Rack up all of guest blogger Kevin Townsend’s good points as he explains how online gamers have to outsmart hackers...in addition to their opponents.
At the beginning of January 2019, a major U.S. security firm published the results of a survey on gamers and security. It was a bit disappointing. It found that three-quarters of gamers worry about the security of gaming in the future; 55% of gamers reuse passwords across accounts; and the average gamer has experienced almost five cyberattacks.
This tells us nothing about gamers or gaming security. Change the word “gamers” to “waiters” and we would learn just as much about baristas and café security; probably with just as much accuracy. Gamers outside of their games are just computer users with the same security issues and the same concerns as everyone else.
But inside the game, it is a completely different world where only some of the normal rules of civilized behavior apply. Hackers hack gamers and steal virtual goods. Then they sell those goods to other gamers inside the game for real-world money. And the best game hackers can earn a lot of money.
Video games are now the world’s largest entertainment industry. Compared with books, movies, TV, and music, it’s also the most inherently digital medium. While video games are entertainment, players often trust as much of their personal information to game companies as they would to their workplace, to online shopping or even to financial institutions. So, what do hackers stand to gain by targeting video games and their players?
In-game economies have essentially provided a precursor to cryptocurrency. Although the virtual money earned in-game can’t be used in the real world, it’s still a commodity with real value to players. Accounts with large amounts of in-game currency or access to rare, prestigious in-game items can fetch high real-world prices. No matter how old the game, where there’s a strong player-base, there’s value. A moderator (aka Mod Jed) for RuneScape, one of the longest-running online games, recently exploited his elevated privileges to steal virtual money (45 billion in-game coins) with a real-world value of $100,000 from players.
This also applies to the games themselves. Many games are published, sold, and authenticated online on distribution platforms like Steam, Origin, GOG Galaxy, and others. Players frequently manage all or most of their games through a single account, and long-term Steam users can have libraries of hundreds of games. Steam also allows players to hold and trade supplementary, virtual items like wallpapers, stickers, and in-game cosmetics. There have been cases of hackers stealing such items from Steam inventories, as well as stealing entire accounts on Origin.
Most often, however, it’s players’ accounts that are the most valuable to hackers, and therefore the most often targeted. Online and mobile games gather a large amount of data on their users. The more personal the data, the more valuable it is to hackers, and mobile games often track such intimate information as location, media engagement, and even phone calls. In-game transactions and monthly subscriptions for online games mean that financial information is often included with a user’s data.
Whether a hacker is aiming to take over an account for the virtual wealth of the player’s character or the player’s real-world data, they have a variety of ways to make a successful hack. The methods themselves are no different to what users in any other field face, but gamers can experience some unique risk factors and circumstances.
Password reuse is a common issue, as the average gamer needs to manage accounts for multiple distribution platforms, publishers, and games themselves. Each distribution platform — Steam, Origin, etc. — requires an account; some game companies such as Epic Games and Rockstar require an account to play games or access social features; most multiplayer online games will require a password all to themselves. This leaves gamers needing to remember and manage dozens of passwords, and older games can be easily forgotten with account credentials going un-updated for years.
Many games also complete half the work for potential attackers by themselves; often, simply seeing another player in-game will reveal their username. For example, Battlefield 5 has a competitive mode of up to 64 players, which means a single game provides a potential malicious actor up to 63 usernames on which to try common or default passwords.
Other games will give you access to players' scores, providing access to basically all the user names used in the game – or at least those of the top players, which will be even more valuable.
Phishing campaigns are frequently targeted against players of popular games. Phishers aren’t limited to the standard fraudulent emails typically used to trick users into giving up login credentials. One frequent tactic is to set up a fake login page, or to pose as a friend and attempt to send malicious links via chat platforms. The common interest in gaming lends credence, and even trust, to a phishing email.
Games also give successful phishers more options than other fields. A successful phishing attack may not result in a full takeover of the player’s account, but instead allows the intruder to take anything valuable from their Steam inventory or MMO character and move on.
Vectors for spreading malware to gamers often overlap with phishing methods. If Steam chat can be used to spread links to fake authentication pages, it can certainly be used to send links to drive-by malware downloads. With competitive games, many players can be convinced to voluntarily download malicious applications promising cheats, hacks, or other ways to gain an advantage over other players.
While there are many ways for gamers to fall prey to malicious actors, this doesn’t absolve the game companies from responsibility. Players rely on secure infrastructures and applications just as much as they rely on their own ability to spot a threat. Sadly, this is not a responsibility that game companies always uphold successfully.
In January 2018, a flaw in the Fortnite authentication process was disclosed. The login URL wasn’t validated, leaving it vulnerable to a redirect attack. To make matters worse, the researchers who discovered the flaw also found and compromised an unused and vulnerable Epic subdomain. Now, Epic’s authentication uses social media login. A genuine login request would also be redirected to the compromised subdomain, which would request the user’s login credentials, receive them, and send them to the attacker.
Both the genuine user and the attacker would have correct login credentials to access the Fortnite account. The attacker would be able to steal artifacts, any personal information it contains (perhaps even bank card details), and buy and steal in-game currency (V-Bucks, which he could then sell for real money outside of the game). And all the attacker would need to do is persuade the victim to use the malicious redirect URL to log on – which is standard social engineering.
The situation isn't as grim as it might appear. It’s often the case that users are the weakest point in any security system, but most gamers are digital natives. A certain amount of familiarity with technology often makes it easier to educate users on finer points of security and data protection. There are multiple precautions people can take to better safeguard their accounts from harm. Here are some of those possibilities:
Good password practices are just as effective in gaming as they are elsewhere. Gamers should follow guidelines for password strength, and consider using passphrases to aid memory and protect against brute-forcing. A good password manager may be helpful as well. Above all, it’s important to avoid reusing the same password across multiple accounts, or a compromised Overwatch account could turn into a compromise of Steam, Origin, and even the user’s personal email.
Standard phishing advice applies to gamers just as much as anyone else. Never click a link without being sure where it goes — even links sent by friends could be malicious in the case of compromised accounts. Remember that genuine emails from game providers will not request login details or personal information. If it’s impossible to tell for sure if an email is genuine, contact the game’s support team directly and ask. Gamers should be wary of “too good to be true” deals. A fellow player offering an apparent bargain trade may be trying to tempt people into a phishing scheme, and a website offering unbeatable competitive advantages is more than likely a scam of some kind.
Many gamers have an antipathy to running antivirus software as it is often perceived as a drain on performance. Some antivirus products are also prone to false-positives when it comes to games or game platforms. It’s still possible — and definitely advisable — to find a good antivirus which includes “game mode” features to keep performance high, and which won’t discourage gamers from staying secure with false-positives.
Many games and distributors offer options for two-(or more)-factor authentication. These should always be turned on, if available. It adds an extra step to the login process, sending a code to either a registered email or phone number. Though inconvenient, game companies encourage 2FA for improved account security, and some are beginning to offer in-game rewards to players who enable it.
In most cases, the ultimate responsibility for keeping accounts secure lies with the players. However, this does not mean that developers, publishers, and distributors can’t — or shouldn’t — do anything to help their players stay as secure as possible. These are some steps that game companies can take to help maintain a high standard of security:
Several of the methods gamers can use to protect themselves depend on what the video game company in question has provided. Multi-factor authentication is good, but only if the software has a framework for it. There should be support in place for users to be able to quickly lock their accounts if compromised, especially if financial information is involved.
There are also features developers can implement that need never be seen by the player. Geofencing can be an effective tool to protect user accounts, and is already employed in many other fields. Behavioral biometrics could also be an option to consider. While behavioral biometrics is still in its infancy and quite costly to implement, gaming is in a unique position to explore the technology. A rudimentary form of behavioral biometrics is already employed in some games’ cheat-detection systems, able to flag potential cheaters by inconsistencies in play. A little innovation could easily extend this to security and account protection.
There’s nothing any business can do, gaming or otherwise, to force their users to be security-savvy. However, there’s no reason not to make information as accessible and digestible as possible. An easily-accessed page of basic security best practices, presented in concise and user-friendly language, would certainly not go amiss. Any known, active threats should be prominently declared on a game’s launch screen or main menu, along with the best way for players to protect themselves.
Data is valuable, both to legitimate data processors and to malicious actors seeking to compromise it. Mobile games and social media apps both share the same reputation for gathering unnecessary data on their users, meaning that any breach results in a far bigger loss than it should have been. Several games had to shut down in the wake of the GDPR, as it would have been too costly to update their sweeping data collection systems to comply with the new regulations. Game companies, as with any organization gathering or storing data on its customers, should follow best practices for security and never gather more data than is necessary.
Video gaming has a unique kind of duality when it comes to cybersecurity. A gamer is a software user just like any other; he or she is subject to the same security risks and threats as any other user. The same security principles are just as effective and important. However, each threat also involves a unique twist, adding a complication that isn’t seen in any other field. Attackers have more options to compromise a player’s security, and the players must tailor their practices to account for them. By knowing which aspects of security are the same and which are different, game companies and their customers can protect themselves, and stay safe in a way of life that’s “just for fun” while still containing real value, and the potential for real loss.
Kevin Townsend is a guest blogger on the Avast Blog where you can catch up on all the latest security news. Avast is a global leader in cybersecurity, protecting hundreds of millions of users around the world with award-winning free antivirus and keeping their online activities private with VPN and other privacy products. Join in the conversation with Avast on Facebook and Twitter.
Many of the underlying algorithms we rely on are only as good as the human knowledge they come from. And sometimes, the knowledge transfer from humans to formulas falls short.
Security weaknesses align seamlessly with the spreading of disinformation. The purveyors of disinformation know this and have taken to spreading malware via vulnerable mobile apps.