Credit card thieves attack OpenSim grids

Credit card thieves have figured out a way to steal money from OpenSim grid owners.

They take the credit cards, and use them to purchase virtual currency from the grids. Then they turn around and redeem the currency for cash before the card holder notices the theft and complains. The credit card company reverses the transaction and now the grid is out the full amount — plus the time spent dealing with the issue.

Any grid that issues its own virtual currency and allows it to be redeemed is potentially vulnerable. Second Life, for example, combats this kind of fraud with internal controls and with a security API for third parties that trade its currency, such as outside currency exchanges.

One grid hit recently is InWorldz, OpenSim’s most popular commercial social grid.

To combat this menace, the grid has put controls in place about how much currency new residents can buy, and halted outbound transfers via third parties.
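The two controls described above, sketched as an added example (not InWorldz's code): it replays a constructed request log and measures how much card-funded money leaves the grid with and without the controls. The thresholds, account names, dates and function names are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import date

# Assumed policy values, constructed for this example (the article gives no figures).
NEW_RESIDENT_DAYS = 30          # accounts younger than this count as "new residents"
NEW_RESIDENT_DAILY_CAP = 10.0   # USD of currency a new resident may buy per day

def decide(kind, usd, age_days, bought_today):
    """Return (allowed, reason) for one request under the two controls."""
    if kind == "transfer_out":  # outbound transfer via a third party
        return False, "third-party outbound transfers halted"
    if (kind == "buy" and age_days < NEW_RESIDENT_DAYS
            and bought_today + usd > NEW_RESIDENT_DAILY_CAP):
        return False, "new-resident purchase cap exceeded"
    return True, "ok"

def chargeback_exposure(requests, created, enforce):
    """Replay requests and return the card-funded USD that left the grid.

    That sum is what the grid loses if every card purchase is later reversed.
    Only card-funded balance is modelled, not in-world earnings.
    """
    bought, left, daily = defaultdict(float), defaultdict(float), defaultdict(float)
    for name, kind, usd, day in requests:
        if enforce:
            age = (day - created[name]).days
            allowed, _ = decide(kind, usd, age, daily[(name, day)])
            if not allowed:
                continue
        if kind == "buy":
            bought[name] += usd
            daily[(name, day)] += usd
        else:  # "cashout" (the grid's own channel) or "transfer_out"
            left[name] += min(usd, bought[name] - left[name])
    return sum(left.values())

# Constructed sample data: a one-day-old account and a long-standing resident.
CREATED = {"new_avatar": date(2011, 6, 1), "old_resident": date(2010, 1, 1)}
D = date(2011, 6, 2)
REQUESTS = [
    ("new_avatar", "buy", 8.0, D),
    ("new_avatar", "buy", 200.0, D),
    ("new_avatar", "transfer_out", 150.0, D),
    ("new_avatar", "cashout", 100.0, D),
    ("old_resident", "buy", 50.0, D),
]

if __name__ == "__main__":
    print("no controls  :", chargeback_exposure(REQUESTS, CREATED, enforce=False))
    print("with controls:", chargeback_exposure(REQUESTS, CREATED, enforce=True))
```

The cap does not stop the first small purchase, so some exposure remains; it bounds the loss per new account rather than eliminating it.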

Bellissima Square on Bella region of InWorldz is just one of many shopping destinations on OpenSim's most popular grid.

“The non transfer out of InWorldz is a temporary blockade,” InWorldz LLC partner Beth Reischl (also known as Elenia Llewellyn in-world) told Hypergrid Business. “We have already scheduled a timeframe to work with our ATM providers and allow established residents a method of transferring.”

More information about this is available on the InWorldz forums discussion on this topic.

The blockade has most affected merchants using the third-party InBiz platform to transfer money to their Second Life accounts at a lower rate than available through official InWorldz channels.

“At this point, I have reluctantly cashed out via the InWorldz cash out,” said texture merchant Rosie Sampang (also known as Adaarye Shikami in-world). “We don’t like doing that as we make more by transferring via InBiz and cashing out via Second Life when we cash out there, but under the circumstances, we want our money out of InWorldz any way possible.”

Sampang and her partner Tony Durose (also known as Toni Friller in-world) run the Panther 3D shop, and have been in the texture business in Second Life for years. They closed down their Second Life shop a few months ago, due to the high cost of having a presence on the grid, and now sell in Second Life through the marketplace.

The partners have also tried doing business in Avination.

“We were in Avination briefly but found it to be very inactive and basically, we lost money there,” she told Hypergrid Business.

OpenSim grids are significantly smaller than Second Life, and offer even fewer opportunities for creators to show a profit.

“We don’t make much money,” said Sampang.

Any increase in costs, or worries about being able to redeem currency can cause merchants to withdraw from OpenSim grids or avoid them in the first place.

“I don’t think we are the only ones affected,” Sampang added.

Crooks not targeting in-world retailers

One thing that merchants don’t need to worry about, however, is the thieves buying virtual goods — and leaving the merchants hanging when the payment is reversed due to fraud.

“This does not happen,” said Reischl. “Someone who steals a credit card number is not here to buy furniture, textures, sculpts for in the grid. They are using it for one reason and one reason alone.”

Typically, she said, these are international crooks using stolen American cards and working out of Internet cafes and wireless hotspots, which makes them almost impossible for the authorities to track. Their accounts are banned the minute the fraud is identified — so there’s not much point for them to buy any virtual goods. They wouldn’t be around to enjoy them, anyway.

But if it does happen?

“If by some chance they do, we would not force our merchants to take that hit,” said Reischl. “Our goal is always to make sure that our business decisions do not negatively impact our merchants for the long term.”

Currency alternatives

Smaller grids may be better off not issuing their own currencies at all, Reischl said.

Some grids, for example, use the OMC currency from Virwox, one of the largest Linden dollar exchanges in Europe. The exchange reports that it traded $5.9 billion in Linden dollars — the equivalent of 17 million Euros or US $23 million — so they know their way around money. The OMC currency is currently in use on over 30 grids.

Other options include PayPal and PayPal Micropayments.

“Especially when dealing with sensitive information such as financial information and being small staffed as so many virtual worlds are, it may be a better option for some of them,” she said. “Otherwise, take it one step at a time. It took InWorldz well over a year to provide what we have, and while we’d like to make it more robust, I can say that only having two methods for money removal in our world has taught us quite a few things we will use when looking at other options now for our residents.”

She said the grid is willing to share its experience with other grid owners.

“If there’s a grid owner who wants to talk to us privately about what pitfalls await them and how to avoid them, we’re always open to hearing from them,” she said. “This can only serve the greater good of the virtual world community, as I don’t think any grid wants to be known for being lax on these types of issues.”

For example, as a result of measures that InWorldz has already put in place, less than 1 percent of attempted fraudulent currency buys actually went through, Reischl said.

“Not every grid owner can devote that kind of time to a single issue when dealing with the other myriad issues that come with running a grid, so having someone who’s been down that path to talk to, can be immeasurable in terms of help,” she said.

Meanwhile, since this problem isn’t limited to any particular grid, Reischl said she hopes that grid owners can work together.

“I hope, in the future, as more grids start to bring in their own currency methods and allow cashing out, that we can see some symbiosis between grid owners to put an end to these criminal activities,” she said.

 


maria@hypergridbusiness.com

Maria Korolov

Maria Korolov is editor and publisher of Hypergrid Business. She has been a journalist for more than twenty years and has worked for the Chicago Tribune, Reuters, and Computerworld and has reported from over a dozen countries, including Russia and China.

  • http://twitter.com/iliveisl Ener Hax

    gee, that really stinks  =(

    i’m all for PayPal micro payments but that means real identity at a point in the transaction. in-world money is certainly the most convenient and leads to a more robust economy since it’s easier to use

    i feel badly for people needing to deal with this kind of crap because it’s such an emotional drain

    • http://westernprairie.net WesternPrairie

       You might do a google search for “Paypal fraud” and  “paypal sucks”,  paypal is not a bank, and according to their user agreement you sign, they can lock your money up for 180 days for any reason they want to.
      After thousands of iTunes accounts were hacked into and paypal paying the  fraudulent purchases, it took almost a week, 3 phone calls, and multiple emails to them and to iTunes to get MY money refunded-  $39.95 and $19.98, which paypal at first refused to refund, and then 3-5 more days for the funds to become available again from iTunes refunding it to paypal, plus now I either have to pay the withdrawal fees $3 total- to get it out of the ATM, or wait 3-5 more days for it to transfer back to into my checking acct.
      Oh and by the way… while the above was going on, I was UNABLE to unlink or remove my credit card backup source from my paypal account while the dispute and transaction was “in process”, I was also unable to remove or unlink my checking account as well, so while they were “investigating” the fraud, both of these payment links were kept active for several more DAYS by paypal after the first fraudulent charge came in.
       I filed a dispute with the first one, and the next day the second fraudulent charge came in!

      Paypal is neither secure, nor safe, and there are far too many people out there who posted about their bad experiences, locked accounts, lost money etc to dismiss them as a few cranks.

  • Yoshiko Fazuku

    Avination now uses a fraud API similar to Secondlife for all transactions

    • http://westernprairie.net WesternPrairie

       Very good Yoshiko!

  • Anonymous

    This is terrible but I guess inevitable as criminals look for easy ways to cash in on stolen credit cards. On a brighter note this may also indicate that the open Metaverse is growing in trade and economic activity which is a good sign. Personally, I am considering OMC pocket money if I ever open up my grid service in any commercial sense. For small grids like mine only concerned with running a role play game I think it safer to leave the banking to professionals.

    Gaga

  • http://virtualhighway.us/ Gene Call

    One thing we have done at Virtual Highway is limit all our buying and selling of in-world currency transactions through PayPal. If someone wants to use a credit card they have to go through the PayPal website.
     Also all our outgoing transactions are done manually.

    • Elenia Llewellyn

       InWorldz, is also set as strictly through PayPal. Be aware, no matter how you set your fraud filters, it won’t end fraud. The best you can do is limit the amount by which it’s done, and negate the biggest risk factors. This has to be done via both sides, your own website and PayPal.

  • Anonymous

    Thanks for the great article Maria. It is a shame that crooks are doing this. Having been a part of the MMORPG community for years and having seen how crooks operate in that venue, I suppose it was only a matter of time until virtual worlds became a target as well.
    I hope the situation in IWz is sorted soon but in the meantime, we are looking at repairing our website and linking vendors directly to the items we have for sale on our site thus providing direct delivery. We feel that may be the least disruptive and smoothest way for us to do the little bit of business that we do there. At the moment, we are having delivery issues. This issue should be repaired soon so that we may again service our IWz customers as well as serving other grids with extended and professional licensing.

    • http://twitter.com/TranquillityIW Tranquillity Dexler

      I have been working all day with the affected vendors and the APIs they need will be available shortly. I just want to let you know in case it affects your plans.

  • http://twitter.com/TranquillityIW Tranquillity Dexler

    The fraud detection API implementation is complete and testing looks good. It will be up tomorrow for further testing by merchants 

    • http://www.kitely.com Ilan Tochner

      Good luck Tranquillity,

      I hope this will significantly reduce the fraud rate on your grid. It’s very unfortunate that we all have to deal with people who will gladly hurt others just to make a quick buck.

      • http://twitter.com/TranquillityIW Tranquillity Dexler

        Thanks Ilan.

        I agree wholeheartedly. I think if people worked at making money legally as hard as they do trying to steal it, they’d find they would have a lot more opportunity.

        Tests look great. We’re taking a lot of data into account to come up with a risk factor. It looks to be correctly identifying account risks on known bad and known good avatars.

  • http://westernprairie.net WesternPrairie

    “One grid hit recently (by credit card cashout fraud) is InWorldz”

    I knew this would eventually happen there.

  • http://joey1058.wordpress.com Joey1058

    This is a good example of how international commerce is changing.  As long as there is a loophole to exploit, the crooks are gonna find it.  Pennies are just as good as dollars as long as they add up for them.