenthub.com/securelist/files/2016/03/Steam_Stealers_research_ENG.pdf, or Google Kaspersky Steam Stealers

MORE THAN ACCOUNT TAKEOVER

Gold Farming

Botting

Credit Card Fraud

WHAT'S NEEDED?

WHEN SURVEYED, GAME PUBLISHERS AND DEVELOPERS HAD VERY SPECIFIC IDEAS ABOUT WHAT THEY WANTED AND NEEDED

SURVEY OF 50+ PUBLISHERS

Over 18 months, online game publishers were asked:

What are you doing now to fight fraudsters, cheaters, and hackers?

How effective are those solutions?

What other solution(s) do you wish you had access to?

COMMON SOLUTIONS

MANY TOOLS WERE INITIALLY DEVELOPED FOR OTHER INDUSTRIES

Multi-factor, IP/GEO, black/whitelisting, challenge questions, and device fingerprinting and reputation tracking have all been attempted.

List-based solutions draw from years of institutional wisdom and databases.

The problem with using tools built for banks to secure games is that bad guys have had years to figure out how to break them.

DIFFERENT GENRES; DIFFERENT PRIORITIES

MMO: Account Takeover

Free-To-Play: Account re-selling; gray markets

Social Casino: Cheating; collusion.

Real-Money Casino: Money laundering; cybercrime

MOST-COMMON SOLUTION

Many publishers create rules-based reports based on what has happened in the past.

OBSERVE -> CONFIRM -> FORENSICS -> ADD RULES

The most common tool

Explain the Reporting Life Cycle

ALL AGREE:

Lots of overlap: bad actors from across the spectrum are constantly looking for advantage.

It should be addressed, even if most aren't exactly sure HOW to fight back.

It's about more than money: reputational damage, player dissatisfaction leading to churn, and premature shortening of the game's life are also important.

"One of the most important things you have as a developer is the community you can take with you."

CASE STUDY

HOW ONE LARGE, DATA-DRIVEN PUBLISHER FOUND ITSELF AT THE MERCY OF CYBERCRIMINALS DESPITE THE USE OF CUTTING-EDGE TECHNOLOGY

SOCIAL CASINO

Players cannot cash out chips; play in large, social settings through mobile and Facebook

13 MILLION PLAYERS

Half on Mobile; half connecting via Facebook

Had the advantage of Facebook's authentication controls paired with Apple's app-level validation tools and a variety of traditional front-end services.

Employed cutting-edge back-end transaction security controls via their credit card processor.

Very data-centric since the company was founded; prided itself on the quality and quantity of its player data.

WORLD-WIDE COVERAGE

Employed teams around the globe to watch out for players

As fraud and gray market losses mounted, more employees were tasked with manually monitoring player behavior.

Rules-based reports generated suspect lists, which were in turn reviewed by game play experts.

Many things were tried; every time, the bad guys simply adjusted their activities to get around the systems created to detect them.

NO IDEA OF SIZE/SCOPE

BY THE TIME WE WERE ENGAGED, CRIMINALS HAD A 24-MONTH ADVANTAGE

Panopticon Labs was tasked with determining the size and scope of gray market activities operating in-game.

Behavioral analytics models were built to model 100% of all player activities over a 90-day period of time.

First pass: 88% accuracy rate. Second pass: 98.7% accuracy rate.

Thousands of bad actors were participating every month in a complex ecosystem.

40% REVENUE LOSS

PANOPTICON LABS ESTIMATED THAT 40% OF THE PUBLISHER'S MONTHLY REVENUE WAS BEING LOST DIRECTLY TO THE GRAY MARKET

THIS WAS ON TOP OF THE LOSS FROM REPUTATIONAL DAMAGE, EARLY PLAYER CANCELLATIONS, AND LOSS OF CONVERSION.

RECOMMENDATIONS

TECHNOLOGY

BE LIKE BANKS; EMPLOY A LAYERED SOLUTION THAT UTILIZES ANALYTICS WITH TRADITIONAL CONTROLS

Recognize that any observable system is porous when faced with a dedicated attacker.

Be skeptical of results; make sure the right things are being measured.

Measure early; measure often.

Assume the bad guys are already inside.

ANALYTICS

More than just a buzzword

Study good and bad events - not all anomalies are created equal.

Classify anomalies differently than suspects - understand how publishers can make best use of these data elements.

Intelligence is useless unless paired with timely and efficient action.

GAMING REALITIES

Games have very different needs than most other industries

Games are very sensitive to lag: don't expect to be embedded in the client OR the server.

Game developers hate overhead: if your tools require changes to the game itself, they probably won't be used, or will be abandoned early on.

Games are constantly changing: unlike banking, retail, manufacturing, or eCommerce, games radically change over time by design.

ANOMALY DETECTION

DEFINITION

Anomaly detection (or outlier detection) is the identification of items, events or observations which do not conform to an expected pattern or other items in a dataset.

- Wikipedia

WHY ANOMALY DETECTION?

Rules are expensive: both to set up as well as to maintain.

Rules are slow: they must be manually maintained and changed as player and fraudster behavior changes over time.

Rules are reactive: by definition, rules can only be created as a reaction to something bad that's already happened.
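
The contrast drawn on this slide, together with the anomaly/suspect distinction from the ANALYTICS slide, as an added example (not from the original deck, and not Panopticon's method): a fixed rule is compared with a per-player baseline scored with the modified z-score (median and MAD). Player names, chip amounts, the 1,000,000-chip limit and both thresholds are constructed assumptions.

```python
from statistics import median

# Constructed sample data (assumption): chips transferred out per day.
HISTORY = {  # each player's own past behaviour, used as the baseline
    "casual_01": [10_000, 12_000, 9_000, 11_000, 10_500, 9_500, 10_000],
    "whale_02": [2_000_000, 1_800_000, 2_200_000, 2_100_000,
                 1_900_000, 2_000_000, 2_050_000],
    "mule_03": [8_000, 9_000, 10_000, 9_500, 8_500, 9_000, 9_200],
}
RECENT = {  # the days being scored
    "casual_01": [10_000, 95_000, 11_000],     # one unusual day
    "whale_02": [2_100_000, 1_950_000, 2_000_000],
    "mule_03": [900_000, 950_000, 920_000],    # kept just under the rule
}
STATIC_LIMIT = 1_000_000  # hypothetical rule written after a past incident


def static_rule(recent, limit=STATIC_LIMIT):
    """Rules-based report: flag anyone who ever exceeds a fixed limit."""
    return {p for p, days in recent.items() if any(v > limit for v in days)}


def modified_z(value, history):
    """Robust z-score against the player's own median and MAD."""
    med = median(history)
    mad = median([abs(v - med) for v in history]) or 1.0  # avoid div by zero
    return 0.6745 * (value - med) / mad


def anomalies(history, recent, threshold=3.5):
    """Anomalous *events*: (player, day index, value) far from baseline."""
    return [(p, i, v)
            for p, days in recent.items()
            for i, v in enumerate(days)
            if abs(modified_z(v, history[p])) > threshold]


def suspects(events, min_days=2):
    """Suspect *players*: repeated anomalies, not a single odd day."""
    counts = {}
    for player, _, _ in events:
        counts[player] = counts.get(player, 0) + 1
    return {p for p, n in counts.items() if n >= min_days}


if __name__ == "__main__":
    events = anomalies(HISTORY, RECENT)
    print("static rule flags:", static_rule(RECENT))
    print("anomalous events: ", events)
    print("suspects:         ", suspects(events))
```

On this data the fixed limit flags only the consistent high roller and misses the account that stays just under it, while the baseline yields four anomalous events but a single suspect.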

THE HUMAN FACTOR

HUMAN BEINGS ARE THE BEST PATTERN RECOGNITION

"Our support team knows our players better than anyone, and can usually tell right away exactly what's happening; they just need to know which players and events to look at first."

- Every Operations Executive Ever

WATCHTOWER

PROVIDING A 360° VIEW OF PLAYER BEHAVIOR

WATCHTOWER is Panopticon Laboratories' premier in-game security product, using proprietary anomaly detection and behavioral analytics to provide online video game publishers with a 360° overview of player behavior over time. The SaaS-based product's real-time, actionable alerts and research tools allow analysts to make quick and informed decisions that stop malicious in-game behavior before damages can occur. Its powerful machine learning system enables the engine to grow smarter and more powerful over time.

Protecting ONLINE GAMES FROM IN-GAME THREATS.

MATTHEW [email protected]