Glorious Alpha Two Testers!
Alpha Two Phase II testing is currently taking place 5+ days each week. More information about testing schedule can be found here
If you have Alpha Two, you can download the game launcher here, and we encourage you to join us on our Official Discord Server for the most up to date testing news.
Alpha Two Phase II testing is currently taking place 5+ days each week. More information about testing schedule can be found here
If you have Alpha Two, you can download the game launcher here, and we encourage you to join us on our Official Discord Server for the most up to date testing news.
Exploits and ...bans?
Volgaris
Member, Alpha Two
For a game that will rely on a player ran economy and pvp exploits, botting, such as exp gain from glitchy mobs, duping of assets, basically any exploit or cheat that gives a player or guild an advantage will be a game killer. There's even open recruitment to "Exploiters" guilds, this could be a troll, I don't know. At the end of the day the common player is going to have to have trust that the game is fair, even if the game is fair if that trust is gone then those players will leave.
I don't know what defenses are in place and I shouldn't know. But they can't balance exploits, and balancing an economy to offset bots kills half the life skills in the game. You can build the most wonderful game with pretty graphics, amazing mechanics, and top notch systems, but cheaters will destroy it if they can, just because they can.
Two big things they could do and they should do is:
1. No time cards. These are used by exploiters/botters/cheaters.
2. Verify actual ID like what's done in Korea. This is extreme I know, but there's too much money to be made in exploiting MMOs. No matter the resources that Intripid throws at combatting this, they won't win without extreme measures.
I don't know what defenses are in place and I shouldn't know. But they can't balance exploits, and balancing an economy to offset bots kills half the life skills in the game. You can build the most wonderful game with pretty graphics, amazing mechanics, and top notch systems, but cheaters will destroy it if they can, just because they can.
Two big things they could do and they should do is:
1. No time cards. These are used by exploiters/botters/cheaters.
2. Verify actual ID like what's done in Korea. This is extreme I know, but there's too much money to be made in exploiting MMOs. No matter the resources that Intripid throws at combatting this, they won't win without extreme measures.
2
Comments
I recall having a friend "Rent" a KSSN(Korean Social Security Number) to play a Korean MMORPG before it came out over here years ago. I am not sure if this is still possible.
I think it may help, but it's a not a perfect solution.
This is my personal feedback, shared to help the game thrive in its niche.
There's a reason Arch Age didn't have the same issues in Korea as it did in the west. A lock is just a deterrent for the honest thief.
Assuming you paid for the game yourself and used your credit card, wouldn't they already have it?
There are third party ID verifiers that could be used too.
Point is the cheaters will hide behind anonymity, time cards, vpns, false ID, ect. Some easier to do than others.
XL could do it in South Korea, but not Japan, not North America, not Europe.
The reason for this is simple, there is no universal identification system. A company would need to use different systems from different countries, a different system for each country. You would need to maintain your verification systems as each country updated their individual systems, and you are also relying on the least secure of these systems for your game as a whole.
I mean, what system could Intrepid use to verify the identity of a player in Fiji, or in Luxemberg, or in San Marino?
There are third party companies that could be used, but as these companies are already targets for hacking, I wouldn't be suggesting anyone use them.
No, cardholder information is encrypted via a hosted 3rd party solution to prevent Intrepid’s system from falling into PCI scope (payment card compliance). I imagine that a similar model might be used for encrypted SSN verification, but I wouldn’t want that kind of PII used for something as trivial as a game. From a data protection perspective SSN is much higher priority than PCI, and has much more severe consequences for Intrepid for data breaches.
Indeed.
The thing many people seem to forget with this kind of thing is that internet security/identification would be a trillion dollar business, if someone was able to actually make it work.
Based on this, the notion that a small game developer with barely more than a few dozen employees would crack this is amusing.
Microsoft, Apple, Google, Facebook, police, military and intelligence services can't do this, but surely Intrepid can!
Disclaimer; my info here is a few years old, I don't have anyone I am willing to check in with about it today.
The problem with banning VPN's is that the way they do this is that they ban all IP addresses thst are known VPN's.
Since it isn't all that hard to set up your own VPN, with your own IP addresses, VPN bans only really affect legitimate players, as opposed to botting companies.
This is an area @PirateSoftware is far more qualified to speak than I am, but you need to keep in mind that with bots, you are dealing with multi-million dollar organizations (likely bigger than Intrepid, all told), not just some random guy in his parents basement.
At the end of the day if the players feel like the game has lost its integrity then players will leave.
My opinion on this matter is - as you kind of hinted at in your earlier post - that we should have no idea at all about any of this.
This is because if we know what game developers are doing to combat cheating, the cheaters definately know as well. The more they know, the easier it is for them to circumvent.
What we should be doing is stating often and loud that we do not want cheating, commenting on the amount we are seeing in game, and (most importantly) canceling subscriptions if it crosses our own personal line.
This last one is the only action players can take, but is often overlooked.
If players are going to remain paying for a game that has rampant cheating, developers have no incentive to spend money stopping it from happening.
That gaming industry does not leverage a proper anti-cheat solutions, which track people's actual financial identity and allow them to bar them from their services. To me it just shows unwillingness to address that issue, because its "costs money". There is clearly a market gap here.
Blown past falling sands…
Yep, there are tons of ways to verify identity. Different regions will have different solutions. But for most western nations paypal would probably work. Asia might have others. Are there ways to fake identity? Well yeah identity theft is big business too, but that's an actual crime, not just a violation of a games policy. The consequences are much greater to get an edge in a virtual world. People still will, but there will be much less.
Can it be done? I think so. How effective will it be? I'm not sure, but I do believe the juice is worth the squeeze. Will they do it? Probably not.
I mean, I have 4 PayPal accounts, and access to another half dozen or so.
That is without actually trying to create excess accounts.
There is no identification verification that works in an online setting. If there was, everyone would already be using it.
yes making a paypal account is easy, but verifying it with a bank account is a little more involved. and pay pal is only one example. you can look into "id.me" <- url. google it and you'll see there are other ways to verify identity. can it be cheated? yep. is that a crime? yep. really goes into risk vs reward.
yes the world is full of people like you. the "can't be done" types. the nay sayers, the stonewallers, the gatekeepers. progress will still happen with or without you.
Yes, here we talk considering the present and willing to trigger some progress.
Trying to predict what and when that progress will occur, it pushes me into a future where not only IDs might be available but also the AI will advance and might reside in physical human like shells or we will have implants which makes the richer people be more skilled at memorizing or faster to analyze and react. Maybe some will play from bases on Moon.
If you tell me not to look so far into the future, then what I see is a different picture, where companies make displays with embedded software where you can run addons to help you while playing games, which might be against the developer's EULA but not detectable by any anti-cheat solution.
So if we want to go on that path, to reach a point where we might be able to detect if a player cheats or not, the path leads me into a future quite similar to some books I used to read many years ago.
I'm literally just talking about having to use an verification process to buy and subscribe to this product. The list of products that require an ID are endless. If you think an MMO requiring ID to play a game will lead to Skynet AI Moon Base Bot Human Extermination, well... I'll be here on Earth if you want to actually discuss the merits of and challenges of an identification system.
At the end of the day cheaters hide behind anonymity. Time cards, vpns, false id, ect. Because we can't stop it all or the outcome tickles someones sense of AI Terminator take over isn't a reason to not fight for the games integrity.
It isn't that hard to do everywhere.
Just because it may work where you are from, doesn't mean it will work in the other 190+ countries Intrepid want to sell the game to.
Again, if it was as easy as you seem to think it is, literally everyone would be doing it.
I don't know where cheaters hide. I used cheats in offline games years ago where I gave myself infinite lives or to pass through walls
But I guess a similar concept like in Korea which you mentioned can be implemented everywhere, if there is enough desire. Somehow the rest of the world was not motivated enough yet.
Even if it will not completely stop cheaters, it could reduce their numbers and maybe would reduce the player count too for some games.
What's stopping you? Go grab a book!
Cheaters (bot farms, gold sellers, exploiters, ect...) all hide behind vpns, time cards, ect. It's actually stupid easy to do. Tons of blogs, discords, videos, ect on it. Ashes won't be any different in this respect than WoW or any other MMO. How long before there's an Ashes token? Ashes gold is already being advertised on these sites... 1g for 13.99~ . Quite steep right now, but I guarantee it will drop after launch once botting programs like MacroGoblin get updated or someones basement cpp program gets done.
Good question.
I've not tried to read sci-fi books anymore because overtime I shifted to fantasy books and then I stopped reading. The fantasy worlds were easier to accept (being fantasy) than the sci-fi worlds.
But maybe I have to grab a book. Maybe I get addicted and I'll test less AoC... but then I'll catch fewer bugs
It worked in Korea because that system exists in Korea.
It doesn't exist everywhere. Not every nation assigns it's population numbers. In fact, most don't.
Intrepid could not have any system like this for an EU server. It wouldn't be possible, and if it were possible it wouldn't be legal (for three different reasons that I can think of off the top of my head). If it were legal, the cost associated with data security requirements would make it a financial burden to Intrepid.
In the US, it may be possible, but 75%+ US players would not want Intrepid having access to that level of information on them, and so it wouldn't function. Third party companies that specalize in this have a habbit of selling up as soon as the value of the data they have on file is worth more than they are gaining from operating the service itself - and that data is now in the hands of whom ever wishes to purchase it.
Again, you need to ask yourself why Google, Microsoft, Apple or Facebook aren't doing these things. They stand to make exponentially more money from it than Intrepid would ever make from this game - they also have expenentially more resources to put towards making something like this work. So if they aren't able to make it work, why would you think Intrepid can?
75% you say? Did you do a survey recently? Made up stats aside. Lets look at a market, the US market. They can use ID.ME or something like that. Your name is NOT PPI/PII nor is your address, if that were the case every county in the USA would need to take down their GIS sites. ID.ME would be the ones holding that information anyways. Doesn't it cost? probably, didn't look into it. But generally you pay for tokens for access to the api, which i'm intrepid is already familiar with. It'd be similar to the payment systems they have setup. They didn't setup a whole bank to take payments, they don't need to setup a whole system to verify ID. So Yes the system does exist in the US and many other countries. You say it wouldn't be legal in the EU, but didn't state your 3 reasons. I don't know EU law and really don't care about it or for it, nor would I be playing on an EU server. I still think it can be done and should be done for the EU servers, they wouldn't need a special security system for guarding the PII because it's not PII nor would they even be the holders or verifiers of the PII.
Only thing I'm not sure about is how many people would actually NOT play because of this? Would it be 75% hell I don't know, nor do you. But given an option between a verified server for $20 a months or a no verified server for $15 a month? I'd choose the verified one.
This isn't a new concept...
There's a quick list of ID verifications sites I got from google and chatgpt.
Jumio
Onfido
Trulioo
IDology
LexisNexis Risk Solutions
Socure
Experian IdentityWorks
ID.me
You seem to be misrepresenting what I am saying.
I am not saying this is a new idea, and no one can do it. I am saying no one can do it well.
Do a little bit of a deeper dive in to your list above, and look at how many key people involved with those services have been charged for things like fraud. Look in to how many similar companies have existed, been sold and had the data they collected used or sold off.
There are - as I have been saying - reasons what you are talking about has not been done. You are not the first person to think of doing this, people at companies like those I have listed above have considered it and have decided against it - because it is bad for their consumers (even Facebook considers it a privacy concern).
The entire idea you have around these companies is bad. These companies are bad.
If you track gold trading and remove all the wealth accumulated by the account when it gets banned, within a few months there won't be any point left to paying for that stuff.
Track all trades made by gold/resource/item farmers, undo all the trades that drastically favour one side in value and cleanly reverse all equal-value follow-up trades made with uninvolved third parties. That doesn't even have to be a ton of data to store (though it would probably help to have additional data once suspicious activity has been flagged.)
Banning credit cards and verifying identities is an expensive extra step that fails to extinguish the problem at the root: If the result of cheating is reliably being worse off than you were before you did it, no one's going to do it.
The only reason gaming companies don't eliminate cheating is because they don't want to.
I'm sure some of the decisionmakers believe their own excuses but that's again just because they don't want to think about it any deeper. X to doubt? "Banning known VPNs" doesn't mean banning any IP that has ever served as a VPN, it means banning any VPN that is known to have served as a public paid VPN. You identify them on the market, not in their network
protocol header or through tracing, that's not what's of interest to you.
You ban the top providers, problem fixed. Maybe you pay a security company that has a list.
Personally I don't think it's a necessary step, but there's no way that accidentally banning someone whose personal IP happens to function as a VPN is the issue.
PS: This part of the discussion has been about real-money trading (and any associated exploits) while the main thread is about punishing all forms of cheating. While I acknowledge that difference and that my suggestions don't apply to the other aspects, I think it's obvious why real-money trading is the only situation where you really *need* rigorous systems. A private cheater might spin up 4 different accounts and cheat on each one, but there are only so many times you'll need to ban an exploiting player's max-level account before they'll give up on either cheating or more likely the game.
Also, the 80:20 rule applies to all of these suggestions. You don't need to eliminate the problem for good or follow every piece of wood traded by a goldseller or buyer, in order to make it unattractive for the customers and unviable for the providers.