Meet Sam (not his real name), an employee of a large game studio who is tasked with, among other things, handling security and fraud issues. He has some advice for you: stop trying to pretend your grandmother stole your password. (This is seriously a thing.) They are onto you.
The core job of any game studio is to create video games. My job is to support our customers and our developers, so that the customers are happy with our games and our developers can keep making games. That can take any form: relaying feedback to our development team, telling our development team what issues are critical, or acting as a brake on their wilder ambitions.
I work on many online games, specifically games that have an online component as their primary game mode. That has meant games that are primarily multiplayer, games that have a multiplayer component, or online-only games. Unlike other major customer service industries (insurance, bank account management, tech support) you rarely have a script you can work off of.
We, as humans, like to believe in the best in people. Many of us believe that people are inherently good.
But whenever there is a way to get money out of a system, you’ll see exploitation. For online games, that usually takes the form of account selling, account hacking, in-game item selling, and stolen credit cards. If the online game is an inherently closed system (meaning there are no approved mechanisms to transfer assets out of the game world), then these activities occur on a black market, usually on registration-only forums, auction websites, or private conversations. If the online game is an open system (meaning you may transfer in-game items or actions into real-world money), like Second Life or Everquest 2, there may be legitimate ways to cash out.
In every case, the goal is to transform in-game items / accounts / actions into real-world money through fraudulent means.
Some standout exploitative schemes: The spam many people receive from “Legitimate Game Company” saying their account has been compromised or banned continues to be sent out because it works. People follow those links and input their account information. I cannot say this enough: we will never ask for your username or password, and you should always check the URL after clicking a link. Better yet, contact the customer service team directly if you get an email saying your account has been suspended. The sheer size and persistence of this spam keeps it on my radar.
Once, there was a specific person that was creating accounts to sell. We had our own mini arms race, as I found and removed their accounts. Then they began to get better, which forced me to improve my methods, which forced them to vary their actions and activities. This continued for a good year, as we sparred back and forth. Ultimately, they left for other games, but the experience and tools I built to combat them would continue to prove useful against other fraudulent players.
There was one person in particular who refused to admit they did wrong, and contacted us many, many times, through mechanisms like the EU consumer protection divisions and the Better Business Bureau. They even sent legal documents, trying to prove they were innocent. Of course we had all the data, but it got so bad that we had to contact several members of their clan and say that this person was lying, just so our side could get out. (Clans are groups of players that band together and play together across games — online friends that will talk on private forums, VOIP services, and sometimes get together in real life.) It can get really ugly when people have invested months or years into the game, yet persist in breaking the rules that we set up to protect their fellow players.
It’s never their fault. We inevitably caught the wrong person; someone else was using their account; they were swimming on the beach; their cat jumped on their keyboard and posted their account for sale, etc. I’ve heard it all. Some are very creative, others falsify documents or e-mails to try and convince us we were wrong.
Over the years you build up a good gut feeling for when a customer is lying to you, and it’s important to go with that gut. I’ve had people that I banned many years ago come back and admit that they did, indeed, break the rules. Feels good, man.
Some exploiters or hackers don’t worry about making money off of their actions. Their goal is to stretch the boundaries of the game world that we create. Some of the earlier players we encountered would alter client code to falsify their actions, change their move speed, attack with incredible accuracy, etc. Their goal wasn’t financially motivated; rather, they wanted to be the big fish in their pond, to show off their skills and become (in)famous.
Other players will pit their skills against the developers, breaking code or exploiting behavior faster than the developers can fix it. It’s a meta-game for them, testing our developers’ coding ability against their hacking. Some of the more impressive efforts I have seen over the last decade involve sniffing the packets sent from their client to our server, identifying the packet contents and then sending malformed packets back to the server in order to manipulate their actions. Others figured out ways to host private servers and grant themselves administrator powers, exploring hidden areas developers put in for testing. The sky is really the limit, and I’m impressed by their ingenuity.
What I’d love for people to understand is that 98 percent of the people out there that play online games are great players. The people who are banned or exploit online games have everything to gain by maligning our process, our methods, and our accuracy, but our jobs are on the line and we make sure all of our actions are backed up.
And with apologies to Toy Story, “From now on, you must take good care of your accounts, because if you don’t, we’ll find out. Players! We admins can see EVERYTHING …. so play nice.”
This is the third of an occasional series of interviews with tech workers that one doesn’t often hear from — the kind who don’t take the stage at conferences and yet play a crucial role in the internet economy. This interview has been edited and condensed and some identifying details have been changed. If you have any interest in talking to us (or know someone who might), please be in touch: firstname.lastname@example.org.