Online game EVE sees virtual EBank robbed by CEO

The robbery of EBank, EVE Online’s largest player-run financial institution, took place in June and was carried out by its CEO, known as Ricdic. In real life, Ricdic is Richard, a 27-year-old Australian working in the technology industry, according to Reuters and BBC reports.

“Basically this character was one of the people that had been running EBank for a while. He took a bunch of (virtual) money out of the bank, and traded it away for real money”, Ned Coker at Icelandic CCP, the developer of EVE Online, told Reuters.

Under the rules of EVE Online, which has more than 300 000 subscribers paying $15 a month to play, Ricdic only violated the online game’s terms and conditions when he traded the stolen credits for real money to players wishing to buy virtual money rather than earning it through playing the game. Ricdic has now been banned from EVE Online.

Ricdic told Reuters he had responded to a spam email for a black market website that traded online money for real cash. Ricdic, or Richard, reportedly used the money to put down a deposit on a (real-life) house and to pay for his son’s medical bills.

Although regretting letting his EVE friends down, Ricdic told Reuters he would have done it all over again: “I’m not proud of it at all, that’s why I didn’t brag about it. But you know, if I had to do it again, I probably would’ve chose the same path based on the same situation”.

EVE Online, which is an open-ended massively multiplayer online game (MMOG), revolves around trade, mining asteroids, and player-controlled corporations taking control of swathes of virtual space. Wealth, or credits, is gained through work, manipulating the market, or ‘killing’ rivals.

The insider’s story

Dave Carter, aka Hexxx, the chairman of EBank, told Infosecurity that an interesting characteristic of EVE “is that there is no real ‘law’ and even if players define a ‘law’, it is up to them to enforce. In this way, the only way to punish a thief or a scammer is to hunt them down yourself – and people do.”

“Stealing is an accepted gameplay feature”, Carter said. “CCP allows it because of the real possibility of loss it creates and also because it forces players to group together and trust each other. It sounds a bit harsh but it does make the game more ‘intense’ and it also makes what EBank has accomplished all the more impressive. 6000 users trust us not to steal from them in a game where trust is their only protection.”

Ricdic only got into trouble when he tried to ‘sell’ his stolen credits for real money, as this is against the rules CCP has laid down for EVE Online.

Carter said EBank will not prosecute Ricdic as the in-game currency is technically the property of CCP, and so “CCP are the only ones in theory that could prosecute Ricdic”.

Explaining how EBank works, Carter says: “An entire financial eco-system has been built by the players over the past two and a half years, launching bonds, stocks, creating stock exchanges out of game, and more recently banks. With no real system of law, players must rely on trust and reputation to conduct large business operations. Money is king in EVE and running a large business can be very profitable... the trouble is getting the money to do it. Just like in real life financing is important. EBank functions from an operational level just like any modern fractional reserve Bank.”

Asked how EBank protects its assets, Carter told Infosecurity: “We take a risk based approach to protecting our assets. Since theft is quite easy, we try to mitigate the risks by spreading out cash and investments across various people in EBank. We use a set of formal policies and informal controls to do this.

“For example, we require certain things like loans to have been approved by at least two Directors. Most of our informal controls are detective in nature with some being more operationally focused (tracking a 48 hour SLA on withdraws) and some are more focused on security (we use a very simple role-based permission system). We make an attempt at avoiding Segregation of Duty issues is a game at the end of the day.”

In terms of identity protection, he said EBank holds customer information “in strict confidence and encrypt all passwords. Even if our database was compromised, an attacker could not use the encrypted passwords.”

Carter concluded by adding: “It may be slightly ironic, but I work for one of the ‘Big 4’ audit firms. My focus is in IT General Controls at the moment and I'm helping a large international client deploy global controls. Much of EBank's informal controls are derived from my real world experiences (for example, our preventative security controls around password encryption). The challenge has been creating lightweight controls that can reduce our risk.”
