Online Game, Social Network Sites Confront Unique Fraud Challenges

Most of the public attention on online fraud centers on traditional merchants seeking to identify fraudulent orders, detect and prevent data breaches, and the like. But fraud also is a major concern for the online-game publishers and social networks that operate exclusively in the virtual world.

Because of the unique aspect of their operations, online game publishers and social networks face threats not found at the average online retailer, which typically operates domestically or in a limited geographical area. And while the average Internet merchant deals with physical products and services, online game publishers and social networks operate solely in the digital realm.

That’s the case with Adknowledge, a privately owned Kansas City-based ad network that offers advertising for online games and social networks.

Adknowledge’s SuperRewards platform delivers targeted advertising offers to millions of global Web site and social network users. Online gamers can earn in-game points or virtual currency by completing offers, such as filling out surveys, watching videos, or subscribing to online services that are of value to them. The points or virtual currency can then be used in the online game or social network.

As in the physical world, fraudsters seek out ways to acquire points or virtual currency illicitly.

“We work with thousands of publishers with hundreds of millions of users around the world,” says Adam Caplan, vice president of virtual currency, Adknowledge, in a statement. “Some users are so passionate about the games they play that they will go to extraordinary lengths to acquire excess virtual currency, including abusing advertising offers that we make available on our platform.”

Fraudsters also will use stolen credit cards or other abusive payment mechanisms to accumulate virtual currency to sell to others in the game for profit, Caplan says.

“It’s critical for us to separate the abusers from the vast majority of users who are interested in the brands and the products they sign up for, or validly pay for the virtual currency they use,” he says. “When users sign up for specific advertising offers without having any real interest in the associated brands or products, we risk degrading the quality of leads that we provide to advertisers.”

Because of the unique nature of the online gaming world and social networks, the fraud-detection and -prevention methods used by the average e-commerce merchant usually don’t work as well.

“The real big challenge SuperRewards has that other typical e-commerce merchants don’t have is that they have a global audience—they’re not just selling domestically,” says Alisdair Faulkner, chief products officer of the Los Altos, Calif.-based ThreatMetrix Fraud Network, which provides fraud control for Adknowledge. “They’re one of the providers to Facebook and Facebook publishers and also MySpace.”

Previously, merchants just looked to the IP address to decide whether a transaction posed a fraud risk, Faulkner says. “If it wasn’t from the U.S., we shouldn’t trust it,” he says. “But what happens if your audience is global anyway? That doesn’t help.”

In addition, users are immediately credited with the virtual currency or points once they fill out a form or complete a survey, giving SuperRewards no time to verify information about the transaction. And because no physical goods change hands, SuperRewards can’t use anti-fraud measures such as an address verification service that can be used to validate delivery addresses against cardholder information, Faulkner says.

“The third problem these guys face is just the sheer scale,” he says, noting that online game sites and social networks can see anywhere from 10 times to 100 times more transactions than the typical online merchant “just because they have tens of millions of people that would see and get exposure to these monetization networks.”

That means that Adknowledge and similar businesses operating solely in the virtual world must use a fraud-prevention system that focuses on information about the device used to generate the transaction and other transaction-related data to score a transaction.

Adknowledge uses data gathered by ThreatMetrix’s Web-based system, including intelligence about the device used by the user, key transaction details, and past behavior, both onsite and globally.

“ThreatMetrix enables us to instantly review and analyze transactions based on date, score, status or any other attributes across their global fraud network,” Caplan says. “We can also identify new and returning users to see how they are interacting with our system.”

While most anti-fraud systems collect information on which browser is being used in a transaction, ThreatMetrix also collects information on the packet signature—the Internet connection over which the browser is working.

“We can tell the difference between if the browser says Internet Explorer but the packet signature tells us that it’s a Linux computer,” Faulkner says. “And we can bypass that proxy which says its IP address is in the U.S., and tell them based on the packet signature that it’s actually in Romania.”

ThreatMetrix also looks for other anomalies such as if the browser language is in English, but the true IP address is in Romania or the time zone belongs to a Romanian computer but the transaction is coming through a proxy pretending to be in the U.S.