Zee Linden warns Risk API puts you at risk. L$ not to be trusted.

Posted Jan 17th 2007 7:01PM by Tateru Nino
Filed under: Linden Dollars, Accounts, Linden Lab

Today, Zee Linden talked a bit about the Risk API. If you spend much time on secondlife.com, you'll have seen it appear in the sidebar more than once. You might have poked at it to find out what it was all about. Basically it's a system for monitoring account activity, conditions and funds transfers that indicates fraud. Why should you care? After all, you don't commit fraud.

Because Zee Linden says that griefers are using the Risk API as a form of techno-social judo to have the accounts of innocent people mass-suspended. In fact, it's even better than goo attacks. Zee's initial message is "Be smart, don't get scammed", but by the end, there's obviously no way to prevent it, since your consent is not required.

Risk API griefing involves: Getting a large sum of money by fraudulent means (for example, through a stolen credit card), giving it to people, waiting for the system to identify the fraud, then sitting back and laughing your ass off as your account and hundreds or thousands of others are suspended by the system pending investigation. Once the money's moving, even relatively small sums could potentially cause issues, as we read it.

We're not just talking about a few minutes, or even an hour of goo attack here. We're talking about possible days of interruptions. Over at FurNation, there was wholesale disruption for weeks -- the griefer apparently counted on the Risk API to grief the community.

Zee Linden says to avoid using L$ for large sums, as it cannot be trusted. "If a resident wants to donate to your group, please ask them to do it in US dollars rather than Linden Dollars."

Umm. Generally a griefer isn't going to ask. They can give the money and you can't refuse, messing you up without consent. Depending on how it's done (eg paid to the group, then distributed) you may not even notice. Most people who do many transactions in a day have money transfer notifications turned off. In the case of FurNation, they asked, but actually, they didn't even need to. Just paying the money to a group owned object would pretty much have clinched the whole thing.

Tags: fraud, furnation, griefer, L$, linden dollars, LindenDollars, risk api, RiskApi, second life, SecondLife, suspension, USD, zee linden, ZeeLinden

Read

Reader Comments

(Page 1)

1. Well ain't that a hoot?? Wonder what LL will do to fix this... Kind of like Microsoft and the recent MSWord exploits, where MS's measured response to the exploit is:
"Don't open recieved Word documents..." d'oh.. I'm beginning to wonder if LL learned security programming from Microsoft... As much as I love SL, this is getting too much..

Tas

Posted at 9:14PM on Jan 17th 2007 by Tasman Perth

2. Oh, spiffing! A denial-of-service attack that absolutely CANNOT be prevented! I hope LL is working on SOME form of mitigation for this issue, and FAST!

Posted at 1:01AM on Jan 18th 2007 by Erbo Evans

3. "As much as I love SL, this is getting too much.. "

No it's not. Everyone says this. But no one ever means it. I guarantee you that it's not "getting too much." You're not even close to quitting.

Posted at 8:28AM on Jan 18th 2007 by Luciftias

4. Maybe this is too simple of a solution, but how about a "keep/discard" popup for money transfers like when someone gives you inventory? If some arbitrary person wants to give me money, I would like to be able to choose to accept it or not, especially in light of this news (which I had no clue about until I just read it here).

Posted at 9:32AM on Jan 18th 2007 by October Hush

5. October, the problem with the solution you suggest is that it would basically break every vendor in Second Life.

Posted at 2:01PM on Jan 18th 2007 by Eric Maelstrom

6. Ok, well how about having a choice of accepting payments automatically or manually? That wouldn't break vendors and would at least solve part of the problem.

Posted at 11:14AM on Jan 19th 2007 by October Hush

TGS 08: White Knight Chronicles impressions Buy PixelJunk Eden, get Monsters Encore for free Alone in the Dark gets new subtitle for PS3: Inferno	Blizzcon 2008 DVD production panel reveals WoW tidbits Mounts to be usable on water The funny, morbid, and sad coins of the Dalaran fountain
Soulja Boy calls out Xbox Live gamers Activision calls in the budget Secret Service TGS 08: Street Fighter IV extended trailer	High Voltage announces new WiiWare racer Wii Warm Up: Taiko Risk Assessment New Mario Kart tournament keeps it simple
DS Daily: Saving up for a Flowery, Sunny, and Rainy day Neopets Screenshot Adventure Unlikely rumor: Kingdom Hearts bundle includes GBA-capable DSi?	TGS 08: LocoRoco 2 and the curiously embargoed trailer PSP Fanboy hands-on: Kingdom Hearts: Birth by Sleep TGS 08: LocoRoco 2 grabs us with cuteness and depth
Blizzcon 2008: Notes from the DVD production panel New Starcraft 2 screenshots emerge from BlizzCon Infogrames purchase of Atari completed	Five Months Pregnant and Still Making Birdies, Hjorth Near the Lead in LPGA Boo Weekley on 'The Tonight Show'