Anyone who's played an online game in the last ten years will have experienced game-related crime, though they might not know it.
That man hawking gold repeatedly in the chat channel; that group of dwarfs killing all the monsters in an area, over and over; whoever sent that friendly email purportedly from Blizzard warning you about fraud and providing a handy account link; that blinged-up low-level Orc with all the best gear.
All of these people could be breaking the law, some passively, some deliberately, and some hand in hand with organised crime.
Crime in games is both oddly ubiquitous and mostly silent, and the online game companies are mostly loathe to talk about it, and admit how pernicious and pervasive it is. We caught up with a couple of them to find more about the state of play of in-game crime and how they cope with it.
Gold farming was a huge problem in the first twenty years of online gaming, as most games were closed economies and time sinks. Players had to commit many hours to levelling up their characters and getting the best equipment; the only way to do that was to play the game.
Given the disparity in the value of time between an Eastern wage and a European wage, say, it seems entirely sensible that in Russia and Asia sweatshops were set up to exploit that difference.
Will Leverett, NCSoft's Senior Manager of Customer Service, explains; "We're convinced that groups on the seedier side of the Internet run in parallel to each other, with many offenders in China and Russia.
The simplest thing players could exchange for real-world cash was in-game currency, which would then hugely unbalance the in-game economy and auction systems; essentially, those people buying currency were using their real-world wealth to employ a tribe of servants to do their work for them, as opposed to their compatriots who were attempting the same thing by the sweat of their brow.
Leverett again "Gold farming exists as a function of any real world economy. As in real world macroeconomics, demand incentivizes production and supply drives price. In some games, such as City of Heroes, real-money trading (RMT) doesn't have much incentive as there is almost no value to an account within the game world, nor are there services to provide (save for powerleveling). However, in our economy-based games, there is a very real transactional and trading element, and thusly, RMT looks to capitalize."
The advent (and now dominance) of Free-To-Play massively multiplayer games has changed the mechanics significantly. Most games feature an in-game currency that's directly convertible to real world currencies, which can be used to buy a range of goods, ranging from the cosmetic in World of Warcraft to character classes in Bloodline Champions to customized weaponry in Planetside 2.
Anyone with a Facebook or Paypal or online banking account who's checked their spam folder will have seen a hundred clumsy efforts at phishing their log-in details.
On the game side, this has been ten times worse, with criminal organisations industrialising the process, spamming lists of email addresses scraped from the internet or stolen, distributing viruses carrying keyloggers to steal passwords, or even employing hackers to break into major corporations and steal account details directly.
"Account information stealing is largely preventable" says Leverett. "Many "hacked" players actually lose their game accounts and email accounts simultaneously because the same login information is used for both. It's made worse when so much personal information is readily available on forums and social media sites. Brute force attempts are also common, though we have specific measures to counter that."
Aside from this conning method, larger organisations are often targetted for their databases. The ultimate aim is to get credit card details, which most companies encrypt, but user contact information and passwords can be just as useful for phishing.
Sony's PlayStation Network was hacked and personal (and possibly credit) information acquired, the dominant PC gaming platform Steam was hacked, and many big-name developers too; Eidos, Epic, Bethesda, Square Enix...
MMO companies like Trion Worlds employ multiple systems to endlessly check the vulnerabilities of their games and sites.
As their Chief Creative Officer Hal Hartsman said earlier in the year, "We've got our own internal security teams, as well as two outside independent security companies that we work with on an ongoing basis. Us and our outside companies, we have very close relationships with the main domain registrars as well as many of the ISPs out there.
"So what happens is that a user gets some phishing mail; they forward it to our abuse mailbox and then all three teams pick it up. If it's fraudulent, a lot of the time we'll have the domain shut down within 24 hours."
Virtual item theft
Once an account is stolen, the criminals tend to strip it of anything valuable - anything rare will be sold, and in-game currency transferred away. Your character itself is unlikely to be transferred to another account (as that would involve paying money to the MMO owner) but it's likely to be left in the same state that a car is after a joyride; burnt out and distressing to behold.
It's hard for the game companies to identify when an accounts been stolen, but they are getting better at it as Leverett explains; "There are a variety of measures – some proprietary, some licensed – that we can use to identify legitimate players while reducing the risk of surreptitious activity.
"We're excited about a couple of cool features in 2012 that will really help us better understand who our players are and thus provide better service (but we're not ready to talk about it yet!)"
Curiously, it's harder for the game companies to help with this. Many will reinstate any items that they can, and will take regular snapshots of a player's characters to do so, but not all of them are as careful and conscientious with their data as they should be.
For example, the Japanese MMO M2 suffered a catastrophic server failure late last year, and the game could not be recovered from back-up. All the players of the game lost all of their characters - and the developer lost their game!
Even Leverett admits that NCSoft, one of the world's biggest MMO companies, can't help out with lost characters or deleted items; "On most games, we help players by restoring access to their accounts and then provide them with a "starter kit" of sorts to get back into the game. However, we also have functionality for one product that allows us to "restore" an entire account, much as you would a save game." After ten years playing as a character in, say Ultima Online, starting again would not be an option for many players.
Online gaming is getting more sophisticated and more profitable every year, so it's little wonder that criminals are trying to take their cut. It's all to do with the crossover between the deliberately egalitarian virtual worlds we play in and the highly-unequal world we live in. These problems aren't ruining online games yet, thanks mainly to the strenuous efforts of the game developers; but where there's billions of dollars sloshing around inside a single computer program, criminals are going to turn up.