
PayPal's analysis of digital sales fraud and the corresponding countermeasures

Published: 2011-05-31 15:49:02

Gamerboom note: This article was written by PayPal executive Peter Martin and published on 24 February 2010; all times, events and figures below are relative to that date.

Merchants are very optimistic about the prospects for virtual goods sales. According to the Inside Virtual Goods report, the category is growing rapidly and its total value in the US is projected to reach $1.6 billion this year. Data from the research firm Forrester show that 15% of US consumers purchase software and games online to run on their PCs, and 8% pay for mobile phone games.

Although the digital goods business is growing fast and has wide room for innovation, selling online, like any business, carries some level of risk. For digital goods, a faster sale and delivery cycle gives criminals an opening, and a huge customer base tempts fraudsters worldwide. Moreover, digital goods merchants are usually newcomers to the market and lack experience in fighting fraudsters.

Digital goods merchants generally face three kinds of threat: account takeover, stolen financials and not-so-friendly fraud. The good news is that many of the practices used to curb online fraud also work for digital goods sales. The situations and economics differ, but the approach is similar: find the weak points and prevent them from being attacked.

PayPal (from wai-mao.net)

Account takeover

Account takeover harms the user experience and the brand's reputation. In this kind of attack, a customer's user name and password are stolen and the account is compromised. The criminal goes online and starts transacting, buying and selling goods on the open market. Other virtual currencies make it easy for third parties to carry out the exchange. The whole takeover is completed in a short time, usually with the help of a scripting language.

The first measure against this behaviour is better password authentication; the advanced measure requires a better understanding of user behaviour. If I only log into my account at home or at work, a login from another machine must attract the system's attention, for example by asking challenge questions at login. The same verification is needed if my IP address indicates North America but I log in from Iceland, or if my usual browser language is American English but the new login's browser is set to Cyrillic. There are many such identifiers, all of which can be used to better secure the login.

Stolen financials

Account takeover only affects your customers, but stolen financials casts a much wider net. In this crime, the fraudster creates a "legitimate" account with stolen information and buys virtual goods (Gamerboom note: such as certain virtual currencies), then converts the goods obtained into real-world money. This approach also relies on scripting languages, which speed up the process. Usually the merchant refunds the money after the legitimate account holder reports the fraudulent transaction. But because digital goods carry high margins and low unit costs, merchants routinely face such refunds without going under.

Solution: be more vigilant in verifying credit card information by using the Address Verification System, which requires that the billing address the customer provides match the address on file with the credit card company. A better measure is to require entry of the card security code on the back of the card; most stolen card data on the Internet does not include those digits. A third layer of protection is a NAP check, which verifies that the customer's name, address and phone number are consistent with the customer's IP address.

Not-so-friendly fraud

The industry calls the third threat "friendly fraud", but to merchants it hardly seems friendly. Not-so-friendly fraud is often buyer's remorse. A player gets absorbed in a game, spends $200, and wakes up the next day regretting it. Usually, rather than vowing to be more careful online, the player opts for a refund. Other variations include a child using a parent's credit card, or a player deliberately buying digital goods in order to demand a refund later. Because chargeback rules were designed for physical goods, people abuse the system, knowing that most digital goods merchants will not take the time to contest the refund request.

Whatever form it takes, not-so-friendly fraud is an increasing threat to social networks. The best solution combines fraud scoring with community negative files. Fraud scoring analyses the merchant's own internal data to try to infer the likelihood that any transaction is affected by fraud. For example, a game operator can measure from user data the average purchase velocity of a certain sword and then find the bad actors whose purchase behaviour is abnormal. Community negative files let merchants share intelligence, so every merchant can learn about those with a history of fraud.

Improving site security

These methods only work if you act on them. Merchants we work with have reduced fraud by purchasing risk mitigation services from third parties or building their own solutions. Stamping out fraud is also PayPal's practice, and you will see more security monitoring measures in the future. (This article was compiled by Gamerboom/gamerboom.com; for reprints please contact: Gamerboom

Selling Digital Goods: Stay Safe and Reap the Rewards

Peter Martin

As a merchant, there’s a lot to like about the selling of virtual goods. The category is exploding, and projected to reach $1.6 billion this year in the US, according to the Inside Virtual Goods report. According to the research firm Forrester, 15 percent of U.S. consumers purchased software and games online to play on their PCs, and 8 percent purchased games to play on their mobile phones.

But while digital goods is a fast-growing business that is wide open to innovation, the reality of selling online is that – just like any business – there exists some level of risk. For digital goods, a faster sale/delivery cycle gives the bad guys a faster getaway, and a “borderless” customer base can attract a global community of fraudsters. In addition, digital goods merchants are often newer to the market and less experienced in combating fraud.

Digital goods vendors generally face three kinds of threats: account takeover, stolen financials and “not-so-friendly fraud.” The good news is that many of the best practices used in curbing online fraud work well for digital goods merchants, too. The situations and economics are different, but the approach is similar: be aware of the vulnerabilities and act to prevent them.

Account Takeover

Account takeover tends to harm the user experience and reputation of your brand. Here, a customer’s user name and password are compromised, and their account is taken over. The perpetrator goes online and starts transacting, buying goods and selling on the open market. Other virtual currencies make it easy for third parties to facilitate the exchange. It all happens very fast, typically with the help of a scripting language.

The first bar of prevention is better password authentication. The higher bar entails a better understanding of a user’s behavior. If I only log into my account at home or work, a login from a different machine should attract some attention—and some challenge questions. The same is true if my IP address would indicate I live in North America but appear to be logging in from Iceland, or if my usual browser is set to American English but this one is set to Cyrillic. There are several of these identifiers, all of which can be used to better secure the login.
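The behavioural checks described above (unknown device, IP geolocation that does not match the owner's usual country, a browser locale the owner never uses) as an added example that is not part of the article: a login attempt is compared against the account's recorded habits and the result decides whether the correct password is enough, whether challenge questions are needed, or whether the login is refused and the owner notified. The profile, the IP-to-country table, the device identifiers and the three-tier decision rule are all constructed for this example, not PayPal's logic.

```python
"""Added example (not from the PayPal article): scoring a login attempt
against what the account's owner usually does. The profile, the
IP-to-country table and the attempts below are constructed sample data."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed stand-in for a geolocation service, using documentation ranges.
GEO_TABLE = [
    (ip_network("203.0.113.0/24"), "US"),   # labelled North America here
    (ip_network("198.51.100.0/24"), "IS"),  # labelled Iceland here
]


def country_for(ip):
    addr = ip_address(ip)
    for net, country in GEO_TABLE:
        if addr in net:
            return country
    return "??"   # an unresolvable location counts as unusual, not as neutral


@dataclass
class LoginProfile:
    known_devices: set      # device fingerprints seen on past successful logins
    usual_countries: set    # countries those logins came from
    usual_languages: set    # Accept-Language values those logins sent


@dataclass
class LoginAttempt:
    device_id: str
    ip: str
    accept_language: str    # e.g. "en-US"; "ru-RU" for a Cyrillic locale


def risk_signals(profile, attempt):
    """Every way the attempt departs from the owner's established behaviour."""
    signals = []
    if attempt.device_id not in profile.known_devices:
        signals.append("new_device")
    country = country_for(attempt.ip)
    if country not in profile.usual_countries:
        signals.append(f"unusual_country:{country}")
    if attempt.accept_language not in profile.usual_languages:
        signals.append(f"unusual_language:{attempt.accept_language}")
    return signals


def decide(signals):
    """A correct password alone is not enough once the context looks wrong:
    one anomaly earns challenge questions, two or more earn a refusal plus a
    notification to the owner (the tiering is this example's assumption)."""
    if not signals:
        return "allow"
    if len(signals) == 1:
        return "challenge"
    return "block_and_notify"


def evaluate(profile, attempt):
    signals = risk_signals(profile, attempt)
    return decide(signals), signals


if __name__ == "__main__":
    owner = LoginProfile({"laptop-home", "desktop-work"}, {"US"}, {"en-US"})
    for attempt in (LoginAttempt("desktop-work", "203.0.113.5", "en-US"),
                    LoginAttempt("laptop-home", "198.51.100.7", "en-US"),
                    LoginAttempt("cafe-pc", "198.51.100.7", "ru-RU")):
        print(attempt.device_id, evaluate(owner, attempt))
```

A single mismatch is deliberately not a refusal: travellers and new laptops are common, so one signal only raises the bar to challenge questions, while the combination the article describes (new machine, foreign IP, foreign locale) is treated as a takeover in progress. The device and language sets should be updated only after a challenge succeeds, otherwise the attacker's machine becomes "known".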

Stolen Financials

Compared with account takeover, which is restricted to your customers, stolen financial information casts a much wider net. Here, the fraudster sets up a “legitimate” account using stolen information, purchases virtual goods, then turns those purchases into real-world cash. This cycle also relies on scripting language, which in turn speeds up the process. Typically after the legitimate cardholder reports the fraudulent transaction, the merchant will refund the money. But because the markup on digital goods is so high and the unit costs so low, digital goods vendors routinely tolerate a level of chargebacks that would sink a vendor selling jewelry or electronics.

The solution: be extra vigilant in verifying credit card information by using the Address Verification System, which matches the billing address provided by the customer with the one on file with the credit card company. Even better, require entry of the Card Security Code found on the back of the card. Most stolen card data on the Internet still doesn’t include that number. A third layer of protection is a NAP check: validating a customer’s name, address, and phone number, which can then be cross-checked with the customer’s IP location.
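The three layers named above (AVS, Card Security Code, NAP check against IP location) run in sequence, as an added example that is neither PayPal's code nor a real processor's API. The issuer record, the IP-to-region and area-code tables, the test card number and the decision taken on each failed layer are all constructed assumptions; in practice the AVS and CSC answers come back from the card network, and the merchant never stores the CSC itself.

```python
"""Added example (not PayPal's code): the three card-verification layers the
article names, run over a constructed issuer file and constructed
geolocation tables. Decisions on failed layers are this example's choices."""
from dataclasses import dataclass
from typing import Optional
import hashlib
import hmac

# Constructed stand-in for the issuer's file. A merchant never holds the CSC
# (the issuer answers match/no-match); the keyed hash only lets this toy
# issuer answer without keeping the code in clear.
ISSUER_KEY = b"constructed-demo-key"


def _csc_digest(csc):
    return hmac.new(ISSUER_KEY, csc.encode(), hashlib.sha256).hexdigest()


ISSUER_FILE = {
    "4111111111111111": {            # well-known test PAN, not a real card
        "name": "Alice Example",
        "zip": "94025", "street_number": "2211",
        "phone_area": "650", "state": "CA",
        "csc_digest": _csc_digest("123"),
    },
}
IP_REGION = {"203.0.113.5": "CA", "198.51.100.7": "FL"}   # constructed geolocation
AREA_CODE_STATE = {"650": "CA", "305": "FL"}              # constructed area-code table


@dataclass
class Order:
    pan: str
    name: str
    street_number: str
    zip: str
    csc: Optional[str]      # None when the checkout form did not collect it
    phone_area: str
    state: str
    ip: str


def avs_check(order, record):
    """AVS as the text describes it: billing ZIP and street number on file."""
    return order.zip == record["zip"] and order.street_number == record["street_number"]


def csc_check(order, record):
    if order.csc is None:
        return False
    return hmac.compare_digest(_csc_digest(order.csc), record["csc_digest"])


def nap_check(order, record):
    """Name, address and phone agree with each other and with the IP location."""
    name_ok = order.name.lower() == record["name"].lower()
    phone_state = AREA_CODE_STATE.get(order.phone_area)
    ip_state = IP_REGION.get(order.ip)
    return name_ok and phone_state == order.state == ip_state


def verify_order(order):
    record = ISSUER_FILE.get(order.pan)
    if record is None:
        return {"decision": "decline", "reason": "unknown_card"}
    layers = {"avs": avs_check(order, record),
              "csc": csc_check(order, record),
              "nap": nap_check(order, record)}
    if not layers["avs"] or (order.csc is not None and not layers["csc"]):
        decision = "decline"       # hard evidence the card data is not the buyer's
    elif order.csc is None:
        decision = "request_csc"   # never settle a card-not-present sale without it
    elif not layers["nap"]:
        decision = "review"        # soft mismatch: hold for manual review
    else:
        decision = "accept"
    return {"decision": decision, **layers}


if __name__ == "__main__":
    order = Order("4111111111111111", "Alice Example", "2211", "94025",
                  "123", "650", "CA", "203.0.113.5")
    print(verify_order(order))
```

The ordering matters: a wrong CSC or AVS mismatch is treated as conclusive because the data on the stolen-card market usually lacks exactly those fields, while a NAP/IP mismatch alone is only a review flag, since legitimate buyers travel. The CSC is compared and discarded; it must not be written to logs or databases.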

Not-So-Friendly Fraud

The industry calls the third threat “friendly fraud,” but for merchants, it doesn’t seem all that friendly. Not-so-friendly fraud is usually buyer’s remorse. A player gets wrapped up in a game, spends $200 and then wakes up the next day with a financial hangover. Instead of vowing to live a more sober online life, he denies making the charge. That’s the usual scenario. Variations include a child using a parent’s credit card, or a malicious player buying digital goods with the intent of later denying it. Because chargeback rules were designed for physical goods, people can abuse the system, knowing that most digital goods vendors won’t take the time to push back.

Whatever the form, not-so-friendly fraud is a growing threat for social networks. The best solution is a combination of fraud scoring and community negative files. Fraud scoring analyzes a merchant’s own internal data to try and determine the likelihood that any transaction will be fraudulent. For example, a game operator could determine from usage data the average velocity of a sword purchase, and then identify outliers—purchases that are well outside that norm. Community negative files are shared intelligence between vendors, so that a fraudster’s history begins to follow him or her from merchant to merchant.
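The sword-velocity example above, and the community negative file, worked through as an added example (not the article's or PayPal's code). The purchase log, the accounts, the e-mail addresses and the negative-file entries are constructed; the outlier test uses a median/MAD modified z-score rather than mean and standard deviation, a choice explained in the comments.

```python
"""Added example (not from the PayPal article): velocity-based fraud scoring
on a merchant's own purchase log plus a community negative-file lookup.
All purchases, accounts and negative-file entries are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
import hashlib
import statistics

WINDOW = timedelta(hours=1)   # velocity = purchases of one item per hour

# Constructed purchase log: (account, email, ISO timestamp, item)
PURCHASES = [
    ("a1", "ann@example.com",    "2010-02-20T09:00:00", "sword"),
    ("a2", "grudge@example.com", "2010-02-20T10:00:00", "sword"),
    ("a2", "grudge@example.com", "2010-02-20T10:20:00", "sword"),
    ("a3", "cho@example.com",    "2010-02-20T12:00:00", "sword"),
    ("a4", "dev@example.com",    "2010-02-20T13:00:00", "sword"),
    ("a4", "dev@example.com",    "2010-02-20T13:05:00", "potion"),
    ("a5", "eve@example.com",    "2010-02-20T14:00:00", "sword"),
    ("a5", "eve@example.com",    "2010-02-20T14:30:00", "sword"),
] + [  # one account scripting twelve sword purchases in twelve minutes
    ("a6", "mule@example.com", f"2010-02-20T03:{m:02d}:00", "sword") for m in range(12)
]


def email_fingerprint(email):
    """Vendors share hashed identifiers, not raw e-mail addresses."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


# Constructed community negative file: fingerprints of buyers other
# merchants have already seen charge back.
NEGATIVE_FILE = {email_fingerprint("grudge@example.com")}


def peak_velocity(timestamps):
    """Largest number of purchases falling inside any WINDOW-long span."""
    ts = sorted(timestamps)
    best, j = 0, 0
    for i in range(len(ts)):
        while j < len(ts) and ts[j] - ts[i] <= WINDOW:
            j += 1
        best = max(best, j - i)
    return best


def modified_z_scores(values):
    """Median/MAD based z-score (Iglewicz-Hoaglin). A mean/stdev z-score is
    dragged toward the very outlier it is supposed to expose; with the data
    above it would score the scripted account below 3."""
    xs = list(values.values())
    med = statistics.median(xs)
    mad = statistics.median([abs(x - med) for x in xs])
    mad = max(mad, 0.5)    # floor: a perfectly uniform baseline must not divide by zero
    return {k: 0.6745 * (v - med) / mad for k, v in values.items()}


def score_accounts(purchases, item, negative_file, threshold=3.5):
    """Return {account: [reasons]} for every account that bought `item`."""
    times, emails = defaultdict(list), {}
    for acct, email, ts, bought in purchases:
        emails[acct] = email
        if bought == item:
            times[acct].append(datetime.fromisoformat(ts))
    velocity = {a: peak_velocity(t) for a, t in times.items()}
    z = modified_z_scores(velocity)
    report = {}
    for acct in velocity:
        reasons = []
        if z[acct] > threshold:
            reasons.append("velocity_outlier")
        if email_fingerprint(emails[acct]) in negative_file:
            reasons.append("negative_file")
        report[acct] = reasons
    return report


if __name__ == "__main__":
    for acct, reasons in sorted(score_accounts(PURCHASES, "sword", NEGATIVE_FILE).items()):
        print(acct, reasons or "ok")
```

The two signals answer different questions: the velocity outlier is derived purely from the merchant's own data and catches the scripted buyer on the first day, while the negative-file hit catches a buyer who has been clean here but has a chargeback history elsewhere. Sharing fingerprints instead of addresses lets vendors pool that history without handing each other customer lists.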

Securing Your Site

Best practices only work if you implement them. Merchants we work with have reduced fraud by purchasing risk mitigation services from third-party vendors or developing their own in-house. Stamping out fraud is part of PayPal’s DNA, as well, and you will see more safety measures from us in the future.

PayPal maintains a microsite for digital goods vendors, including links to a best practices guide and a list of partners, as well as information on micropayments for digital goods. (Source: Inside Social Games)
