Linden Lab in another data security breach. Possibly payment details, definitely cardholder name and email address

Linden Lab has outsourced the processing of payment details to a company called Dragonfish, who claim to be “The Leading Provider of Online Gaming Solutions”. How true this claim may be is for others to decide, but one thing is certain: they appear to play fast and loose with their customers’ credit card data.

Apparently Dragonfish/Cassava Enterprises (the parent company) passes at least the card holder name and the email address to other gambling sites. This has been confirmed by people who have received spam email for gambling sites at email addresses that are only used for Second Life purposes*. More worrying is that card holder names are also being passed. This claim was made by someone who received a spam email at the address used for their Second Life account, yet addressed to the card holder name, which belonged to someone who had allowed them to use the card to make payment to Linden Lab*.

Added to this was the extremely poor method of verifying a card holder. All reputable payment processing organisations use the card verification plugin provided by the credit card company (think “Verified by Visa” and the rest), but not Dragonfish: they send emails with the following text* before they even use the security provided by the card companies. This of course is unnecessary, as the card company is best placed to verify the card, so the question arises as to why this effort is being spent on obtaining copies of the card.

(*to view links marked * you need a Second Life account and be logged into the forum.)

Operations Department – Second Life to me
2:48 PM (2 hours ago)

Dear Resident,

I am Paramjit B. from the Operations Department at Cassava Enterprises (Gibraltar) Ltd. I am contacting you with regards to your Linden Lab account with username “(name redacted)“.

As part of our continued efforts to provide confidence and security for all of our members, we will always seek to verify the ownership of any credit cards used to make a deposit. As such your account may experience enhanced security steps at deposit stage, including processing through Verified By Visa or Mastercard Secure.

To process your deposits without this requirement and in order to become a fully verified customer, please send us the following documentation –

–  A photocopy of your credit card ending # 0479 (front & back)
–  A photocopy of your national identity document such as an ID card, Passport or Driver’s License

These documents can be sent to us by you uploading them through the link:

http://secondlife.com/my/account/billing-verification

Please copy and paste the above address directly to your web browser. You will then be prompted to enter your username and password. You will then be guided through a simple process to upload the requested documentation.

Please note that to ensure the security of your documents we have implemented powerful security policies, rules and technical measures to protect the financial security of our Residents. However, please make sure that you block the middle 8 numbers of any credit/debit card uploaded and also block the CVV (3 digit code) on the back of such cards.

If you have any further queries with regards to our requests please review first our Frequently Asked Questions, located on the “Contact Us” tab of the website. Here you will find all the information on why we routinely request documents, how it is possible to send these documents, and the type of documents that we will accept. All these questions and more are answered by typing in the relevant key words to the Frequently Asked Questions search option.

Many thanks for your continued patience and co-operation in this matter.

Regards
Paramjit B.
Payment Operations
Second Life

I did smile wryly at the claim that they have “powerful security policies” when they then ask you to remove some of the card details and, in breach of best practice for financial services, provide a link to the web page to upload the documents.

Neither Linden Lab nor Dragonfish has ever provided details of their customer data handling procedures. If you ever send sensitive documents like this to Linden Lab, you have no idea what becomes of them, for example:

  • who has access to the data? (apparently everyone by the look of it),
  • if the information is printed out, how is it disposed of?

This is a concern as Linden Lab has had data security breaches in the past which they never advise their customers of. Those we do know about range from the wholesale breach of the database in 2006, which resulted in everyone being advised to change their password, to last year, when accounts were compromised but only those affected were notified when they tried to access their account. Given those breaches and the doubts (now realised with this Dragonfish leak) about their commitment to protecting their customer data, giving Linden Lab your data is a risky business and, on the balance of probabilities, sending them copies of your ID is foolhardy.

It’s been 8 months since full payment options were available to Second Life users. Apparently Dragonfish are having problems delivering the solution. If Linden Lab were anyone else, the fact that their new supplier of services had effectively stopped some overseas customers paying them would have been a big deal. Linden Lab appear to be fine with it, apart from reinstating PayPal payments last week after some pressure and bad publicity caused by people losing their regions and accounts because LL did not provide a mechanism for their customers to pay them. This project seems to continue to meander along with a possible release date of this month, yet as usual the Beta deployment isn’t even what would normally be considered Alpha, let alone fit to be deployed for customer use, given the sensitive nature of the transactions.

Will I use local payments when it’s finally released? No. If I ever have to add new payment details and Dragonfish is the only choice then I won’t be doing it. There’s nothing I need in Second Life that would make me provide my details to a site that cannot keep the financial data secure.

How will you know if your data has been compromised?

You can’t really. If you live outside the United States, and in particular in Europe, and have recently used Linden Lab’s local payment option (new accounts apparently were forced to join the beta test for this, for the rest it was “voluntary”), it is very likely that you have had your credit card details compromised. There will be a couple of indicators that arouse your suspicions.

  • You should have received spam emails from gambling sites.  Although, if you use a provider such as gmail, yahoo or hotmail you may not have received them as the spam filters
  • You may see unusual transactions on your card statements

What you can do

  • Check your spam folder to see if you’ve received any spam emails from gambling sites
  • You should check your card statements, and
  • Consider making a complaint to your local data protection commissioner.

Here is the link to the European Data Protection authorities: http://www.dataprotection.ie/ViewDoc.asp?fn=%2Fdocuments%2Feuropean%2F6f.htm&CatID=37&m=i

Here’s the UK one: http://www.ico.gov.uk/complaints/data_protection.aspx

How do I know if my problem is a data protection problem?

You might have a data protection problem if any of the following apply to you:

  • You have been denied any of your rights, including your right to see the personal information an organisation holds about you.
  • Personal information about you is used, held or disclosed:
    • unfairly
    • for a reason that is not the one it was collected for, or
    • without proper security.
  • Personal information about you is:
    • inadequate, irrelevant or excessive
    • inaccurate or out of date, or
    • kept for longer than is necessary.

I’ve highlighted the relevant reasons for the complaint.

Dragonfish has a UK office, so you may also like to lodge a formal complaint with them.

Dragonfish UK

20 Thayer Street
London
UK
W1U 2DD

As always, carefully think about the information you provide to Linden Lab.  The risk of it being accessed by unauthorised people appears to be continuous and real.


Second Life, the Dash Deal and You. Welcome to the virtual Walmart

The cynic in me choked a little more when I finally read the details of the Dash Deal.  For those of you who are blissfully unaware of the term, it’s the latest marketing ploy from Linden Lab to try to make Second Life look popular and to use the social media version of recommendations to snare the unwitting.

The deal is classic marketing for all the wrong reasons.

For a start, it isn’t aimed at the user base in general. The aim is to get current users to either like it on Facebook or to friend on Twitter – if you don’t want to do either then you miss out. Bad luck for those who would prefer an email in their inbox or even to join an inworld group and get the group notice. They do claim there’s a weekly email that will go out as well, but I’m betting it will happen well after the event, as usual only go to a subset of users and probably will say something like..  “see what you missed??  Give yet more data to Facebook that we don’t even get to see and as a bonus to us, show the rest of the Facebook universe that the 100,000 odd likes we have on our page weren’t actually bought in the same way others buy backlinks for their web sites.”  OK, paraphrasing here, but certainly having to like the Facebook page or friend them on Twitter has absolutely nothing to do with binding users a little more strongly to the platform and everything to do with cheap marketing and demonstrating just how unsuitable Second Life is for people who like social media. It’s certainly not aimed at those who don’t use the marketplace because of course the deal isn’t available inworld.

The way it works for content creators is simple: in exchange for your item being publicised in this supposed email, on Twitter and on Facebook (via a link only, not even a pic by the look of it), you must reduce your price by 50% for the 24hr period as well as write the copy for the ad and provide the pics (with Linden Lab then making any modifications they see fit without your subsequent approval), and on top of the 50% reduction you must give half of each sale price to Linden Lab. The benefit is brand awareness, (in theory) at least 4 times the number of sales you would otherwise have had on the item and possibly some repeat custom later on. As the businesses who have used Groupon-type sites have discovered lately, the last one is rare but they do have people who will continually take advantage of the loss leaders – which means that the marketing is not value for money.

And the really sad thing? It amply demonstrates that when everything is said and done, Linden Lab’s values are as shoddy as ever and they still haven’t learnt basic PR and customer communication. I’m beyond tired of Linden Lab positioning Second Life as something even less worthy than being the Wal-Mart of virtual worlds. Always cheap, always seeking to exploit its content creators in particular and its userbase in general and always appearing to go out of its way to not deliver anything that we’d recognise as a benefit. If it goes well? Well, that’s not happened in Second Life. If it’s gone badly? Well, blame the users as that’s what we asked for. It’s funny that I don’t ever remember asking for each deliverable to be a shoddy piece of shit but there you go, some of us must have.

I despair when I see Linden Lab demonstrating such a lack of understanding of, or confidence in, their product that they can only position Second Life as a more immersive YouTube, or dress up your Barbie doll and do lifestyle of the rich and famous in 10 minutes. Linden Lab certainly has become more sophisticated in exploiting its userbase. It really does leave a sour taste in the mouth.

As a little ray of light though..  Here’s a screenshot of the comments so far.  Of the 33 Likes for the post, 12 of them are liking various comments pointing out how unseemly the Dash Deal is and only one out of the 9 comments is positive.

I bet Linden Lab will be glad when the likes of me finally give up on Second Life completely. It must be so irritating having people who remember when there were more usable features and still hold out hope that one day Linden Lab will actually see us as customers to be cherished rather than a resource to be disregarded, except when useful.

What do you want to see in Second Life in two years’ time?

Our new leader wants to know what we’d like to see in 2 years’ time

TMJ: We don’t want this to be entirely one-sided. What are we – as users and customers – not asking you about that you’d nevertheless like us to hear?

I will read the comments to this interview, what I would most like to know is this: In 2 years time what would you most like to be doing in Second Life, and how would you like to be doing it? The answers to that question would be very helpful indeed.

 

Here’s mine.

  • Stop using mainland as a test server – spend the money and the time creating a proper test environment
  • Make support actually do what they are supposed to – the frontline chat works adequately but the support tickets processing sucks. Processing tickets may not be sexxxy to your employees but it helps to keep around the people paying their wages.
  • Fix inworld search. Just admit GSA6 was a bad decision and move on.
  • Fix the marketplace. It’s borderline unusable for merchants and customers don’t fare much better. 
  • If you have a policy, actually implement it.  A tough one I know but pretty well every other organisation manages it. 
  • Fix the maturity ratings issues. If someone only wants to search in one rating they should only see returns that are:
    1. relevant
    2. on parcels with that rating

    Currently it does neither for listings or classifieds.

and the only bit of advice I’m going to give…

Understand the difference between social media and virtual worlds.  Second Life has always been cruelly deficient in social media tools – much to its detriment.  The current social media tools out there don’t cut it for what your current customer base want and need.  So, don’t be afraid to look at the current tools and take the best bits to create a version we will use inworld and revisit Avatars United in that light.

How I saved money in Second Life.

At the end of last year I spent some time away from Second Life – almost 4 glorious months in fact.  I did have to go in at least once a week to deal with the store but apart from that nothing.  I discovered that the longer I spent away from it the harder it was to force myself to log in, I was fine once I was in but eager to leave.  During that time I stopped caring about most sl things; search, the marketplace migration, the instability of the platform – even the closure of the business I used for my network vendors had a care factor of virtually zero.   It truly was a beautiful time.  I do enjoy being a virtual goods retailer but Second Life being what it is, everyone needs to come up for air and get some perspective sometimes.

Then just before Christmas I realised just how much I was neglecting it and I thought I should get back into it, so I went back to the workroom and started building.  Since then I’ve surveyed my *cough* empire and was shocked at the reality of how Linden Lab are implementing their objective of streamlining their world.

  • I’ve discovered that search inworld has been optimised once more, in fact they’ve optimised it so much that some of my smaller stores can never be returned in search.  So I’ve taken them out of search, cancelled the classifieds and am in the process of removing them and selling the land.
  • I’ve rediscovered that one of my larger parcels still doesn’t appear in search.  That classified is quite expensive but I’m almost at the stage of pulling the plug on both the parcel listing and the classified. The parcel listing drives traffic more than the classified.  LL won’t refund me for all the money wasted so far and I got tired of live chat telling me to tweak it/wait for the latest update/give it a few more days. 9 months is more than enough time to fix it and they haven’t so I can only assume they don’t want that business.
  • I’m on a version of the rc server code and I’m tired of people IMing me to say that they have an account stuck on the region/haven’t received their purchase from one of my vendors.  I’m also tired of the rolling restarts that seem to be endemic at the moment on that poxy rc.  Do you think I can find out how to get off it?  live help could only suggest I put a ticket in to ask, which of course Linden Lab have promptly ignored.
  • Inworld search is so poorly built that it isn’t even capable of keeping the returns filtered by maturity rating, add that to their inability to get some listings to actually show in search at all and to apply their relevance weightings in a manner that a reasonable person would consider logical. The only thing you can say is that it ticks the fail box.
  • Then there’s the marketplace.  The merchant back end is still at fag packet prototype level and the relevance function is once more embarrassingly bad.  I finally relisted all the items that were corrupted by the migration but now each time I make a change they lose their relevance position and of course don’t have the old xsl data which looks like it is used in the relevance calculation.  

Despite this I spent the last week considering expanding as I’ve run out of prims at the mainstore and need a new full prim region and a couple of homesteads. 

So I did some pros and cons – here’s the list:

Pros

  • I can keep releasing items. 
  • I can make the store more visually attractive and easier for shoppers to find what they are looking for.

Cons

  • I’ll be paying an extra $545 per month on top of the purchase price and there’s no guarantee I’ll see a commensurate increase in sales.  
  • I can’t divide the regions into parcels as smaller regions are penalised in search, so it makes it pointless to try to cleanly target different markets
  • There’s no guarantee Linden Lab won’t stop tinkering with inworld search or the marketplace.  Last year I found out how much of my sales depend on visibility in search and in the marketplace.  I was pretty shocked at the percentage.  The risk of a recurrence of search failing to deliver relevant results is high and the amount of effort required to keep on top of their latest changes via reverse engineering (because God forbid they ever tell us what they’ve done) and then adapt to the change before they change it again is too time consuming for no real return.
  • Concurrency and demand for Lindens is reducing. Less money and fewer people means less opportunity for sales.
  • I can’t even be assured that I’ll appear in search.

Now, I really do want to expand, despite the list.  So I went to the land page and there was a button that offered me a human to chat to about it.  

Want Help?

Land specialists can answer your questions.*

*(Available Wed-Friday 8am-6pm Pacific Time)

As you can see, they’re only available a few days a week, but my luck was in: I was looking at the page at a time when these humans were supposedly there. So I clicked the link, thinking that just maybe the human would say something that might give me the confidence to go ahead and buy. A discount would have been nice, but I’ve been in SL so long that I know better than that. Still, I wanted to try; even an offer of something like actual attention to my tickets and resolution of the search issues I may encounter would have been enough.

Anyway, I clicked on the link and it came back “page not found”.

Sums it up really

So, here’s what I’ve done.

  • I’ve cancelled the parcel listings and the classifieds for the smaller plots that are no longer returned in search. 
  • I’m going to close them and sell the land. I toyed with buying a 1/4 sim on mainland as a sop but the fact they’re all RC is enough to put me off that.
  • I’m not going to expand – Once I can no longer remove prims to make way for the new releases that will be it.

Which means..

  • LL have lost at least $6540 USD plus sinks per year (I was planning on converting the new homesteads to full prims later in the year as part of the growth plan, which would have upped the overall take – assuming they could do something as simple as upgrading them)
  • I’ve gained many hours in my day as I don’t have to spend all that time setting up the new regions
  • and soon I won’t have to worry about creating anything as there’ll be no room to put it

Pretty well any other B2C outfit would have been all over me at the thought of generating that kind of income, then there’s Linden Lab.  I suppose Linden Lab think they’re creating the new paradigm for self-confessed successful online businesses that in reality are struggling –  Don’t provide service, look amateur, deliver  a shoddy product, pretend the customer doesn’t exist when they ask for help via the support they supposedly pay for and better still, ignore the key drivers for your business and make it as hard as possible for your users to use your service.

Why do they do this?  Are they really so ignorant of the underlying drivers for their world?

The lessons from Blue Mars

I’ve watched the development of Blue Mars down the years and felt a tinge of sadness with the announcement yesterday from Avatar Reality, the owners of the Blue Mars platform, that development of the pc platform for Blue Mars has effectively ceased due to a change of direction towards the mobile market.

So far the blogosphere has been discussing the technology failures of the platform. Yet the failure was even earlier than the choice of technology: they identified the wrong market and initially designed their system around delivering for that. The initial push was towards large organisations with professional developers creating what I call “show-and-tell” content, designed along the lines of websites where you would use the equivalent of a Google search and go to what was effectively a stand-alone environment for a look. It was never designed to attract consumers to set up home or become in any way attached to the platform or their avatar. From what I remember of the early days there wasn’t even a basic inworld communication system between avatars. It wasn’t an oversight; they openly said that was a deliberate design decision based on the approach they were taking. Consumers were completely out of the equation.

When the content creators from Second Life moved over in early 2009 the limitations of the design were revealed.  Early on there appeared to be a tension between what the creators wanted to do with the platform against how Avatar Reality envisaged it being used. Eventually it settled down and Avatar Reality did attempt to deliver what was needed to turn the platform to a more consumer focussed environment but it was really too late – the basics came slowly and they missed the boat with capturing the imagination of those consumers who did come to check it out.  The bar is higher these days, I suspect most early adopters come from Second Life or other platforms and expect a basic level of functionality and experience – shopping, ease of use and avatar customisation are a requirement – no matter how rudimentary.  Without those, there’s no reason to stay and on the whole they didn’t.  Without content creators, consumers are bored and without consumers spending there’s no justification for content creators to invest time and money in the platform. A vicious circle for a start up.  Jim Sink, the now ex-CEO of Avatar Reality, said in his final public meeting that they acknowledged that the lack of social tools hindered user take up and that the current pc platform technology is just not flexible/cheap/easy enough to deploy for them to deliver what was required within the financial constraints.  Again the tension between what they originally envisaged and the reality of their actual market is apparent in his statement that despite their QA, user content creates platform instability and that will increase now they’re reducing the QA oversight.  

So, finally the investors got tired of waiting for their investment to show a return.  50% of the staff are now redundant and Avatar Reality has changed tack and have moved to the more traditional role of almost full control over the platform and content and gone for the current next big thing. Whether their staged approach will work is another matter.  Having an avatar in a room that you can dress up and not do anything else with is probably not a great intro to the potential of Blue Mars but I’m not a Facebook app fan so I have no idea how basic the apps are that appeal to the masses.  I don’t think Blue Mars has enough customer goodwill to be able to overcome the initial limitations it is handicapping itself with in this rush to move into the mobile market and I still don’t believe Avatar Reality understand consumer behaviour or needs.  I suppose we’ll know soon enough, since they plan on launching in February on Apple.

It’s funny, but I came away from listening to Jim Sink with the distinct impression that although Avatar Reality is slick and professional, they just don’t understand the consumer market, which is why they couldn’t capitalise on it for the pc platform and may actually be the reason why they fail again with the mobile platform. Doesn’t that failure to understand sound familiar? Yet I think it’s a good demonstration of why Second Life still survives. Linden Lab aren’t the barrier to Second Life that Avatar Reality were, so up to a point we can work around Linden Lab and their failures to support us. We can create content despite the instability in the platform, we can interact and generally live our virtual lives – despite their best efforts to get in our way. That is the key strength of Second Life and is reinforced yet again with the failure of Blue Mars. Let’s hope Linden Lab learn that lesson well.

Second Life ecommerce leaps to the 21st century. Is it the end of inworld retail as we know it?

From around 2001 when internet shopping was first moving into the mainstream until around 2006, there was a steady drip of press articles talking down internet shopping.  From the (real) fear of fraud to the belief that people always had a desire to see the item before buying, the mainstream media kept shaking their heads as web shopping became more and more popular.   The impact of the emergence of internet shopping is still being felt as some traditional bricks and mortar traders find that their business has effectively moved to the internet and their high street stores have become an overhead that makes them uncompetitive enough to put them out of business.

What has this got to do with virtual worlds and virtual goods shopping?  Rather a lot.

The open-endedness of Second Life has meant that people have built what they know. This is particularly true for retail. Those who have flourished in Second Life have done so because they’ve taken the basic retail behaviours and adapted to the limitations of the platform. The key driver (excluding word of mouth) of Second Life retail activity has always been inworld search, and when that, combined with the ever-present lag, proved to be a poor tool for retail, consumers moved to the blogs and the shopping sites for information. 12 months ago a survey of Xstreet users by Linden Lab showed 75% of people used Xstreet to find items before going inworld to view and/or purchase. A staggering indictment of how unsuitable the inworld search tools were for the preferred shopping behaviours of their customers.

Three months ago Second Life was a mirror of the retail world circa 2001, if you wanted to find something you’d either slog around the grid using search (think of driving around town with the yellow pages) or would use the internet to find a shop then go there to see the range.  

2010 was the year of content creators according to Linden Lab in February.  After they’d released the new viewer, their next step was to concentrate on retail.  It was due to deliver in Q3 2010 and it did.   

With the release of the new shopping portal and the constant issues around inworld search since March, we’ve jumped forward in time to 2010. Without any current figures, my guess is that the proportion of marketplace browsers to marketplace purchasers has decreased. From a shopper’s perspective this is good and is long overdue, and it brings consumer shopping behaviour for virtual goods closer to their real life experiences with sourcing and purchasing. It’s taken close to two years but the market that Onrez served so well and were has finally been catered for again and the results are impressive.

Indications are that the shakeout is about to begin.  With the changes to inworld search and the marketplace, the desire of Linden Lab to force inworld consolidation is mirroring their objective with estate landlords and is finally moving to fruition.  In retail’s case, those with large land holdings will still have their inworld presence and smaller, specialty retailers will move to the web.  The problem for Linden Lab may well be that yet again their view of what is best for Linden Lab doesn’t coincide with what is best for their bottom line. 

We shall see.

I’ll digress for a moment and say that the Second Life Marketplace deployment is the worst software deployment I’ve ever seen in all the years I’ve been involved with IT. The original design and ideas were spot on, as we’re seeing now, but the execution, particularly since the termination of Melinda Byerly’s employment, has been astoundingly poor even by Linden Lab’s low standards.

The rumour mill says Linden Lab will file for bankruptcy. It’s probably more true than not.

I was just finishing off a post explaining just why the rumour I read yesterday that Linden Lab was about to file for bankruptcy was unhelpful and untrue speculation – despite the reduction in support and all the other things that have been going on with Linden Lab that have given the impression that the company is going out of business..  then I saw this.

Why does Linden Lab constantly snatch defeat from the jaws of victory?  From the deluge of users they cavalierly despised and ignored back in 2006, viewer 2, xstreet to slm migration, zindra, homesteads, AU, the approach to reducing the number of smaller estate owners via the deluge of around 500 regions via the Atlas programme and finally kissing goodbye to all but the most passionate and monied educators and non profits with the tier increase next year..  I’ve always despaired at how totally wrong LL seems to get things.  Now it looks like it’s all coming home to roost.

I desperately hope I’m wrong but the signs aren’t good.  I thought we might have another 12 months left but perhaps my original thought that they wouldn’t last until Christmas really was more accurate.

This is completely down to poor judgement on Linden Lab’s part.  I really could give them a slapping.