Fraudsters target video games for credit card fraud

In online gaming, both your credit card and your game accounts are at risk. Here's how to protect them

Taylor Tompkins
Staff Reporter
Former newspaper reporter now focused on rewards and fintech.

Fraudsters have found the cheat code to your credit card, and it’s through your favorite video game.

The $100-billion video game market – from PC and consoles to the addictive gaming apps on cellphones – is a prime target for digital thieves looking to snatch a player’s credit card or identity.

“In the gaming industry, where digital goods are prevalent, fraud risks and fraud rates are very high due to the ease of the transaction, and it happens very quickly,” said Emma Lee Yijiao, marketing lead for CashShield, a machine learning fraud management company, where about one-third of their customer base is gaming companies. “Fraud in the digital landscape for the gaming industry is extremely high compared to e-commerce, because [in] e-commerce you have to have a shipping address, a billing address and all these things” that, in the wrong hands, enable fraud.

When it comes to gaming, an unregulated industry in which technology is the product and there are not many investigations into fraud, fraudsters can compromise sensitive information in a variety of ways. Whether it is taking over accounts through phishing, processing stolen credit cards or trying to steal the cards connected to in-app purchases, thieves have a variety of different avenues of attack.

However, gamers and the gaming industry alike have their own lines of defense. This is how they fight back – and how you can protect your data against online game fraud.

PROTECT YOUR CREDIT CARD WHEN PLAYING VIDEO GAMES
  • Check statements regularly.
  • Don’t visit shady websites.
  • Know the company you’re giving your data to.
  • Be wary of phishing in emails and links.
  • Rotate passwords and use a different one for each account.
  • Report fraud activity to your issuer and the game operator.
  • Watch out for breaches.

Account takeover
Much like with a bank account, a gaming account can be taken over by a fraudster and used for all it’s worth. In gaming, the account itself is worth a lot of money, including all the in-game goods the player has invested time to earn.

In account takeover situations, fraudsters get hold of a player’s user ID and password for a game. Typically, they obtain the login credentials either from a malware program or through a phishing scam. Once the account is accessed, fraudsters have free rein over everything, from the attached credit card number to virtual goods.

While the convenience of storing your information on a gaming console or an online market makes purchases easier, it also comes with some risk, said Diarmuid Thoma, director of fraud at TransUnion.

“What happens when they gain access to your account? One of the things I have learned about gaming specifically is, it’s not all about the credit card. The account itself is worth money,” Thoma said.

Some accounts can go for hundreds, if not thousands, of dollars, according to Matthew Cook, co-founder of Panopticon Labs.

“Once they had access to the account … they could also access, in some cases, assets that the player had maybe spent months or years of their time amassing. In a game where time is really the only factor you can never get back again, that’s a hugely valuable thing,” Cook said.

Phishing
Another fraud tactic that translates well to the gaming world is phishing. Fraudsters will often use emails that look as if they are legitimate communication from a game's creator, publisher or distributor. However, the email will contain a link to a page that asks for and captures a player’s user name and password.

Thieves are also using overtaken accounts to send in-game mail of a similar type, according to Thoma from TransUnion. It is typically more prominent in games where credits can be transferred between players, because fraudsters will ask for money or goods for the game’s virtual economy.

“Let’s say you and I have been playing together for two years, and you get an in-game email from me all the sudden,” Thoma said. “I ask you something, you’re not really going to think twice about it; generally, if you can, you’ll probably facilitate it. And you have no way of knowing that account is compromised.”

 

Processing stolen cards
Many times, criminals will use a stolen credit card to turn a profit in video games. The cards – which are obtained either through account takeover or by purchasing a card number on the dark web – are tested with tiny transactions in the video game.

Often, turning a profit involves buying access to a game or goods in the game’s virtual economy. These are then sold at a deep discount, which essentially washes the thieves’ hands of the money from the stolen card while still earning them a profit and sometimes even new card numbers.

The practice, according to Cook from Panopticon Labs, is prevalent online.

“A lot of times what fraudsters will do is offer discounts on virtual goods that are essentially stolen,” said Jason Oxman, CEO of the Electronic Transactions Association. “What they’re looking for really is your card number so that they can sell it to someone else.”

In-app purchases
While many games on your cellphone are free to download, there are in-app transactions for extra spins or for getting rid of time restrictions. Once your credit card is in, you could be compromised.

Similar to other online games, anything bought in the apps can be sold at a discount online.

“Once you translate that into actual transferable assets, like currency or items ... it could endlessly money launder things until the cardholder shuts it down,” Cook said. “Obviously, these are small transactions in great numbers and it’s for an item oftentimes that they can resell on an unauthorized website.”

What’s being done?
Companies such as Cook’s Panopticon Labs and Thoma’s division at TransUnion are working with publishers and developers to identify fraudsters before they can cause harm to players.

At Panopticon, the team works by monitoring in-game behaviors of players, exposing those who aren’t there for the fun of it. Cook said players who are there to scam or benefit off other players aren’t interacting with the virtual world like the rest, making them easy to detect.

Thoma’s team uses factors such as IP addresses and identifying information from TransUnion to shut down fraudsters before they can even finish creating their game account. Allowing players to tie their identifying information to only one account effectively shuts down fraudsters who need many accounts to pull off their scams.

What can you do?
If you are a player, there are ways to protect yourself in the virtual world.

  • Check statements regularly. Look for any gaming activity that doesn’t belong to you. If you notice anything suspicious, report it immediately to your credit card issuer. “If you don’t see it and don’t report it ... you can’t do anything to stop it,” Oxman said. This is especially important after a breach, like that of virtual marketplace Steam or brick-and-mortar GameStop, he said. “Even if you don’t see any fraud on your statement today, if you were one of the victims, you may want to keep watching,” Oxman said.
  • Use safe web browsing practices. Don’t visit websites that don’t look legitimate, and be conscious of the gaming company you’re dealing with. Researching the company, website or marketplace you are considering buying from can help ensure that your card information is in good hands.
  • Be cautious when clicking links in messages. Keep an eye on the URLs you’re being redirected to and make sure each one is exactly the same as the site you’re used to, especially if you are being asked for credentials. The safest practice to avoid phishing, Thoma advises, is to type the website URL in yourself rather than following a link in a communication like an in-game message or email.
  • Rotate passwords and avoid having the same password for different accounts.
  • Report any fraud activity to the game’s operator. “If you’re seeing bad things, not only report them to the operator, but do it in a very positive way. Show that you know,” Cook said.

Simple precautions can help video game players vanquish a much more realistic evil – credit card scammers.

Updated: 11-25-2017