ITsecurity

In-Game Currency

Posted on April 2, 2015.

A topic that crops up more and more in modern gaming, with varying degrees of controversy, is the
concept of In-Game Currency. But what exactly is meant by the term? After all, there are in-game
houses, in-game guns, in-game pets; why is currency more of a relevant issue than any other
everyday concept you might find in a game?

Gamers of the pre-Facebook era might have their minds instantly leap to Gil or Zenny, the fictional
currencies in the Final Fantasy and Breath of Fire games. While these are one form of In-Game
Currency, the term in current parlance can refer to several different things, and often carries a
deeper relationship to transactions carried out in real life.

In the case of mobile games, there may be two levels of In-Game Currency, such as gold and
gems, where one is earned free of charge through gameplay and the other can be bought for real
money. In this sort of arrangement, the paid-for currency is often referred to as “Premium
Currency”. Despite the distinction, the two terms are more or less interchangeable, and any time
In-Game Currency is mentioned it’s more than likely to be Premium Currency as well. Another way
of distinguishing between the two is to use the terms ‘soft currency’ and ‘hard currency’. The former
applies to IGC that can be earned through normal gameplay, and the latter refers to currency that
is much more sparingly granted, and usually encourages the player to buy more. Both forms of
IGC come with their own economics, problems and vulnerabilities.

As soon as gaming became advanced enough to track the statistics of the main character, In-Game
Currency began to develop. In its early days, it was nothing more than a mechanic; the
character had his money and could buy new 16-bit swords or potions, and that was that. It was so
innocuous that it didn’t even merit its own term like ‘In-Game Currency’, and in purely single-player
games today it has no more relevance than it used to.

However, as gaming advanced, games began to be able to depend more on post-release
downloads. At first, this merely helped developers to patch a game’s flaws and bugs after release,
but it soon began to open up an entirely new distribution method for games. The Xbox Live
marketplace was at the forefront of downloadable content on platforms other than the PC, and it
adopted a model which did not directly use real money for the transactions. Instead, users could
buy ‘Microsoft Points’, and use those to purchase content for games or downloadable copies of full
games.

This points system would soon be adopted by other game publishers, and was especially popular
as a model with Facebook games and free-to-play mobile games; thus the rise of Premium
Currency goes hand-in-hand with microtransactions. The potential profitability of this model was so
great that markets were soon flooded with ‘free-to-play’ games, which often based their entire
design around enticing players to purchase Premium Currency. This caused a great deal of
controversy among gamers, ending with a ruling in the European courts that no game could market
itself as ‘Free to Play’ if it contained any such microtransactions.

Purchasable in-game currency is most popularly used in casual and mobile gaming, social network
gaming and MMOs, but almost any game with a multiplayer element can make use of this model.
In the case of mobile gaming, Premium Currency almost forms the entire basis of the market.
Many games are offered to download and play for free, but offer purchasable currency to speed up
various facets of the game, or for special effects. Facebook and other social games tend to operate
along similar lines.

In the case of MMO gaming, there is a far greater variety of IGC systems. Almost all such games
use a ‘soft’ In-Game Currency, but there are those that don’t make use of Premium Currency. Of
those that do, some even have multiple forms of ‘hard’ currency; perhaps Gems that can be bought
for money, like traditional Premium Currency, alongside another special currency that might only be
given out during special events. How the MMOs handle their In-Game Currency is equally mixed,
with some reserving it for mainly cosmetic and ‘prestige’ purposes, and some allowing players to
get a large advantage over others if they’re willing to pay, often leading to accusations of
‘pay-to-win’ style gameplay.

Finally, many multiplayer FPS games are beginning to use Premium Currency as well. Soft
currency tends to be less significant, since the gameplay revolves around short, arena-style
competitions, and building a character over the long term tends to be more restrictive. However,
hard currency in shooters is sometimes used, and is even more prone to creating pay-to-win
situations than in MMO games.

In-Game Currency, especially Premium Currency, as something that is purchased with real money
and subsequently used in exchange for special game features, has value. However, it is entirely
intangible, and the purchaser is effectively just buying data. When you have valuable data, you
need to consider its vulnerabilities and security against cyber-theft very carefully.

Because of the user-locked nature of IGC, attacks on a central server to steal other players’
resources are rarely feasible. In most cases, Premium Currency is non-transferable, so it is usually
fairly secure once a player has completed the transaction. However, in games where Premium
Currency is transferable to other players, users must beware of phishing and social engineering
attacks, as access to the user’s account can result in everything of value being stripped from the
account and being sent to the scammer.

It is usually fairly easy to spot illegitimate sums of IGC, as the users in possession of it will stand
out from others. It’s possible that this can be circumvented with a network of ‘disposable’ accounts,
each one flying under the radar by only having a reasonable amount of currency for a player, and
this is how a lot of ‘gold farmers’ in MMO games avoid automated detection.
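The two checks implied above, as an added example that is not part of the original article: a per-account balance outlier test, and an aggregate view of the transfer log that surfaces a recipient fed by many accounts that each look normal. The account names, amounts, thresholds and the shared-recipient heuristic are assumptions made for illustration, and the aggregate check goes beyond the per-account comparison the text describes.

```python
from collections import defaultdict
from statistics import median

# Constructed sample data: balances per account and a (sender, recipient, amount) log.
BALANCES = {"p01": 1200, "p02": 900, "p03": 1500, "p04": 1100, "p05": 1300,
            "p06": 1000, "farm1": 1400, "farm2": 1350, "farm3": 1450,
            "farm4": 1250, "whale": 250000, "bank": 800}
TRANSFERS = [("farm1", "bank", 1000), ("farm2", "bank", 1100),
             ("farm3", "bank", 1200), ("farm4", "bank", 900),
             ("p01", "p02", 200), ("p03", "p02", 150)]

def balance_outliers(balances, k=10.0):
    """Flag accounts above median + k * MAD (a robust outlier limit).

    Returns (flagged_accounts, limit). k is an assumed tuning value.
    """
    values = list(balances.values())
    med = median(values)
    # Median absolute deviation; fall back to 1.0 if every balance is identical.
    mad = median(abs(v - med) for v in values) or 1.0
    limit = med + k * mad
    return {acct for acct, bal in balances.items() if bal > limit}, limit

def funnel_recipients(transfers, limit, min_sources=3):
    """Flag recipients whose combined inflow from several distinct senders
    exceeds the per-account limit, even when no single sender stands out."""
    inflow = defaultdict(int)
    sources = defaultdict(set)
    for src, dst, amount in transfers:
        inflow[dst] += amount
        sources[dst].add(src)
    return {dst for dst in inflow
            if len(sources[dst]) >= min_sources and inflow[dst] > limit}

if __name__ == "__main__":
    flagged, limit = balance_outliers(BALANCES)
    print("balance limit:", limit)
    print("balance outliers:", sorted(flagged))
    print("funnel recipients:", sorted(funnel_recipients(TRANSFERS, limit)))
```

On this constructed data the balance check catches only the single oversized account, while the four accounts holding ordinary balances are visible only through the recipient they all pay into.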

One particularly interesting example of the theft of In-Game Currency comes from EVE Online, and
is incredibly recent, as well. Using something more akin to a level of espionage seen in a less
action-oriented spy movie, a player spent months gaining trust and a good reputation in one of the
game’s larger corporations (a collective of players like guilds or clans in other MMOs) until he
gained a position of power within the virtual organization. He then proceeded to take as many
in-game assets from the corporation and its members as he could, transferring them to his own
account and disappearing from the corporation. For their value in EVE’s In-Game Currency (known
as ISK or Interstellar Kredit), the stolen assets were estimated to be worth around $13,000 in real
money.

(Please note that the ‘CEOs’ and ‘Corporations’ in the article refer to the in-game corporations and
ranks, not to actual organisations in the real world)

In December 2013, Rockstar confirmed that Grand Theft Auto V Online had been subject to
hackers or exploiters, with one user known as ‘epiicmoddingtobi’ having amassed in excess of
1,000,000,000,000 in-game dollars. Since GTA V Online’s base in-game currency can be
purchased for real money, the value of this sum was estimated at about £12,000,000 in real
pounds sterling. Whether this money was obtained via hacking or by exploiting flaws in the game’s
code is unknown, but it’s certain that so many in-game dollars could not be obtained legitimately.

Rockstar have taken a quarantine approach in the case of GTA V Online; rather than attempt the
impossible and try to completely eradicate the possibility of cheating, they move known cheaters to
a separate server. The ‘cheater server’ is becoming more popular among developers; this method
ensures that cheating players are not able to use their unfair advantage against legitimate users,
but it does create problems if a player is sent to that server wrongfully, and it can be very difficult to
return to a normal server if the cheating behaviour is corrected.

As with many security issues, there is very little that can be done to prevent attacks and
exploitation when it comes to IGC. It’s important to have a sensible framework in place; making
sure a player’s hard currency is account-locked and cannot be manipulated from a central server
will discourage most direct attacks, but any ways to exploit the system or steal from other players
need to be discovered before they can be fixed. Usually, these flaws are only discovered after
unscrupulous users have already taken advantage of them.

However, there is rarely any great cause for alarm; people can only lose as much as they are
willing to spend on the Premium Currency in the first place. Any other risks come from
compromised financial information, which, although serious, is not directly a flaw with In-Game
Currency as a concept. As with all things, users must be careful to buy IGC from reputable
sources, and companies must take all the usual security precautions to protect their customers.


Submitted in: Expert Views, Josh Townsend