When is a game “just a game,” and when does it become something more? We all come up against this question sooner or later – but no player quite experiences this question like the MMO gamer. And now there’s a new question, sharper than the last: When you invest weeks, months, even years into a single game, what happens when someone robs you of your efforts?
Account theft is not a new phenomenon, but because of the increased monetary value of these accounts – accrued from the labor of honest players – hacking has reached monumental heights.
Dave Weinstein, formerly of Red Storm fame, now speaks on the huge prevalence of unregulated character theft and the black market sale of virtual goods. Weinstein addressed game developers at Gamefest 2006, warning that organized crime had targeted MMOGs as an easy method of generating cash in a largely unregulated market. Part of the problem is a lack of law enforcement infrastructure in dealing with the value – and following the theft – of virtual property. “The police are really good at understanding ‘someone stole my credit card and ran up a lot of money,'” Weinstein said. “It’s a lot harder to get them to buy into ‘someone stole my magic sword.'”
Square Enix, at least, hasn’t gained much traction on this problem in the last two years. Earlier this year, the company came under heavy fire when thousands of Final Fantasy XI accounts were hacked – stolen from their owners with keyloggers, rapidly stripped of high value items (often totaling in the thousands of dollars for max-level characters) and returned, denuded and worthless, only months later.
Michelle kept detailed notes. She even knows exactly when it all began – August 27, 2005, the day she signed up for Final Fantasy XI. “Like any first-time gamer, I began playing the game a couple hours here and there and maybe a few hours on the weekend,” she said. She’d never played an MMOG before.
“Through time I began to develop friendships and a character that would become as much to me as ‘real life’ relationships are. The amount of time I devoted went from five or six hours a week to almost 60 to 80 hours a week. When I wasn’t playing, I was working or sleeping.” It’s a familiar story to anyone who has gotten sucked into the world of an online game; a story that, these days, millions of people are experiencing.
The game became a part of her real-world social life.”Often times while at my job on break, I would talk about what we had done the night before. A funny thing is my friends, family and co-workers came to enjoy the tales I would come in to tell,” she said. Her character, a Paladin we’ll call “Mali,” had become as real to her as another side of herself. “Folks who don’t play don’t understand the amount of work players invest into their characters.”
On December 14, 2007, a hacker broke into Michelle’s account and changed all of her personal information: name, location, credit card account. Her virtual identity had been stolen and rewritten. At 9 P.M. when she attempted to log in for an evening’s adventure, her username and password failed. “My heart sank a thousand feet,” she said. She called up customer service – but it was a Friday night, and Account Services wasn’t there.
There’s Nothing We Can Do
She called again first thing on Monday morning. “They told me if I could not give them the ‘current‘ information on the account, there was nothing they could do.” When they asked her how they could be sure she wasn’t in fact a hacker trying to break into someone else’s account, she argued with passionate logic that if she was a hacker she wouldn’t be able to provide her comprehensive account history, including payment records dating back two years. Sorry, Square Enix said – it’s Just Against Our Policy.
Michelle was hardly alone. By the time her account was hacked, thousands of other players had suffered the same fate. Theft victims circulated an online petition to attract Square Enix’s attention and recover what they had lost, while the community whispered urban legends of players whose characters were stolen and never returned, sold like abducted children on the black market for real-world cash.
Michelle frantically scanned these unauthorized auction sites daily, looking for a character that matched Mali’s description – a high level paladin worth, according to her research, between $1500 and $2000 in these markets. That estimate didn’t even including the huge cache of rare armor Michelle had accumulated and stored in Mali’s inventory, collectively valued, she estimates, at well over $5000.
She started on the white-hat side, looking up contact information for internet lawyers. When she found one, “I explained to [him], if someone stole Yahoo people would have the suits flying. Yahoo isn’t a tangible item, and does have value. My character is basically the same thing.” But he wasn’t interested. “He … explained there was no one he knew of that even attempted such litigation, and believed it would be fruitless. I was becoming more and more desperate to get help … or to find someone that would listen and understand.”
When the white hats failed, she turned to other options. “I [started] looking for a hacker to steal the account back,” she said. If a hacker had broken into the account in the first place, she reasoned, another person with similar abilities should be able to get it back. And Square Enix clearly didn’t have a problem with the hackers doing it. She didn’t find one, but she did find Dave Weinstein and his security talks.
Weinstein counseled her against “stealing” the account back, for legal reasons, and advised her to keep trying with Square Enix – that if she was persistent, customer service would relent and give her account back. “I realized very quickly David did understand how I felt,” Michelle said. “Finally, someone who at least cares!“
Weinstein turned out to be right. In February, nearly three months after Mali and all her holdings were stolen, Square Enix agreed to return Michelle’s account. But her digital Odyssey wasn’t even close to over.
No Legal Right
Even after Square Enix’s customer service determined that Michelle was, in fact, the rightful owner of the account, getting Mali back was no simple enterprise. Square Enix’s legal office sent her a “Final Fantasy XI Notarized Account Verification Declaration,” which she would have to sign, notarize and send back – just to allow for the possibility of reclaiming her account.
The wording of the declaration, however, made Michelle hesitate, in spite of her desire to get her account back. Most of the language was standard – she was required to state that she was the original owner of the account, it had never been transferred and it had been compromised against her will. But item number seven was a doozy:
7. I understand that I have no legal right to the return of my compromised PlayOnline account, and that the submission of this signed and notarized form to Square Enix, Inc. is no guarantee that I will obtain a return of this account.”
In order to get her account back, Michelle had to sign a statement that it wasn’t legally hers.
She called another lawyer – this time a friend of the family. His response was sad, but pragmatic: “He said, ‘What do you have to lose? You’ve already the lost the character … just sign it and hope for the best.’ “
Michelle agreed, signed the form, and shelled out for overnight shipping to El Segundo.
On February 5, 2008, Michelle got her account back. Before she let herself log on, she took her computer to a repair shop to have it scanned for viruses. They found not one, but 22 unique keylogger viruses. They cleaned up her machine, installed a full battery of protective software and instructed her only to visit protected sites. She brought it home, fired it up, and started playing.
The damage was severe. “What little money I had was gone, my armor – treasured pieces of armor given to me over the years – gone. I had no shield to use as a paladin, nor money to get another. I was quickly realizing how difficult it would be for me to play with a character not suited to perform.” But she had Mali back.
Three days later, her account was hacked again.
“I felt defeated, broken,” she said. “How could I win, if they could just take it from me whenever they wanted? I’d done everything within my power to protect my account.”
Back to the repair shop Michelle went. “They accused me of going to a page that had the keylogger program. To their surprise, I had not gone anywhere. I had only been on PlayOnline. The store’s position was [the hackers] must have hidden it so well their systems didn’t locate it [the first time]. They recommended I reformat the hard drive and reinstall everything.”
So she did. And then it was back to Square Enix – where it was back to square one.
After several more trips through the Customer Service gauntlet, she finally had Mali back again – but when it came time to log back in, she couldn’t bring herself to use the account. “Don’t get me wrong – there’s a side of me that is itching to get back on to game and enjoy it as much as I did. But now there is another side that just can’t see putting so much heart and love into something, just to have it ripped away.”
The kicker: Once Michelle’s account was restored and attached to her credit card, Square Enix hit her for fees associated with the hacker’s invalid credit card number.
Michelle wants to educate players on how to protect their accounts – and she wants MMOG developers to take responsibility for what they create. “Players need to change their passwords often. Too many times we get used to the ‘ease’ [with which] games allow us to log on. Companies with online games need to be active. I would think they would be one of the first to hear a rash of accounts are suddenly being taken. They could put up a warning to players to change passwords or at least be aware.”
FFXI actually does this on occasion – but it isn’t enough. “They need to have a way where accounts that have been hacked can be locked immediately, until the correct owner is determined. Companies need to use common sense. If they are looking at information changed on an account and it is obviously wrong, it should be addressed immediately.”
“MMO companies need to remember it is the players that makes them exist. I know many players who have told me if their account was stolen, they would quit and never return.” And this is, indeed, what a lot of hacked players do – especially the ones who have experiences like Michelle’s. Once she had her account back, she petitioned Square Enix to have her stolen items returned. Sorry, they said, it’s been too long. Square Enix has a seven-day time limit on the return of stolen online goods.
Michelle’s odyssey brings to mind Julian Dibbell’s famous “A Rape in Cyberspace,” often cited as a defining moment in the brave new world of online interaction – and as an early stimulus for cyberlaw itself. Dibbell attacked head on the ultimate question at issue here and in all online spaces: is it a crime if it’s “just online”? How do we classify Michelle’s experience? Was it “just a game”? Was it “theft”? Was it, as it felt to Michelle, “abduction,” “robbery” and, ultimately, extortion?
While we attempt to answer these questions, stretching how far into the realm of the virtual we can extend our real-world ethics, the raw facts are that perceived injury is resulting from this online exploitation. Individuals and institutions in meatspace can, when pressed, parse her financial loss, but not her status as a victim of criminal activity. When the life of a mind takes shape in a society suspended in the ether, where is the ruler for Michelle’s injury? Do we mechanically dissect her expansive virtual life experiences, compress them into our worldview and then stretch them against the cold table of our real-life objectivity?
If we do, is it justice?
Erin Hoffman is a professional game designer, freelance writer, and hobbyist troublemaker. She moderates Gamewatch.org and fights crime on the streets by night.