Sunday, September 27, 2009

Deconstructing Zynga: what's up in Social Gaming fraud


Talking to friends at a party, I had to hold myself back from becoming too smuggy-smug-smug. Yep, the lot of "I'm too good for Mafia Wars" geeks fell prey to the eggplant-growing rhythm of Farmville. Eggplants. My friends. I don’t even like eggplants, but I still felt responsible in a way, though they’re only a drop in Zynga’s estimated 15M+ daily users (and the numbers keep growing...). But things were only getting better for me that day.

“You know”, said one of the guys, “this social gaming stuff is really worth a lot of money. I know someone who made $100K off this thing”.

KACHING!!! Immediately he had my full attention. You don’t just MAKE $100K playing social games by the book, even if you break a finger playing Texas Hold’em. I had to know.

So, obviously, the guy was committing fraud. Using a bunch of scripts that ran on his command (also called a “botnet”), he opened numerous poker accounts on Facebook and collected the free chips you get when you do so (sometimes referred to as chip farming, and something I wrote about in the past). Then he needed to aggregate all these chips into one account and sell them. The way he did it was amazingly simple: he played poker games in which he controlled both players, and intentionally lost all his chips to – basically – himself. Then, after finding a buyer for the chips and getting the money, he would pass the chips to that player using the same method.

Ok then, what have we learned? First of all, where there’s money, there’s fraud. It’s comforting for people in the business, maybe less so for people who’d like to believe in the goodness of mankind; but, then again, we’re not having an ethical discussion. The psychological angle is interesting, though – this normative (judging by my friend’s testimony) person is committing large-scale fraud, deterred by neither conscience nor law enforcement, and the only effect he sees is a slap on the wrist in the form of an occasional banned account, immediately replaced by another bot. It’s so simple, it’s genius. Not that I in any way support fraud, but you have to commend a good operation once you hear about one.

The second highly interesting thing is the speed at which secondary markets evolve. I can’t imagine this guy advertising his stolen chips in his Facebook status message – he had to go somewhere where people knew chip trading was going on. This isn’t such big news for long-lasting games in the MMORPG arena like World of Warcraft: trading has been going on for years, and the MMO gold exchange was active even in our NPX days, back in 2005. On a side note, what I personally don’t understand is why gaming companies do not endorse secondary markets; definitely not for “game fairness”, since paying for items in the game is part of their own business model. If you have a solid argument, let me know.

The most interesting issue for me, however, is the simplicity and ease of the actual fraud case. In trying to learn about Zynga’s risk management capabilities, I came across a short quote from Zynga’s CEO, saying that they had to develop everything in-house. Looking at the market (even at PayPal, I have to admit) I understand why: when you get recommendations like “Use SSL and remember you’re accountable”, it’s hard not to get depressed. But what is that “everything” they developed in-house? Zynga has many fraud challenges, and chip farming is only one of them. Legitimate accounts taken over to drain their chips (a challenge they share with Facebook), stolen credit cards used to buy in-game items and even click fraud (though the latter might be the least of their problems) are others. My uneducated guess is that Zynga is at the beginning of its risk management career, currently using a basic rules engine to limit risky purchase profiles, some IP blacklists, a very basic velocity control system and a lot of manual review. The next step is industry-standard statistical models, not such a bad idea compared to nothing but, as I’ve noted in quite a few blog posts in the past, far from ideal when dealing with low-information, instant-delivery transactions. The ease of the fraud case as I heard it proves that there’s still a long way to go. Lucky for Zynga, they work on Facebook. Harnessing the power of the user data available in this network allows top-notch user verification; the only question is whether they use the right practices.
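To make the "velocity control" idea concrete, here is an added illustration (not code from the original post, and nothing to do with Zynga's actual systems) of a simple rule run over constructed hand results. It flags the two stages of the scheme described earlier: several freshly created accounts each losing their whole stack to one collector account, and that collector then losing the pooled chips to a single buyer. All account names, ages and chip counts are constructed sample data.

```python
from collections import defaultdict

# Constructed sample hand results, not real game data. Each record is
# (hand_id, loser, winner, chips_lost, loser_account_age_days, loser_starting_stack).
HANDS = [
    ("h1", "farm01", "sink",  2000,   0, 2000),  # fresh account dumps whole stack
    ("h2", "farm02", "sink",  2000,   1, 2000),
    ("h3", "farm03", "sink",  1900,   0, 2000),
    ("h4", "farm04", "sink",  2000,   2, 2000),
    ("h5", "alice",  "bob",    150, 400, 5000),  # ordinary play between old accounts
    ("h6", "bob",    "alice",   90, 300, 4000),
    ("h7", "carol",  "sink",   200, 200, 3000),  # old account, small loss: ignored
    ("h8", "sink",   "buyer", 7900,  30, 7900),  # collector passes the pool on
]

def is_dump(lost, stack, min_fraction):
    """A hand counts as a dump when the loser gave up (almost) its whole stack."""
    return stack > 0 and lost / stack >= min_fraction

def find_chip_sinks(hands, max_age_days=3, min_fraction=0.9, min_feeders=3):
    """Stage 1: accounts that collected near-whole stacks from several freshly
    created accounts. Returns {winner: {"feeders": set, "chips": int}}."""
    by_winner = defaultdict(lambda: {"feeders": set(), "chips": 0})
    for _hand, loser, winner, lost, age, stack in hands:
        if age <= max_age_days and is_dump(lost, stack, min_fraction):
            by_winner[winner]["feeders"].add(loser)
            by_winner[winner]["chips"] += lost
    return {w: v for w, v in by_winner.items() if len(v["feeders"]) >= min_feeders}

def trace_cashout(hands, sinks, min_fraction=0.9):
    """Stage 2: where a flagged sink later dumps its own stack, record the
    beneficiary; that account is the likely buyer and also deserves review."""
    out = defaultdict(list)
    for _hand, loser, winner, lost, _age, stack in hands:
        if loser in sinks and is_dump(lost, stack, min_fraction):
            out[loser].append((winner, lost))
    return dict(out)

if __name__ == "__main__":
    sinks = find_chip_sinks(HANDS)
    for acct, info in sinks.items():
        print(f"{acct}: {info['chips']} chips from {sorted(info['feeders'])}")
    print(trace_cashout(HANDS, sinks))
```

The thresholds (account age, dump fraction, number of feeders) are the tunable part; set too loosely they catch ordinary bad-beat losses, set too tightly the farmer simply splits the dumps across more collector accounts.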

What are the best practices for controlling fraud in digital goods commerce? I strongly suggest a closed-door system requiring layered user verification, a signup page that doesn’t make a cult out of not requiring user info, and a well thought-out user interaction mechanism, all governed by highly trained analysts. This won’t solve the problem, but it will definitely lay the foundations for a risk management system that can evolve into something that really works. Based on the stories and some simple analysis, it’s clear that Zynga and other social gaming companies desperately need real-life barriers that will not kill their business. It’s possible; you just have to do it right.
