Fraud is No Game

The Iceland-based computer game developer CCP hf has discovered that it can fight credit card fraud in the real world by cracking down on fraud committed with the virtual currency used in its computer game, EVE Online.

EVE is an online game in which players can earn a virtual currency called ISK and trade it among themselves. Like many games with a virtual economy, EVE has fallen victim to real-money trading, or RMT, the term for using real-world money to buy the virtual kind, the tech news Web site Ars Technica reported on Aug. 20. Since this practice is against the rules, the game accounts used by RMT players are typically suspended as soon as their activities are discovered.

CCP noticed a link between the RMT players and credit card fraud. "Practically all credit card fraud we suffer stems from the RMT element which uses stolen credit cards to register expendable accounts that they know we will ban as soon as they start using them," Einar Hreioarsson, a CCP employee who polices the game, told Ars Technica.

"Real-money trading and most of the activity involved with it is against our published policy," he said, "and even international law in the case of credit card fraud."

CCP responded to the fraudsters by developing a program to find and ban RMT users' accounts en masse, which would also eliminate most card fraud for the company, Hreioarsson said. It ran the program during server maintenance and killed 6,000 accounts in one weekend — with only 12 known false positives.

The good news is that this was only 2% of registered accounts. These were among the most active accounts, however, so as a side benefit, banning fraudsters freed up server capacity for EVE's law-abiding players.

To Catch a Hacker

An anti-spamming company hopes to cut down on data breaches by taking banks to court.

Unspam Technologies Inc. in Murray, Utah, has filed a "John Doe suit" in which the defendant's name is unknown but a third party, such as a bank, can be subpoenaed for information on the defendant's identity, The New York Times reported Aug. 20.

Unspam's lawyer, Jon L. Praed, told the Times that he has had success with this strategy to help Internet service providers identify spammers that were sending e-mail to their clients.

In the instance of the data theft lawsuit, which was filed last week in the U.S. District Court for eastern Virginia, Praed said he intends "to provide all those being victimized by this massive criminal enterprise the opportunity to come together to gather the data we need to fix the problem at a systems level."

The article said he is hoping to unmask those behind the Eastern European gangs that orchestrate financial fraud from overseas.

Banks may try to fight the subpoenas out of privacy and liability concerns, the article said.

 


When the Australian Federal Police alerted the members of an online hacking forum that it had penetrated their security, the hackers responded by hacking the police computer used to gain access to their forum.

Police boasted of their accomplishment — taking control of the administrator account of the r00t-y0u.org hacker forum — both on television and on the forum itself, The Sydney Morning Herald reported Aug. 18. The computer that police used to enter that account held sample names of compromised credit card numbers and other evidence the police had collected, the article said.

The one police mistake was forgetting to set a password for the database application, the paper said. Once a hacker discovered this, compromising the police server was "done within 30-40 minutes," the hacker wrote online. "Could of been faster if I didn't stop to laugh so much."

Though the hacker claimed to have gained access to actual evidence, including credit card numbers, a police spokeswoman insisted that no actual evidence was on the compromised computer, which could not be used to access the machines that do hold such evidence. What the hacker found were "directory file names of previously compromised credentials," she told the Herald. "No information or files exist that have, or could have, been compromised."

Exposures

Small businesses are the targets of big fraud, according to a notice from the Financial Services Information Sharing and Analysis Center.

The industry group sent a confidential notice to its members last week to tell them of "a significant increase in funds-transfer fraud involving the exploitation of valid banking credentials belonging to small and medium sized businesses," the letter said, according to an article in The Washington Post on Tuesday.

The scam begins when a fraudster sends an e-mail to the controller or treasurer of a small business, the article said. The e-mail includes an attachment or link that, when clicked on, installs malicious software on the user's computer. The software then initiates repeated wire transfers of less than $10,000 — small enough not to require reporting under banks' anti-money-laundering regimes, the Post said. These transfers can add up to more than $100,000 — or in one case, $1.2 million — before being caught and stopped.

Since businesses lack the protections consumers have, some have taken to suing their banks to recover stolen funds.

The analysis center attributed the scam to Eastern European organized crime rings, which operate through people hired in the United States to receive the money.

 


Radisson Hotels International Inc. discovered this spring that its customers' credit and debit card data had been exposed in a breach since late last year.

Radisson, a unit of Carlson Hotels Worldwide Inc., discovered the breach only after it was contacted by several credit card companies and processors, Network World reported on Aug. 19. It said the hotelier is still investigating to determine which of its properties were affected, though it has already determined that the breach affects hotels in both the United States and Canada. Radisson said it is working with law enforcement agencies in both countries.

The incident took place from November 2008 to May 2009, Radisson said. Though it has not yet determined the breach's full extent, the hotel company said it would offer affected individuals a year of credit monitoring.