
Why Security Is Often an Afterthought on Video Game Websites

By Jill Scharr - Source: Tom's Guide US | 7 comments

Stock photo: PeterPhoto123. Gamers beware: Your online accounts could be easy picking for hackers.

In late August, thousands of people who play Riot Games' popular online title "League of Legends" learned that their data had been stolen. Hackers accessed players' online accounts, grabbing names, email addresses and credit card numbers.

Just two weeks before the hack, game company Crytek shut down its websites and temporarily suspended its members' accounts. Crytek doesn't run any online games, but fans can create user accounts on the website to access forums and news updates. It appears that hackers acquired login data for Crytek's systems that allowed them to steal members' personal information.

And back in June, game companies Ubisoft, Konami, Club Nintendo and Bohemia Interactive all saw similar attacks.


That makes at least six major game companies whose users' account information has been compromised in three months. Is this a trend? Derek Tumulak from data security company Vormetric says yes.

That doesn't mean that the same group is behind all these attacks. Rather, Tumulak argued, the rash of security breaches shows that gaming companies are not taking security seriously enough.

"Gaming companies are not thinking about security," Tumulak told Tom's Guide. "They're thinking about gaming experience. Security is more of an afterthought."

Gaming companies aren’t the only ones guilty of such oversight. However, in general, other types of companies have been far better at upgrading their data security.

"Financial organizations have finally gotten more serious [about security] recently," Tumulak said. "They were also primarily focused on network security. Data-centric security was an afterthought. But that's changed in the last couple of years."

Given the rash of break-ins to high-profile video game company websites, it seems this sector could certainly benefit from some basic security lessons.

How to hack a password

Tumulak specified that many of these companies have strong perimeter security: the firewalls, encryption and other defensive systems themselves are very hard to break through. Their data security is weak, though, so an attacker who acquires a valid username and password can simply let themselves in without "attacking" anything. To the perimeter controls that login looks like any legitimate user, which is why stolen credentials sail past defenses built to stop intrusions. It's the difference between bashing down a door and letting oneself in with a stolen key.

One of the ways attackers acquire usernames and passwords is through phishing, or tricking people into revealing their account information through authentic-seeming emails and websites. For example, you might get an email from an official-looking address, but on closer examination, a few letters are off.

Phishing isn't a very technologically sophisticated attack, but if attackers can make the bait look good enough, it's inevitable that a few gullible people will bite.

The hackers who broke into Ubisoft's systems got in with an employee's stolen login credentials, the company confirmed in a blog post. That is consistent with a phishing attack, but it is not proof of one: malware on the employee's machine, or a password reused from another breached site, would leave the same trail.

Another technique for acquiring usernames and passwords is the brute force attack. This is also fairly unsophisticated: a program submits login attempts automatically, guessing one username/password combination after another. In practice that rarely means trying every possible string of letters and numbers. Attackers work through lists of common passwords, or replay username/password pairs leaked from other sites in the hope that people reuse them (often called credential stuffing). Either way, the site sees the same symptom: a flood of failed logins.

Club Nintendo's security breach has that shape: In the space of a month, the website saw 15.5 million login attempts, a huge increase from its usual numbers. Of these attempts, 23,926 succeeded, a hit rate well under 1 percent, which is what guessing at scale looks like.

"What is perhaps most alarming is the length of time that the Club Nintendo website was being bombarded by attempts to break into customer accounts," observed security expert and blogger Graham Cluley on his blog.

"It’s hard to imagine that a sustained attack like that could have gone unnoticed for nearly one month and suggests poor stewardship by Nintendo’s security team."

Konami's statement regarding its security breach said that users' IDs and passwords had been leaked by a third-party service provider, but it also admitted to a huge spike in unsuccessful login attempts between June 13 and July 7. That suggests Konami was hit with the same kind of automated login attack, in its case presumably fed by the leaked credentials.

Easy ways to protect against attacks

One way companies can protect against brute force attacks is to closely monitor the number of login attempts on a given website. A sudden spike in failed logins, and especially many failures from one source address spread across many different accounts, means an automated attack is under way. The alert is only useful if someone acts on it: rate-limit or block the offending source, add a lockout or CAPTCHA after repeated failures, and force a password reset on any account that saw a successful login during the burst.
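To make that monitoring concrete, here is an added example (not code from the article or from any of the companies it names) that runs such a check over a small constructed log sample. The log format, the thresholds, the account names and the IP addresses are all assumptions made for the example; it flags the minute-level failure spike, the source that sprays many accounts (the credential-stuffing pattern), the account that is being hammered on its own, and any successful login that came from a spraying source.

```python
"""Spot automated login attacks in an authentication log.

Added example; not code from the article or from any company it names.
Assumed log format (one event per line, constructed for this example):
    <ISO-8601 UTC time> <source IP> <account> <OK|FAIL>
"""
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<user>\S+) (?P<result>OK|FAIL)$"
)


def parse_events(lines):
    """Yield (minute, ip, user, failed) per well-formed line; skip anything else."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts.replace(second=0), m["ip"], m["user"], m["result"] == "FAIL"


def analyze(lines, spike_factor=5, min_spike=20, stuffing_accounts=10, targeted_fails=10):
    """Return the signals worth paging on.

    spike_minutes:     minutes whose failure count is far above the baseline
    stuffing_sources:  IPs failing against many distinct accounts (credential stuffing)
    targeted_accounts: accounts with many failures (classic password guessing)
    Successful logins from stuffing sources are listed too: those accounts need a reset.
    """
    fails_per_minute = Counter()
    accounts_per_ip = defaultdict(set)
    fails_per_user = Counter()
    ok_per_ip = Counter()
    for minute, ip, user, failed in parse_events(lines):
        if failed:
            fails_per_minute[minute] += 1
            fails_per_user[user] += 1
            accounts_per_ip[ip].add(user)
        else:
            ok_per_ip[ip] += 1

    # Baseline = median failures per minute. In production take this from a
    # known-quiet window; the median is used here only so the sample is self-contained.
    baseline = statistics.median(fails_per_minute.values()) if fails_per_minute else 0
    threshold = max(min_spike, spike_factor * baseline)

    spike_minutes = sorted(m.strftime("%Y-%m-%dT%H:%M")
                           for m, c in fails_per_minute.items() if c >= threshold)
    stuffing_sources = sorted(ip for ip, users in accounts_per_ip.items()
                              if len(users) >= stuffing_accounts)
    targeted_accounts = sorted(u for u, c in fails_per_user.items() if c >= targeted_fails)
    return {
        "baseline_failures_per_minute": baseline,
        "spike_minutes": spike_minutes,
        "stuffing_sources": stuffing_sources,
        "targeted_accounts": targeted_accounts,
        "successes_from_stuffing_sources": {ip: ok_per_ip[ip] for ip in stuffing_sources
                                            if ok_per_ip[ip]},
    }


def build_sample_log():
    """Constructed sample, not real traffic: quiet background, then two attacks."""
    lines = []
    for minute in range(5):  # 10:00-10:04: two ordinary typos and one success per minute
        lines.append(f"2013-06-13T10:0{minute}:15Z 198.51.100.10 carol FAIL")
        lines.append(f"2013-06-13T10:0{minute}:20Z 198.51.100.11 dave FAIL")
        lines.append(f"2013-06-13T10:0{minute}:40Z 198.51.100.12 erin OK")
    for i in range(30):      # 10:05: one source sprays 12 accounts, one password hits
        lines.append(f"2013-06-13T10:05:{i:02d}Z 203.0.113.5 user{i % 12:02d} FAIL")
    lines.append("2013-06-13T10:05:45Z 203.0.113.5 user03 OK")
    for i in range(12):      # 10:06: a second source hammers a single account
        lines.append(f"2013-06-13T10:06:{i:02d}Z 203.0.113.9 admin FAIL")
    lines.append("malformed line the parser must ignore")
    return lines


if __name__ == "__main__":
    for key, value in analyze(build_sample_log()).items():
        print(f"{key}: {value}")
```

The spike check on its own would have caught the Club Nintendo volume; the per-source account count is the signal that separates a credential-stuffing run from a burst of forgetful users, and the "successful login from a spraying source" list is what tells the response team which accounts were actually taken over rather than merely attacked.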

Two-factor verification also adds a strong layer of protection to any system. When it is implemented, people who log in with a username and password are then asked to enter a one-time code, either generated by an authenticator app or texted to the cellphone associated with the account. That way, merely phishing for usernames and passwords isn't enough to compromise an account. Codes sent by text message are the weaker option, because the phone number itself can be hijacked, and a phishing page that relays the code to the real site within seconds can still defeat either form; it raises the bar considerably all the same.


Tumulak also suggests that game companies avoid giving any one account holder, even an administrator, too much power within the system. That way, even if hackers compromise a high-level account, the damage they can do is limited.

"As a system administrator, I need to be able to do my job," Tumulak said. "But do I actually need access to other users' data [such as email addresses and credit cards]? That answer's usually no."

The fault isn't entirely with the game companies, though. Many people think their online game accounts' security isn't very important, especially if the accounts don't have any credit card data associated with them. But short, simple passwords are the first to fall in a brute force attack.

What's more, hackers can still use the information acquired from gaming sites to break into even more important accounts. For example, gaming sites store users' names and email addresses, which could be used to create better phishing scams for banking or e-commerce accounts.

Further, if you use the same password, or variants of the same password, across your accounts, then hackers could use the password acquired from hacking into a gaming site to break into your more important accounts.

"The bar has been low [in terms of security] at these gaming companies," Tumulak said. "It's easy to get in, get that [sensitive] information, get out and use that information in a more valuable way later."

Email jscharr@techmedianetwork.com or follow her @JillScharr. Follow us @TomsGuide, on Facebook and on Google+.

    John Bauer, September 3, 2013 9:20 AM
    Y'know what pisses me off the most about this? When companies have a password LIMIT. Like Origin has an 8 or so character limit. It makes me feel insecure, EA. But do they care? Probably not.
    g-thor, September 3, 2013 9:29 AM
    My question is, are they that lax in the security for their game code? If they aren't, if they aggressively protect their coding, then why don't they protect our information as diligently?

    And I think the article answers that question - the bar has been low [in terms of security] at these companies. They protect their information because it generates money, but why bother with the individual's security - we don't get paid for that. However, lose enough customer info and you will lose your audience.
    matthew_nicho2, September 3, 2013 10:34 AM
    Their code is their property and they don't want it stolen/abused; user info on the other hand isn't theirs, so they seemingly don't give a crap. You bought their product and are using their service, money in their pocket; that's all that matters to them.

    Once you're there they have you and you have no choice but to use their service.
    KelvinTy, September 3, 2013 11:23 AM
    You lost me at "they are thinking gaming experience"...
    On the security side, when you are "big" enough, you have already painted a target on your back; with making money the no. 1 to 100 priority, they would not fix something that ain't broken. Therefore, hacked, then security; hacked again, then security fix.
    gm0n3y, September 3, 2013 11:37 AM
    @John Bauer,

    I was going to complain about this as well. My normal passwords are usually 12+ characters. I prefer to use long non-dictionary words or phrases as they are easier to remember and much harder to crack. But then for my Origin account they tell me that my password is TOO LONG?!?! How can a password be too long?
    thethirdrace, September 3, 2013 1:18 PM
    I don't believe it's a problem companies have to solve.

    Companies should never force you to give them personal information in the first place. That's half the problem right there.

    The other half of the problem is the users themselves. If somebody went knocking on their doors and asked them for their information, nobody would be dumb enough to give it just like that. But replace the door with a screen and the user would even provide their bank PIN number and the size of their underwear while they're at it...

    There's no better security than absence of information. As soon as you realize that, the only problem you might have on the net is maybe a password change once a year.

    This is a non issue as it was always like that even when everything was on physical paper. Unauthorized people shouldn't be able to read your information in your doctor's old paper file, but do you really believe it never happened? Are you really that naïve? Some people need a reality check ASAP.
    jRaskell1, September 3, 2013 2:52 PM
    "I don't believe it's a problem companies have to solve."

    While I agree everyone is personally responsible for their own online security, I don't agree that 'companies' don't belong under that umbrella.

    Bottom line is, EVERYONE is responsible. Honestly, in today's world, anyone who falls for a phishing attack at work should just be fired. Quite literally they are simply too incompetent to be allowed access to a company's internal networks.

    On the other hand, any service that still allows brute force attacks on their servers are also exhibiting an unacceptable level of incompetence.

    These are two types of attacks that have been around for well over a decade, and they are EASILY defeated. People still succumbing to phishing attacks doesn't surprise me, there will always be incompetent people out there, but large organizations succumbing to brute force attacks... that's just plain inexcusable.