ENISA, the European Network and Information Security Agency, has just issued a Position Paper following a study of criminal activity involving on-line "virtual worlds" (MMOGs). Criminals have quickly realized that there is real-world value to virtual-world assets, and have employed various ways of extracting that value from unsuspecting gamers.
The paper notes that "criminals are increasingly exploiting cross-over points between virtual and real-world economies. It is the failure to recognise the importance of protecting the real-world value locked up in this grey-zone of the economy which is leading to the 'year of online world fraud.'" The paper divides the criminal exploits into three categories: (1) identity theft; (2) taking advantage of flaws in the virtual-world economies ("illegally" duplicating or creating virtual-world objects or wealth); and (3) in-game theft (stealing virtual assets from in-game characters).
The paper makes a number of recommendations, of course, many of which boil down to shining a light on the criminal activity and educating the public about the risks associated with participating in virtual worlds.
As for what it calls "Corporate Virtual Worlds," however, the paper notes that there is very little research on the security of those worlds. It recommends that "enterprise-critical data should not be processed within a virtual world that is not entirely under the company's control and that no client or server beyond a protected local area network, administered by trusted parties, should be used." That's a caution worth heeding if your company is considering setting up shop in Second Life or a similar public on-line world.
Here is the press release summarizing the paper. Thanks to The Register for the post on this one.