Coming face to Facebook with cyber identity theft

Virtual worlds, while a popular playground for a growing number of internet users, are also proving a fertile field for fraudsters.

You meet an investor in a virtual world. Attractive and friendly, he also seems to be very astute and says your business idea shows great promise.

All you need to do to advance your proposal is exchange contact details with his avatar: phone number, address, mother's maiden name - mother's maiden name?

Chances are you'd steer clear of responding, but a recent test of Facebook subscribers by the security firm Sophos has revealed that 41 per cent would readily hand out personal details to complete strangers, with 84 per cent disclosing their date of birth and 87 per cent their school and workplace.

Gradually collecting pieces of personal information is a common tactic for those bent on assuming someone's identity to perpetrate fraud or criminal activities and it's a growing practice.

Virtual worlds are the new frontier for identity theft, which cost Australians between $1 billion and $4 billion in 2001, according to estimates by the Commonwealth Attorney-General's Department.

By 2011, more than 10 million people are expected to subscribe to massive multiplayer online environments, according to Screen Digest's games analyst, Piers Harding-Rolls.

With the market for online games now worth more than $US1 billion, it is an enticing parallel universe of opportunity for criminals.

Hacking, spamming, keylogging, phishing and viral infecting - virtual worlds are at risk from every category of internet crime, according to senior security analyst at Auscert, Matthew McGlashan.

"People congregate in World of Warcraft forums and offer tools to help play but they are not tools - they're trojans," McGlashan says.

Others send links to websites that appear legitimate but are designed to defraud.

Most violations occur when players neglect established security procedures or through misguided trust.

In virtual worlds, you can't use multiple senses to assess danger or verify the identity of players and you have no recourse to action if things go wrong, says David Sykes, Pacific vice-president for Symantec.

"In cyberworld, you're flying partially blind. It's far easier [for criminals] to extract information from trusting players by signing up as a member in massive multiplayer environments than to execute a brute-force attack on a closely monitored site."

Nevertheless, attacks from the inside do occur. Late last year, hackers exploited third-party software used on the Second Life database to break into its servers, accessing unencrypted personal details of its 650,000 players, including passwords as well as payment information.

In July, another cyber criminal with privileged information hacked into Second Life's fictional securities exchange, made false deposits, and then disappeared with the equivalent of $US10,000.

And last month, a long-standing virtual bank in Second Life holding hundreds of thousands of Linden dollars closed shop and disappeared, along with everyone's money.

"There's a growing black market for this activity as people steal digital assets for real dollars," says Sykes, citing exchanges that convert gold from World of Warcraft, Project Entropia Dollars from Entropia Universe, Isk from Eve and Acorns from South Korea's Cyworld.

Businesses with a presence in virtual worlds are not immune to such threats. With a gross national product of $US64 million in 2006, Second Life is an increasingly desirable venue for a corporate presence.

Telstra, Philips, Reebok, Nike, Coca Cola, Toyota and Adidas all have virtual sites where people can see and try out products.

"The idea of being able to virtualise interactions has great potential for business but Second Life is an experiment and there are a lot of areas that need to gain in maturity," says Gartner's research analyst, Andrew Walls. In May, the ABC's site was subject to "griefing" or vandalism.

Other companies have suffered from having their corporate space populated with clutter, their staff and legitimate customers attacked, and duplicitous avatars, with multiple identities and no credit card attached, seeking business.

"Those wanting a presence have to be careful before jumping in because you have to position yourself differently based on the risk you're willing to take on. There are no regulatory structures in virtual worlds. You have to train staff to deal with attacks and have escalation procedures in place."

So far, offensives against corporations have been largely confined to attacks from subscribers, but Walls says it's only a matter of time before breaches occur that penetrate the corporate gateway.

"One of the scarier issues of complex environments is that we all develop on tools provided by people we know nothing about and which may have inherent weaknesses," Walls says.

Virtual worlds call for multiple ports to be opened to connect to the complex online environment, which increases exposure.

As a result, staff working in virtual worlds should be isolated. Walls warns: "Do not provide live or privileged linkages between objects or avatars and your backroom systems."

However, as people push for real-life transactions to be completed without leaving virtual worlds, more companies will take chances with security, Walls says. "There will be more opportunities for mistakes as time goes by."

© Fairfax Business Media
