HOW ONE OF YOUR VIRTUAL PERSONA COULD WORTH 500,000,000.00 EURO
FADI ABU ZUHRI
The advancement of technology has brought about massive change in the lives of people. These developments have greatly affected how they transact and behave online. Many of the activities that were conducted face-to-face have transformed in the virtual world. More and more people have built comprehensive online profiles for them to shop, bank, and connect with friends to the point that they have created a Virtual Identity or Persona of themselves.
An individual’s Virtual Persona allows them to access their credit status, bank balances, engage in gaming, socializing, dating, blogging, etc. This makes your Virtual Identity of immense value to organizations and people. Your online behaviour indicates your buying patterns; your social and financial status attracts certain people who want to befriend you.
Virtual Persona has real value and certain entities may want access it and impersonate in the virtual world. Data derived from the virtual persona has become a source of profiteering legally and illegally. The widespread proliferation of illegal and unrestricted use of private information necessitates the need for effective online Identity Management to create a safe online environment for ecommerce and Internet usage as a whole (Smedinghoff, 2011).
People need to understand that in the virtual world, their online identities have immense value. Earlier, people stored their identity cards in their wallets. Now these are stored online – whether it is your social, legal or financial profile. This means, your Virtual Identity can potentially be stolen electronically. Even something as harmless as online gaming is subject to the same threats. Games such as “World of Warcraft” are termed Massively Multiplayer Online Role-Playing Game (MMORPG) as it engages a huge number of users. The “World of Warcraft” holds the Guinness World Records for the largest monthly subscribers of 11.6 million (Mitchell, 2009). The other most played MMORPG include Final Fantasy, The Elder Scrolls Online, Guild Wars 2, Blade & Soul, Black Desert Online, RuneScape, EVE Online and Star Wars (IG Critic, 2016). Various Augmented Reality games, Pokémon Go for example, also are gaining popularity. Such virtual communities are not immune to cyber attacks.
This paper explores the subject of Virtual Identity, the risk and opportunities of losing them to cyber theft. It reports on how organizations, legally and illegally, are analysing your Virtual Persona and what it could mean to losing accessing your Virtual Identity. The paper focuses on Virtual Reality (VR), Augmented Reality (AR), Analytical Tools and services available to analyse Virtual Identities.
VIRTUAL REALITY: RISK & OPPORTUNITIES
Virtual Reality (VR) describes the world that exists in our minds when we are interacting online. It is the computer-generated artificial environment that users can interact with (Biocca & Levy, 1995). This artificial environment can be experienced via stimuli as sounds and sights afforded by a computer. Virtual Identities are created in VR and represent users in the video games, chat rooms, virtual common space or any other similar environments. These identities aimed at complementing various virtual spaces and platforms are simply referred to as “Avatars” (Morgan, 2009). An Avatar includes a representative video content or image, a profile, a name, or a “handle” that offers more information about an individual’s Virtual Identities.
People create virtue identities by creating virtual representatives of themselves (Rheingold, 1991). In online games, the individual’s Virtual Identity may be part of their identity but may differ from their own identity. In other spaces such as Basecamp, Virtual Identities may be less creatively oriented and represent the user’s actual physical identity, where the user uses their own image or name for an Avatar (Witmer & Singer, 1998).
These virtual platforms pose special risks to users, as they are hubs for Cybercriminals. This occurs because VR technology is built upon existing platforms (Lanier, 1992). As such, it offers little new attack opportunity. At the highest level, VR is largely a new input and display mechanism added to the traditional devices. The technology is powered with underlying computers (whether a mobile, personal computer or console device) that have not really changed much. However, VR facilitates positional and orientation tracking. Physical body movements are tracked. The comprehensive behaviour tracking can be quantified to understand preferences, divert the user’s attention and even sell things (Rubin, 2016). Perhaps, the risk posed by it is not any greater than any other device or software that the user may add to his or her computer.
Today, the use of VR in gaming provides users with a fantasy world that is disconnected from reality. This way, it offers the opportunity to the identity thieves to attack VR and monetize such attacks via social engineering.
Finally, tracking data on online shopping facilitated through VR may allow Cybercriminals to make dangerous attacks. Online shopping provides users with an entirely different VR experience. It allows users to browse items online and even try these items on the Avatar. Unfortunately, the program used can identify a person’s debit card or credit card and Cybercriminals can capture and sell this information.
A Cybercriminal can also use VR/ AR headsets tracker such as web-coding tricks to find valuable information of the user, monitor mouse clicks and movements and use this data in recreating the user actions in a similar way one could mimic the manual pin entry (Fox, Arena, & Bailenson, 2009).
AUGMENTED REALITY: RISK & OPPORTUNITIES
Augmented Reality (AR) describes a series of technologies (i.e., Head-Mounted Displays (HMDs)) that makes it possible for the real-time mixing of content generated via computer with video display (Azuma R. T., 1997). It is used to integrate virtual information into the physical environment of a person making it possible for them to perceive it as existing in their environment (Janin, Mizell, & Caudell, 1993). Its functioning is based on the techniques that was developed in VR and interacts with the virtual world. AR technologies are defined by the following features: (1) interactive in real-time; (2) combining virtual and real; and (3) registered in 3D (Azuma, Baillot, Behringer, Feiner, Julier, & MacIntyre, 2001). This means that these technologies are registered in 3D and interact in real-time. This ensures accurate registration and tracking to ensure the user obtains a believable image. As such, the three key building blocks of AR systems are real-time rendering, display technology and tracking and registration (de Sa & Churchill, 2012).
New mobile wearable computing applications supporting AR functionality are increasingly become possible with the decrease in size and increase in the power of computers making it possible for users to access online services everywhere and always. This flexibility allows applications that enable users to exploit the surrounding context. This AR presents a powerful User Interface (UI) to context aware computing environments (Mekni & Lemieu, 2013). Currently, AR exists in consumer products including Microsoft’s HoloLens, Google Glass, Apple’s iPhone X, Samsung Pixie and games such as Pokémon Go.
AR devices may be prone to attacks and lead to identity theft. For instance, a Cybercriminal using Social Engineering and 3D models can alter and create fake videos and games. Computer scientists and animators have already succeeded in creating the techniques to take the voice recording of a person and make them say something they didn’t. They can give a person different lip movements and expressions by altering the person’s video. This can be achieved by way of tracking a history of movement of a person in VR. While these fake videos are yet to be perfected on, it demonstrates how accurate 3D models and VR tracking could change things. The individual’s unique identifiers could be their physical or verbal “ticks” or unique movements. If compromised, Cybercriminals can use these personal intricacies to digitally impersonate a user or to socially engineer one’s friends (Shatte, Holdsworth, & Lee, 2014).
AR technology was developed over forty years back. Pokémon Go just made AR mainstream. Cybercriminals see AR as an opportunity to execute their malicious intents, and have already seized the opportunity of the popularity of games and various other applications to execute their malicious intents (Zhou, Duh, & Billinghurst, 2008). They have succeeded in creating Windows ransomware, SMS spam, scareware apps, lockscreen apps and apps for purpose of executing their malicious intents. They use fake Windows-based Pokémon Go Bot to attack the users of Pokémon Go Bot. This Pokémon Go Bot application levels the account of the user with little effort by mimicking the role of a fake Pokémon trainer (Paz, 2016).
People are also exploiting Pokémon Go to spread malware to the AR game via bogus guides (Tynan, 2017). Augmented wearable technology pose a serious risk as images in the field of view of a person could be manipulated. These Cybercriminals essentially substitute real virtual objects with fake virtual objects. These AR Cybercriminals could also reinvent a new version of ransomware, which could be used for malicious purposes. By using this new breed of ransomware, these Cybercriminals could make a Doctor who is using Microsoft HoloLens to lose control of it or to pay ransoms. Cybercriminals can also use AR devices to collect personal health data and biometric data and use it for malicious intentions (Boyajian, 2017).
ANALYTICAL TOOLS AND SERVICES
The online technology has generated huge amount of data from video streaming, social media activities, online game playing and browsing in the Internet. These data are accumulating day by day from various sources, through different methods of inputting via different technologies. These data accumulated are called as “Big Data” which is considered to be broad, fast and voluminous. It is either structured or unstructured, but still useful to derive data sets and subsets to sell and utilize by online and non-online companies for increasing market coverage and profits (Tiwarkhede & Kakde, 2015).
Companies engaging in analytic services record and then sell online profiles like user/ screen names, email addresses, web site addresses, interests, preferences, home addresses, professional history, and the number of friends or followers an online user has. There are also companies who gather and synthesize data on the tweets, posts, comments, likes, shares, and recommendations of the user in his social media accounts (Beckett, 2012).
Analytic service and online data industry is reported to be a $300 billion-a-year industry, employing around 3 million people in the United States alone (Morris & Lavandera, 2012). There are a lot of successful companies that provide analytical services and data brokering. These companies, supposedly, know more about you than Google. The list includes Acxiom, Corelogic, Datalogix, eBureau, ID Analytics, Intelius, PeekYou, Rapleaf, and Recorded Future (Mirani & Nisen, 2014). What they do is look into online personal profiles of the users, gathering information like names, friends, activities and interests of those personal profiles and selling them to end users for advertising, marketing and other legitimate economic activities. Basically, it collects information like contact detail, interests, preferences and demographics, then aggregating those information gathered based on a subset needed or applicable to its clients. Acxiom alone has recorded over a billion dollar in revenue for its analytical services involving 144 million US households (Morris & Lavandera, 2012).
Data brokers are intelligent in gathering data and know how to use it. They take advantage of the vast data available online in order to deliver relevant services to users, suggest products and services that the users might need or subliminally suggesting that they need it. These companies claim that all the information gathered and sold is legal, secure and suitable for the users. Data brokers cater to different customers that can range from small enterprises to large Fortune 500 companies (Morris & Lavandera, 2012).
Data brokers source their information from a variety of places. For example, Facebook, Google and other free apps are collecting your data and selling it to those who are willing to pay for it. And then there are Cybercriminals who steal this information and sell on the dark net.
It is scary to think what damage a cyber attack on data aggregators could do. In September 2017, Equifax reported a massive data breach. Initially reported as affective 143 million people, the estimate was revised to 145.5 million later. Cybercriminals accessed consumer’s highly sensitive personal and financial information including names, birthdates, addresses and credit card numbers (Hackett, 2017).
The cost of virtual persona of a user is priced depending on its legality, usage and the purpose of its application. Bank details, credit history and the availability of personal documents like driver’s license are seen as high value. Financial Times has presented a calculator to show what each bit of your personal information is worth (Steel, Locke, Cadman, & Freese, 2013). The more is revealed about your real and virtual behaviour, the more valuable your information is. And consider the fact that this information is constantly traded and resold to multiple buyers. It is not difficult to imagine that over the course of your lifetime (or afterlife) your persona may be worth 500 million Euros.
In almost all of the cases the owner of such personal information does not receive the income, or even a tiny share of it, from the revenues generated by the analytics service providers who sell this to willing buyers. The owner themselves are facing risk of breach in security when their information is leaked to undesirable elements who will use their identity to commit fraudulent and criminal activities, leaving them liable for credit fraud or for the unpaid loan that they did not apply for in the first place. The real owner of the personal data faces the burden of proving his/ her innocence.
AR and VR devices are highly complex and relatively new. They are vulnerable and attractive to Cybercriminals looking for the weakest link. Some argue that Cybersecurity’s weakest link are the organization’s own employees (Banham, 2017). Social engineering, as it is also known, is where Cybercriminals deceive their victims and gain their trust. Once the Cybercriminal gains entry, the best protective software turns useless. Therefore, organizations need to invest in on-going Cybersecurity awareness for their employees.
Does it make sense to blame people who are the value creators in organizations? Shouldn’t technical systems be built for normal people rather than techies building systems for techies?
1.Azuma, R. T. (1997). A Survey of Augmented Reality. Presence: Teleoperators and Virtual Environments , 6 (4), 355-385.
2.Azuma, R., Baillot, Y., Behringer, R., Feiner, S., Julier, S., & MacIntyre, B. (2001). Recent advances in augmented reality. Computer Graphics and Applications , 21 (6), 34–47.
3.Banham, R. (2017, March 20). The Weakest Link In Your Cyber Defenses? Your Own Employees. Retrieved 2017, from https://www.forbes.com/sites/eycybersecurity/2017/03/20/the-weakest-link-in-your-cyber-defenses-your-own-employees/#7815acac5d51
4.Beckett, L. (2012, November 9). Yes, Companies Are Harvesting – and Selling – Your Facebook Profile. Retrieved 2017, from ProPublica: https://www.propublica.org/article/yes-companies-are-harvesting-and-selling-your-social-media-profiles
5.Bimber, O., Raskar, R., & Inami, M. (2005). Spatial Augmented Reality. Wellesley: AK Peters.
6.Biocca, F., & Levy, M. (1995). Communication applications of Virtual Reality. Hillsdale, NJ: Erlbaum.
7.Boyajian, L. (2017, February 27). The 3 biggest challenges facing Augmented Reality. Retrieved 2017, from Network World: http://www.networkworld.com/article/3174804/mobile-wireless/the-3-biggest-challenges-facing-augmented-reality.html
8.de Sa, M., & Churchill, E. (2012). Mobile augmented reality: exploring design and prototyping techniques. 14th international conference on Human-computer interaction with mobile devices and services (pp. 221–23). ACM.
9.Eskelinen, M. (2001). Towards computer game studies. Digital Creativity , 175–183.
10.Fox, J., Arena, D., & Bailenson, J. N. (2009). Virtual Reality: A Survival Guide for the Social Scientist. Journal of Media Psychology , 95–113.
11.Hackett, R. (2017, October 2). Equifax Underestimated by 2.5 Million the Number of Potential Breach Victims. Retrieved 2017, from http://fortune.com/2017/10/02/equifax-credit-breach-total/
12.IG Critic. (2016). Most Played MMORPG Games of 2016. Retrieved 2017, from http://igcritic.com/blog/2016/03/17/most-played-mmorpg-games-of-2016/
13.Janin, A. L., Mizell, D. W., & Caudell, T. P. (1993). Calibration of head-mounted displays for augmented reality applications. (pp. 246–255). IEEE.
14.Lanier, J. (1992). Virtual reality: The promise of the future. Interactive Learning International , 275–279.
15.Mekni, M., & Lemieu, A. (2013). Augmented Reality: Applications, Challenges and Future Trends. Applied Computational Science .
16.Mirani, L., & Nisen, M. (2014, May 27). The nine companies that know more about you than Google or Facebook. Retrieved 2017, from https://qz.com/213900/the-nine-companies-that-know-more-about-you-than-google-or-facebook/
17.Mitchell, B. (2009, June 5). E3 2009: Guinness World Records announces awards at E3. Retrieved 2017, from http://www.ign.com/articles/2009/06/05/e3-2009-guinnes-world-records-announces-awards-at-e3
18.Morgan, G. (2009, July 24). Challenges of Online Game Development: A Review. Simulation & Gaming. (Sage) Retrieved 2017, from Simulation & Gaming: http://research.ncl.ac.uk/game/research/publications/87445d01.pdf
19.Morris, J., & Lavandera, E. (2012, August 12). Why big companies buy, sell your data. Retrieved 2017, from CNN: http://edition.cnn.com/2012/08/23/tech/web/big-data-acxiom/
20.Paz, R. D. (2016, August 24). Pokémon Go Accounts Targeted by Bogus Pokémon Go Bot. Retrieved 2017, from Fortinet: https://blog.fortinet.com/2016/08/24/pokemon-go-accounts-targeted-by-bogus-pokemon-go-bot
21.Rheingold, H. (1991). Virtual reality. New York: Simon & Schuster.
22.Rubin, P. (2016). AR, VR, MR: Making Sense of Magic Leap and the Future of Reality. Retrieved 2017, from https://www.wired.com/2016/04/magic-leap-vr/
23.Shatte, A., Holdsworth, J., & Lee, I. (2014). Mobile augmented reality based context-aware library management system. Expert Systems with Applications , 41 (5), 2174–2185.
24.Smedinghoff, T. J. (2011). Introduction to Online Identity Management. Colloquium on Electronic Commerce .
25.Steel, E., Locke, C., Cadman, E., & Freese, B. (2013, June 13). How much is your personal data worth? Retrieved 2017, from http://ig.ft.com/how-much-is-your-personal-data-worth/?mhq5j=e5
26.Tiwarkhede, A. A., & Kakde, V. (2015). A Review Paper on Big Data Analytics. International Journal of Science and Research , 845-848.
27.Tynan, D. (2017, June 9). Augmented reality could be next hacker playground. Retrieved 2017, from https://www.the-parallax.com/2017/06/09/augmented-reality-hacker-playground/
28.Witmer, B., & Singer, M. (1998). Measuring presence in virtual environments: A presence questionnaire. PRESENCE: Teleoperators and Virtual Environments. Presence , 7 (3), 225–240.
29.Zhou, F., Duh, B. I., & Billinghurst, M. (2008). Trends in augmented reality tracking, interaction and display: A review often years of ISMAR. 7th IEEE/ACM International Symposium on Mixed and Augmented Reality (pp. 193–202). IEEE Computer Society.