Online gaming payments leave lots of room for fraudsters
Recently there has been a rash of fraud-related incidents with online games. Specifically, Facebook allegedly allowed and encouraged friendly fraud with games it hosts, and the wildly popular online game Fortnite has been used by criminals as a platform for a variety of fraudulent activities.
Cybercriminals target online games because the nature of their payment systems opens the door to a variety of fraud practices, including account takeovers, friendly fraud, card testing and true fraud, that can result in a crippling number of chargeback claims.
Some users protect their accounts with only the most basic password credentials, and those accounts are easy targets for hackers. As a result, the real account holder sees in-game credits being used and purchases being made, which then turn into chargeback disputes. This is a major reason chargebacks are on the rise for these kinds of systems.
Right now many games, including Fortnite, offer the option of two-factor authentication, but unless it is mandatory, a large number of account users will choose convenience over security and use single-factor authentication. Normally, companies want to make it easier to log in and play, so they often only require eight-digit passwords, which can be hacked in minutes by any professional hacker. So requiring 12- to 16-character passwords and two-factor authentication will be positive steps to reduce account-takeover fraud.
Friendly fraud is a result of children using their parents' credit cards to make unauthorized online purchases, which the parent then disputes through chargeback claims. Friendly fraud also occurs when the cardholder is well aware of the transaction and yet files a dispute with their issuing bank to scam the merchant. The dark side of friendly fraud is that software tools and AI have not evolved to predict human emotions and intentions when a transaction happens online.
Creating a blacklist database to filter out the bad players will help gaming companies reduce their friendly fraud chargebacks. It has been estimated that friendly fraud will be repeated at least three times if merchants do not take any action to prevent it in the future. Also, internal issues such as poor customer service or deceptive practices can lead to friendly fraud chargebacks. Merchants must analyze these chargebacks more closely to find their root cause.
Online games are particularly good targets for card-testing fraud because so many of their in-game purchases are in very small amounts, in $1 or $2 increments. Typically, a thief gains access to a stolen credit card number, or thousands of them, and begins making test purchases. These are small, incremental purchases at first, but they grow into much more expensive ones once the fraudster knows they’re possible. Each of these charges, big or small, can become a chargeback filed by the credit card’s real owner.
One of the ways to prevent card testing is to have a fraud prevention tool in place. A good tool can run velocity checks: it can limit the number of transactions that come from a particular IP address and track how many cards are being used on a single account. This will help block those accounts and prevent card testing from happening.
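A minimal sketch of the two velocity rules described above, added here as an illustration; it is not code from any fraud prevention tool the article refers to. The 10-minute window, the thresholds, the class and field names and the sample events are all assumptions.

```python
from collections import defaultdict, deque

# Assumed thresholds for illustration; tune them against real traffic.
WINDOW_SECONDS = 600          # sliding window: 10 minutes
MAX_TXNS_PER_IP = 5           # payment attempts allowed per IP in the window
MAX_CARDS_PER_ACCOUNT = 3     # distinct cards allowed per account in the window

class VelocityChecker:
    """Sliding-window velocity rules. Events must arrive in timestamp order."""

    def __init__(self, window=WINDOW_SECONDS, max_ip=MAX_TXNS_PER_IP,
                 max_cards=MAX_CARDS_PER_ACCOUNT):
        self.window, self.max_ip, self.max_cards = window, max_ip, max_cards
        self._ip_events = defaultdict(deque)    # ip -> attempt timestamps
        self._acct_cards = defaultdict(deque)   # account -> (ts, card_token)

    def check(self, ts, ip, account, card_token):
        """Record one attempt and return the names of the rules it breaks.

        Call this for every attempt, approved or declined, because card
        testing produces many declines. Pass the gateway's card token,
        never the raw card number.
        """
        cutoff = ts - self.window
        ip_q = self._ip_events[ip]
        ip_q.append(ts)
        while ip_q[0] <= cutoff:                # drop attempts outside window
            ip_q.popleft()
        acct_q = self._acct_cards[account]
        acct_q.append((ts, card_token))
        while acct_q[0][0] <= cutoff:
            acct_q.popleft()
        reasons = []
        if len(ip_q) > self.max_ip:
            reasons.append("ip_velocity")
        if len({card for _, card in acct_q}) > self.max_cards:
            reasons.append("cards_per_account")
        return reasons

# Constructed sample events: (unix_ts, ip, account, card_token).
# One ordinary player, then one account cycling six cards in one minute.
SAMPLE = [
    (1000, "198.51.100.7", "acct-1001", "tok_a"),
    (1300, "198.51.100.7", "acct-1001", "tok_a"),
] + [(2000 + 10 * i, "203.0.113.50", "acct-2002", f"tok_t{i}") for i in range(6)]

def flag_sample(events=SAMPLE):
    """Return (event_index, reasons) for every event that breaks a rule."""
    vc = VelocityChecker()
    return [(i, r) for i, e in enumerate(events) if (r := vc.check(*e))]
```

On the sample, the ordinary player is never flagged, while the second account trips the card-count rule on its fourth card and the IP rule on its sixth attempt.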
True fraud, in which a credit card is stolen, is another threat. The card is used to build up a game account, then the account is sold on an online trading site. When the real cardholder discovers these charges, they will be able to file a chargeback dispute. The criminals can sell the accounts for much less than the amount they charged to the card because it is all profit to them, and the harm falls on the card owner and online game publisher.
One of the best ways to fight this kind of fraud is to have fraud filters and use external tools such as a PCI-compliant payment gateway. It should come with fraud screening features, as well as AVS and CVV matching. This is one area where gaming companies are failing because they turn off these filters by default. Enabling AVS and CVV matching requires the card owner to provide an address and CVV. This will help cut into identity theft since criminals are likely to only have part of this information.
Because of the volume of virtual, in-game transactions, publishers accept some level of chargebacks, even fraudulent chargebacks, as a cost of doing business. That shouldn’t be the case because there are ways for online game publishers to take on chargebacks and fraudsters while preserving their revenue flow and customer experience.