Time To Fix Trade Window Scam

[Ruby Knight]

Thanks. I will see if I can catch it on video. Now, here is a question. If I can catch it on video will I be able to post it here ? I ask because it will have my toon name as well as the one doing the scam. If I post it will I get a mark on my account here for breaking the rules of posting names of players?

 

[Scribbles]

Thanks. I will see if I can catch it on video. Now, here is a question. If I can catch it on video will I be able to post it here ? I ask because it will have my toon name as well as the one doing the scam. If I post it will I get a mark on my account here for breaking the rules of posting names of players?

Send it to the devs first. then before you post it here ask a moderator to review it by sending them a PM.

 

[Archnight]

If I post it will I get a mark on my account here for breaking the rules of posting names of players?

Send it to the devs first. then before you post it here ask a moderator to review it by sending them a PM.

Yes that's correct but honestly it's best to send this straight to the dev's (Though apparently multiple video's have already been sent...), Pinco's client issued a fix for the trade window this month but again it's always best to have the person paying with gold check first and WAIT an additional ~10 seconds before clicking at your end. This script or whichever exploit they're using is done fast and you should be able to detect it within that wait time

 

[Ruby Knight]

So, with multiple videos being sent, the Devs still clam it cannot be happening? That is strange. People sending proof and still being called liars. Maybe it is just a mass delusion. And since we can't post any video on Stratics to prove it I guess this whole thread is 100% pointless. After I make the video please feel feel to pm me for a copy anyway.

 

[Ruby Knight]

I could answer that question, I could indeed. However if I do answer that question I would be breaking the TOS here and it isn't worth the effort to get a mark. So, I am NOT going to answer that question for fear that if I were to say yes, I would get a mark. JUST sayin.

 

[Ruby Knight]

I mean Just in case I would get into trouble I will not answer.

 

[Captn Norrington]

I mean Just in case I would get into trouble I will not answer.

You can still PM people the name if they want to know. Thank you for following the rules by not posting it publicly though, the moderation team appreciates it.

I did pick up on the hidden message, but it's hidden well enough to not be an issue

 

[Pawain]

The sad thing is. The same toon has been doing it for a long time. The name was posted here for a few minutes a long time ago and I saw it and it was who scammed the LS player.

.

Please tag the guy if you happen to see it happen so The Devs can get the correct account and do something!

Do whatever you do to report him before he scams you. And send the video to the devs and a copy to Captain here so he can also make sure it gets to the correct person.

Good Luck

 

[Syncros]

Just add a delay for both parties and if someone changes something it cancels the trade or resets it.

Something like this should be changed for the better and soon rather then argued about.

 

[MalagAste]

OBS is free. but you can just google free video recording software. and several pop up.

It is and I have used it a few times so if I can do it anyone can... Just saying. It's pretty good and makes very nice videos.

 

[Phantasmagorian]

Please feel free to prove it. I have 5 computers, run ec and cc, run vpns, and other misc. programs.... I have not been able to reproduce what anyone here is talking about. As far as I am concerned people are mad they got ripped off over a simple exploit that is easily avoidable. Their Pride has been hurt so they feel the need to complain about a bug that doesnt exist.

Until anyone produces a video or some other form of legit proof this topic is an unwarranted complaint.



yet you have no proof of this. If I had seen this multiple times id probably get wise and record it for the devs sake.


In summary... On a good day i do somewhere around 20 trades a day with random people. I have never been ripped off or seen anyone attempt to rip me off.


Im not saying its not possible. Im just saying that if its this prevalent in the game we should probably have some proof by now.

I don't even follow what you think you are saying here. Have you read what I said? Prove what? That one side can tick and unstick and in between swap the sum? Of course that is possible, per the design of the trade window. I am describes several scenarios, and this scenario is at least quicker and easier in the EC: You can type in a sum, tick accept, wait a few seconds (buyer is checking sum), THEN ---> [ untick, select all->delete->paste, tick accept again ] <-- and you try to time this RIGHT before the buyer would accept. This part doesn't require any hacks, it's just far quicker and easier to do in EC, because the sum swapping part is that much easier in EC. And obviously a script can be written for this, as these are client side actions. Whether they are out there, I don't know.

Other scenarios may include more hacking/scripting, I don't know that. It may be possible.

What I am starting to find pretty annoying, is that I actually said I got a 20M scroll stolen off of me right after purchasing it at a Felucca vendor and I am not looking to blame others. This is normal, intended gameplay. Well played! Do you see me looking for blame anywhere but myself?

In the case of this trade, I read the sum and counted the zeros TWICE, The buyer accepted FIRST, so I then clicked accept. What more should a normal player expect, assuming the trade window mechanism works as designed?

Of course armed with knowledge of these scams, you would now not merely have them accept first as Scribbles suggested - that is not enough, as they can super quickly unaccept-swap sum-accept right as your finger went down on the mouse button (point of no return), but actually wait a long time. Like 20 seconds.. and see if anything changes. But as I've said several times, this trade window even says "secure trading". It's anything but. It's at the very least a cat and mouse game. It should't be. That's just absurd. Even without any hack, the fact that the sum might be swapped at the blink of an eye, right before you accept, is just bad design in dire need of fixing.

 

[Phantasmagorian]

Okay, I just ran the EC and CC side by side, and the EC is definitely the culprit. The EC:

• Seems to have virtually no delay ticking and unticking the accept button (the CC has a slight delay)
• Allows you to paste in the sum
• Allows you to select and instantly replace the sum.

These three aspects allow you, as the buyer, to put in the real sum and accept, then at blink of an eye unaccept-swap sum-accept. There is no meaningful deal in any of these actions and this is client-side input, so you can script this. Whether people are doing that I don't know. Since the CC only allows you to remove your sum ONE DIGIT at a time, but the EC allows you to select-paste.. a CC user will not see movement in the price when its instantly replaced with a sum lacking a zero.

Even the check mark disappearing and reappearing happens in a flash. For those of us who play fullscreen on a big screen (I play on 30 inch) the trade window is pretty big and after checking the sum TWICE with the buyer already having accepted, I deemed safe to accept.

What likely happened is the buyer waited the few seconds for my to check and double-check the price, and the moment I decided to click accept and moved my mouse and eyes to the check box, he did the swap.. my finger went down on the accept mark and it was already too late. I didn't see any movement in the sum because it can be instantly replaced in EC (I was playing CC).

Since unaccept-swap sum-accept can be done in under a second, it's absurd to expect even prudent sellers to get duped. If you have knowledge beforehand of the issues with this, then you would wait uncommonly long and smoke out a potential scammer. But remember, this is just one scenario I am presenting. Without any hack or without uncommon sloppiness on part of the buyer, this scam can be done by virtue of the EC allowing a sequence of actions to occur in under a second. I dare not think how quickly this can be executed by a simple script with a button called "swap".

P.S. I will film this scenario, as it is dead-simple to film and right there. As I have said, trading in UO is as best a cat and mouse game, and at worst seriously broken.

 

[Ruby Knight]

And the Devs could not figure that out? Is this not proof enough? Now anyone can replicate it with the above instructions. It will probably get deleted though since it shows how to exploit in game mechanics. Maybe the Devs intentionally put this in an they are the players doing it. I kid, I kid.

 

[Phantasmagorian]

Orrore. Well, then we've identified already one way to scam other players that is definitely a borderline exploit. Given the design of the trade window, a normally prudent player shouldn't expect this to happen to them. If the buyer times it right, he does this swap right before the seller clicks accept, and even if they happen to catch the flashing V, in the tickbox, it's too late.

For players not using Pinco's on EC or using CC: know that the buyer can instantly unaccept-swap sum-accept, right before you click.. so you can never be safe to click accept. Of course the longer you wait, the harder it will be for them to time this close to your click... so you can smoke out scammers by waiting a long time. I waited about 5-6 seconds, checking the sum carefully twice, and the buyer still timed it so that I didn't even notice it. It must have happened a split second before I hit accept. So the only defense to this completely broken and exploitable trade window debacle, is smoking scammers out.

And this needs to be fixed by the team ASAP, and not just fixed with timers.. it should show a final confirmation, with a blown up list of items and sums, with proper commas. The design is broken, no doubt.

 

[Damon Beasts]

You can do the scam in either EC or CC. What they are doing is typing in the amount then when you click OK, they paste in the new amount then hit OK themselves. The DEV's are wrong about a bug unless the trade window is suppose to allow people to paste in amounts. As for the DEV's to say nothing is wrong with the trade window either they havent tested it properly or someone in that office is the culprit. We have already seen EMs Turn on the community so wouldnt put it past the developers.

 

[ShriNayne]

Maybe the problem here is that the Devs are looking for a bug when really they should be looking at human nature, scammers maybe just got more sophisticated, I don't doubt that people will find a way to fleece other people if there is any possibility of doing so! Hopefully someone can actually get a video of this in action to persuade the Devs to do something. A big thank you to @Pinco for helping out those of us who use his UI.

 

[Phantasmagorian]

Maybe the problem here is that the Devs are looking for a bug when really they should be looking at human nature, scammers maybe just got more sophisticated, I don't doubt that people will find a way to fleece other people if there is any possibility of doing so! Hopefully someone can actually get a video of this in action to persuade the Devs to do something. A big thank you to @Pinco for helping out those of us who use his UI.

I can make a video. I'll make it and send it.

You can do the scam in either EC or CC. What they are doing is typing in the amount then when you click OK, they paste in the new amount then hit OK themselves. The DEV's are wrong about a bug unless the trade window is suppose to allow people to paste in amounts. As for the DEV's to say nothing is wrong with the trade window either they havent tested it properly or someone in that office is the culprit. We have already seen EMs Turn on the community so wouldnt put it past the developers.

In EC this can be done instantly, in CC not.

 

[Archnight]

I have no problem proving it

In EC this can be done instantly

Has anyone tested if it can still be done in Pinco's UI? Cause apparently he issued a fix for these problems in the last patch

 

[Phantasmagorian]

Has anyone tested if it can still be done in Pinco's UI? Cause apparently he issued a fix for these problems in the last patch

I haven't. The fix Pinco put in is that if the buyer changes the sum, the sum turns red and you can't accept for 5 seconds or so. The buyer will always be able to swap out the sum instantly, even if Pinco blocks some related functions of the trade window, since then the scammer can turn off Pinco's. But with Pinco's, you're at least protected and alerted as a seller.

 

[Scribbles]

Here are two videos. one is from cc to ec and the other is ec to cc. there is no delay. You are welcome.

 

[petemage]

All it takes is some server-side 5 second cooldown every time something changes, but the Devs did not understand the issue at hand and just said there is no issue

 

[Syncros]

Make code to track the offenders and toss in a fix in a couple weeks then strip them of gold and ban them.

 

[Phantasmagorian]

Here are two videos. one is from cc to ec and the other is ec to cc. there is no delay. You are welcome.

Hi @Scribbles, that's good, but I am talking about a delay in clicking accept/unaccept. As in, try rapidly clicking the checkmark in both clients and you'll see the CC has a slight delay (a peculiar detail: the delay seems to vary slightly.. not sure if this is due to the connection to shard or something else). This impacts the swap out trick. The CC also doesn't allow to instantly select the sum and delete it. In the EC you can just single click the sum and ctrl+v in the new one.

The posts detailing this were deleted because they come to close to explaining exploits, but Pinco confirmed this swap out can be automated and thus is virtually instant. This proves players who pay attention to the sum and see it's correct, and since everything is in order, normally and without significant rush just click accept, can't still get scammed.. as right before they click, the buyer can instantly swap the sum.

 

[Ruby Knight]

Been speaking with Mesanna in game. They are trying to reproduce it with the new info I just gave them. Phantasmagorian can you email [email protected] with the exact details?

 

[Ruby Knight]

Mesanna and Misk are now trying to duplicate the bug/scam/exploit. I gave them as much info as I remember from the post but it is a good idea to email Mesanna.

 

[Finley Grant]

As obviousely everyone who actually can inform people what they need to lookout to maybe identify before being a victim is Not allow to post Details i would Like to meet ingame as i want to see it from First row in Order to protect myself.

Can somone get Back to me andere Show me that Thing?

 

[MalagAste]

Mesanna and Misk are now trying to duplicate the bug/scam/exploit. I gave them as much info as I remember from the post but it is a good idea to email Mesanna.

Sometimes @Bleak will meet with people in-game and observe perhaps one of you who knows how to get this bug to work can meet with him on TC and show him exactly how it's done.

 

[Ruby Knight]

Mesanna just emailed me and asked that anyone who knows how to recreate the bug/scam/exploit meet with her on TC1 tomorrow. Please email her if you know how it is done and can show her.

 

[Phantasmagorian]

Mesanna just emailed me and asked that anyone who knows how to recreate the bug/scam/exploit meet with her on TC1 tomorrow. Please email her if you know how it is done and can show her.

It's not even a bug, though. In EC, you can simply very rapidly unaccept-swap sum-accept. To make matters worse, this can potentially be automated with a script, Pinco confirmed. That's all it is.

What time on TC1?

 

[Keith of Sonoma]

Sometimes @Bleak will meet with people in-game and observe perhaps one of you who knows how to get this bug to work can meet with him on TC and show him exactly how it's done.

Right, he met with me a while back about the crimson/platinum drake trade bug.

 

[Lord Arm]

needs to be fixed in both clients, not just one lol. guess it needs to auto cancel trade if someone removes a zero and/or maybe a confirm button where nothing can be changed.

 

[Lore]

Tell me what program I need to use to create a video from my desktop and I'll happily create a video of it happening to me. They try it every day with me. Two toons specifically. I have no problem proving it. I just don't know what program will record the desktop.

Your vid card may come with it in it's own software if you downloaded and included it. Assuming you're using a vid card... not really necessary for UO. You'd know you had a vid card if you have one. It's usually a big block with a fan on it plugged in a long plug on your motherboard.

People should be compressed air spraying the fans out on these as well, just FYI for those of you that don't. It's one of the most common fixes for your computer.

 

[Troll The T Hunter]

a simple fix is just to have a separate confirmation window pop up after both parties have accepted asking if you confirm the transaction and if you don't the trade is cancelled.

 

[petemage]

Mesanna just emailed me and asked that anyone who knows how to recreate the bug/scam/exploit meet with her on TC1 tomorrow. Please email her if you know how it is done and can show her.

Not like there is a thread on Stratics about it ....

 

[Parnoc]

Hasn't Pinco's now fixed this bug on the EC? Too bad he and the devs don't have a better working relationship, he could help them out a lot.

 

[Phantasmagorian]

Hasn't Pinco's now fixed this bug on the EC? Too bad he and the devs don't have a better working relationship, he could help them out a lot.

No, he didn't fix the bug and it's not really a bug. It's just exploiting the built-in features of an input field and the trade window on EC to the max. And what Pinco did was create a delay when the buyer changed their sum, also turning the sum red. So he created a safe-guard for sellers who use Pinco's on EC.



It's a shame this was sent out as it gives players a false notion of safety. Since I found out you don't need to change the sum while a party has accepted, you accept and then swiftly unaccept-swap sum-accept. And I found this after 5 minutes of simple testing, trying to find some way to recreate the effect of the sum being different than what the seller read. Just because I only spent 5 minutes testing this so far, I wonder what other ways exist. This may have been the only thing, but I don't know.

 

[Syncros]

Friend just got scammed outta 100mill from this bug, damn hes pissed! He said even waited 5 secs to click accept.

Looks like any high value items its best to toss it on a vendor and let players buy off them to avoid this exploit till its fixed.

 

[Ruby Knight]

Yep, a guy just tried it with me again. Got it on video and sending to Mesanna now. It won't be long.

 

[Pinco]

Friend just got scammed outta 100mill from this bug, damn hes pissed! He said even waited 5 secs to click accept.

Looks like any high value items its best to toss it on a vendor and let players buy off them to avoid this exploit till its fixed.

the solution I've added to my UI was blocking your accept button for 2s every time the other guy changes the amount of gold, and since for this scam to work they continuously change the amount of gold (so that you can see the right amount up to the last second), you just won't be able to accept at all until they stop

that's why waiting makes no difference, because they will keep changing the amount until you press accept and in that moment you get scammed :/

 

[Ruby Knight]

Thanks for clearing that up. Now if someone could just show Mesanna HOW it is being done it will get fixed. She is aware of the issue but cannot seem to duplicate it.

 

[petemage]

Thanks for clearing that up. Now if someone could just show Mesanna HOW it is being done it will get fixed. She is aware of the issue but cannot seem to duplicate it.

Let's do their job for them for free. Sure...

What's the deal writing some PoC lua code the shuffles the amount every couple milliseconds? Oh yea, I guess they never actually tried since it costs them time..

But after weeks of denial, it's at least some progress at Mesanna's front

Give it another 4 weeks for them to figure it out. And another year to actually put in a fix of their thinking. And another year for a second actually working fix like the many described in this thread.

 

[Parnoc]

No, he didn't fix the bug and it's not really a bug. It's just exploiting the built-in features of an input field and the trade window on EC to the max. And what Pinco did was create a delay when the buyer changed their sum, also turning the sum red. So he created a safe-guard for sellers who use Pinco's on EC.

View attachment 80865

It's a shame this was sent out as it gives players a false notion of safety. Since I found out you don't need to change the sum while a party has accepted, you accept and then swiftly unaccept-swap sum-accept. And I found this after 5 minutes of simple testing, trying to find some way to recreate the effect of the sum being different than what the seller read. Just because I only spent 5 minutes testing this so far, I wonder what other ways exist. This may have been the only thing, but I don't know.

This is what was Pinco posted on the login screen of Pinco's EC. I never saw what you posted above.

Quote:
Since lateley there has been an increased amount of people scamming others by rapidly
changing the gold amount a split seconds before you accept a trade, I've decided to add
a protection system to avoid that.
Now during a trade when the other party changes the gold amount, your accept button
will be disabled for 2 seconds and the new gold amount offered will be highlighted, so
you won't be able to be scammed unless you forget to check again the gold amount
before pressing accept. I hope this can solve the problem once and for all.

 

[Wing Zero Straight Edge]

I know someone great at videos @Wing Zero Straight Edge

I hadn't seen this till now, but yeah if anything I really should.

 

[Victim of Siege]

Yep, a guy just tried it with me again. Got it on video and sending to Mesanna now. It won't be long.

Soon™

 

[Ruby Knight]

Well, it took some time to finally bait someone into trying the scam on me but I now have video evidence. I have sent it to Mesanna. I am going to try and upload it to Youtube for anyone who wants to see it. PM me if you'd like a link.