Trials, Triumphs & Trivialities #145:

How to Cheat at Online Games

by Shannon Appelcline

No fooling, this week I want to discuss the topic of cheating in online games. But, I don't want this to be a kewl kidz root kit. Rather, I intend to chat with game designers and look at the very serious problems that you'll have to contend with once you make your game live.

So, how do you cheat in online games? Here are a few pointers.

1. Collude with Your Fellow Players

Methods: The simplest way to cheat in an online game. Form an out-of-character alliance and share information that the game designers expect to be kept secret. Join together (again, out-of-character) to gang up on monsters or fellow players. Break the games in ways that are only possible when two players get together.

Solutions: Generally, as a game designer, you just need to expect in-game collusion. Don't think that you're going to keep things secret in-game, and instead design to expect and build upon this behavior.

2. Collude Out-of-Band

Methods: Use IRC, AIM, or Yahoo! to talk with players outside of the game, usually while you're playing the game.

Though in-game collusion usually ends up being OK, the same isn't true for out-of-band collusion. In an RPG this sort of thing is just annoying: you realize that out-of-band collusion is occurring when a small, local event is suddenly filled with people from all over your game, and for the most part you just have to shrug and move on. In a strategic game, however, this type of collusion can be devastating.

Consider, for example, Mystery of the Abbey, a Clue-like game put out by our friends at Days of Wonder. You're trying to gather evidence to find out who is a murderer, and one of the core game design elements is that most of the questions and answers are open--which means that everyone at the table hears them. However, if two members were able to collude beyond the normal game bandwidth--passing information just to each other--they'd give each other a notable advantage. It's not possible in-game, but out-of-game ...

This problem becomes even worse with online games. For example, our own Gang of Four allows people who aren't playing a game to "observe" and see how the top-rated player plays. Now imagine a cheater with an accomplice. He enters the game, has his friend observe and then report back the winner's hands via out-of-band communication.

Solutions: Out-of-band collusion is even harder to stop than in-band collusion because of the fact that we're sitting on top of a global Internet. One of the few ways I'm aware of to stop it is to present a different view of information to each player. For example, in Mystery of the Abbey my Brother Bruno could be someone else's Brother Ralf, and thus my telling a secret ally about Brother Bruno would mean nothing. The computer would have to automatically do all the translations. This sort of thing would probably work for a constrained-input game, like most strategy offerings, but not a freeform input game, like most RPGs.
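
The per-player translation described above, sketched as an added example (not code from the column or from any shipped game). The roster, the class and function names, and the use of a keyed hash to derive each player's renaming are all assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed roster; a real game would load its own suspect list.
SUSPECTS = ["Bruno", "Ralf", "Guy", "Cyril", "Malachi", "Fortune"]

class PlayerView:
    """Server-side renaming of the canonical suspects for one player."""

    def __init__(self, secret: bytes, game_id: str, player_id: str):
        def rank(name: str) -> bytes:
            # Keyed hash: stable across reconnects, unpredictable without the secret.
            data = f"{game_id}|{player_id}|{name}".encode()
            return hmac.new(secret, data, hashlib.sha256).digest()
        shown = sorted(SUSPECTS, key=rank)        # this player's permutation
        self._alias = dict(zip(SUSPECTS, shown))  # canonical -> name shown
        self._canon = {a: c for c, a in self._alias.items()}
        # Caveat: two views can agree on a name by chance (about 1 in 6 here),
        # so this blunts out-of-band leaks rather than eliminating them.

    def show(self, canonical: str) -> str:
        return self._alias[canonical]

    def parse(self, alias: str) -> str:
        # Constrained input: only names from the roster are accepted.
        if alias not in self._canon:
            raise ValueError(f"unknown suspect: {alias!r}")
        return self._canon[alias]

def make_table(secret: bytes, game_id: str, players: list) -> dict:
    return {p: PlayerView(secret, game_id, p) for p in players}

def relay(views: dict, speaker: str, alias: str) -> dict:
    """Turn a name the speaker typed into the name each player at the table sees."""
    canonical = views[speaker].parse(alias)
    return {pid: view.show(canonical) for pid, view in views.items()}
```

Every in-game question goes through relay(), so the table stays consistent, while a name pasted into an outside chat only makes sense in the sender's own view.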

3. Make Extra Characters

Methods: Have two characters working in concert (e.g., collude with yourself); alternatively, just kill and loot your newbie's stuff.

Solutions: First, you need to make it somewhat difficult to create new characters to avoid this. Require a valid identity token (on the Internet, that's usually a credit card, but in a scrape even an email address is better than nothing, because it requires that extra level of work). Build systems which monitor or disallow "suspicious" transactions for new characters. Finally, don't make new characters' "stuff" so valuable that people will want to loot them, rather than going after wimpy monsters.

4. Avoid Consequences

Methods: If something bad happens, run away. If you can't run away, log out. If you can't log out, attack the server with a DOS.

One of the biggest troubles with the Internet medium is that you can get away with things that you wouldn't be able to get away with in the real world, because the Internet is so disconnected, and you aren't really you.

Solutions: Don't allow running away to be any more viable than it is in the real world (which is to say, sometimes it should help). Read Trials, Triumphs & Trivialities #142, The Disconnect Dilemma for any number of thoughts on the issue of disconnecting. If someone does something real nasty like a DOS, make sure you know enough about the Internet to track those packets back and take appropriate actions.

5. Script, Script, Script

Methods: Use computer programs or scripting languages to script repetitive tasks in a game.

This is a much larger problem in prose games than it is in graphical games, because it's much easier to script text responses. (I could do it with the scripting program that came with my 28.8kbaud modem back in 1990.) It's also a problem because so many games are achievement-oriented, and that usually means engaging in "click fests" in order to proceed.

Solutions: Figure out alternative ways to model advancement and still maintain player interest. (No small order there.) Build scripts to monitor for task response that is "too" repetitive. Vary the output of a task to befuddle scripting programs. Use up achievement resources in a specific location, forcing a player to move on. Occasionally force a more random type of input during a repetitive task to befuddle scripts.
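
One way to monitor for task response that is "too" repetitive, as an added example (not code from the column): it flags a session when the gaps between commands are nearly constant and the same short command sequence dominates. The thresholds, function names and both sample logs are constructed assumptions; real thresholds would be tuned against your own players' logs.

```python
from collections import Counter
from statistics import mean, pstdev

def repetition_score(events, ngram=3):
    """events: list of (seconds, command). Returns (timing_cv, top_ngram_share)."""
    times = [t for t, _ in events]
    gaps = [b - a for a, b in zip(times, times[1:])]
    # Coefficient of variation of the gaps: near 0 means metronome-like input.
    cv = pstdev(gaps) / mean(gaps) if gaps and mean(gaps) > 0 else 0.0
    cmds = [c for _, c in events]
    grams = Counter(tuple(cmds[i:i + ngram]) for i in range(len(cmds) - ngram + 1))
    share = max(grams.values()) / sum(grams.values()) if grams else 0.0
    return cv, share

def looks_scripted(events, max_cv=0.1, min_share=0.3, min_events=20):
    """Flag only when timing is too regular AND one command sequence dominates."""
    if len(events) < min_events:
        return False  # too little evidence to judge
    cv, share = repetition_score(events)
    return cv <= max_cv and share >= min_share

def _log(gaps, cmds, n):
    # Builds a constructed sample session by cycling through gaps and commands.
    t, out = 0.0, []
    for i in range(n):
        out.append((t, cmds[i % len(cmds)]))
        t += gaps[i % len(gaps)]
    return out

# Constructed samples: a fixed-interval macro, the same macro with slight
# jitter, and an irregular human-like session.
BOT_LOG = _log([2.0], ["mine", "mine", "sell"], 30)
JITTER_BOT_LOG = _log([2.0, 2.1, 1.9], ["mine", "mine", "sell"], 30)
HUMAN_LOG = _log([1.2, 4.7, 0.8, 9.3, 2.5],
                 ["look", "mine", "say hi", "north", "mine", "sell", "inventory"], 30)
```

A flag is best treated as a reason to inject one of the randomized prompts described above, not as proof of cheating.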

6. Exploit Bugs

Methods: Find bugs in the game you're playing, don't tell the administrators about them, and instead exploit them as best you can. Reverse engineer network protocols to learn information from client-server network streams and to spoof other players.

Computer programs will innately have bugs in them, but you have an additional issue in online games: the stream of information between the client and the server. I've seen many games which don't even consider this vulnerability, and that can be fatal for an online game.

I think the worst example I ever saw was when the first Diablo went fully online at I'd enjoyed the solo game and was eager to see how multiplayer gaming went. I wandered into the dungeon and immediately was attacked by someone who had hacked their unsecure client. I took a bazillion points of damage from a +999999999 sword. Suffice to say, I never returned to that particular online game.

Solutions: First, regarding bugs, make sure you reward players who help you find them and punish players who intentionally exploit them (if, in no other way, by having a hard and fast rule that advancement gained through bug exploitation will be entirely removed).

Second, regarding clients: never trust your client. It's insecure and vulnerable and can be hacked or spoofed, thus it should never do anything but transmit info from the player's keyboard to your server. Don't store information there. Finally, make sure that you have a good authentication method that verifies a player is who he says he is before you let him into his character's account. You need to have a double-handshake so that man-in-the-middle attacks aren't viable. If this is Greek to you, you should make sure that a security expert helps with your auth system.
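
The "never trust your client" rule applied to the +999999999 sword above, as an added example (not code from any real game): a handler that applies a client-claimed damage figure, next to one that accepts only the player's intent and computes the result from server-held state. The message fields, weapon table and character names are constructed assumptions, and the sender is assumed to come from an already authenticated session.

```python
import random

# Server-held data (constructed sample); the client never supplies these values.
WEAPONS = {"short_sword": (2, 6)}  # weapon id -> (min, max) damage

def new_world():
    return {
        "cheater": {"hp": 40, "weapon": "short_sword"},
        "victim": {"hp": 40, "weapon": "short_sword"},
    }

def attack_trusting_client(world, sender, msg):
    """Before: whatever damage the client claims is applied as-is."""
    world[msg["target"]]["hp"] -= msg["damage"]
    return world[msg["target"]]["hp"]

ALLOWED_FIELDS = {"action", "target"}

def attack_server_authoritative(world, sender, msg):
    """After: the message carries intent only; the server decides the outcome."""
    # sender is taken from the authenticated session, never from the message.
    if set(msg) != ALLOWED_FIELDS or msg["action"] != "attack":
        raise ValueError("unexpected fields in client message")
    if msg["target"] not in world or msg["target"] == sender:
        raise ValueError("invalid target")
    low, high = WEAPONS[world[sender]["weapon"]]  # looked up, not sent
    damage = random.randint(low, high)            # rolled on the server
    target = world[msg["target"]]
    target["hp"] = max(0, target["hp"] - damage)
    return target["hp"]

# Constructed messages: one from a modified client, one from an honest client.
FORGED = {"action": "attack", "target": "victim", "damage": 999999999}
HONEST = {"action": "attack", "target": "victim"}
```

Rejecting the forged message outright, rather than silently dropping the extra field, also leaves a log entry that points at a modified client.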

7. Social Engineer

Methods: Convince administrators that they should give you cool stuff, either because you lost it, because the game's bugs destroyed it, or just because you're best buddies. Trick other players out of their stuff too.

Just as in the real world, there will be con men, and if anything it'll be tougher to find them out, because you're not talking to them in person, and thus are missing a number of emotional and physical cues in conversation.

Solutions: Generally, I say, trust people the first time, but if they seem to continue having "problems" and "losing things", consider that it's probably a scam. I'm willing to be fooled once, but not twice, and definitely not three times--though even then I really hate having to distrust people.


Even if you build the perfect game, the inadequacies and nuances of the Internet will ensure that there are ways to break your system. Make sure you're aware of them, and that you have solutions in hand for these sorts of problems when you are ready to release your game.

Thanks to Matt Seidl, Doug Orleans, and Odheirre for good comments on my initial listing of "ways to cheat".
