Security and privacy in massively-multiplayer online games and social and corporate virtual worlds

Abstract

2007 was the year of online gaming fraud - with malicious programs that specifically target online games and virtual worlds increasing by 145% and the emergence of over 30,000 new programs aimed at stealing online game passwords. Such malware is invariably aimed at the theft of virtual property accumulated in a user’s account and its sale for real money. With 217 million regular users of MMO/VWs (Massively Multiplayer Online Games and Virtual Worlds) and real-money sales of virtual objects estimated at nearly US\$ 2 billion worldwide at the end of 2007, this is a serious issue. The failure to recognise the importance of protecting the real-money value locked up in this grey-zone of the economy is leading to an exponential increase in attacks targeting online MMO/VWs. Another important area of risk is the disclosure of private data. MMO/VWs are commonly perceived as being completely separate from the real lives of their users and therefore immune to privacy risks. In reality, representing yourself as an avatar is little different from using any other form of online persona. The inclusion of IRC and VOIP channels, along with the false sense of security created by MMO/VWs, leads to significantly increased disclosures of private data such as location and personal characteristics. The main body of this report describes in detail these risks and others, including in-game access-control vulnerabilities, scripting vulnerabilities, denial of service, spam and threats to minors, before making a number of recommendations on how to remedy them