What Blizzard Doesn't Want You To Know - Part 6
Those "Fraud Manager" job results are slowly disappearing from Google, so I took some screenshots before they're gone forever. :)
Screenshot #1
Screenshot #2
Screenshot #3
Screenshot #4
Screenshot #5
I'd like to keep atleast some evidence that they did at one time exist, especially because so many people said it didn't exist and then proceeded to insinuate that a Tin Foil Hat was needed. :P (Even with all of that other supporting documentation that I provided.)
Funny that Blizzard is suddenly removing all of those posts.. I guess my post must have hit a nerve somewhere? =] I don't think it's really that big of a deal though, I was just trying to make a simple point that no business is 100% secure and fraud incidents can either be internal or external.
Some were taking the post a little extreme, "It's a conspiracy!!!". But I think it's just because they've never heard of it before and don't realize just how common internal fraud is.
So to clarify: Don't worry, it's actually no big deal - this happens EVERYWHERE. You've just never been aware of it. =]
I've worked with several Fortune 500 companies and every single one of them has some form of fraud. Whether it's physical theft of office supplies, theft of credit card numbers, theft of virtual property, account details (for harassment purposes) or theft of company information (corporate espionage), it can happen and does happen. It also depends on the employee's position, moral character, security rights, skills and data that they have access to. (For example, a Billing Representative might have access to credit card information, but not virtual account details.)
"The U.S. Chamber of Commerce estimates that 75 percent of all employees steal at least once, and that half of these steal repeatedly. The Chamber also reports that one of every three business failures is the direct result of employee theft. According to the U.S. Department of Commerce, employee dishonesty costs American business in excess of $50 billion annually. It can happen in your company." Source)
Hell, even Mark Zuckerberg (you know, the Facebook CEO) bragged about reading private information and using the details for personal gain or entertainment.
There's no big conspiracy, this is all just stuff that happens in every business (but they don't want you to know about it).
- No, Blizzard is not in cahoots with gold sellers.
- No, this isn't a marketing scheme to sell authenticators.
- Recruiting is not a perfect science and sometimes Blizzard may hire bad apples. It's hard to filter the good vs. the bad.This happens in every company.
What Blizzard Doesn't Want You To Know - Part 5
Argument #4: Blizzard does not employ fraud specialists or fraud managers, that's just conspiracy talk.
Here's my favorite Blizzard posting from Faizaniel.
Apparently, I am 'trying to make some kind of conspiracy theory about Blizzard recently having a job listing up for a "fraud manager".'
Faizaniel, by the way, is one of Blizzard's Most Valuable Posters (apparently #1 of all MVPs)! His position is described as someone who consistently answers Blizzard questions with accuracy and credibility. MVP's also promote constructive posting, are polite, they tell the truth, and that they're specifically chosen due to their strong knowledge. Interesting..
Anyhow, here's the official Blizzard posting for the job that doesn't exist. =]
Fraud Manager at Blizzard Entertainment(Google cached search still shows it as of this blog post date.)
Location: Irvine, CA (Orange County, California Area)
URL: http://www.blizzard.com
Type: Full-time
Experience: Mid-Senior level
Functions: Finance
Industries: Computer Games
Posted: April 20, 2010
Job Description
Blizzard Entertainment has an immediate opening for a fraud manager with a minimum of five years experience in this type of position. Duties will involve investigating credit card accounts in order to detect and stop fraudulent activity while preventing chargebacks and consumer disputes. Additional duties include calling issuing banks and customers for transaction verification, reviewing account referrals for fraudulent activity, and replying to third party inquiries.
Responsibilities
Closely monitor fraud attempts and losses.
Regularly and proactively analyze fraudulent transactional data to identify previously unknown groups or individuals.
Identify trends, standard practices, and modus operandi of fraud groups and individuals.
Utilize advanced relational database, link analysis software programs, SQL and access to create and run queries to determine fraud trends, identify fraud rings, and link unidentified transactions and accounts to known fraudulent activity.
Monitor investigations and deal directly with law enforcement as necessary
Maintain standard reporting metrics and provide non-standard management reporting and metrics as required.
Requirements
Minimum of 5 years related experience, preferably within a corporate/private setting focusing on fraud prevention and investigation, Ability to maintain extreme confidentiality, SQL or other relational database query language skills, Excellent organizational, analytical, and written/verbal communication skills, Ability to work independently to achieve results, Basic technical understanding of data and data storage, Basic understanding of credit card processing flow, payment fraud, the travel industry, e-commerce, and the credit card industry, Strong project and time management skills, Proficient internet research, Excel, Word, Outlook, and overall PC skills, Successful completion of a background check
Pluses
Degree in criminal justice or a related field
Experience in e-commerce
Experience utilizing internal fraud tools, system/site administration tools, and CRS or GDS systems
Job ID: 933896
Apply on Company Website
The job posting was previously on the Blizzard.com Careers page, however it was quickly removed after my Reddit comment on this post regarding the position and what the job entailed. The posting was available on about 10 different (and highly recognized) job boards, and they were all posted at different times & dates. The "Fraud Manager" position was also posted 'new' on June 16, 2010 - however ALL references to this fraud manager position were removed just after my post. It's definitely eyebrow-raising.. I could understand if they expired automatically, but they were posted at different times and the fact that one job posting was pulled after only 2 weeks is highly suspicious. =]
At the time, I thought it would just be interesting to talk about the jobs available at Blizzard, and what that says about the company and internal operations. If I had known Blizzard was going to delete all references to their fraud-related internal investigations team - I would have taken more screenshots.
(FYI: There have also been postings for internal affairs and fraud specialists over the past year or so, in addition to the recent "Fraud Manager" job.)
Here are some other jobs that Blizzard has hired for in the past by the way:
* Facilities Manager & Facilities Coordinator -> hmmm, I guess that means their sites need to be managed (clean up, repairs, construction, etc.)
* IT Administrative Assistant -> IT Managers do a lot, and they sometimes need help
* Human Resources -> workers compensation, special needs, employee disagreements, personnel/HR related issues (assault, harrassment, etc.)
* Senior HR Generalist
* Company Nurse -> accidental injuries, general health management, emergency response, paper cuts, etc.
* Human Resources Generalist -> more HR related jobs
* Recruiter -> the ones who screen you first, first line of defense and IMHO one of the most important jobs in a company to ensure you hire the right people
* Specialist, Learning & Organizational Development -> internal training, company advancement, etc.
* Internal Affairs Representative -> monitoring the employees for fraud/theft/policy violations
* Team Manager, Internal Affairs -> managing, coaching, and approving overtime for the investigation teams
(Sources: Nerd Dungeon, Archive.org)
In the end, the point I'm trying to make is this: Blizzard hires individuals to fill a need in the organization. One of those needs is to prevent, monitor, and investigate fraud within the company.
Prevention involves implementing security measures and software to prevent fraudulent activities, as well as creating effective internal policies (with follow up enforcement and education.) However, monitoring and investigations (this is their job responsibility) are both POST-incident activities. In order to catch someone in the act (monitoring), you need see the incident occurring and action. If the fraud activity is not caught but there is evidence, then it's fully investigated (reports, logs, paper trails, speaking to users involved, etc.)
So, they are hiring Fraud Specialists whose duties are to investigate fraudulent incidents that have basically already taken place. Therefore, this isn't really a "preventative" position, as that would fall under the scope of InfoSec / IT Security / Applications Development.
Note: When there is a billing accident (e.g. Blizzard bills you twice), that's not corporate fraud - that's just a simple mistake. Once you alert a Billing Representative, they can quickly and easily revert the charges for you. Although some people care calling these billing mistakes "fraud", it's far from it.. the Billing Department fixes these, there's no need for a fraud investigation to take place. When actual fraud occurs there are two things that happen: internal fraud or someone external trying to defraud Blizzard. What's important to note, though, is that the "Fraud Manager" description does not mention working with Credit Card companies, but it does mention dealing "directly with law enforcement" and the utilization of "internal fraud tools and system/site admin tools."
One other interesting item is that one of the primary skills required for this job is the "Ability to maintain extreme confidentiality." This makes it very difficult to obtain information on the position, but here's a couple Blizzard employees I found that were previously in the Fraud department:
Ian Wynne, Fraud Specialist - Source: http://www.linkedin.com/in/ianwynne
Interesting notes I learned from Ian:
* the "Fraud Specialists" title is kept out of public eye, instead they are called "Billing Representatives" in official announcements & postings. (See "Reputation Management".)
* there are multi-millions of yearly loss due to internal fraud.
* there's a Global fraud team. (See "Data Breach Notification laws", based by country.)
Andrew Bellinger, Internal Affairs - Source: http://www.linkedin.com/pub/andrew-bellinger/a/209/867
Interesting notes I learned from Andrew:
* moving up quickly within the company, do I see senior management in his future? =]
* his job description was later updated to show "Internal Affairs work." Note, that's "internal affairs" not external investigations.
Additional details on Andrew show that his position is called "Internal Affairs, Account Administrator". Take note that he investigates internal employees for infringement of company policies. (Many people are still in complete denial of this, but it's very common practice in both Blizzard and other corporations - they need internal security teams to monitor their own employees for policy violations like theft of property or information.)
Patrick Nagel, Internal Affairs Representative - Source: http://www.linkedin.com/pub/patrick-nagel/20/3b4/986
Interesting notes I learned from Patrick:
* the "Internal Affairs" position involves documentation and maintenance of records about their internal employees.
* there are external information leaks, which he also investigates.
* there is large scale exploitation and collusion. This is actually pretty serious, and means that there are massive cover ups and conspiracies taking place within the organization (really though, a conspiracy is just 2 or more people working together to some end.)
* also note that large scale exploitation wouldn't mean the occasional player exploited the game.. this is large scale exploitation within the organization (ie, theft of information and exploitation of said information)
* there are internal investigations and reports of external impacts due to internal activities (e.g., fraud, theft & selling, etc.)
Stefan Modh, Internal Affairs - Source: http://ie.linkedin.com/in/stefanmodh
Interesting notes I learned from Stefan:
* he's on the Internal Affairs team that monitors Customer Support departments who are responsible for support WoW and SC2 customers.
* he works out of the call center in Ireland
Addendum:
- To the Blizzard employees reading this. I'm sorry guys, but as a result of this posting you may see more stringent policies regarding information that you can post publicly. For example, certain job titles can no longer be posted on LinkedIn, etc.
- Even with this overwhelming evidence, it boggles my mind that many people are still convinced that internal security positions within Blizzard do not exist, or they tell others that "internal affairs" means investigating players for hacking, botting, etc. It's normal for businesses to investigate and monitor their own employees, especially if they have access to account or credit card information. Anyone who has worked in a corporate environment knows this. Unfortunately, there's a false belief (complete denial?) that Blizzard employees can do no wrong. Were you aware that most "Blizzard" customer support staff are in fact outsourced to overseas call centers (ClientLogic / Sitel) where they're paid poor wages? Surprisingly, most players are not aware of this.
Click here to read the rest of the series.
What Blizzard Doesn't Want You To Know - Part 4
Argument #3: Blizzard’s systems are foolproof, it’s impossible to compromise their database.
"To date Blizzard's systems have not been compromised at all. They are absolutely vigilant about their systems 24 hours a day. They have teams in place to monitor this every single second of the day."
Really? Come on.
I have to roll my eyes every time someone makes this comment, and I think it would be insulting to the intelligence of you readers if I were to link to any of the millions of research papers that address this silly misconception. In any field, security is actually a degree of security.. several measures and processes need to be implemented in order to further protect an asset.
Speak to anyone in IT / Security circles, and they'll all tell you the same thing: nothing is foolproof & nothing is perfectly secure. The Martin Fury internal affairs investigation comes to mind. And, the WoW Authenticator was also once described as fool proof.
Since I'm specifically interested in public Blizzard information, though, let's take a look at something that their official representatives have to say on the subject:
Here are the most interesting take-away's from this post:
"To date, Blizzard Entertainment has not been compromised"
"an inside job is not easy to perpetrate"
"in addition to oversight, there are substantial and multi-layered safeguards in place"
When the OP wrote "All I'm expecting is for people to at least open their minds to the possibility...", Malkorix's response was "When logic is applied, I'm afraid that is is your presumptions that are ruled out =/."
"Of course no system is perfect - but that's why there are multiple layers of protection."
"Regardless, while I'm not in a position to determine the precise origin of your compromise"
To summarize what was said:
"An inside job is not easy, but also not impossible."
"Blizzard has not been compromised, but no system is perfect and I wouldn't know if it happened or not anways.. I'm not in a position that allows me to access those details." (Holy contradiction Batman!)
GMs, phone support, and CS Forum Representatives (such as Malkorix) don't operate in the same circles as the finance, IT/Security, and investigative teams. Investigation details are above his pay grade, and private information in regards to breaches or fraudulent activity within the company are kept private and confidential. I guess you could call this "plausible deniability" - no GMs/Forum reps are aware of any fraudulent activity, hence "to date, it's never happened within Blizzard." =]
Finally, here's a another tid-bit of information from Snowfox that explains "foolproof" systems:
Breaches, theft, fraud, employee terminations, employee health details, data loss / outages, system crashes, employee issues, assaults, investigations, etc. are all private and confidential information internal to every company. Unless there's a law requiring so, no company will ever publicly release this information.
You can learn a lot about a company though, by who they employ and the types of skillsets that they're looking to hire.
Now, remember how Blizzard flat out stated that "To date, Blizzard Entertainment has not been compromised"?
Ignoring all of the major security breaches that has taken place within all of Blizzard's games (maphacks, speedhacks, leveling exploits, bots, boss bugs, item exploits, xyz hacks, etc) and the variety of applications that can emulate Battle.net servers, let's look at security of their websites and databases. (If all of their games have been hacked, why should their applications be any different? But for some reason, most users still claim that Blizzard security is foolproof.)
Multiple breaches have occurred, however in each instance Blizzard made no announcements whatsoever. Instead, they were picked up by public new sources and Blizzard quietly swept the issue under the rug.
- On Jan 3 2001 the Diablo 2 Player Database was breached. Hundreds of thousands of accounts were deleted, and Blizzard had to recover 2 week old data from older backup systems because the normal backup database was also hacked.
- On Oct 7 2005 Battle.net was defaced.
- On May 19 2006 Blizzard's European WoW webpage was defaced.
- On Nov 26 2006, Blizzard's Starcraft webpage was hacked.
- In Sep 2007, the Warcraft.net and Battle.net webpages were hacked and defaced by an Algerian hacker.
- This happened again on Nov 16, 2007.
- Sometime before March 7 2008, a Korean user installed key logging software internally on Blizzard's network, allowing him access to server and personal information. Many accounts (possibly thousands) were breached, and the personal information (names, address, passwords, etc.) was used to hack accounts (for stealing items/gold) and sold on the black market.
- On Sep 25 2008, Blizzard employee accounts were hacked and the Battle.net forums were breached (Another). Apparently a few months before this incident, employee accounts were also hacked and keyloggers were posted by "Blizzard employees".
Note that the posts were requested by Blizzard to be removed? (more "Reputation management" as mentioned before.)
- In November 2010, as you're all aware by now, a senior Blizzard manager leaked confidential sales information, global subscriber database details, release schedule, marketing and media plans/budgets, internal financial documents, etc.
I think those instances definitely prove that Blizzard has indeed been compromised. And these are just the ones that made it to public internet sources, who knows how many other breaches there have been or how many others Blizzard has requested to be removed?
Note: On sc2pod, if you keep reading you'll see that there have also been other posts that Blizzard has ordered to be removed. Blizzard apparently has staff that monitors webpages and forums to control perception of the company (even Wikipedia is probably closely monitored by Blizzard).