Exploits and ...bans?

For a game that will rely on a player ran economy and pvp exploits, botting, such as exp gain from glitchy mobs, duping of assets, basically any exploit or cheat that gives a player or guild an advantage will be a game killer. There's even open recruitment to "Exploiters" guilds, this could be a troll, I don't know. At the end of the day the common player is going to have to have trust that the game is fair, even if the game is fair if that trust is gone then those players will leave.

I don't know what defenses are in place and I shouldn't know. But they can't balance exploits, and balancing an economy to offset bots kills half the life skills in the game. You can build the most wonderful game with pretty graphics, amazing mechanics, and top notch systems, but cheaters will destroy it if they can, just because they can.

Two big things they could do and they should do is:
1. No time cards. These are used by exploiters/botters/cheaters.
2. Verify actual ID like what's done in Korea. This is extreme I know, but there's too much money to be made in exploiting MMOs. No matter the resources that Intripid throws at combatting this, they won't win without extreme measures.

Find more posts tagged with

Comments

Noaani

Volgaris wrote: »

Noaani wrote: »

Volgaris wrote: »

ThevoicestHeVoIcEs wrote: »

CROW3 wrote: »

I wouldn’t trust a gaming company to secure that level of PII.

They wouldn't have to deal with PII data directly, just the person's identifier. Think Paypal for anti-cheat purposes, or even a payment gateway from a bank, to which you end up getting redirected when making a purchase from a digital service.

That gaming industry does not leverage a proper anti-cheat solutions, which track people's actual financial identity and allow them to bar them from their services. To me it just shows unwillingness to address that issue, because its "costs money". There is clearly a market gap here.

Yep, there are tons of ways to verify identity. Different regions will have different solutions. But for most western nations paypal would probably work. Asia might have others. Are there ways to fake identity? Well yeah identity theft is big business too, but that's an actual crime, not just a violation of a games policy. The consequences are much greater to get an edge in a virtual world. People still will, but there will be much less.

Can it be done? I think so. How effective will it be? I'm not sure, but I do believe the juice is worth the squeeze. Will they do it? Probably not.

I mean, I have 4 PayPal accounts, and access to another half dozen or so.

That is without actually trying to create excess accounts.

There is no identification verification that works in an online setting. If there was, everyone would already be using it.

yes making a paypal account is easy, but verifying it with a bank account is a little more involved. and pay pal is only one example. you can look into "id.me" <- url. google it and you'll see there are other ways to verify identity. can it be cheated? yep. is that a crime? yep. really goes into risk vs reward.

It isn't that hard to do everywhere.

Just because it may work where you are from, doesn't mean it will work in the other 190+ countries Intrepid want to sell the game to.

Again, if it was as easy as you seem to think it is, literally everyone would be doing it.

Otr

Volgaris wrote: »

Otr wrote: »

Volgaris wrote: »

Otr wrote: »

I miss the days when I used to read science fiction books :'(

yes the world is full of people like you. the "can't be done" types. the nay sayers, the stonewallers, the gatekeepers. progress will still happen with or without you.

Yes, here we talk considering the present and willing to trigger some progress.
Trying to predict what and when that progress will occur, it pushes me into a future where not only IDs might be available but also the AI will advance and might reside in physical human like shells or we will have implants which makes the richer people be more skilled at memorizing or faster to analyze and react. Maybe some will play from bases on Moon.
If you tell me not to look so far into the future, then what I see is a different picture, where companies make displays with embedded software where you can run addons to help you while playing games, which might be against the developer's EULA but not detectable by any anti-cheat solution.
So if we want to go on that path, to reach a point where we might be able to detect if a player cheats or not, the path leads me into a future quite similar to some books I used to read many years ago.

I'm literally just talking about having to use an verification process to buy and subscribe to this product. The list of products that require an ID are endless. If you think an MMO requiring ID to play a game will lead to Skynet AI Moon Base Bot Human Extermination, well... I'll be here on Earth if you want to actually discuss the merits of and challenges of an identification system.

At the end of the day cheaters hide behind anonymity. Time cards, vpns, false id, ect. Because we can't stop it all or the outcome tickles someones sense of AI Terminator take over isn't a reason to not fight for the games integrity.

I don't know where cheaters hide. I used cheats in offline games years ago where I gave myself infinite lives or to pass through walls

But I guess a similar concept like in Korea which you mentioned can be implemented everywhere, if there is enough desire. Somehow the rest of the world was not motivated enough yet.
Even if it will not completely stop cheaters, it could reduce their numbers and maybe would reduce the player count too for some games.

daveywavey

Otr wrote: »

I miss the days when I used to read science fiction books :'(

What's stopping you? Go grab a book!

Volgaris

@Noaani I'm not saying it's easy. I'm saying it's do able. Verifying ID works, it's why Arch Age worked in Korea but got totally screwed in the west. They could easily implement Koreas SSN system for their Korea servers. Or implement an ID verification system for the US using any number of third party ID verification systems. Maybe not all servers need it, like the ones they plop down in China or Russian. Given the choice I'd easily choose a server that had ID verification and I'd even pay extra to use that server. Just because it's "not easy" doesn't mean it can't be done or shouldn't be done.

Volgaris

@Otr Yep you're right it could reduce the player count. I'm not sure if it can actually be implemented everywhere, who knows what can be done in say African nations but at least for their large markets like the US, EU, East Asia, it could be done. Which is probably the vast majority of their revenue.

Cheaters (bot farms, gold sellers, exploiters, ect...) all hide behind vpns, time cards, ect. It's actually stupid easy to do. Tons of blogs, discords, videos, ect on it. Ashes won't be any different in this respect than WoW or any other MMO. How long before there's an Ashes token? Ashes gold is already being advertised on these sites... 1g for 13.99~ . Quite steep right now, but I guarantee it will drop after launch once botting programs like MacroGoblin get updated or someones basement cpp program gets done.

Otr

daveywavey wrote: »

Otr wrote: »

I miss the days when I used to read science fiction books :'(

What's stopping you? Go grab a book!

Good question.
I've not tried to read sci-fi books anymore because overtime I shifted to fantasy books and then I stopped reading. The fantasy worlds were easier to accept (being fantasy) than the sci-fi worlds.
But maybe I have to grab a book. Maybe I get addicted and I'll test less AoC... but then I'll catch fewer bugs :'(

Noaani

Volgaris wrote: »

They could easily implement Koreas SSN system for their Korea servers.

It worked in Korea because that system exists in Korea.

It doesn't exist everywhere. Not every nation assigns it's population numbers. In fact, most don't.

Intrepid could not have any system like this for an EU server. It wouldn't be possible, and if it were possible it wouldn't be legal (for three different reasons that I can think of off the top of my head). If it were legal, the cost associated with data security requirements would make it a financial burden to Intrepid.

In the US, it may be possible, but 75%+ US players would not want Intrepid having access to that level of information on them, and so it wouldn't function. Third party companies that specalize in this have a habbit of selling up as soon as the value of the data they have on file is worth more than they are gaining from operating the service itself - and that data is now in the hands of whom ever wishes to purchase it.

Again, you need to ask yourself why Google, Microsoft, Apple or Facebook aren't doing these things. They stand to make exponentially more money from it than Intrepid would ever make from this game - they also have expenentially more resources to put towards making something like this work. So if they aren't able to make it work, why would you think Intrepid can?

Volgaris

@Noaani
75% you say? Did you do a survey recently? Made up stats aside. Lets look at a market, the US market. They can use ID.ME or something like that. Your name is NOT PPI/PII nor is your address, if that were the case every county in the USA would need to take down their GIS sites. ID.ME would be the ones holding that information anyways. Doesn't it cost? probably, didn't look into it. But generally you pay for tokens for access to the api, which i'm intrepid is already familiar with. It'd be similar to the payment systems they have setup. They didn't setup a whole bank to take payments, they don't need to setup a whole system to verify ID. So Yes the system does exist in the US and many other countries. You say it wouldn't be legal in the EU, but didn't state your 3 reasons. I don't know EU law and really don't care about it or for it, nor would I be playing on an EU server. I still think it can be done and should be done for the EU servers, they wouldn't need a special security system for guarding the PII because it's not PII nor would they even be the holders or verifiers of the PII.

Only thing I'm not sure about is how many people would actually NOT play because of this? Would it be 75% hell I don't know, nor do you. But given an option between a verified server for $20 a months or a no verified server for $15 a month? I'd choose the verified one.

This isn't a new concept...

There's a quick list of ID verifications sites I got from google and chatgpt.
Jumio
Onfido
Trulioo
IDology
LexisNexis Risk Solutions
Socure
Experian IdentityWorks
ID.me

Noaani

Volgaris wrote: »

This isn't a new concept...

There's a quick list of ID verifications sites I got from google and chatgpt.
Jumio
Onfido
Trulioo
IDology
LexisNexis Risk Solutions
Socure
Experian IdentityWorks
ID.me

You seem to be misrepresenting what I am saying.

I am not saying this is a new idea, and no one can do it. I am saying no one can do it well.

Do a little bit of a deeper dive in to your list above, and look at how many key people involved with those services have been charged for things like fraud. Look in to how many similar companies have existed, been sold and had the data they collected used or sold off.

There are - as I have been saying - reasons what you are talking about has not been done. You are not the first person to think of doing this, people at companies like those I have listed above have considered it and have decided against it - because it is bad for their consumers (even Facebook considers it a privacy concern).

The entire idea you have around these companies is bad. These companies are bad.

Laetitian

Volgaris wrote: »

Seems ID verification would be really tough to implement. I'm probably just jaded, but it's hard to see success for any MMO without something drastic being done about those that exploit/cheat. Maybe employing more GMs and tons of checks/logs. But once a bot or cheater is banned they'll open a new account, adding a box price would be added overhead for them. Since CC info is encrypted and they don't have it, banning a CC couldn't be used. Maybe blocking VPNs too from connecting.

This talking point is so old and lazy. Blizzard and other gaming corporations reinforce these excuses so they don't get the backlash they deserve for going soft on gold farmers in order to profit on both sides.

If you track gold trading and remove all the wealth accumulated by the account when it gets banned, within a few months there won't be any point left to paying for that stuff.
Track all trades made by gold/resource/item farmers, undo all the trades that drastically favour one side in value and cleanly reverse all equal-value follow-up trades made with uninvolved third parties. That doesn't even have to be a ton of data to store (though it would probably help to have additional data once suspicious activity has been flagged.)

Banning credit cards and verifying identities is an expensive extra step that fails to extinguish the problem at the root: If the result of cheating is reliably being worse off than you were before you did it, no one's going to do it.
The only reason gaming companies don't eliminate cheating is because they don't want to.
I'm sure some of the decisionmakers believe their own excuses but that's again just because they don't want to think about it any deeper.

Noaani wrote: »

The problem with banning VPN's is that the way they do this is that they ban all IP addresses thst are known VPN's.

Since it isn't all that hard to set up your own VPN, with your own IP addresses, VPN bans only really affect legitimate players, as opposed to botting companies.

X to doubt? "Banning known VPNs" doesn't mean banning any IP that has ever served as a VPN, it means banning any VPN that is known to have served as a public paid VPN. You identify them on the market, not in their network
protocol header or through tracing, that's not what's of interest to you.

You ban the top providers, problem fixed. Maybe you pay a security company that has a list.

Personally I don't think it's a necessary step, but there's no way that accidentally banning someone whose personal IP happens to function as a VPN is the issue.

PS: This part of the discussion has been about real-money trading (and any associated exploits) while the main thread is about punishing all forms of cheating. While I acknowledge that difference and that my suggestions don't apply to the other aspects, I think it's obvious why real-money trading is the only situation where you really *need* rigorous systems. A private cheater might spin up 4 different accounts and cheat on each one, but there are only so many times you'll need to ban an exploiting player's max-level account before they'll give up on either cheating or more likely the game.

Also, the 80:20 rule applies to all of these suggestions. You don't need to eliminate the problem for good or follow every piece of wood traded by a goldseller or buyer, in order to make it unattractive for the customers and unviable for the providers.

Volgaris

Noaani wrote: »

Volgaris wrote: »

This isn't a new concept...

There's a quick list of ID verifications sites I got from google and chatgpt.
Jumio
Onfido
Trulioo
IDology
LexisNexis Risk Solutions
Socure
Experian IdentityWorks
ID.me

You seem to be misrepresenting what I am saying.

I am not saying this is a new idea, and no one can do it. I am saying no one can do it well.

Do a little bit of a deeper dive in to your list above, and look at how many key people involved with those services have been charged for things like fraud. Look in to how many similar companies have existed, been sold and had the data they collected used or sold off.

There are - as I have been saying - reasons what you are talking about has not been done. You are not the first person to think of doing this, people at companies like those I have listed above have considered it and have decided against it - because it is bad for their consumers (even Facebook considers it a privacy concern).

The entire idea you have around these companies is bad. These companies are bad.

lol that list was a quick search. an after though addition... it's funny you cherry picked that out of everything and lean so heavily on the 'it's too hard to do'. if all you have is wild claims like 'even facebook won't do it' and 'it's too hard' i don't think we have much to talk about. you have your opinion and i have mine. if you show me an example or two or three of a company trying to implement something like this and it failing than please do. Or an article or something. At I'm not saying it'd even work or have the desired out come I'd like to see, but just because "it's too hard", "people don't want it", "facebook doesn't do it", is just farts in the wind.

Volgaris

@Laetitian lol yeah i'm old. i've been screaming on this hill a long time. we do need to hold the game studios/publishers to a higher standard. I think, I hope Steven and Ashes is different. He doesn't want cheaters in the game, he will take a hard stance against them, he's not just looking at the bottom figure. So much of the game will be tied to the economy, once the cheaters get their teeth in it'll be hard to undo the damage. Despite is desires and efforts if extreme measures aren't put in place it's going to fail, and I don't want that.

To track every asset generated by a player you'd need every generated asset to be saved in the database with a unique ID of the player who generated it. Such as a piece of common copper. So if the player that generate that copper from the copper node was banned as a bot that piece of copper could be removed, regardless of who has it at the time of deletion. If that ore was used to make a weapon do you delete the weapon? This solution is more difficult to the Nth than other solutions to combat cheating. I'm not sure if that's exactly what you were getting at.

Great points though. 80/20 rule is real and effective. There lists of VPN Ips out there that could be used, but likely they would use a license on one of their network appliances. Detecting VPN type connections is fairly straight forward too, but this would add to an administrative overhead that would affect the bottom line. I don't know where or how they host their servers, but I'm sure even AWS has these options, in their paid tiers because Jeff needs another yacht..

Noaani

Laetitian wrote: »

You ban the top providers, problem fixed. Maybe you pay a security company that has a list.

I have no doubt that this is a viable way to do this now.

The thing is, it has the same issue. You can set up your own VPN fairly easily, there are a number of tutorials on YouTube for how to do it. If all you are doing is blocking the top providers, all you are doing is preventing honest (or lazy) cheaters.

This does absolutely nothing at all to prevent those exploiting as a business. Nothing at all. Ot won't even slow then down.

Noaani

Volgaris wrote: »

if you show me an example or two or three of a company trying to implement something like this and it failing than please do.

Again, you are mis-understanding what I am saying.

I am not saying it can't be done. I never said that. I said (many, many times, you should learn to read) that the companies that are doing it are all set up to be sold off to capitalize on the data they collect. The data they have on hand is worth more than the service they offer, so that data WILL be sold off.

That is why people with a fraud background are so attracted to these kinds of businesses. The entire industry is set up to be sold off to profit from the information they collect.

Thus, any company that asks its users to use one of these services is guaranteeing that all of its users are giving their personal identifying information to anyone willing to pay for it.

Do I really need to give you examples of companies that have collected information on people, only for that information to end up with others for various reasons? 23 and me and Ashley Maddison would be the two big name examples if you want some. They perform a different function, but the the end result of *collect data for function of business > realize that data is worth more than the function of business > monetize data* is the same.

Volgaris

Noaani wrote: »

Laetitian wrote: »

You ban the top providers, problem fixed. Maybe you pay a security company that has a list.

I have no doubt that this is a viable way to do this now.

The thing is, it has the same issue. You can set up your own VPN fairly easily, there are a number of tutorials on YouTube for how to do it. If all you are doing is blocking the top providers, all you are doing is preventing honest (or lazy) cheaters.

This does absolutely nothing at all to prevent those exploiting as a business. Nothing at all. Ot won't even slow then down.

Yes setting up a VPN is simple as simple as detecting connections via a VPN. It would help a lot. Maybe this is the crux of the disagreement, you believe security doesn't work completely so it's not worth doing and/or these efforts will have no effect. Blocking access to a service via a VPN connection is done quite often. Detecting bot farms connecting through a VPN would be really easy even if it is a private/custom VPN.

Volgaris

Noaani wrote: »

Volgaris wrote: »

if you show me an example or two or three of a company trying to implement something like this and it failing than please do.

Again, you are mis-understanding what I am saying.

I am not saying it can't be done. I never said that. I said (many, many times, you should learn to read) that the companies that are doing it are all set up to be sold off to capitalize on the data they collect. The data they have on hand is worth more than the service they offer, so that data WILL be sold off.

That is why people with a fraud background are so attracted to these kinds of businesses. The entire industry is set up to be sold off to profit from the information they collect.

Thus, any company that asks its users to use one of these services is guaranteeing that all of its users are giving their personal identifying information to anyone willing to pay for it.

Do I really need to give you examples of companies that have collected information on people, only for that information to end up with others for various reasons? 23 and me and Ashley Maddison would be the two big name examples if you want some. They perform a different function, but the the end result of *collect data for function of business > realize that data is worth more than the function of business > monetize data* is the same.

No need for a strawman argument... Give me an example of a company requiring valid ID to gain access to a service or product that failed because they required valid ID. Not about companies that leaked PPI because of bad security or shady employee. Also again your name is NOT PPI, nor is your address. This information is public record.

At the end of the day if you want to be completely anonymous on the internet (maybe go back to the 90's) fine go for it. Given the option I'd play on a server with verified players. Enjoy playing in the sea of bots and gold sellers. Or possibly given your stance and the strength of your arguments enjoy botting and selling gold in the sea of bots and gold sellers. Your basically saying don't use a tool to protect something from criminals because the tools used to protect may be abused too. Like don't put locks on your home because criminals might lock you in. I mean damn Meta, Google, Apple, Amazon, and more are already watching you poop. XD but nope lets not require ID verification because a company bound by law and severe punishes might abuse my name. A better argument is that people won't want to do it and that extra step would deter new players and lower sales... but then Verizon is still in business and doing quite well lol. So...

Noaani

Volgaris wrote: »

Maybe this is the crux of the disagreement, you believe security doesn't work completely so it's not worth doing and/or these efforts will have no effect.

No, in regards to VPN's i believe some people have perfectly valid reasons for using them, and since they aren't going to do anything at all to stop serious offending, on balance, it isn't worth it.

If there were no valid reasons for using them, then there would be no harm in blocking them.

Detecting bot farms using a custom VPN is indeed quite difficult. That is why those companies do this

No need for a strawman argument... Give me an example of a company requiring valid ID to gain access to a service or product that failed because they required valid ID.

I uave a better idea - name a company that operates online and does what you say.

The reason I am flipping that around is because I can't think of a single company that actually uses identification services as a hard requirement. The only organizations thst do are government based.

Given the option I'd play on a server with verified players.

Intrepid have no way to verify who I am.

Volgaris

Noaani wrote: »

Volgaris wrote: »

Maybe this is the crux of the disagreement, you believe security doesn't work completely so it's not worth doing and/or these efforts will have no effect.

No, in regards to VPN's i believe some people have perfectly valid reasons for using them, and since they aren't going to do anything at all to stop serious offending, on balance, it isn't worth it.

If there were no valid reasons for using them, then there would be no harm in blocking them.

Detecting bot farms using a custom VPN is indeed quite difficult. That is why those companies do this

No need for a strawman argument... Give me an example of a company requiring valid ID to gain access to a service or product that failed because they required valid ID.

I uave a better idea - name a company that operates online and does what you say.

The reason I am flipping that around is because I can't think of a single company that actually uses identification services as a hard requirement. The only organizations thst do are government based.

Given the option I'd play on a server with verified players.

Intrepid have no way to verify who I am.

okay, cool cool cool

OrcLuck

I believe giving a temp ban for a testing session would be an appropriate punishment. I don't think they should be in any way banned long term. They did a goof, and messed up a serious test environment. This is a vulnerability that was open in it's ability to be exploited...but it's also adding noise to useful data. Securing the errors creating those exploitable situation pushes back timelines for gathering data on that. Nothing to sweat, but certainly worth telling players to knock it off with a sincere gesture of a reprimand.

Volgaris

OrcLuck wrote: »

I believe giving a temp ban for a testing session would be an appropriate punishment. I don't think they should be in any way banned long term. They did a goof, and messed up a serious test environment. This is a vulnerability that was open in it's ability to be exploited...but it's also adding noise to useful data. Securing the errors creating those exploitable situation pushes back timelines for gathering data on that. Nothing to sweat, but certainly worth telling players to knock it off with a sincere gesture of a reprimand.

For an in game exploit like leveling via a glitch monster pawn. Exploit was really referring to cheaters, bots, gold sellers, as well as people using exploits to cheat their way to whatever victory is for them. You're not going to give a temp band to an account that bots or gold sells. That's perma ban territory.

Child Item