Virtual Worlds and Information

Replies to This Discussion

Permalink Reply by Jeri C on March 21, 2008 at 8:21am

I look at it this way, I don't have anything, really. Certainly nothing I can't replace, so I am not so guarded. Of course, I'm frequently (verbally), slapped upside the head over how naive I am. C'est la vie, I say. Honestly, I don't think that mine is an identity anyone would want...lol At least, not right now. If ignorance is bliss, I must be a very happy camper, but then, I'm not into IT security, so there ya' go. :P
Don't take this to mean that I don't appreciate your point of view, because I do. Very much.

▶ Reply to This

Permalink Reply by Ken B on March 22, 2008 at 1:25pm

You're not alone nor are you paranoid. The problem seems to be that security isn't thought of as a core part of how a service should work, to the extent that once you've verified your an adult (or not as the case may be) not much thought is given to it beyond that. I've seen a couple of VW's using standard PHP gateway apps (forums and portals) and that *does* worry me as a number of them are notoriously insecure.. coming from a 'hardcore' gaming background I've seen what people can do to take sites down (having had that happen to a number of sites I've been involved with - ooo that didn't sound good, lol).

On the other hand, I don't think this is as much of a problem as the general media make it out to be, nevertheless it should be a more considered issue than it currently appears to be; VW's suffer from the 'dot com' buzz atm so all sorts of things will suffer as a result.

▶ Reply to This

Permalink Reply by Adrian C on March 23, 2008 at 9:26am

Thanks for the reply Ken, But coming from the Internet Security field, I can state that the insecurities and the feedom of information that flows across the WWW is astonishing. The media, for once have at least got the right story, and identity theft is on the increase. :)

As a test, try googling any one of your 'Virtual' User ID's and see what you come up with!

▶ Reply to This

Permalink Reply by Ken B on March 24, 2008 at 1:03am

I either get electric guitar amplifiers (apparently rather good ones) or links/info to do with my content creation/tutorial web site ;o).

Can you clarify something... from what you've said above it sounds like you're referring to 'phishing' rather than the 'privacy issues' associated with registering with any given VW - although at their core both deal with ones 'identity', just how that info is collected, used and abused differs greatly (imho); personally I tend not to treat both 'types' the same but I do know/understand that security issues in relation to 'phishing' are far more common (education is needed, yet again.. why does everything fall back to that).

▶ Reply to This

Permalink Reply by Andrew Peters on March 22, 2008 at 5:14pm

with anonymity comes mistrust - I think we are trying to gain trust in this group by being real people

▶ Reply to This

Permalink Reply by Adrian C on March 23, 2008 at 9:20am

We'll have to agree to differ on this matter Andrew. Anonymity dosen't breed mistrust, more a feeling of respecting somones privacy!

▶ Reply to This

Permalink Reply by Andrew Peters on March 24, 2008 at 2:11am

ok - we disagree - i have however been subject to real life identity theft - over mobile phones and amazing bills as a result - i do understand you position because of this - however I am serious about virtual world technology so I want people to Know that Andrew Peters (not my Nick APLINK or AP Link in SL) is the serious one and intends being someone that can and will move this technology forward. hehe

▶ Reply to This

Permalink Reply by Ken B on March 24, 2008 at 1:08am

People tend to use 'real' names on sites like these because the intent behind them is specifically more professional; with that comes a different social requirement that usually means 'nicks' and 'txt speak' aren't used nearly so much as they are in VW associated with 'leisure'; this (site) is 'business' (the 'business' of 'leisure').

▶ Reply to This

Permalink Reply by John Kwag on March 25, 2008 at 8:59pm

In many cases, resources available as well as the knowledgebase available to these companies regarding can only cover so much. Personal Data is actually in most every case encrypted, stored behind multiple layers and variations of security. Its not just the law but in many cases agreements between publishers and developers MUST have a provision that provides for this. CDN's worth their salt have frequent offensive security tests or else they lose certification.

There are a few things however that many of us in the biz cannot guard against no matter how much we try to educate. Social engineering. Laziness in regards to variance of passwords from not only site to site, service to service, but also being not sufficiently motivated enough to change your password from time to time. Having worked in the operational side, GM side, the billing/transaction verification, business side...it is amazing that in about approximately 60% to 70% of cases where accounts are "stolen" it is because they used the easiest most publically available information for their passwords and login. This then translates to not only account theft in a particular virtual world...but these same people have used the EXACT SAME login information with online bank accounts, credit reports, online healthcare information. But guess who gets the blame? But in most cases you can not blame the user. You cannot motivate them to change that behavior either.

Specifics in regards to what you consider an "appropriate" enhancement to many privacy statements would be a little more helpful than simply saying they suck. What do you think needs to be added in these policies to ensure, in your opinion, required safety from identity theft?

Finally, you talk about too much information being required to activate an account. I would reply that in many cases, the single largest financial risk in the business of operating virtual worlds in today's market is:

Chargebacks. or credit card fraud.

Without verifiable and trackable information which holds the user concretely responsible for payments, the company is open and vulnerable to credit fraud and thus chargebacks. Most payment gateways have a cut off level if your chargebacks reach a level of 5 to 10%, where you cannot ever use that payment gateway again or only after extensive effort be reinstated.

Oftentimes if a company is only operating that service in one territory, then you can use the legal personal identifitication number used in that territory such as a social security number but if you are operating and managing a service simultaneously in multiple territories you have to rely on other verifiable personal information. There is no Universal ID no. yet. If you do not have any information that can be reliably used to hold the user accountable for their transactional activity you better be prepared to either lose all your transactions or allocate huge amount of resources to hire staff that is ONLY dealing with your billing and transactional activity.

I understand the concern over privacy. I belive that most legitimate comapnies are not only doing what they are obligated to do in regards to protecting passive privacy violations with encryption, port protection, database segregation, and IP masking but doing all they can on the technical and operational side as well to prevent active intrusions. But...they have to balance that out against financial security, legal liability, and resource management.

▶ Reply to This