Online video games are a multi-billion dollar business, as well as a huge opportunity for cyber criminals, money launderers, and hackers. Matthew Cook, the co-founder of Panopticon Labs, spent 18 months interviewing executives at game developers and publishers in the US and around the world about why games have become such an attractive target for these bad actors, the unique challenges (and opportunities) that technology companies face in trying to secure this space, the tools and techniques that game operators have developed internally to respond to these threats, as well as the tools they wish they had access to.

1. PANOPTICON
LABORATORIES
How Fraudsters Are ‘Following
The Money’ Into Online Games
www.panopticonlabs.com
March xx, 2016

2. Screenshot of Watchtower UI
PANOPTICON LABORATORIES is the first and
only in-video game cybersecurity company, built
to protect online video game publishers from the
financial and reputational damages that can result
from cyber attack.
Through proprietary technology that is uniquely
focused on gameplay itself, Panopticon sets a
baseline of activity for every player who
participates in online play. Upon discovering
anomalous behavior, Panopticon alerts publishers
with more than 99% accuracy, along with
providing recommendations for incident
investigation and immediate remediation.
ABOUT US
PROTECTING ONLINE GAMES FROM IN-GAME THREATS

3. WHT DOES GAME FRAUD
LOOK LIKE?

5. FRAUDSTERS = WORLD
KILLERS
Hackers, cheaters, and
fraudsters are a cancer
that kills virtual worlds.

6. increase in account takeover
Steam Trading allows players to
exchange virtual items.
accounts are hacked every month

7. • Cheap – Only $30 gets script kiddies source code,
manuals, and tutorial videos.
• Effective – uses state of the art obfuscation
techniques, rendering it invisible to most AV.
• Evolving – leaked source code has lead to a
development arms war.
• Defeats Multifactor – Kaspersky has shown that
Steam Stealers can neutralize Steam’s primary defense
against unauthorized trades.
NEW MALWARE: “STEAM
STEALER”

8. MONEY IN GAMES
The evolving video game business
model:

10. Online games generated
In 2015.
WHY FRAUD?
Global movie box office
.

11. It was true in banking.
It was true in eCommerce.
Now it’s happening
in video games.

12. http://kasperskycontenthub.com/securelist/files/2016/03/Steam_Stealers_research_ENG.pdf,
or Google “Kaspersky Steam Stealers”

13. MORE THAN ACCOUNT
TAKEOVER
Gold Farming
Botting
Credit Card Fraud

14. WHAT’S NEEDED?
WHEN SURVEYED, GAME PUBLISHERS AND DEVELOPERS HAD
VERY SPECIFIC IDEAS ABOUT WHAT THEY WANTED AND
NEEEDED…

15. SURVEY OF 50+
PUBLISHERS
Over 18 months, online game publishers were asked:
• What are you doing now to fight fraudsters, cheaters,
and hackers?
• How effective are those solutions?
• What other solution(s) do you wish you had access to?

16. COMMON SOLUTIONS
MANY TOOLS WERE INITIALLY DEVELOPED FOR OTHER
INDUSTRIES
• Multi-factor, IP/GEO, Black/WhiteListing, challenge
questions, and device fingerprinting and reputation
tracking have all been attempted.
• List-based solutions draw from years of institutional
wisdom and databases.
• “The problem with using tools built for banks to
secure games is that bad guys have had years to
figure out how to break them.”

17. DIFFERENT GENRES;
DIFFERENT PRIORITIES
• MMO: Account Takeover
• Free-To-Play: Account re-selling;
gray markets
• Social Casino: Cheating; collusion.
• Real-Money Casino: Money
laundering; cybercrime

18. MOST-COMMON SOLUTION
Many publishers
create rules-
based reports
based on what
has happened in
the past.
OBSERVE
CONFIRM
FORENSICS
ADD RULES

19. ALL AGREE:
Lots of overlap – bad actors from across the
spectrum are constantly looking for advantage.
It should be addressed – even most aren’t
exactly sure HOW to fight back.
It’s about more than money – reputational
damage, player dissatisfaction leading to churn,
and premature shortening of the game’s life are
also important.

20. "One of the most important things you
have as a developer is the community
you can take with you."

21. CASE STUDY
HOW ONE LARGE, DATA-DRIVEN PUBLISHER FOUND ITSELF AT THE
MERCY OF CYBERCRIMINALS DESPITE THE USE OF CUTING-EDGE
TECHNOLOGY

22. SOCIAL CASINO
Players cannot cash-out chips; play
in large, social settings through
mobile and Facebook

23. 13 MILLION PLAYERS
HALF ON MOBILE; HALF CONNECTING VIA FACEBOOK
• Had the advantage of Facebook’s authentication
controls paired with Apple’s app-level validation tools
and a variety of traditional front-end services.
• Employed cutting-edge back-end transaction security
controls via their credit card processor.
• Very data-centric since the company was founded;
prided itself on the quality – and quantity – of its player
data.

24. WORLD-WIDE COVERAGE
EMPLOYED TEAMS AROUND THE GLOBE TO WATCH OUT FOR PLAYERS
• As fraud and gray market losses mounted, more
employees were tasked with manually monitoring player
behavior.
• Rules-based reports generated suspect lists, which
were in turn reviewed by game play experts.
• Many things were tried; every time, the bad guys simply
adjusted their activities to get around the systems
created to detect them.

25. NO IDEA OF SIZE/SCOPE
BY THE TIME WE WERE ENGAGED, CRIMINALS HAD A 24-MONTH
ADVANTAGE
• Panopticon Labs was tasked with determining the size
and scope of gray market activities operating in-game.
• Behavioral analytics models were built to model 100%
of all player activities over a 90-day period of time.
• First pass: 88% accuracy rate. Second pass: 98.7%
accuracy rate.
• Thousands of bad actors were participating every month
in a complex ecosystem.

26. 40% REVENUE
LOSS
PANOPTICON LABS ESTIMATED THAT 40% OF
THE PUBLISHER’S MONTHLY REVENUE WAS
BEING LOST DIRECTLY TO THE GRAY MARKET
THIS WAS ON TOP OF THE LOSS FROM
REPUTATIONAL DAMAGE, EARLY PLAYER
CANCELATIONS, AND LOSS OF CONVERSION.

27. RECOMMENDATIONS

28. TECHNOLOGY
BE LIKE BANKS; EMPLOY A ‘LAYERED’ SOLUTION THAT
UTILIZED ANALYTICS WITH TRADITIONAL CONTROLS
1. Recognize that any observable system is porous
when faced with a dedicated attacker.
2. Be skeptical of results; make sure the right things
are being measured.
3. Measure early; measure often.
4. Assume the bad guys are already inside.

29. ANALYTICS
MORE THAN JUST A BUZZ WORD
1. Study good and bad events - not all anomalies are
created equal).
2. Classify ‘anomalies’ differently than ‘suspects’ -
understand how publishers can make best use of these
data elements.
3. Intelligence is useless unless paired with timely and
efficient action.

30. GAMING REALITIES
GAMES HAVE VERY DIFFERENT NEEDS THAN MOST OTHER INDUSTRIES
1. Games are very sensitive to lag – don’t expect to be
embedded in the client OR the server.
2. Game developers hate overhead – if your tools
require changes to the game itself, they probably won’t
be used, or will be abandoned early-on.
3. Games are constantly changing – unlike banking,
retail, manufacturing, or eCommerce, games radically
change over time by design.

31. ANOMALY
DETECTION

32. DEFINITION
“Anomaly detection (or outlier
detection) is the identification of
items, events or observations
which do not conform to an
expected pattern or other items in
a dataset.”
- Wikipedia

33. WHY ANOMALY
DETECTION?
Rules are expensive – both to set up as well as to
maintain.
Rules are slow – must be manually maintained and
changed as player – and fraudster – behavior changes
over time.
Rules are reactive – by definition, rules can only be
created as a reaction to something bad that’s already
happened.

34. THE HUMAN FACTOR
HUMAN BEINGS ARE THE BEST PATTERN RECOGNITION
“Our support team knows our players
better than anyone, and can usually tell
right away exactly what’s happening;
they just need to know which players
and events to look at first.”
–Every Operations Executive Ever

35. WATCHTOWER
WATCHTOWER is Panopticon
Laboratories’ premier in-game security
product, using proprietary anomaly
detection and behavioral analytics to
provide online video game publishers
with a 360° overview of player behavior
over time. The SaaS-based product’s
real-time, actionable alerts and research
tools allow analysts to make quick and
informed decisions that stop malicious
in-game behavior before damages can
occur. Its powerful machine learning
system enables the engine to grow
smarter and more powerful
over time.
PROVIDING A 360° VIEW OF PLAYER BEHAVIOR

36. PROTECTING ONLINE GAMES
FROM IN-GAME THREATS.
MATTHEW COOK
CO-FOUNDER
matt@panopticonlabs.com
614.580.7003