Today is European Data Protection day 2014, or ‘Privacy Day’ if you live outside of Europe. Happy EDP or PD depending on where you live.
To celebrate EDP/PD, I thought I’d share the latest scam going around on EA Sports FIFA 14 and Twitter, mainly targeting children.
FIFA 14 has one of the best monetisation strategies of all computer games, leaving Candy Crush and Farmville well behind.
Firstly, the game costs around £40 to buy, and to play it online on the Xbox, you need to buy a subscription to Xbox Live, which is a further £40 per year. And that’s only the beginning of the journey because many online gamers have quality football ‘players’ in their squads.
There are two ways of getting decent players into your own team: either trade players in a marketplace or buy ‘packs’ of players (a pack contains a random selection of players which are undisclosed until purchase).
The currency for these transactions is FIFA points. You can buy FIFA points with real cash or through trading players. A brief survey of my kids’ friends revealed that the average amount of money spent on FIFA coins is around £10 per month. Playing FIFA is a £200 per year hobby.
The trading option provides the perfect environment for scammers: naïve children who constantly want more FIFA Coins.
There are dozens of websites and Twitter accounts set up offering ‘free’ or cheaper coins. Remember that we’re dealing with children who want more coins quickly. So these websites ask for personal details in return for the coins. To a child, these requests for personal details appear logical.
I saw a Twitter scam as follows:
- The ‘Free coins’ account asks the gamer to follow them in return for coins. The reason for asking a gamer to follow the account is that following a Twitter account enables both parties to Direct Message (DM) each other. This means that further communication can’t be publicly viewed.
- The ‘Free coins’ account now DMs the gamer and dangles the carrot: ‘Thanks for following, do you want 100K or 500K coins?’
- The gamer responds.
- The ‘Free coins’ account now asks for the FIFA team name and the Xbox Live account name. Both appear reasonable and are easily justified as “I need to know who to send the coins to.”
- The gamer replies.
- Now the clever part… the free coins account claims the transaction didn’t work correctly. They will ask the gamer to re-confirm their details. This builds frustration and emotion in the gamer.
- The free coins account now explains there must be some sort of technical problem and asks for the gamer’s email account and password.
At this point, the DM conversation may have taken under 5 minutes from the gamer following the account. Once any hacker has control of a person’s email account, they have an open door to many other services, because they can visit other sites, press ‘Forgotten password’, and reset the passwords for those services one after another. And of course, the hacker’s first job is to change the email password and the backup email account/phone number.
Remember that we’re mainly dealing with children who undervalue security.
There are two steps to prevent this scam:
- Explain to your child the importance of never giving away their email password to anyone, no matter what the ‘offer’ is. It’s the online equivalent of giving a stranger your house keys.
- Explain that no one on the Internet is likely to give you something for nothing, especially just for following them on Twitter. Back to the first analogy, it’s like someone on the street offering to buy you some chocolate for free, but they need your house keys to leave the chocolate in the fridge.
Parents of children who have fallen for this scam are rightly upset. The psychological impact is that a stranger has managed to break into the family home and steal from the children, all without parents noticing.
With more apps and games offering freemium options and monetised gamification, these scams will become more common.
Have a happy European Data Protection day.