Exploits and ...bans?

For a game that will rely on a player ran economy and pvp exploits, botting, such as exp gain from glitchy mobs, duping of assets, basically any exploit or cheat that gives a player or guild an advantage will be a game killer. There's even open recruitment to "Exploiters" guilds, this could be a troll, I don't know. At the end of the day the common player is going to have to have trust that the game is fair, even if the game is fair if that trust is gone then those players will leave.

I don't know what defenses are in place and I shouldn't know. But they can't balance exploits, and balancing an economy to offset bots kills half the life skills in the game. You can build the most wonderful game with pretty graphics, amazing mechanics, and top notch systems, but cheaters will destroy it if they can, just because they can.

Two big things they could do and they should do is:
1. No time cards. These are used by exploiters/botters/cheaters.
2. Verify actual ID like what's done in Korea. This is extreme I know, but there's too much money to be made in exploiting MMOs. No matter the resources that Intripid throws at combatting this, they won't win without extreme measures.

Find more posts tagged with

Comments

Vhaeyne

I think Verifying ID is an extreme step that may not actually work.

I recall having a friend "Rent" a KSSN(Korean Social Security Number) to play a Korean MMORPG before it came out over here years ago. I am not sure if this is still possible.

I think it may help, but it's a not a perfect solution.

CROW3

I wouldn’t trust a gaming company to secure that level of PII.

Volgaris

Vhaeyne wrote: »

I think Verifying ID is an extreme step that may not actually work.

I recall having a friend "Rent" a KSSN(Korean Social Security Number) to play a Korean MMORPG before it came out over here years ago. I am not sure if this is still possible.

I think it may help, but it's a not a perfect solution.

There's a reason Arch Age didn't have the same issues in Korea as it did in the west. A lock is just a deterrent for the honest thief.

Volgaris

CROW3 wrote: »

I wouldn’t trust a gaming company to secure that level of PII.

Assuming you paid for the game yourself and used your credit card, wouldn't they already have it?

There are third party ID verifiers that could be used too.

Point is the cheaters will hide behind anonymity, time cards, vpns, false ID, ect. Some easier to do than others.

Noaani

Volgaris wrote: »

Verify actual ID like what's done in Korea.

This only works if the publisher is only operating in a handful of countries.

XL could do it in South Korea, but not Japan, not North America, not Europe.

The reason for this is simple, there is no universal identification system. A company would need to use different systems from different countries, a different system for each country. You would need to maintain your verification systems as each country updated their individual systems, and you are also relying on the least secure of these systems for your game as a whole.

I mean, what system could Intrepid use to verify the identity of a player in Fiji, or in Luxemberg, or in San Marino?

There are third party companies that could be used, but as these companies are already targets for hacking, I wouldn't be suggesting anyone use them.

CROW3

Volgaris wrote: »

Assuming you paid for the game yourself and used your credit card, wouldn't they already have it?

No, cardholder information is encrypted via a hosted 3rd party solution to prevent Intrepid’s system from falling into PCI scope (payment card compliance). I imagine that a similar model might be used for encrypted SSN verification, but I wouldn’t want that kind of PII used for something as trivial as a game. From a data protection perspective SSN is much higher priority than PCI, and has much more severe consequences for Intrepid for data breaches.

Noaani

CROW3 wrote: »

Volgaris wrote: »

Assuming you paid for the game yourself and used your credit card, wouldn't they already have it?

No, cardholder information is encrypted via a hosted 3rd party solution to prevent Intrepid’s system from falling into PCI scope (payment card compliance). I imagine that a similar model might be used for encrypted SSN verification, but I wouldn’t want that kind of PII used for something as trivial as a game. From a data protection perspective SSN is much higher priority than PCI, and has much more severe consequences for Intrepid for data breaches.

Indeed.

The thing many people seem to forget with this kind of thing is that internet security/identification would be a trillion dollar business, if someone was able to actually make it work.

Based on this, the notion that a small game developer with barely more than a few dozen employees would crack this is amusing.

Microsoft, Apple, Google, Facebook, police, military and intelligence services can't do this, but surely Intrepid can!

Volgaris

Seems ID verification would be really tough to implement. I'm probably just jaded, but it's hard to see success for any MMO without something drastic being done about those that exploit/cheat. Maybe employing more GMs and tons of checks/logs. But once a bot or cheater is banned they'll open a new account, adding a box price would be added overhead for them. Since CC info is encrypted and they don't have it, banning a CC couldn't be used. Maybe blocking VPNs too from connecting.

Noaani

Volgaris wrote: »

Seems ID verification would be really tough to implement. I'm probably just jaded, but it's hard to see success for any MMO without something drastic being done about those that exploit/cheat. Maybe employing more GMs and tons of checks/logs. But once a bot or cheater is banned they'll open a new account, adding a box price would be added overhead for them. Since CC info is encrypted and they don't have it, banning a CC couldn't be used. Maybe blocking VPNs too from connecting.

Disclaimer; my info here is a few years old, I don't have anyone I am willing to check in with about it today.

The problem with banning VPN's is that the way they do this is that they ban all IP addresses thst are known VPN's.

Since it isn't all that hard to set up your own VPN, with your own IP addresses, VPN bans only really affect legitimate players, as opposed to botting companies.

This is an area @PirateSoftware is far more qualified to speak than I am, but you need to keep in mind that with bots, you are dealing with multi-million dollar organizations (likely bigger than Intrepid, all told), not just some random guy in his parents basement.

Volgaris

@Noaani : Yeah I figured the botting companies have massive resources. But the more overhead we can throw at them the better I say. The idea would be to make it less profitable. I'm not a economy guy, assume it just needs more electrolytes when it's broken. But blocking commonly used VPNs would be simple. And detecting when several connections come from the same IP could be flagged and investigated for legitimacy. Similar to how they blocked the ddos ips from china at the launch of phase 1. But got to give them more overhead than they give Intripid.

At the end of the day if the players feel like the game has lost its integrity then players will leave.

Noaani

Volgaris wrote: »

Noaani : Yeah I figured the botting companies have massive resources. But the more overhead we can throw at them the better I say.

Sort of.

My opinion on this matter is - as you kind of hinted at in your earlier post - that we should have no idea at all about any of this.

This is because if we know what game developers are doing to combat cheating, the cheaters definately know as well. The more they know, the easier it is for them to circumvent.

What we should be doing is stating often and loud that we do not want cheating, commenting on the amount we are seeing in game, and (most importantly) canceling subscriptions if it crosses our own personal line.

This last one is the only action players can take, but is often overlooked.

If players are going to remain paying for a game that has rampant cheating, developers have no incentive to spend money stopping it from happening.

SmileGurney

CROW3 wrote: »

I wouldn’t trust a gaming company to secure that level of PII.

They wouldn't have to deal with PII data directly, just the person's identifier. Think Paypal for anti-cheat purposes, or even a payment gateway from a bank, to which you end up getting redirected when making a purchase from a digital service.

That gaming industry does not leverage a proper anti-cheat solutions, which track people's actual financial identity and allow them to bar them from their services. To me it just shows unwillingness to address that issue, because its "costs money". There is clearly a market gap here.

CROW3

I know how they would do it, I just wouldn’t trust them to do it well, and once we’re using SSN to access a game - the game is too expensive.

Volgaris

ThevoicestHeVoIcEs wrote: »

CROW3 wrote: »

I wouldn’t trust a gaming company to secure that level of PII.

They wouldn't have to deal with PII data directly, just the person's identifier. Think Paypal for anti-cheat purposes, or even a payment gateway from a bank, to which you end up getting redirected when making a purchase from a digital service.

That gaming industry does not leverage a proper anti-cheat solutions, which track people's actual financial identity and allow them to bar them from their services. To me it just shows unwillingness to address that issue, because its "costs money". There is clearly a market gap here.

Yep, there are tons of ways to verify identity. Different regions will have different solutions. But for most western nations paypal would probably work. Asia might have others. Are there ways to fake identity? Well yeah identity theft is big business too, but that's an actual crime, not just a violation of a games policy. The consequences are much greater to get an edge in a virtual world. People still will, but there will be much less.

Can it be done? I think so. How effective will it be? I'm not sure, but I do believe the juice is worth the squeeze. Will they do it? Probably not.

Noaani

Volgaris wrote: »

ThevoicestHeVoIcEs wrote: »

CROW3 wrote: »

I wouldn’t trust a gaming company to secure that level of PII.

They wouldn't have to deal with PII data directly, just the person's identifier. Think Paypal for anti-cheat purposes, or even a payment gateway from a bank, to which you end up getting redirected when making a purchase from a digital service.

That gaming industry does not leverage a proper anti-cheat solutions, which track people's actual financial identity and allow them to bar them from their services. To me it just shows unwillingness to address that issue, because its "costs money". There is clearly a market gap here.

Yep, there are tons of ways to verify identity. Different regions will have different solutions. But for most western nations paypal would probably work. Asia might have others. Are there ways to fake identity? Well yeah identity theft is big business too, but that's an actual crime, not just a violation of a games policy. The consequences are much greater to get an edge in a virtual world. People still will, but there will be much less.

Can it be done? I think so. How effective will it be? I'm not sure, but I do believe the juice is worth the squeeze. Will they do it? Probably not.

I mean, I have 4 PayPal accounts, and access to another half dozen or so.

That is without actually trying to create excess accounts.

There is no identification verification that works in an online setting. If there was, everyone would already be using it.

Otr

I miss the days when I used to read science fiction books :'(

Volgaris

Noaani wrote: »

Volgaris wrote: »

ThevoicestHeVoIcEs wrote: »

CROW3 wrote: »

I wouldn’t trust a gaming company to secure that level of PII.

They wouldn't have to deal with PII data directly, just the person's identifier. Think Paypal for anti-cheat purposes, or even a payment gateway from a bank, to which you end up getting redirected when making a purchase from a digital service.

That gaming industry does not leverage a proper anti-cheat solutions, which track people's actual financial identity and allow them to bar them from their services. To me it just shows unwillingness to address that issue, because its "costs money". There is clearly a market gap here.

Yep, there are tons of ways to verify identity. Different regions will have different solutions. But for most western nations paypal would probably work. Asia might have others. Are there ways to fake identity? Well yeah identity theft is big business too, but that's an actual crime, not just a violation of a games policy. The consequences are much greater to get an edge in a virtual world. People still will, but there will be much less.

Can it be done? I think so. How effective will it be? I'm not sure, but I do believe the juice is worth the squeeze. Will they do it? Probably not.

I mean, I have 4 PayPal accounts, and access to another half dozen or so.

That is without actually trying to create excess accounts.

There is no identification verification that works in an online setting. If there was, everyone would already be using it.

yes making a paypal account is easy, but verifying it with a bank account is a little more involved. and pay pal is only one example. you can look into "id.me" <- url. google it and you'll see there are other ways to verify identity. can it be cheated? yep. is that a crime? yep. really goes into risk vs reward.

Volgaris

Otr wrote: »

I miss the days when I used to read science fiction books :'(

yes the world is full of people like you. the "can't be done" types. the nay sayers, the stonewallers, the gatekeepers. progress will still happen with or without you.

Otr

Volgaris wrote: »

Otr wrote: »

I miss the days when I used to read science fiction books :'(

yes the world is full of people like you. the "can't be done" types. the nay sayers, the stonewallers, the gatekeepers. progress will still happen with or without you.

Yes, here we talk considering the present and willing to trigger some progress.
Trying to predict what and when that progress will occur, it pushes me into a future where not only IDs might be available but also the AI will advance and might reside in physical human like shells or we will have implants which makes the richer people be more skilled at memorizing or faster to analyze and react. Maybe some will play from bases on Moon.
If you tell me not to look so far into the future, then what I see is a different picture, where companies make displays with embedded software where you can run addons to help you while playing games, which might be against the developer's EULA but not detectable by any anti-cheat solution.
So if we want to go on that path, to reach a point where we might be able to detect if a player cheats or not, the path leads me into a future quite similar to some books I used to read many years ago.

Volgaris

Otr wrote: »

Volgaris wrote: »

Otr wrote: »

I miss the days when I used to read science fiction books :'(

yes the world is full of people like you. the "can't be done" types. the nay sayers, the stonewallers, the gatekeepers. progress will still happen with or without you.

Yes, here we talk considering the present and willing to trigger some progress.
Trying to predict what and when that progress will occur, it pushes me into a future where not only IDs might be available but also the AI will advance and might reside in physical human like shells or we will have implants which makes the richer people be more skilled at memorizing or faster to analyze and react. Maybe some will play from bases on Moon.
If you tell me not to look so far into the future, then what I see is a different picture, where companies make displays with embedded software where you can run addons to help you while playing games, which might be against the developer's EULA but not detectable by any anti-cheat solution.
So if we want to go on that path, to reach a point where we might be able to detect if a player cheats or not, the path leads me into a future quite similar to some books I used to read many years ago.

I'm literally just talking about having to use an verification process to buy and subscribe to this product. The list of products that require an ID are endless. If you think an MMO requiring ID to play a game will lead to Skynet AI Moon Base Bot Human Extermination, well... I'll be here on Earth if you want to actually discuss the merits of and challenges of an identification system.

At the end of the day cheaters hide behind anonymity. Time cards, vpns, false id, ect. Because we can't stop it all or the outcome tickles someones sense of AI Terminator take over isn't a reason to not fight for the games integrity.

Child Item