
Online Services Problems: Credit Cards

This week, I was at the Virtual Goods Summit in San Francisco (my session writeups should appear on over the coming days). A couple of things struck me during the conference, including the large number of “payment providers” (companies that specialized in extracting cash out of your users via credit card, paypal, pre-pay cards, etc and crediting direct to you) and the large number of white-label “virtual goods system providers” (companies that were providing a turnkey (or near-turnkey) solution to “adding virtual goods to your existing facebook app” etc).

Which brings me to a recurring problem I’ve seen for a long time with the online games and MMO industry, which I suspect is going to cause a lot of damage to a lot of social games and virtual worlds companies in the coming years: online service providers are – in general – shockingly bad (lazy or plain stupid, usually) at handling their customers’ money.

And the result? Ultimately, it could drive increasing numbers of consumers back to preferring to purchase their games and other online content via retail, where the companies and transactions are more trustworthy. OH, THE IRONY!

The knock on effects include:

  • Good companies get tarred with the same brush (cf. Daniel James’ frequent comments about the pain that Three Rings has been through with payment-processing, especially ridiculous attitudes to chargebacks, where the company regularly got shafted)
  • Good customers stop paying for your service, and probably quit the service completely
  • “could-have-been” customers stop paying for ANY online services before they even start using your service, and will never pay for yours
  • Pre-pay cards are going to get even bigger, much bigger than most mainstream games companies and MMO companies have realised

What’s the problem?

Well, firstly, the problem is that most online companies have terrible security. For instance, I just tried buying something on iTunes. Apple’s security people should be ashamed of themselves, IMHO. I was horrified to discover that this is how iTunes still works:

  1. You are forced to tie an iTunes account to an Apple ID, and that requires an exclusive email address. If you already have a completely unrelated Apple ID (e.g. I had an Apple iPhone Developer ID), you are forced to convert it into an iTunes account; there’s no option to keep them separate (unless you have other email addresses you’re happy to use)
  2. To buy something in the UK iTunes store, you have to provide Credit Card details
  3. These details are immediately saved and are used automatically every time you try to purchase something, without you needing to fill them in again
  4. Apple forcibly prevents you from removing the Credit Card (there is no “delete CC details” option, and if you try to manually wipe the number, the “intelligent” web-backend decides to ignore your input and leaves the details in place)
  5. Any time you login to the account from now on, you can spend as much money on the CC as you like, without needing to know the CC number.

(In those 5 points there are several red-flag issues that leap out to anyone with a background in security. I’m not going to go through them all – suffice it to say, Apple has clearly made a decision that the amount of money they lose in fraud claims (I suspect: “substantial”) is made up for by the amount they gain in getting more consumers to make more purchases more often – and I’m going to look at the most obvious attack only.)

As an online game developer, I can immediately tell you that stealing accounts by guessing passwords is not merely “possible” but is “common”. Companies I’ve worked at have experienced upwards of thousands of accounts being stolen this way while I was there. This is a *common attack* and has been for many many years!

What happens if someone guesses your Apple iTunes password and logs in? Yep – free music. They can drain your credit card dry.
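To make that “common attack” concrete from the defender’s side, here is an added example (mine, not code from the post or from any of the companies named) that runs over a constructed login log and flags the two shapes password-guessing usually takes against game accounts: one source failing against many different accounts, and a run of failures on one account from one source followed by a success. The log format, the IP addresses and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an account service's login log (not real data).
LOG = """\
2009-06-13T10:00:01 ip=203.0.113.7 user=alice result=FAIL
2009-06-13T10:00:02 ip=203.0.113.7 user=bob result=FAIL
2009-06-13T10:00:03 ip=203.0.113.7 user=carol result=FAIL
2009-06-13T10:00:04 ip=203.0.113.7 user=dave result=FAIL
2009-06-13T10:00:05 ip=203.0.113.7 user=erin result=OK
2009-06-13T10:05:00 ip=198.51.100.9 user=gina result=FAIL
2009-06-13T10:05:10 ip=198.51.100.9 user=gina result=FAIL
2009-06-13T10:05:20 ip=198.51.100.9 user=gina result=FAIL
2009-06-13T10:05:30 ip=198.51.100.9 user=gina result=OK
2009-06-13T11:00:00 ip=192.0.2.44 user=alice result=FAIL
2009-06-13T11:00:30 ip=192.0.2.44 user=alice result=OK
"""
LINE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(OK|FAIL)$")

def parse(log):
    # Yield (timestamp, ip, user, result) for each well-formed line.
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            yield datetime.fromisoformat(m[1]), m[2], m[3], m[4]

def find_guessing(log, window=timedelta(minutes=5), spray_users=4, brute_fails=3):
    """Return (spray_ips, takeovers): sources that failed against >= spray_users
    accounts in one window, and (user, ip) pairs where >= brute_fails failures from
    one source preceded a success in the window (a guessed password that worked)."""
    by_ip, by_user = defaultdict(list), defaultdict(list)
    for ts, ip, user, result in parse(log):
        by_ip[ip].append((ts, user, result))
        by_user[user].append((ts, ip, result))
    spray_ips = set()
    for ip, events in by_ip.items():
        fails = [(ts, u) for ts, u, r in events if r == "FAIL"]
        for i, (start, _) in enumerate(fails):
            hit = {u for ts, u in fails[i:] if ts - start <= window}
            if len(hit) >= spray_users:
                spray_ips.add(ip)
                break
    takeovers = set()
    for user, events in by_user.items():
        for i, (ts, ip, r) in enumerate(events):
            if r == "OK":
                prior = [e for e in events[:i]
                         if e[1] == ip and e[2] == "FAIL" and ts - e[0] <= window]
                if len(prior) >= brute_fails:
                    takeovers.add((user, ip))
    return spray_ips, takeovers
```

On the sample log this flags 203.0.113.7 as a spraying source and gina’s account as taken over, while alice’s single mistyped password followed by a success is left alone.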

Surely, there is some secret piece of security going on here to prevent this invisibly, OR this must have happened by now, I thought. Some quick googling suggests that yes, it’s happened recently.

In fact, googling suggests that Apple has had at least one flaw in the password recovery that until recently made it even easier than normal to steal accounts by grabbing passwords.

(NB: as soon as I realised that the CC was so weakly protected, and that Apple refused to let me remove it, I converted my already “hard to guess” password to a random string of letters and numbers. And I sent Apple an email requesting that they manually remove the number or else take full responsibility for all future purchases, without contesting any claims of fraud that I make. They’ll probably ignore it :()

In passing, while googling, I found a bunch of CD-sized torrents titled “hacked itunes accounts”. I’m sure that’s a side-effect of some warez marketing rather than actual username/password details for iTunes accounts – the filesizes are way too large – but it was quite interesting to see.

What does all this imply?

  1. Apple can’t, actually, be trusted with your CC details (in particular, read the “$450 stolen from paypal account via Apple’s weak security” link to see their alleged response when they were apparently at fault)
  2. Apple is one of the most trusted consumer brands right now; when even Apple treats customers this unfairly, the backlash from that individual (and anyone who knows them) is likely to be quite substantial
  3. Many consumers have no idea what to do when they are the victims of fraud; in the PayPal/Apple example, *if* you know how liability for this stuff works, you would ignore PP and go after Apple – but this is not something consumers understand or care about

“Credit Card Required for Free Game”

Another example: NCsoft’s billing system

Working for NCsoft, with some knowledge of the billing, payment, and account-management system they use for US and EU, and being a suspicious person who’s been the victim of CC fraud before, I made the decision to never put my credit card number in the system (I don’t put my CC into any system unless I have good reason to – all NCsoft staff get all games and all subscriptions for free after they’ve worked there long enough, so this shouldn’t have been needed).

Due to that decision – even as a relatively senior employee – I was never allowed to use my free, company-provided, Tabula Rasa account. Because the same system, plus some quirks of how TR was configured, would not allow NCsoft’s own account-management staff to make my TR account free until I used my Credit Card number to first pre-authorize the account (the other games were all fine, it was only TR that was a problem, due to quirks in the system).

Oh, how we laughed.

And I kept thinking: if this is how screwed-over I am, as an internal employee, one who actually works in development (and who can understand all the technical details of the system) … what’s the experience that our customers go through?

As an internal employee, I was able (although not encouraged) to complain. It got me nowhere (even internally). Later on, I had other problems with the same system, which got bigger and bigger. Ultimately I stirred up some trouble, and ended up (accidentally) greatly offending the team that was responsible for the payment systems internally. I went to visit them and apologise in person the next time I was in their office (it was a 10,000 mile roundtrip, so I had to wait until I was flying out there anyway), and spent some time understanding their setup. Basically, in a word: “under-resourced”. Or, in several words: “chronically under-resourced and massively over-loaded”. IMHO they had a snowball’s chance in hell of ever fixing that system or doing much more than keep it limping along and praying every day that nothing “too bad” would go wrong with it. Good guys, but hung out to dry by a trickle of a budget.

And NCsoft is one of the better, more accomplished, online game companies, with (in most areas) hundreds of support staff.

The Customer

Rather than break out into any more lengthy examples, I’ll leave those two personal experiences hanging, and suggest that further interesting reading can be found by looking at PayPalSucks, or googling for “hacked account” and just about any major game, and seeing what you find in forums.

Of course, this is online games, so … I have to assume that a percentage of the raving about fraud etc from “Irate Customers” is in fact idiots who think they can lie their way to free money (another standard piece of knowledge in the MMO industry: most complaints to customer service that mention lost money or items are themselves a very low-brow form of fraud, or “trying it on”).

The key point here is that Credit Card fraud is something most consumers have little or no experience of, and when they become a victim it’s a confusing and often difficult experience for them. And that even the “good” online services companies really struggle to make it bearable for the innocent consumer.

Meanwhile, Credit Card companies can (and do) make life excessively hard for companies, punishing them inappropriately severely for fraud, and siding with the consumer wherever they can. The same consumer that we often know to be a lying cheater (and that’s just the normal consumers “trying it on”; the professional fraudsters are far far worse…). Everyone loses! (except the Credit Card companies; which makes the developer in me bitter – but it also makes sense, since the CC companies are the linchpin of most of the online payment in the world, and logically if any actor in the system is to be more protected than the others then it should be them: if they falter, the whole system might collapse. Even if it feels grossly unfair at times how weighted in their favour everything is).

So, as more and more companies move to add more game-like elements to their systems, especially Virtual Goods and Item-Trading, payment is going to be a nasty shock for a lot of them (not just CCs, but plenty of the payment systems too, depending upon how the operator integrates payment). (of course, first of all they’re going to get a nasty shock when they find out how many payment systems there are in the world, and that Sulake’s claim of using well over 100 different payment systems for Habbo Hotel is, if anything, probably on the small side).

And to give a hint of the joys to come for people fleeing Credit Cards, I saw another source of probable nasty shocks at the conference – there was a mobile payment provider who integrated many different mobile phone networks, allowing the game operator to just deal with them without needing to know about all the networks. This can be exceptionally dangerous, and I’m sure some of their customers (game operators) will make the obvious mistake of assuming it actually works that way. No – each cellphone network charges a different commission on each amount billed, so the “integration” is really just skin-deep (I asked the payment provider’s staff, they confirmed this). Since operators will want to know how much money they’re getting when they sell something (they want to set a price!), some will use the option this payment provider offers of setting the “price the operator receives”.

That fixed price causes each consumer to be billed a different price to the others. That’s going to be fun to deal with when consumers start talking to each other about how much they’ve paid… Ugh.

Parting thoughts

Just one, really: Pre-Pay Cards FTW!

Hey, wait – does this mean that the “Retail is Dead” folks might have struck a bit too early?

Uh, yeah, I guess so ;)…
