Stealing Digital Gold

March 29, 2015

Data breaches happen every day. Identity theft is part of the common vernacular. Every other week a major attack is in the news. The Target, Home Depot, and Sony hacks all made major headlines in 2014.

It would not be controversial if I were to say that stealing credit cards is big business. If bad guys can steal a million cards then they can profit by using the cards directly or selling them on the black market.

What if I told you that hacked video game accounts can be worth more than stolen credit cards? Would that surprise you? Well, it’s true. This has meaningful ramifications for both gamers and developers.

Words

Blizzard Entertainment launched the highly anticipated Diablo 3 in May 2012. The internet was immediately flooded with reports of hacked accounts. It was big news with dozens of press articles. Forum threads grew to hundreds of pages. It was a disaster.

I had a friend who was hacked. A fellow professional game developer who keeps his computer secure. He had a strong password that wasn’t used for any other service. One afternoon I saw him log in and out real quick. Less than a minute. I even said hi but he ignored it. That evening he came back and messaged me in shock. He had been hacked. His account was completely empty. I realized I saw it happen. I even messaged the bad guy who cleaned him out. It was surreal.

Black Market Prices

How much are stolen credit cards worth? It depends. It has a wide range. Anywhere from $1.50 to $50 seems common. Most of the following information comes from KrebsOnSecurity posts [1].

Stolen cards are bought online [2]. Raw CC numbers with no additional information are the cheapest. If you want the cardholder’s date of birth or maiden name that costs extra. If you narrow your search to state or even city that costs even more.

The now infamous Target hack appears to have been wildly successful. Cards from that breach, chock full of personal information, initially sold for $27 to $45 with a 100% success rate when used. Once Target publicly admitted to being hacked the success rate dropped to 60%, causing prices to fall to $8.

Now imagine a bad guy with a million stolen cards. How much money can they actually make off that? It’s gotta be hard to fence that many cards all at once. Once the fraud is detected they rapidly depreciate. The final sum could be relatively low. My gut says they’d only average a few dollars per card at most. That’s just a guess.

Digital Gold

What makes a Diablo 3 account valuable? Gold. Digital video game gold. When bad guys break into an account they take all the gold and sell it on sketchy third party sites for cash [3].

The gold economy in Diablo 3 inflated rapidly. During the first two weeks of launch it cost $300 per million gold. A few weeks later it was $10 per million. When the real money auction house went live it was $2 per million. Today it’s about $.70 per million [4].

Diablo 3 sold 6.3 million copies in its first week. Based on my playing experience I’d estimate in the launch window there were several million accounts worth at least $20. That’s a target rich environment.

Bad Guys and the FBI

What happens when corporations are hacked and credit cards are stolen? It’s a big frickin deal. The FBI investigates. Interpol gets involved. People are arrested. They go to jail. It’s serious business.

What happens when a video game account is hacked and fake digital gold is stolen? No one gives a shit. Well, players and developers do. But the FBI couldn’t care less. There are no international manhunts. No one goes to prison. Basically, the bad guys get away scot-free.

We know that bad guys go to great lengths to steal credit cards. We see it all the time. They’re worth a lot of money so it’s apparently worth the risk. What do you think happens when there are millions of video game accounts each worth more than a credit card but stealing them comes with zero risk? I’ll give you one guess.

How It Happens

How were the Diablo 3 accounts hacked? People claimed to have strong, unique passwords. Blizzard responded that after a thorough investigation all compromised accounts were accessed by using the correct password.

How did bad guys get the password then? Great question! No one knows for sure. There are lots of ways that can happen. Weak passwords, keyloggers, social engineering, wrenches, etc.

[Image: XKCD comic. Source: XKCD]

Keyloggers and Trojans and Malware Oh My

Due to the experience of multiple friends I think, but don’t know, that keyloggers were involved with Diablo 3. Keyloggers are incredibly easy to write [5]. The hard part is installing it on the target’s machine. This can be done a few ways. Tricking them into installing it for you is the simplest.

Confusing ads

A more difficult way is to exploit a vulnerability in some piece of software. Adobe Reader and Microsoft Office are notoriously vulnerable. Phishing e-mails often attach a .pdf or .doc file that if merely opened can infect you with malware (which includes keyloggers).

Web browsers are a major attack vector [6]. If there exists an exploit in your browser (Chrome, Firefox, etc) or something that runs inside your browser (Adobe Flash, Adobe Reader, etc) and you visit a malicious site then you can be infected with malware. This could happen if you accidentally click a fake download link.

Reputable sites can be hacked and loaded with malware which spreads to vulnerable users who visit. This route may require two separate exploits. One to access the server and one to install malware on clients.

Exploitable web ads are great for bad guys because they can run on specific sites. If a bad guy wants to hack Diablo 3 accounts then running a malicious ad on Diablo 3 fansites is a surefire way to infect people who play Diablo 3. In 2008 there was a nasty ad that installed a trojan if a user merely moused over it. You didn’t even have to click! The ad appeared on multiple World of Warcraft fan sites (Wowhead, Thottbot, and Allakhazam) and caused a lot of trouble.

Security Patches

Your computer updates itself all the time. Chrome updates regularly. Windows has Patch Tuesday. Adobe Everything patches daily. I believe Java patches every three minutes. Many of these patches are security fixes. They tell you as much. What they don’t tell you is how long the security hole has existed. It could be days or years. They may have even found the issue simply because they caught someone using it!

Running unpatched software is incredibly dangerous. Sometimes even patching isn’t enough. Zero-day exploits are exploits that are either unknown to developers or known but not yet patched. Anti-virus and security software are helpless against such exploits.

Stealing credit cards and stealing digital gold are both big business. Would it surprise you if I said selling zero-day exploits is also big business? Kevin Mitnick has a company that sells them for over $100,000. Forbes cites prices of $50,000 to $200,000 for browser exploits. The NSA spends millions of dollars a year buying such exploits.

Now I am not saying that Diablo 3 was keylogged via exotic zero-day exploits. I’m not saying that games in general are targeted using zero-day exploits. A bad guy is probably better off mining bitcoins or running an encryption extortion scheme than chasing digital gold. What I am saying is that it’s possible. It could happen. The more valuable the digital gold the more extravagant the lengths bad guys will be willing to go. When that value hits millions of dollars it becomes, I believe, a legitimate concern.

Two-Factor Authentication

Assume for a moment that bad guys can’t be stopped from installing keyloggers. That operating systems are fundamentally insecure [7]. Fortunately there are still things a user can do.

BattleNet Authenticator

Blizzard offers two-factor authentication in the form of an authenticator. Most people use the free smartphone app. It works by tightly associating with your Battle.net account. The authenticator generates a new number every 30 seconds. Every single time you login with your username and password you also have to punch in that number [8]. If a bad guy has your username and password but not your smartphone then they can’t access your account.

Blizzard’s authenticator is exceptionally secure. They claim not a single compromised Diablo 3 account had an attached authenticator.

Changing the Game

There are also things developers can do. They can change the game. Literally.

Game accounts are hacked because they are worth money. Therefore if an account isn’t worth money then it’s not worth hacking. Problem solved! I don’t think Blizzard has said so publicly but I strongly believe many of their recent design decisions took this into consideration.

Take Hearthstone for example. There is no financial value in a hacked account. None. You can’t trade or sell gold or cards. There’s nothing that can be given to another player. A bad guy could play the game and use whatever cool stuff is on that account. That’s it. There’s no money to be made. Bad guys don’t care [9].

Diablo 3 is now in a similar place. The auction house is dead. Gold is account bound. Legendary items are account bound. There’s nothing to trade or sell to other players. There’s nothing that can be stolen and converted to cash.

Developers can also restrict in-game trade. Don’t let players trade with accounts unless they’ve been friends for at least 30 days. This prevents bad guys from moving your gold if they do hack in [10].

Conclusion

Stolen game accounts can be worth more than stolen credit cards. When this happens the bad guys take notice.

To consumers: guard your accounts carefully. Especially any account that is worth money to a bad guy. Use strong passwords generated by 1Password or LastPass. Use two-factor authentication. If you have a Blizzard account add an authenticator immediately. Triple protect your e-mail. Many accounts can have passwords reset with just e-mail access. Your e-mail account probably contains the keys to your kingdom.

To developers: give consumers the tools necessary to protect their accounts. Carefully consider the potential value of an account. The higher the value the bigger the target. Strongly consider designs that prevent account content from being convertible to cash. If there’s no cash to be made then bad guys will have no interest.

Thanks for reading.

Bonus

If you made it this far then I’m quite happy. You’ve read all the key points that I wanted to make. I have a few more thoughts that I’d like to share. They aren’t critical to the core narrative so they didn’t quite fit in above. They’re a little scatterbrained but if you’ve enjoyed reading so far then please continue on.

Bonus: Non-Isolated Events

For the most part I only referenced a few specific instances. Largely the hacks of Target and Diablo 3. Don’t be mistaken and assume these are isolated events. Here are three more events of note.

Ubisoft recently had to deal with a major issue. Keys for the just released Far Cry 4 were bought off EA’s Origin. Those valid game keys were resold on questionable third party marketplaces similar to eBay. The only problem? The game keys were bought with stolen credit cards. Oops.

In 2012 players noticed suspicious trading activity on Steam. Team Fortress 2 has crate keys which cost a few dollars. These keys are a de facto currency for trading other items. Fan sites track the average value of various items in keys. A group of Russian players bought over 5000 keys. They used those keys to buy items well above market price. Those items were immediately sold for cash well under market value. They were intentionally taking a clear and immediate loss. Why? The crate keys were bought with stolen credit cards. Oops.

EA Sports added a game mode to FIFA called Ultimate Team. It’s a collectible card game. There are in-game packs of player cards. Gamers build their team from cards they’ve collected. Card packs are bought with either in-game currency or real money. Players can trade cards and currency with other players. Better player cards, such as Messi or Ronaldo, are rarer and thus more valuable. A top tier Messi card sells for $15 on eBay. A full team of top players is $150. Can you see where this is going? Accounts are hacked to steal currency and cards to sell for cash. Oops.

Bonus: Beating the Authenticator

Blizzard’s authenticator is secure. Really secure. Almost unbeatable even. However I know of at least two instances where it’s been beaten.

The first is so simple it’s almost boring — an inside job. When World of Warcraft was new there were a lot of issues with GMs abusing their power. Especially when it came to helping their friends beat raids [11]. Good help is hard to find. Power must be strictly limited to only employees who truly require it. Those powers must be logged and closely monitored so illegitimate use can be caught and punished.

The second is so elaborate it almost impresses me. Authenticator numbers are required to login and change every 30 seconds. This makes a keylogger useless… almost. An exceptionally determined bad guy can install a keylogger, wait for a user to login with username/password, wait for the user to try to login with the authenticator number, block that number from being sent to Blizzard’s servers [12], and then login within the next 10 to 15 seconds from a remote location.

Bad guys managed to widely install a trojan that did exactly this. They copied the website of an extremely popular World of Warcraft mod manager, Curse Client. Then they gamed Google to get their fake website to the top of the search results. Users who downloaded the program got a real working copy of Curse Client, but they also got a trojan. The fact that bad guys go to such great lengths is testament to the real money value of these game accounts.

Bonus: Theorycrafting Three-Factor Authentication

Strong two-factor authentication is good. The Curse Client trojan shows it can be beaten. Not easily, but it can happen.

Now I’m in speculatory theorycrafting mode. Here’s an idea for what I’m calling three-factor authentication. It’s almost certainly not an original idea. That said I’ve never seen it in use. Imagine the following:

  1. Enter username/password on PC
  2. Look at authenticator on smartphone, read number, type on PC
  3. Look at PC, read a new number sent from the server, type on authenticator, authenticator sends to server, server grants access to PC.

I believe this defeats the PC based trojan. With the prevalence of internet connected smartphones this seems very achievable.
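The three steps above as a runnable sketch, added here as an example and not Blizzard's code or anything from the original post. It assumes the authenticator number is an RFC 6238-style TOTP, that phone and server share a secret, and that the PC displays the server's challenge unmodified; `Server`, `phone_tag` and `demo` are hypothetical names. The demo shows a remote session opened with the captured password and number staying locked, because its challenge is never typed into the phone.

```python
import hashlib, hmac, secrets, struct
STEP = 30  # seconds each authenticator number is valid, as described above

def totp(secret: bytes, now: float) -> str:
    """RFC 6238-style 6-digit number for the window containing `now` (assumed algorithm)."""
    mac = hmac.new(secret, struct.pack(">Q", int(now // STEP)), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    val = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{val % 10**6:06d}"

def phone_tag(secret: bytes, challenge: str) -> bytes:
    """Step 3, phone side: authenticate the challenge the user typed in."""
    return hmac.new(secret, challenge.encode(), hashlib.sha256).digest()

class Server:
    def __init__(self, password: str, secret: bytes):
        self.password, self.secret = password, secret
        self.pending = {}     # challenge -> session id awaiting phone confirmation
        self.granted = set()  # session ids allowed into the account

    def login(self, password: str, code: str, now: float):
        """Steps 1-2: check password and number, then issue a per-session challenge."""
        if not (hmac.compare_digest(password.encode(), self.password.encode())
                and hmac.compare_digest(code.encode(), totp(self.secret, now).encode())):
            return None
        challenge = f"{secrets.randbelow(10**8):08d}"
        while challenge in self.pending:  # keep pending challenges unique
            challenge = f"{secrets.randbelow(10**8):08d}"
        sid = secrets.token_hex(8)
        self.pending[challenge] = sid
        return sid, challenge

    def confirm(self, challenge: str, tag: bytes) -> bool:
        """Step 3, server side: grant only the session that issued this challenge."""
        if not hmac.compare_digest(tag, phone_tag(self.secret, challenge)):
            return False
        sid = self.pending.pop(challenge, None)  # each challenge is usable once
        if sid is not None:
            self.granted.add(sid)
        return sid is not None

def demo(now: float = 1_000_000.0):
    secret = secrets.token_bytes(20)               # constructed shared secret
    server = Server("correct horse", secret)       # constructed password
    stolen = ("correct horse", totp(secret, now))  # what the keylogger captured
    thief_sid, _unseen = server.login(*stolen, now + 5)  # remote session, same window
    user_sid, shown = server.login("correct horse", totp(secret, now + 31), now + 31)
    server.confirm(shown, phone_tag(secret, shown))      # user types challenge into phone
    return thief_sid in server.granted, user_sid in server.granted
```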

There are options for the bad guys, of course. The trojan could be installed on a higher level. Up from the PC and onto the router. That’s extra difficult due to the variety of routers in use. However our three-factor authentication can do better. If the smartphone app communicates via cellular data, even if Wifi is available, then a router trojan is bypassed.

The other option for bad guys is to install two trojans. One on the client PC and one on the authenticator app. That’s hard. It’s extra hard because they’d have to target the same user two different ways. The PC was probably infected through a fan site or game-related software. How do they target the same user’s smartphone? That’s an incredibly high hurdle to overcome.

Keep in mind that all of these defensive measures only stop run-of-the-mill independent bad guys. State-sponsored bad guys are on a whole other level. The NSA is gonna hack whatever they want and you can’t stop them. Fortunately I don’t think they care about digital gold. It’s just important to remember that computer security is a matter of degrees.

Final Conclusion

Now I’m done. This has been super fun to write. Thanks to all three of you who made it this far. Stay safe out there.

Footnotes

  1. Additional reading: here, here, and here
  2. Amusingly they don’t accept credit cards.
  3. With more effort they can steal loot to sell for gold to turn into more cash.
  4. Gold can’t be traded anymore. When buying gold you give someone account access and they farm it for you. Talk about risky!
  5. A friend wrote a debug tool keylogger in a mere 245 lines of code. It feels wrong to share the link on this type of post though.
  6. Browsers are increasingly difficult to exploit due to sandboxing amongst other efforts. It can still be done but may require multiple exploits to fully expose an end user.
  7. There’s a strong argument to be made here.
  8. Some people don’t check “use authenticator every single time”. This is a bad idea. The only way to be secure is to require it EVERY SINGLE TIME.
  9. Bad guys can delete your stuff just to be mean. Bypassing secure two factor authentication is generally too much effort for that.
  10. Bad guys could hack in, add a friend, and wait 30 days. They’d have to do this for every single account. That’s a lot of work. Developers could likely detect this fraud in time.
  11. Which isn’t hacking but is still a problem.
  12. I believe Blizzard blocks the second login in this case. To login remotely bad guys not only need to steal the authenticator number but also prevent that user from completing their login.