Gamers beware: The risks of Real Money Trading (RMT) explained
Any game with an online component can be at risk from a practice known as Real Money Trading (RMT), where in-game items, artefacts, characters and the like are sold for real money. It’s a big problem for developers, especially in competitive and / or massively multiplayer online role-playing game (MMORPG) circles. Some games even explicitly allow you to report it as a prohibited in-game activity.
One major developer recently took sustained action against this practice, so we thought we’d take the time to explain what is it, and why it’s such a big deal.
Real Money Trading
RMT generally falls into two distinct camps: Power-levelling, and in-game item or currency purchases. Messages related to RMT sites are spammed across in-game chat, and also directly to other players if the game allows it. Sometimes games restrict what new accounts can do, so scammers find that hijacked accounts with more permissions are useful for this activity.
Here’s some examples we’ve seen in Final Fantasy 14. Note that one doesn’t place a link into the chat directly. Instead, they tell gamers to search for a specific phrase. This will likely be an attempt to avoid tripping spam filters.
Power levelling
This is very common in MMORPG circles. It’s in the game’s interest to keep you playing as long as possible. This is especially true if the game comes with any kind of monthly / yearly subscription. Once the content is fully exhausted, people will naturally move on to other things. A few of the biggest titles have been around for a decade or more. They contain so many activities and pieces of gated content, you could essentially play them forever. Even so, some people want to rush as fast as they can to what they consider late-game “good stuff”.
RMT gives them an alternative to grinding out hundreds of hours levelling up. After all, why do it yourself when you can pay real money to somebody else and they’ll do it for you, right? It’s a bit like passing your friend the controller when you can’t get past a level in Super Mario, except you’re handing your friend a pile of money and also breaking a bunch of terms and conditions. So, not really like that at all.
Item, account, and currency buying and selling
Real money trading of in-game currency involves third-party services that act as a broker for selling your rare items to other players, for real money, outside the game. People will also do this to buy large chunks of in-game fictitious currency with real money via RMT websites. Once the payment goes through, the player will find the money in their gaming account via whatever method the RMT site operates by.
Inflation risk
This is a hotly-debated topic, but generally folks seem to think that RMT causes some inflation in gaming currencies over the short term, if not the long term. A lot of RMT activities involve the use of bots (computer programs that play in place of humans), cheats, and hacks. This gives rise to piles of illegitimately-generated money floating around the gaming environment.
The use of bots also often denies other players the ability to harvest materials found in the game world. If four bots spawn in at a resource location, harvest everything in sight in seconds and then vanish, it’s problem time. Legitimate players can’t generate real virtual currency, they’re denied materials they need to craft and/or progress in the game, and they can’t buy or sell on the in-game marketplace as a result.
When all the resources, and all of the money is going to RMT, that’s a recipe for killing off a title.
Security implications
Some of these RMT services are very slick. You could be assigned one specific player who’ll follow the exact steps / levelling requirements you give them. You can set up calendars so they’ll log out at specific times and let you play for a while before handing control back. A few will simply take your money and run, but that’s the price you (may) pay.
Make no mistake, sites offering RMT services know they’re not supposed to be doing it. They’ll even tell you as much before you sign up for anything.
Alongside the risk of being kicked off the game you like, using an RMT service is also comes with security risks too, if you have to share your login credentials with them. The second you share a password with somebody else, you lose control of it, and you lose control over decisions about who else it’s shared with and how it’s stored.
Some provide security reassurance and tips. They may promise not to leak your details, though they don’t say where or how they’re stored. Some will advise you to change your login once the service is complete, which is at least nice of them. A lot of MMORPG titles plagued by these services offer multi-factor authentication (MFA) or similar. One presumes that RMT services make arrangements for you to send them the short-lived MFA codes in real time and then login to the game platform.
This would make the whole arrangement quite an endeavour. Final Fantasy 14 will save your username, but not your password, in its launch client. You also have to punch in your OTP code—assuming you have it enabled—every single time you load the game up.
How much money do these sites make?
It varies. One site we saw offered multiple forms of powerlevelling / item harvesting in Final Fantasy 14. A high end set of armour was estimated to take 2 days to grind out, at a cost of $399.99. We saw an offer on certain types of weapon for a cool $699.99 over 7 days. The biggest time investment / cost we saw was for a whistle. We assume it’s to summon…something. How much?
A little over $2,600, covering a solid month of playing.
That’s one impressive whistle.
What can developers stop RMT?
It’s a tough one, and bad activities will always slip through the cracks.
- Limit the abilities of low-level characters. Developers have to balance out restrictions carefully. If a “solution” hinders a new player more than an RMT operation, it’s not worth it. You can prevent spammers from being able to shout to those around them to prevent chat spam. However, this means low-level characters in need of assistance can no longer call for help on the map. They’ll probably just get frustrated and not come back to the game.
A more reasonable suggestion is to keep shouts, but prevent new / low-level characters from whispering (sending direct messages) to other gamers. This will reduce the risk of hidden spam / phishing attacks. On the other hand, this could interfere with other essential systems such as trading. Not an easy problem to solve!
- Dedicated teams shutting down RMT activities are a boon for game developers. If you want to see how seriously Square Enix takes this, check out their news update page. Wall to wall takedowns of RMT accounts. The last three updates alone report a total of 10,539 accounts terminated for RMT antics, with more taken down for advertising. This is an astonishing number, and you have to consider they may have missed a few.
What are the dangers to gamers from RMT activities?
- Account bans. Nobody wants to lose access to accounts with hundreds or even thousands of dollars sunk into them. It’s pretty easy for the RMT groups to pick up some cheap accounts in games. Not so easy for regular people to start from scratch. If the game is tied to a gaming platform such as Steam, they may have to set up a second Steam account to get back into the action. This is a lot of hassle for one game.
- Account lost. If you purchase an account from somebody else, it doesn’t actually belong to you, and that person can reclaim it at any time. If enough people start saying “that account is mine” after some pass-it-around activity, the vendor will just shrug and close it. Sorry everyone, the only winner here would be the developers.
- Account compromise. We’ll go back to the incredibly popular Final Fantasy 14 as an example. Spam messages will typically claim important information has been posted to the forum. It could be a fake missive about updates, as per the linked discussion. Either way, scammers direct victims to fake FF14 portals. These sites also ask for MFA codes. There’s likely some automation involved to punch these short-lived digits into the real site along with the stolen password. Nobody is sitting at the other end waiting to do it in real time 24/7. (Or perhaps they are?)
- Loss of money. Remember, you have no real idea who you’re paying, and hundreds of dollars going AWOL isn’t unusual.
- Enabling crime. You could be. As Lineage 2 developers NCSOFT explain, “in-game currency for sale most often comes from stolen accounts and other internet fraud”.
Conclusion
If you see a tempting message drift by in a public chat, don’t reply. Report it. At best you’ll waste time and money on dubious websites offering services they freely admit aren’t allowed. At worst, your accounts may be shut down and you could wind up being phished, hacked, or talking to law enforcement about goods supplied with stolen credit cards.
It simply isn’t worth the risk.
The post Gamers beware: The risks of Real Money Trading (RMT) explained appeared first on Malwarebytes Labs.
If you like the site, please consider joining the telegram channel or supporting us on Patreon using the button below.