If you read the gaming blogs and forums of the world, and hey, who doesn’t, you might have seen rumors swirling about something called session ID hijacking in the latest gaming sensation, Diablo III. It’s gone mainstream:
(Forbes) — At first this looked like it might have been yet another glitch on the Blizzard servers. Now it looks like we’re dealing with something far more nefarious: hackers exploiting security flaws in Diablo 3 and stealing peoples’ virtual items in order to sell them later in the Real-Money Auction House.
What is a real money auction house and why would gaming hackers care about it? It’s exactly what it sounds like: a sort of gamer Ebay, an exchange of in-game items for in-game currency. What makes it a real money auction house is gamers can sell their in-game items — or convert their in-game money — to real money.
That means, if a hacker collected enough items, s/he might be able to sell them on the RMAH and turn virtual items into hard cash as a worthwhile commercial venture. And that has a lot of people really concerned about rumors of nefarious hacking regimens and speculating on session ID hijacking as a method of compromise in Diablo III. This kind of hacking isn’t new, but many countries don’t consider stealing virtual money a crime, it is after all fake money used to buy better swords or flying mounts and stuff like that in game. There are lots of nations where you can’t have any real money besides The Real Money, so fake money is a real weird, weird, newish commodity. Hackers accumulating it by hacking into gamer’s accounts, laundering it, and selling the fake money to players who have real money might conceivably operate in the open as a completely legitimate business. This practice is known in the gaming industry as gold farming.
Gold farming is a huge business in large online communities with an in-game economy. And it can damn near ruin a gaming experience, because it involves ripping off in-game wealth that might take a gamer years to accumulate through regular, honest play. It sucks all the way around; fixing that damage for the hacked player costs online community developers very, very real money and it can injure customer loyalty. It’s so bad in Blizzard’s blockbuster game, World of Warcraft, that I wonder if Blizzard highers up went with a real money auction house in Diablo III in part thinking, ‘to hell with it, if players want to buy fake money, here, now they have an open market and transparent conversion rates for it. Problem solved.’
If you’re lost on the session ID bit, basically, right now you are talking to the Internet, specifically, the FTB server for this blog. You two are having a conversation, a handshake between two machines, aka a session, with data flowing back and forth instead of words, and that session has an ID number. Hackers have been known to get ahold of that ID or fake it, and with other bytes of info, they can sometimes make the session flow through their machines where they can see both sides of the conversation, say between a gaming server and a player’s computer, including passwords and user names. Hypothetically, the session hacker might even be able to knock the player out of the session and slide right in where the player was. Bingo presto, now they are the player. Incidentally, this could in theory skate right past anti-hacking devices used by gamers, like Blizzard’s authenticator.
The legit player will only know s/he got kicked off, and when s/he tries to log back in, the hacker can just set up a bot that pings the real player’s IP like little mini DoS attacks to keep them out until the hacker has done his grisly work. Which doesn’t take long. In mere seconds, an experienced game hacker can strip that player’s items and in-game currency, dump it on a nearby auction house for fake, in-game currency, and use the in-game mail system to send it to other player’s hacked characters, and so on, round and round she goes, like laundering money, except the spin cycle never ends until the fake money can be converted into real money. It must be quite a juggling act.
That they have to keep this huge chunk of stuff and/or money in motion through hacked accounts may turn out to be the Achilles Heel of D3 hacking no matter how it’s happening. Or, in the end, if the hackers are hugely successful, massive amounts of in-game dollars will overwhelm the real money auction house and create a commercially non viable exchange rate. I suppose, if someone wanted to try to start a sort of futures exchange or forward contracting arrangement on the Fake$/Real$ rate for a piece of the action, your hackers and other in-game speculators could even hedge and speculate. This would work especially well for such an innovator if they had a large site where you could feature such a cyber exchange.
::: Light Bulb On :::
Call it the Virtual Merc, Vmerc; I like it (I also might own it, so hands off!).
Anywho … no one has said officially, for sure, if session ID hijacking is the culprit behind the Forbes report on D3 (A Blizzard post went up overnight downplaying that possibility and credible sources tell me they are skeptical of the whole idea). Besides, there are security solutions for session hacking even if it turns out to be valid, and the real money auction doesn’t start for a few days. … Still, it will be interesting to see how this all plays out.