The European Network and Information Security Agency (ENISA) released an interesting position paper on some of the concerns associated with virtual worlds. The report published in November 2008 is entitled:
"Virtual Worlds, Real Money: Security and Privacy in Massively-Multiplayer Online Games and Social and Corporate Virtual Worlds"
Link here
�ENISA an �EU� agency� created� to� advance� the� functioning �of� the� internal�market.� The agency� is� a �centre� of� expertise� for� the� European �Member �States� and� European� institutions� in� network� and� information� security,� giving� advice� and� recommendations� and� acting� as �a� switchboard� of� information� for �good� practices. �Moreover,� the� agency �facilitates �contacts �between �the �European� institutions,� the� Member� States� and� private �business �and� industry �actors.
The report identifies 12 recommendations to tackle some of problems:
To the European Commission and National Governments (Government Policy Recommendations)
1. Support� the� setting� up� of� an� industry wide� forum� for� MMO/VW� service� providers� to� share� information� and� best practice� on� security �vulnerabilities.� In� such� a� competitive� sector� there� is� a� clear� need� for� a� neutral� forum� to� exchange� information� on� security� incidents� for� the� benefit� of� all� concerned.� Given� its �mandate� to� foster� a� culture� of� information �security �and �bring� together �stakeholders� in �Europe,� ENISA �would� be� in� a� good� position �to� stimulate �such� an �initiative.�
2. Fund� work� on� legal� clarification� of� key� issues,� such� as� the� status� of� intellectual� property, �acceptable� risk �and� personal� information� in� MMO/VWs. �Although� this� is� not� an� information� security� issue� per� se,� a� lack� of� legal� clarity� is� at� the� root� of� many� information� security� problems� identified� in� this� report� and� therefore� an� effort�� to� address� this �issue �by �appropriate �bodies �should �be� part �of� the �solution. NB: �This� is �not� a� call� for� extra� legislation �but� only �a� call� for �clarification� and �interpretation �of �existing legislation.
�
3. Encourage� and �fund� independent� dispute� resolution �for �player-to-player� disputes.�
�4. Create� financial� procedures �appropriate� to� MMO/VWs� in� order� to �prevent �virtual� asset� theft �using� chargebacks. �Again, �this �is� not� an �information �security� issue� per� se, �but �it� is� a� root �cause �of �the� information �security� problems� identified� in �this� report. �This �should� be� in� partnership� with� MMO/VW� providers,� banks,� credit� companies� and� online� payment �services.
5. Investigate� and� address� MMO/VW� provider� concerns� about� conflicting� obligations� brought �about by� legislation� on �common-carrier� status.�
��
To MMO/VW providers
6. The� five �most� important �technical� issues �to �be �highlighted� in �this� area� (see� full �report� for �more� details) �include item-duping, �end-to-end �security �and� MMO/VW �specific� denial� of �service.� In� general,� providers �should� create� an� appropriate �balance �between �security� measures �aimed� at �detection� and� response �and� those� aimed� at� prevention.�Detection� and� response� is� often� a� more� effective� means� of� addressing� security� issues� in� MMO/VWs �than� prevention.�
7. Privacy� policies� should �clearly �specify� data �collected� as �part� of� anti-cheating� measures� and� data� available� to� other� users� (eg,� via� eavesdropping),� including� any� information� which �might �identify �a� user �uniquely.�
�
8. Providers� should� consider� charging� a� token,� returnable� lodgement� fee� for� all� ODR� complaints� to �prevent �false �complaints� (eg,�€50).�
�
9. Any� initiative �which� increases �the� strength �of� user �authentication� (while �maintaining� an� appropriate� balance �between� usability �and� cost) �should� be �encouraged.�
�
10. We� recommend �a� standard� set �of �governing �documents �and� terminology, �a� single �point� of� reference� where� governing� documents� may� be� obtained,� and� the� input� and� participation� of� end-user �groups� in� their� design �and �development.�
�
11. As� an� option� for�more� security-conscious� users,� in� certain �MMO/VWs,� a� bootable� CD� image �(Live�CD) �containing �necessary �software �can� be� made �available;� this� is �already� a� well-known �measure� to� improve� security� in� critical� online� operations� such� as� online� banking.�
Awareness raising and research
12. Awareness� raising:� We� describe� issues� to� be� highlighted� in� awareness� raising� campaigns,� such� as� how� to� detect� account� theft,� how� to� deal� with� inappropriate� behaviour, �privacy �risks, �in-world� property� risks,� etc.�
Research: The �group �has� identified� some� future� trends �emerging� in �MMO/VWs� which� have� important� security �implications,� including� effective �content �filtering� for� MMO/VWs, security� and� reliability� issues� of� open� world� formats,� and� security� vulnerabilities� in� corporate� worlds.�
Read more...
Posts
