The Next Level

On Robbing Banks

“That’s where the money is!”
– Attributed to Willie Sutton, Non-Traditional Withdrawals Specialist

Willie Sutton was quoted as having said the above (he denied coining the phrase) in response to the question, “Why do you rob banks?” At the time, it was an obvious choice; in a pre-networked world, value was primarily transmitted by moving physical objects around the world, whether they were bars of precious metals, mineral crystals, or slips of paper. A non-traditional account withdrawal, then, relied on transporting physical objects from point A (a location controlled by the bank) to point B (a location controlled by the attacker).

These days, robbing a bank doesn't require moving objects about; while it’s not true (and never was) that someone can whistle into a pay phone and start WWIII, there are certainly sophisticated attackers capable of stealing money in transit, either from financial institutions themselves, or from merchants, payment processors, or Nigerian princes. Banks know this—and while banks themselves certainly have major digital security breaches from time to time, overall, their security has improved.

Banks are not, however, the only place in which money changes (virtual) hands. Non-banks have to follow standards like PCI-DSS to begin to secure the fiat currency <-> goods gateway, whatever type of goods they may be selling; whether it’s the new Taylor Swift single or a two-handed claymore, PCI-DSS adherence ensures that the most basic security precautions are being followed (at least with respect to payment card information).

What happens when you acquire a digital two-handed claymore, however? (For now, let’s say you acquired it by completing an Epic Quest and obtaining it from the Azgoths of Kria.) It’s not quite the same, because the sword isn’t a thing you keep in your house. Instead, it’s kept on a server, which is owned by a games company, and you get to use the sword in exchange for your fees: it’s Sword as a Service (SaaS).

SaaS is a well-understood model, encompassing much of the online gaming space. The security for these types of games is designed to protect not the sword itself, nor any objects in and of themselves, but the service as a whole; it prevents attackers from compromising the game, makes sure legitimate players can connect, and generally defends the same objectives as security for the other SaaS. That seems appropriate; if I lose my Sword of Improbable Size and Majesty (SoISaM), the SaaS provider could refund my access fees, or give me another SoISaM, or some combination of the two. The risk profile isn't exactly “no blood, no foul,” but the potential loss from a breach is limited. The SoISaM, and other valuable objects in the SaaS, only have value as a function of time spent playing the game.

The situation changes, however, once you introduce item purchases—or indeed, any micro-payments—into the game. Now my SoISaM has a value, be it $1, $10, or $9000, and losing it has a direct, easily calculable, financial cost (even if I get it back). The game has now become a repository of objects with significant financial value—and it turns out that we have a name for those: banks.

On Robbing Games

“It’s like the joke about the post-modernist gangster who makes you an offer ye canna understand.”
– Charles Stross, “Halting State

Charles Stross wrote about combined financial industry and video game crime in his 2007 novel “Halting State,” and he has noted that his two novels in that series have come true in part. We have already seen large-scale crime—with significant financial consequences—in video games, such as the 1 trillion ISK (approximately US$55,416, according to historical exchange rates) stolen in an historic Ponzi scheme in EVE Online. That’s just dealing with the theft of in-game assets (like the SoISaM), however; what about other avenues for collecting money?

In the past couple of years, a few different companies have been experimenting with “skills-based wagering,” or allowing players to bet money on their own in-game performance; for instance, Capcom allowed these “money matches” as a launch feature for Super Street Fighter 4 (SSF4). There are even start-ups offering to integrate these features into more applications; one such company, Skillz, has received $8 million dollars in the past three months, and $16.3 million overall, in venture funding. As these types of games become more common, and the stakes grow higher (SSF4 allows a maximum $1,000 per-match bet), it will become common to use external means to influence the outcome of the game—whether that’s DDoSing an opponent, as has happened repeatedly in the Starcraft community, or even physically attacking an opponent.

Online gambling—another form of gaming—is already a reality in other parts of the world, with major providers like Paddy Power serving customers throughout the world. While within the United States, only two states (Nevada and New Jersey) allow real-money gambling on games of chance over the Internet, that is likely to change soon; the World Trade Organization has authorized trade retaliation against the United States for prohibiting Internet gambling.

Here’s the issue: even though these games are now handling bank-like money, they don’t have bank-like security measures. Most games are secured on the basis of securing fun, not securing billions of dollars of money flow. In general, we secure games as though they’re somehow separate from “the real world.” This needs to change.

What Comes Next

It’s gonna be the future soon
And I won’t always be this way
When the things that make me weak and strange get engineered away
– Jonathan Coulton, “The Future Soon”

At Leviathan, we think that the recent crackdown on Bitcoin as a money laundering service means that not-exactly-money transactions, such as in-game currencies with exchange rates with “traditional” forms of money, will be the next point of heightened scrutiny. Whether that means requiring USA PATRIOT account-holder verification, including Know Your Customer and Senior Foreign Political Figure checks,  for every game with in-game currency, or even requiring games companies to register with New York State before they sell games with micro-payments, will remain to be seen—but it doesn't have to be this way. We think that if games demonstrate real security measures, now, instead of waiting for regulation (or a disastrous security breach destroying hundreds of millions of dollars of currency-like objects), it will allow innovation to continue in the gaming space, and allow companies of all sizes to create games—from small indie studios, to repeat players, to AAA studios and other big players. While PCI-DSS is often poorly regarded in the security community, this form of industry self-regulation, when used as a baseline, has made it much safer to spend money online; it would be a significant achievement if the gaming community could foster, define, implement, and monitor an equivalently proscriptive across-the-board base level of security.

I’d be remiss if, at this point, I didn't point out that Leviathan has been working in these areas for years. Our employees have secured financial institutions, power plants, video game consoles, nature preserves, online games, novel security hardware, and some of the hardware that powers the core of the Internet. We’re also gamers; we have a Senior Security Consultant with a degree from DigiPen, an Ingress Level 11 player, and gamers of all stripes (including some who were playing multiplayer online games when 9600 baud was "high-speed" Internet) in our ranks. We love to help game companies—or indeed, anyone—secure the work they value most, and we've been particularly involved in helping non-traditional targets, such as law firms and games companies, design their long-term defenses as they meet their new challenges. Sound like something you need? Give us a call.