Gamers in Disguise: Protecting Online Gaming from Account Takeover Fraud

Fraudsters use bots and human sweatshops or ‘click farms’  for account takeover fraud of genuine online gaming user accounts–especially those with big money–and to farm in-game assets so they can be resold for hefty profits

Perhaps no industry has been affected by changing consumer habits brought upon by the pandemic-related lockdowns more than gaming. With a massive influx of new users and increased play time on gaming platforms, every day became a weekend in terms of digital traffic. 

While users are playing a fair game of head-to-head combat, fraud and security teams are busy fighting their own battles with a shapeshifting opponent: fraudsters. 

Our 2021 Q1 Fraud and Abuse Report confirmed gaming platforms are under serious pressure:  

• Online gaming was the most attacked industry in 2020
• Highest attack rate at 33% (10 percentage points higher than the average 23%)
• An astounding 65 attacks per second

Fraudsters have an unfair advantage in online gaming

The current market conditions have created an unfair game for fraud teams, who must fight cybercriminals while trying to uphold fair play and a frictionless user experience.

Fraudsters take advantage of the spike in traffic to merge with and hide amongst the legitimate players. With easy access to sophisticated tools they can efficiently deploy bots to farm more money from the gaming platforms, resell in-game assets, and take over genuine user accounts.

On the other hand, fraud teams find it increasingly challenging to quickly identify trust signals and action on. They need more resources and tools that can help them filter out actionable information from noise and ban bad actors accurately to prevent negatively impacting user experience. 

This often translates into a greater strain on support resources and investments. In a recent Arkose Labs poll, nearly 30% of companies claimed account takeover incidents cost over $200 each. Beyond direct costs, nearly half claimed each account takeover consumed 1-5 hours in support time.

Protecting a critical fraud target: User Logins

Our 2021 Q1 Fraud & Abuse Report also illuminated a major attack vector in online gaming: logins. Lucrative in-game economies entice fraudsters to deploy credential stuffing attacks at scale that allows them to take over real accounts and steal in-game assets. And with the recent influx of gamers and in-game economies, fraudsters are enticed by the big earning potential to be persistent. 

Compromised user accounts are often those where the money is big. These can be sold for anywhere between a few dollars per 1,000 accounts and a whopping few thousand dollars for particularly valuable accounts, such as gamer profiles that have rare or costly items. 

Account takeover is achieved by a wide range of malicious activity such as obtaining combolists and credential stuffing that enable fraudsters to harvest user credentials and break into accounts at scale. Fraudsters tailor their attacks to maximize profit using bots, human labor, or a combination of the two. They also leverage low-cost human labor in ‘sweatshops’ or ‘click farms’ to bypass fraud prevention systems and launch more nuanced attacks. 

Catching account takeover attempts without impacting players requires a different approach

Every gaming company seeks to find a balance between spotting compromised accounts and accidentally banning legitimate players. This poses a huge challenge for fraud teams as fraudsters are making it harder to be spotted. 

Unfortunately, fraudsters have detailed knowledge of various parameters that gaming platforms use to spot fraud and use this against them – therefore holding the balance of power. Mitigation-focused solutions tend to be reactive, aiming to limit the damage rather than long-term prevention. 

Many gaming platforms implement out-of-band authentication to make the barrier too high for fraudsters and prevent them from achieving scale. However, just as it disrupts fraudsters, good users face unnecessary friction as they are forced to leave the workflow. Additionally, fraudsters have developed ways to circumvent these at scale, and authentication priced per token can be very expensive. Periodic ban waves also don’t scare fraudsters away and provide only temporary respite.

While MFA and downstream banning can weed out fraudsters, detecting the behavioral differences of bad actors and creating targeted friction can make all the difference in reaching that balance.

Beyond mitigation: Fraud deterrence

How can a business stop account takeover attempts from an attacker that seems to have an unfair advantage? By making the attack too expensive, which deters them from attacking altogether. 

The Arkose Labs Fraud and Abuse Prevention Platform accurately identifies the intent signals of sophisticated automated threats and human-driven attacks. Based on this risk assessment, it intelligently stages the right trap for the opponent to sabotage their ROI without inadvertently blocking authentic users.

A unified approach combines risk decisions with adaptive enforcement challenges to accurately distinguish fraudsters from genuine users and incrementally depletes the returns from the fraud attacks. This provides a long-term strategy for stamping out fraud and abuse, protecting the sanctity of their online gaming environment, and enabling good users to engage in meaningful interactions. 

To learn how you can stop the fraudsters right at the entry gates, without jeopardizing the gaming experience for authentic users, book a demo now.

*** This is a Security Bloggers Network syndicated blog from Arkose Labs authored by Julianne Rose. Read the original post at: https://www.arkoselabs.com/blog/gamers-in-disguise-protecting-online-gaming-from-account-takeover-fraud/