27 November 2015

As risky as it gets

Ohad Samet - PayPal

Innovation in Financial Services

Deconstructing Zynga: what's up in Social Gaming fraud

Talking to friends in a party I had to hold myself from becoming too smuggy-smug-smug. Yep, the lot of "I'm too good for Mafia Wars" geeks fell prey to the eggplant-growing rhythm of Farmville. Eggplants. My friends. I don’t even like eggplants, but still felt responsible in a way, though they’re only a drop in Zynga’s estimated 15M+ daily users (the numbers keep growing...). But things were only getting better for me that day.

“You know”, said one of the guys, “this social gaming stuff is really worth a lot of money. I know someone who made $100K off this thing”.

KACHING!!! Immediately he had my full attention. You don’t just MAKE $100K playing social games by the book, even if you break a finger playing Texas Hold’em. I had to know.

So, obviously, the guy was committing fraud. Using a set of scripts that acted on his command (also called a “bot net”), he opened numerous poker accounts on Facebook and collected the free chips you get when you do so (sometimes referred to as chip farming, and something I wrote about in the past). Then he needed to aggregate all these chips into one account and sell them. The way he did it was amazingly simple: he played poker games in which he controlled both players, and intentionally lost all his chips to – basically – himself. Then, after finding a buyer for the chips and getting the money, he would pass the chips to that player using the same method.

Ok then, what have we learned? First of all, where there’s money there’s fraud. It’s comforting for people in the business, maybe less so for people who’d want to believe in the goodness of mankind; but, then again, we’re not having an ethical discussion. The psychological angle is interesting, though – this normative (judging by my friend’s testimony) person is committing large-scale fraud, deterred by neither conscience nor law enforcement, and the only effect he sees is a slap on the wrist in the shape of an occasional banned account, immediately replaced by another bot. It’s so simple, it’s genius. Not that I in any way support fraud, but you have to commend a good operation once you hear about one.

The second highly interesting thing is the speed with which secondary markets evolve. I can’t imagine this guy advertising his stolen chips in his Facebook status message – he had to go somewhere where people knew chip trading was going on. This isn’t such big news for long-running games in the MMORPG arena like World of Warcraft - trade has been going on for years, and the MMO gold exchange was active even in our NPX days, back in 2005. On a side note, what I personally don’t understand is why gaming companies do not endorse secondary markets; definitely not for “game fairness”, since paying for items in the game is part of their own business model. If you have a solid argument, let me know.

The most interesting issue for me, however, is the simplicity and ease of the actual fraud case. In trying to learn about Zynga’s risk management capabilities, I came across a short quote from Zynga’s CEO, saying that they had to develop everything in-house. Looking at the market (even in PayPal, I have to admit) I understand why: when you get recommendations like “Use SSL and remember you’re accountable”, it’s hard not to get depressed. But what is that “everything” they developed in-house? Zynga has many fraud challenges, and chip farming is only one of them. Legitimate accounts taken over to drain their chips (a challenge they share with Facebook), stolen credit cards used to buy in-game items and even click fraud (though the latter might be the least of their problems) are others. My uneducated guess is that Zynga is at the beginning of their risk management career, currently using a basic rules engine to limit risky purchase profiles, some IP blacklists, a very basic velocity control system and a lot of manual review. The next step is industry-standard statistical models, not such a bad idea compared to nothing but, as I’ve noted in quite a few blog posts in the past, far from ideal when dealing with low-information, instant-delivery transactions. The ease of the fraud case as I heard it proves that there’s still a long way to go. Lucky for Zynga, they work on Facebook. Harnessing the power of the user data available in this network allows top-notch user verification; the only question is using the right practice.
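The chip-farming scheme described above leaves a distinctive trace that a simple velocity control can catch: one account repeatedly winning (almost) the entire signup grant from many freshly created accounts in a short window. The following detector is an added example, not Zynga’s or the author’s code; the hand log, account table, free-chip amount and thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FREE_CHIPS = 2000                    # constructed: chips granted to every new account
MAX_FEEDER_AGE = timedelta(days=2)   # a loser younger than this counts as a fresh account
WINDOW = timedelta(hours=24)         # velocity window for counting fresh feeders
FEEDER_THRESHOLD = 5                 # distinct fresh feeders per window before flagging

T0 = datetime(2010, 1, 10, 12, 0)
# Constructed account table: account -> signup time
ACCOUNTS = {
    "collector": T0 - timedelta(days=30),
    "alice": T0 - timedelta(days=100),
    "bob": T0 - timedelta(days=200),
    "newbie": T0 - timedelta(hours=3),
}
ACCOUNTS.update({f"bot{i:02d}": T0 - timedelta(hours=1, minutes=i) for i in range(1, 7)})

# Constructed heads-up hand log: (time, loser, winner, chips lost)
HANDS = [(T0 + timedelta(minutes=10 * i), f"bot{i:02d}", "collector", FREE_CHIPS)
         for i in range(1, 7)]
HANDS += [(T0, "alice", "bob", 500),                          # ordinary game, aged accounts
          (T0 + timedelta(hours=2), "newbie", "alice", 300)]  # genuine new player, small loss

def is_feeder_loss(signup, hand_time, chips):
    """A fresh account dumping (almost) its whole signup grant in one hand."""
    return hand_time - signup < MAX_FEEDER_AGE and chips >= 0.9 * FREE_CHIPS

def flag_collectors(accounts, hands):
    """Map winner -> sorted feeder accounts, for winners fed by at least
    FEEDER_THRESHOLD distinct fresh accounts inside any WINDOW-long sliding window."""
    feeders = defaultdict(list)          # winner -> [(time, loser)] in time order
    for t, loser, winner, chips in sorted(hands):
        if is_feeder_loss(accounts[loser], t, chips):
            feeders[winner].append((t, loser))
    flagged = {}
    for winner, events in feeders.items():
        for i, (start, _) in enumerate(events):
            in_window = {l for t, l in events[i:] if t - start <= WINDOW}
            if len(in_window) >= FEEDER_THRESHOLD:
                flagged[winner] = sorted(in_window)
                break
    return flagged

if __name__ == "__main__":
    for winner, bots in flag_collectors(ACCOUNTS, HANDS).items():
        print(f"review {winner}: fed by {len(bots)} fresh accounts {bots}")
```

The same aggregation, keyed on the buyer instead of the collector, also surfaces the hand-off to the purchaser, since that transfer uses the identical lose-on-purpose pattern.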

What are best practices for controlling fraud in digital goods commerce? I strongly suggest a closed-door system requiring layered user verification, a signup page that doesn’t make a cult out of not requiring user info, and a well-thought-out user interaction mechanism, all governed by highly trained analysts. This won’t solve the problem, but it will definitely lay the foundations for a risk management system that can evolve into something that really works. Based on the stories and some simple analysis, it’s clear that Zynga and other social gaming companies desperately need real-life barriers that will not kill their business. It’s possible; you just have to do it right.

Uri Rivner - BioCatch - Tel Aviv | 14 January, 2010, 08:11

Two comments:

First, the reason companies like WoW ban secondary trade in virtual items is that they try to prevent an unstable in-game economy and inflation. They try to fight gold farming by making it illegal. Second Life’s whole economy is based on trading Linden Dollars for real dollars in-game, and they have a team of economists working hard to keep control of the virtual world’s financial system. A stable economy is important for trust, and allows in-game financial institutions such as banks, credit agencies and stock exchange markets to grow. Eve Online has virtual banks with assets that mimic real-life financial institutions. But if someone just prints money by paying a sweatshop a cent for a virtual dollar, it skews the virtual economy badly.

Not everyone agrees that banning virtual item trades is the right thing: Sony has a legal virtual item trading platform for Everquest: the argument is “if you can’t beat them, join them” and try to control the situation.

Second note is around balancing security and usability. From Zynga’s perspective, it’s probably right to keep fraud controls at bay and focus on offering a user friendly experience. As long as their account takeover fraud remains low, they can treat the fraud losses from fake applications as cost of doing business, at least until losses reach a painful level. Meanwhile they can prepare the defenses, but use them only when needed.

The real challenge is going to be defending against account takeover because this has a totally different impact on users: you don’t want to wake up and discover your chips gone with the wind or your reputation ruined because some crook signed in as yourself and lost games on purpose. Since authentication in social networks is quite exposed, this poses a serious problem that is more difficult to address than fighting fraudulent new accounts.

A Finextra member | 17 January, 2010, 07:38

Hi Uri, thanks for your comment.

To me, both your points are actually one: the industry is nascent and at this stage they don't see the value in risk management for various reasons.

I understand that: growing at hundreds of percent YoY, it's easy to just ride the train, think happy thoughts ("I have zero cost of goods produced. I don't care about fraud") and treat losses as an acquiring budget. But growing pains are coming - some of them have already hit publishers (the whole "scamville" shebang http://fraudbackstage.blogspot.com/2009/11/offer-walls-and-marketplaces-real.html ) and others are on their way (regulation, realizing the true cost of loss: refund processing, card association fines, etc.).

Now, you don't have to actually sacrifice usability and your virtual economy if you manage risks intelligently. That's one of the themes of my blog and this post: I don't believe in risk managers being a group of bureaucrats trying to cover their asses by enforcing regulations and passing liabilities to users.

As for virtual economies - some companies beg to differ. Personally, I believe that the market will see its next huge wave (in 1.5-2 years) in p2p (or u2u, depending on what terminology you use) trade of goods. Yes, it will make virtual economies harder to manage, but it is doable, and has many advantages. The risk of fraud is an obvious disadvantage - but if we don't try to solve that, where's the fun? :)

