Signing in to an account registered to another player (by email information) with a device that has a history of using an account registered to another player could support evidence of AW piloting. It may not be feasible, but from what someone who has been co-principal and principal investigator for close to $5 million worth of National Science Foundation grants in information security told me, it is very easy for companies that offer services through internet access to monitor who specifically accesses their services and from what devices they use to do so.
You don't need an NSF investigator to tell you that. iOS has function calls to identify app installations. VendorID, for example, is guaranteed to be the same for apps from the same vendor on the same device, and different in other situations. So if MCOC was programmed to fetch this ID, every time you logged into the game the game servers could record whether you were logging in from the same device or different devices. If I hand you my iPhone and you log me out and then log in as you, the game servers would be able to tell both logins took place on the same iPhone because of this ID.
But that's not enough to prove account sharing, because I can also do that if I have two accounts, and Kabam has explicitly stated that it is legal for one person to play two different accounts. You could prove that two logins were coming from one device, but not that both logins were from different people or the same person using this technique alone.
I agree with almost everything you have been saying and I know for a fact that they use the deviceID code, as previously (around 10.0 maybe) someone found a way to decipher the support URL. The data that was sent just to the support URL was account creation date, account name, lifetime spend, most recent purchase, deviceID, and maybe one or two more things.
What I disagree with you on is: yes, it probably IS enough to prove sharing, if data was logged by device ID history, and then one device ID is only used during war attack phase, and used on several accounts. It's a pretty open and shut case. And they can even track WHO was the pilot by looking back at who is the primary user of said deviceID.
That's a lot of ifs that make the question of whether two logins from the same device prove account sharing a completely different question. What you're saying is if several accounts log in from the same device and those accounts only log in during AW attack phases, that is an open and shut case of account sharing.
That's more suggestive, but that would not be enough for me because there are still scenarios that can replicate that behavior, at least once. It would be more difficult to account for that kind of behavior multiple times in different patterns, which is why I mention traffic analysis. It's how this actually works in real investigations: you look for multiple instances of unusual behavior which can be individually explained but not with an explanation that explains them all. You build a strong enough case with enough data that you're comfortable making the inductive conclusion.
A good investigator, by the way, wouldn't be sure of what was conclusive evidence without looking at the data first. This kind of investigation is a complex meet in the middle where the data informs you of what is normal, and then you look for abnormal within that data, as impossible as that sounds. Whenever I've done this type of work, it has always included a reverse analysis that specified that the criteria used to show that something unauthorized had been done does not fit any known innocent behavior in the entire data set. If you state with certainty that X,Y, and Z prove someone guilty, you have to be 100% certain that you know all the times X, Y, and Z actually happened in all of the data you possess, and are certain that all other instances are equally guilty. One innocent piece of conduct that matches your criteria that someone else can discover destroys your entire analysis because it is the very definition of reasonable doubt.
@phillgreen Machine learning. You want to identify patterns, patterns in device usage, activity and ability and assign them to each player profile and look for outliers. The problem is that in many instances, a discrete outlier might be evidence of account sharing but not proof.
The question I ask myself is, do I want Kabam to spend resources developing this technology to eradicate account sharing or do I want them to spend it eradicating bugs or adding new features in the game?
Seems like there needs to be some kind of 2FA with additional context.
I’d be surprised if someone isn’t working on this sort of thing for gaming already. My guess is that the 2FA service would have to track something like geolocation. Then it verifies that yep, the person signing in is near the same physical location as the game. Kind of weird to ask people gaming to get access to their location, but, it would shut down all piloting.
Well, this is assuming that altering the 2FA process is tedious, which it typically is. Thus, you can, say, set up the 2FA app on your phone, then flip between the phone and tablet for the game. But trying to give the login to someone means giving them the 2FA login, which usually requires de-registering a device and registering a new one. And that, you can simply say, requires a lockout period.
It should be trivial as well to have multiple “game accounts” for a single 2FA account, so all current legal usage would be supported.
Many MMOs already use two-factor authentication systems of some kind. But no two-factor system specifically integrates geolocation because that doesn't address a problem enough people want to spend money on, at least not in the way you're describing.
This would also not eliminate piloting. This would add extra steps to piloting, but it would be easy to defeat. Any technological solution would have to account for the following. I drive to your house. I forgot my iPad. You let me log into the game with my account. Any reasonable authentication system must a) allow for this to happen and b) not detect this as account sharing. No technological system can distinguish between this situation and account sharing, that doesn't involve the phone literally watching the person playing the game and figuring out a way to identify that person. The privacy concerns involved would make this all but impossible to implement by the hardware manufacturers, and without their support the game companies cannot use this.
Geolocation is one of the few ways it actually DOESN'T work. Many people run through VPN.
I think @FingerPicknGood wasn't thinking about geolocating the phone, but rather geolocating the two-factor authentication token or system. This would identify the location of the person, who presumably wouldn't give away their token or it would be too difficult to ship them around, and thus would have to transmit the factor data to the person piloting. You'd then know the token aka the person and the phone aka the game device were physically in two different locations. But this kind of system doesn't actually exist in a practical form, and it contains other weird and nasty problems that make it problematic to build.
Well, I said this before. The easiest way for them to know when an Alliance is doing this during wars is to check the times of log outs and log ins during attack phase, for the whole alliance, not single players. If the log in details for a player are being repeated on all the other players that alternatively log out when someone else logs in, there is your proof.
Sure, the player could still change his IP, but probably doesn't have that many devices; in any case, it would slow down the account sharing a lot.
As long as they focus on alliance war attack activity, almost everyone would be satisfied by that. AQ would be more complicated, but would probably be the same. I would start applying this in wars.
I’m mostly just thinking aloud that 2FA with some “additional trusted context” provided by the device vendor (i.e., Apple and Google) is possible, but, yeah, there’s all kinds of nasty problems that make it kind of expensive to build. I wouldn’t rule out that someone is spending money on this sort of thing. There’s so much location tracking going on now, I think it’s just a question of time, since, well, I’m pretty sure most online banks want to see if they can track if someone all of a sudden starts withdrawing money halfway around the world.
Again, I’m not talking about using IP location, but things like location services that are combinations of GPS, cellular usage, WiFi, etc. (There was a comment about using VPNs, etc. Pretty sure location services causes all kinds of problems for people trying to hide behind VPNs.)
I’m also thinking this trusted context has to be accessible to both the game and the 2FA mechanism. Which is a really complex and funky user experience and probably why nobody really wants to do it. If I was asked “hey the app where you sign in and the game you want to play both want to track your location” I might get the heebie jeebies.
So yeah, back to the drawing board. Kind of a fun problem to think about though.
I’m guessing this is also why Apple kind of swept Game Center under the rug. Vendors probably wanted to trust it, and well, that was probably much harder than they realized and the priority just wasn’t there yet.
It’s not always back to back to back. Sometimes the piloting is fairly spread out.
I don't think that’s what he was saying. But if someone did invent a system like that they would be very rich after they license it to every competitive mobile game company.
As I have been stating, account sharing is opening yourself up to potential identity theft, but what if you manage to get on someone's bad side by something said in alliance chat, on the Line app or ClanHQ? What is to stop someone who has your login details from getting into your account and selling off all your champs, catalysts and whatever else? What then? Send a ticket to Kabam and confess to sharing your account in the hope they can recover everything for you?
People have done that, too. Admit to a wrongdoing and ask for forgiveness in order to get their account back but usually, they just cry "hacking" instead as that generates more sympathy when they post in the forums.
The answer to that question depends on whether you prioritize rankings or solo player progress.
If you prioritize single-mode progress, you want them to eradicate bugs and add new features.
If you prioritize rankings / rank rewards, you want them to deal with the cheaters that pilot to get the top ranks.
Not really, because general gameplay bugs affect AQ and AW, to an extent more so. The resources for combating issues with solo gameplay i.e. pots, are cheaper and more readily available than for alliance events. I'm way more annoyed about whiffing or hitting through a block occurring on an alliance event than a solo quest.
On a more general note...
If Kabam don't want piloting to occur, create an environment where it is a less necessary evil. If you run map 6, you need 10 people in each battle group working in concert otherwise YOU WILL run out of energy at the end.
We've missed out on map 6 crystals because one person didn't move to a node and the node didn't even have an opponent on it. 30 map 6 crystals gone because that player didn't move to an empty space. If the map didn't require that it run for basically the whole day you wouldn't have to have people choose between playing the game or waking up in the middle of the night.
Actually DNA was pretty close to what I was thinking. And I suspect some very rich people are in fact working on this problem, because it's very interesting to pretty much all mobile applications that have any kind of central server and have to secure data, not just mobile games. I just think that Apple and Google are probably finding more interesting ways to provide secure auth with some privacy.
Lots of ways to skin the auth cat, though. Right now I just think the game's auth system is probably custom, simple and naive. They probably didn't easily keep track of which devices logged in which accounts. So maybe they just do better tracking of that.
Really, it's like tracking the inverse of an "impact user" in social media, where devices are the people and accounts are their connections. You just want to spot any "popular people" or clusters of connected people. Everything will probably still need to be reviewed by a person, but it's probably good enough as long as the report can pop in for review quickly instead of needing to go through some kind of slow data export and analysis.
There is no way they can implement this without harming innocent normal people. My work VPN routes everything through NY server when I am sitting in London. I use Wifi to play the game at work. I have two mobiles with me all the time.
It will be ridiculous to stop being able to use VPN or several devices.
How many times do we have to say it. IT'S NOT YOUR IP ADDRESS. VPN wouldn’t matter. They would only look for your deviceID.
And you also got the wrong idea of what they’re looking for. They aren’t looking for one account that has multiple logins from different devices. They would look at the logins on the account all being from the SAME device ID.
This would mean that the same phone did multiple paths, and they could correlate the login times with the movements and attack phases in war. It would be easier than you think.
The real issue here is, do they even care? And given how they handled a certain high profile case of admitted piloting, I would lean towards thinking that they don’t give a 💩
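The device-ID correlation described in the posts above (one device logging into several accounts only during AW attack phases, with the device's primary user identified as the pilot) and the device-to-account graph idea a few posts earlier can be sketched as detection logic over login records. The following is an added example, not code from the game, from Kabam, or from any poster. It assumes a server-side login log with one `timestamp account device_id` triple per line and a known list of attack windows; the log lines, account names, device IDs and windows are all constructed. It deliberately applies the "does this pattern also match innocent behavior" check from earlier in the thread: an account whose home device is the same device (one person, two accounts), a foreign login outside any attack phase (the "I forgot my iPad" case), and a foreign login seen in only one war are all left unflagged.

```python
"""Correlate device IDs with accounts over login records to surface likely AW piloting.

Added example; not the game's own code. Assumes the server records
(timestamp, account, device_id) per login and that AW attack windows are known.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample data, not real telemetry. Half-open [start, end) windows.
AW_ATTACK_WINDOWS = [
    (datetime(2019, 5, 10), datetime(2019, 5, 11)),
    (datetime(2019, 5, 13), datetime(2019, 5, 14)),
]

# Constructed login log: "<ISO timestamp> <account> <device_id>" per line.
# dev-A: alice's phone, which bob and carol also log into, only during attack phases.
# dev-D: dave plays two accounts (dave, dave_alt) on one device at all hours.
# dev-E: erin's phone, where frank logged in once during a war (explainable once).
LOGIN_LOG = """\
2019-05-08T18:02:11 alice dev-A
2019-05-09T07:15:40 alice dev-A
2019-05-10T09:30:00 alice dev-A
2019-05-10T09:31:12 bob dev-A
2019-05-10T09:58:03 carol dev-A
2019-05-10T10:20:00 alice dev-A
2019-05-11T19:00:00 alice dev-A
2019-05-13T08:00:00 bob dev-A
2019-05-13T08:25:00 carol dev-A
2019-05-13T09:00:00 alice dev-A
2019-05-09T12:00:00 bob dev-B
2019-05-12T12:00:00 bob dev-B
2019-05-14T12:00:00 bob dev-B
2019-05-09T13:00:00 carol dev-C
2019-05-12T13:00:00 carol dev-C
2019-05-14T13:00:00 carol dev-C
2019-05-08T20:00:00 dave dev-D
2019-05-08T20:30:00 dave_alt dev-D
2019-05-10T15:00:00 dave dev-D
2019-05-12T20:00:00 dave dev-D
2019-05-12T20:30:00 dave_alt dev-D
2019-05-09T21:00:00 erin dev-E
2019-05-10T21:30:00 frank dev-E
2019-05-11T21:00:00 erin dev-E
2019-05-09T22:00:00 frank dev-F
2019-05-12T22:00:00 frank dev-F
2019-05-13T22:00:00 frank dev-F
"""


def parse_log(text):
    """Parse the log into (datetime, account, device_id) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, device = line.split()
        events.append((datetime.fromisoformat(ts), account, device))
    return events


def attack_window_index(ts, windows=AW_ATTACK_WINDOWS):
    """Index of the attack window containing ts, or None if ts is outside all of them."""
    for i, (start, end) in enumerate(windows):
        if start <= ts < end:
            return i
    return None


def primary_device_per_account(events):
    """Each account's 'home' device: the one it logs in from most often."""
    counts = defaultdict(Counter)
    for _, account, device in events:
        counts[account][device] += 1
    return {acct: c.most_common(1)[0][0] for acct, c in counts.items()}


def find_suspect_devices(events, windows=AW_ATTACK_WINDOWS, min_windows=2):
    """Devices whose non-primary accounts log in only inside attack windows, across
    at least min_windows distinct wars. Returns {device: evidence dict}."""
    home = primary_device_per_account(events)
    per_device = defaultdict(lambda: defaultdict(list))  # device -> account -> [ts]
    for ts, account, device in events:
        per_device[device][account].append(ts)

    suspects = {}
    for device, accounts in per_device.items():
        if len(accounts) < 2:
            continue
        primary = max(accounts, key=lambda a: len(accounts[a]))  # likely the pilot
        piloted, windows_hit, foreign_logins = [], set(), 0
        for account, stamps in accounts.items():
            if account == primary or home[account] == device:
                continue  # own account, or a second account that lives on this device
            idx = [attack_window_index(ts, windows) for ts in stamps]
            if None in idx:
                continue  # seen outside an attack phase: an innocent explanation exists
            piloted.append(account)
            windows_hit.update(idx)
            foreign_logins += len(stamps)
        if piloted and len(windows_hit) >= min_windows:
            suspects[device] = {
                "primary": primary,
                "pilots_for": sorted(piloted),
                "foreign_logins": foreign_logins,
                "windows": len(windows_hit),
            }
    return suspects


if __name__ == "__main__":
    for device, ev in find_suspect_devices(parse_log(LOGIN_LOG)).items():
        print(device, ev)
```

Only `dev-A` is reported: alice is its primary user, and bob and carol appear on it solely inside two different attack windows while their own home devices are elsewhere. Raising `min_windows` or adding a check that the foreign account's home device was idle during the same window would tighten the criteria further; a human still reviews the report, as the thread says.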
Just because you don't consider their actions with one case as sufficient doesn't mean they don't care about Sharing. If they didn't care, it wouldn't be a rule.
They already have ways of detecting it. The solution is making it a larger priority and dealing with it more swiftly. Starting with all those that are well-known for it and investigating there. It needs to be made a visible example before people take it seriously. It's been a subversive problem for years and it has to be brought more forward.
Lotta poor excuses being made in this thread. Lotta defensiveness as well. Both are expected every time this comes up. The "you don't know, you can't prove anything" is always my favorite because that's also what account sharers and pilots/piloted tell themselves. All it takes is kabam starting to care about this. I've been told they do, just waiting to see it
Account sharing is cheating. In high school you don't get out of trouble because you copied someone else's answers for a test. You still get in trouble for cheating. In a relationship you don't get a free pass by sleeping with someone else and saying "well they told me to". That's still cheating.
People are getting defensive because they know they are guilty and if Kabam actually decides to address this then these defensive people are at risk of losing their accounts or rewards or whatever.
If you're in an alliance that requires pilots then either you are not good enough to be playing in that tier or the alliance is not strong enough to be playing that content. If you don't have a life in the real world then you shouldn't be playing this game in the first place.
Mike or Adora, can you respond and acknowledge this is an issue? I also submitted a ticket and have video showing alliance piloting. These piloting alliances should be disqualified from season rewards.
Comments
Would only take a handful to show they actually care. And i can think of a certain someone who, in doing so, would be noticed by a lot of people.
If you repost I promise not be offended.
It was about different crimes, and how even though one wasn’t as bad it was still a crime and should be prosecuted. But with more descriptive words.
Not as controversial as I expected
What is the root cause of piloting?
Life gets in the way of gameplay.
Lucky/rich but terrible players in alliances they only fit due to roster.
Any others?
Well said. Yes, I actually mean it
WE WERE ON A BREAK!