The European Network and Information Security Agency (ENISA) has carried out a thorough study of the dangers of modern online virtual worlds. The 80-page report gives a good overview of the current state of affairs and addresses the relationship between virtual worlds and real-world money.
The executive summary lists the following 14 risks:
1. Avatar identity theft and identity fraud: theft of account credentials (username and password). The main motivation is real-money financial gain, but identity fraud can also be used to damage reputation (real-life or, more commonly, in-world) and to avoid responsibility for crime.
2. MMO/VW privacy risks: In privacy terms, avatars are no different from other forms of online persona. Users may even disclose more personal data because the MMO/VW gives a false sense of security. There is also a trend towards behavioural marketing by “eavesdropping” on avatars.
3. Automation attacks: Some forms of automation are very problematic for service providers because they allow attackers to obtain objects or services “for free”. This leads to loss of in-game value for other users, disruption of game-play and loss of revenue for service providers.
4. Cheating, security issues: Cheating can be a serious problem both for users and service providers. We look at categories of cheating from an information security point of view, e.g. illegal object duplication (duping) and insider trading.
5. Harassment: In-game harassment, such as ganking and verbal harassment, can be just as serious a threat to real-world people and resources as any other kind of online harassment.
6. Trading and financial attacks – credit card chargebacks: Whenever an in-game purchase is made with an online payment service (e.g. credit card or PayPal), a full refund can be claimed from the payment company (usually within a month). Retailers then lose money – even if the consumer has already made full use of the service paid for. For instance, in Second Life, it is possible to spend tens of thousands of dollars on a single purchase of land, and then split it into a large number of sub-plots, which are sold on. If a chargeback is issued, reversing these transactions is technically and administratively very problematic.
7. Risks to intellectual property: Original works can be created in-world using official tools provided by the service provider. Original work can even be created by arranging virtual objects, e.g. sculptures from virtual coke cans. The actual rights held by the user are often only vaguely defined and may be invalidated by underlying rights. Also, users of virtual worlds often import copyrighted material without the permission of the copyright owner.
8. Information security related risks for minors: Minors can be exposed to inappropriate content in MMO/VWs either through the circumvention of age-verification techniques or the failure of content rating systems. This exposes them to risks such as disclosure of real-world contact data and pornographic or violent images.
a. Failure of age-verification techniques: No currently available technique performs satisfactorily in MMO/VWs. We look at problems with existing methods.
b. Weaknesses in content-rating schemes: Effective age-based content-rating systems are particularly challenging when applied to MMO/VWs because some content is determined by the end-users and the (dynamic) game culture.
9. Problems with online dispute resolution (ODR) in MMO/VWs: Effective ODR is particularly problematic in MMO/VWs because many disputes are raised in order to gain advantage over other players or residents. In 2006, Second Life received one ODR request per day for every 15 users.
10. MMO/VW spam: Many bots (scripted avatars) exist within MMO/VWs, which peddle unsolicited marketing as well as offers and/or advertising services or products banned by the service provider.
11. MMO/VW specific denial of service (DoS) attacks: Scripted objects and avatar action in MMO/VWs provide novel variants of DoS attacks. MMO/VWs are especially vulnerable to DoS attacks because of their centralized architecture and poorly authenticated clients.
12. Malicious game servers: Malicious game server software can be used to perform “virtual mugging” – theft of account details or objects of value. This risk is especially important in the emerging open MMO/VW architectures where MMO/VWs may be hosted on unauthenticated servers.
13. Attacks on user’s machine through game client: A game client is a piece of network software with specific vulnerabilities that may allow an attacker to control a user’s machine.
14. Access and authorization problems in MMO/VWs: Attacks on access control restrictions to parts of the MMO/VW world can allow attackers to access private sectors or data. On the other hand, avatars may collude to “physically” block other avatars from a sector of MMO/VW space.
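Risk 6 is the one item in the list that describes a concrete mechanism, so here is an added illustration of it. This is constructed example code, not code from the ENISA report or from any virtual-world provider: it models a small asset ledger in which an external payment funds a land purchase, the land is subdivided and the sub-plots are sold on, and then shows what a chargeback on the original payment would have to unwind. The 30-day window, the asset and payment identifiers, and the "settlement hold" rule at the end are all assumptions made for the example; the hold is a common mitigation in payment systems, not a recommendation quoted from the report.

```python
"""Constructed illustration of the chargeback problem (risk 6).

Not code from the ENISA report. Assumptions: a 30-day chargeback window
(the summary says "usually within a month"), hypothetical avatar names and
payment ids, and a settlement-hold rule that blocks resale of assets whose
funding payment could still be charged back.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

CHARGEBACK_WINDOW = timedelta(days=30)  # assumed window for the example


@dataclass
class Asset:
    asset_id: str
    owner: str
    value: float
    funded_by: str        # external payment id that ultimately paid for this asset
    acquired: date        # date of the funding purchase
    settled: bool = False  # True once the chargeback window has passed


@dataclass
class Ledger:
    assets: dict = field(default_factory=dict)
    history: list = field(default_factory=list)  # (kind, asset_id, from, to)

    def buy_land(self, payment_id, buyer, value, day):
        """Land bought from the provider with an external (reversible) payment."""
        a = Asset(asset_id=f"land-{payment_id}", owner=buyer, value=value,
                  funded_by=payment_id, acquired=day)
        self.assets[a.asset_id] = a
        self.history.append(("purchase", a.asset_id, "provider", buyer))
        return a

    def subdivide(self, asset_id, n, day):
        """Split a plot into n sub-plots that inherit its funding payment."""
        parent = self.assets.pop(asset_id)
        plots = []
        for i in range(n):
            p = Asset(asset_id=f"{asset_id}/{i}", owner=parent.owner,
                      value=parent.value / n, funded_by=parent.funded_by,
                      acquired=parent.acquired, settled=parent.settled)
            self.assets[p.asset_id] = p
            plots.append(p)
        self.history.append(("subdivide", asset_id, parent.owner, parent.owner))
        return plots

    def settle(self, today):
        """Mark assets whose funding payment can no longer be charged back."""
        for a in self.assets.values():
            if today - a.acquired >= CHARGEBACK_WINDOW:
                a.settled = True

    def resell(self, asset_id, new_owner, day, enforce_hold=False):
        """In-world resale; with enforce_hold, unsettled assets cannot move."""
        a = self.assets[asset_id]
        if enforce_hold and not a.settled:
            raise ValueError(f"{asset_id} is still inside the chargeback window")
        self.history.append(("resale", asset_id, a.owner, new_owner))
        a.owner = new_owner
        return a

    def chargeback_exposure(self, payment_id, original_buyer):
        """Who now holds value funded by payment_id, and how much.

        Anything held by the original buyer can simply be debited back;
        value that has already moved to third parties is what makes the
        reversal 'technically and administratively very problematic'.
        """
        exposed = [a for a in self.assets.values()
                   if a.funded_by == payment_id and a.owner != original_buyer]
        third_parties = sorted({a.owner for a in exposed})
        return third_parties, sum(a.value for a in exposed)


def demo(enforce_hold=False):
    """Land bought, split ten ways, three sub-plots sold on within days."""
    led = Ledger()
    d0 = date(2008, 1, 1)
    led.buy_land("pay-001", "alice", 20000.0, d0)
    led.subdivide("land-pay-001", 10, d0)
    for i, buyer in enumerate(["bob", "carol", "dave"]):
        led.resell(f"land-pay-001/{i}", buyer, d0 + timedelta(days=3), enforce_hold)
    # A chargeback on pay-001 now has to claw value back from three other users.
    return led.chargeback_exposure("pay-001", "alice")


if __name__ == "__main__":
    print(demo())                 # value already held by bob, carol, dave
    try:
        demo(enforce_hold=True)   # hold rule refuses the early resales
    except ValueError as e:
        print("blocked:", e)
```

Without the hold, a chargeback on the $20,000 payment leaves the provider trying to recover $6,000 of land from three users who bought it in good faith; with the hold, the early resales are refused and the exposure is confined to the original buyer until the window closes. The trade-off is liquidity: a strict hold delays legitimate resales by a month, which is why providers tend to combine a shorter hold with risk scoring rather than apply it uniformly.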
The report can be downloaded as a PDF.