New reports have surfaced that credit card thieves are laundering their ill-gotten gains in one of the most heretofore-innocuous markets out there: Free-to-play mobile games, such as Clash of Clans, or Marvel Contest of Champions.
According to cybersecurity company Kromtech, accounts in popular mobile games have become a surprisingly easy way for thieves to launder stolen credit cards. Researchers found an open MongoDB database with hundreds of thousands of stolen credit card numbers.
Upon further research, Kromtech researchers discovered the thieves had set up a complex automated system creating accounts, purchasing items within the game’s economy, then selling the account on third-party sites — thereby making money without connecting themselves to the stolen cards.
The primary reason it’s so easy to do this is because usually all you need to get started in a mobile game — at least on an iPhone — is an Apple ID, which requires very little effort to create.
A surprising amount of people purchase accounts in mobile games from online marketplaces — presumably in order to avoid that dreaded new game grind. (On a personal note: Come on people, suffering builds character.) This is against most games’ Terms of Service, but I’ll bet you money most people haven’t even bothered to read those.
So what could official channels do in order to make things more difficult for money launderers? Kromtech researchers suggest Apple could step up on card verification:
…interestingly, they must not perform much in the way of credit card verification because we saw that many were processed with an incorrect name and address. Perhaps verification is minimal due to the low dollar amount of the charge, but a stricter credit card verification would make it a bit more difficult for the carders.
We’ve also contacted Supercell, the developer behind Clash of Clans, for more information on what kinds of flags, if any, exist to mark these accounts out.