Why Security Is Often an Afterthought on Video Game Websites
Stock photo: PeterPhoto123. Gamers beware: Your online accounts could be easy pickings for hackers.
In late August, thousands of people who play Riot Games' popular online title "League of Legends" learned that their data had been stolen. Hackers accessed players' online accounts, grabbing names, email addresses and credit card numbers.
Just two weeks before the hack, game company Crytek shut down its websites and temporarily suspended its members' accounts. Crytek doesn't run any online games, but fans can create user accounts on the website to access forums and news updates. It appears that hackers acquired login data to Crytek's systems that allowed them to steal members' personal information.
And back in June, game companies Ubisoft, Konami, Club Nintendo and Bohemia Interactive all saw similar attacks.
That makes at least six major game companies whose users' account information has been compromised in three months. Is this a trend? Derek Tumulak from data security company Vormetric says yes.
That doesn't mean that the same group is behind all these attacks. Rather, Tumulak argued, the rash of security breaches shows that gaming companies are not taking security seriously enough.
"Gaming companies are not thinking about security," Tumulak told Tom's Guide. "They're thinking about gaming experience. Security is more of an afterthought."
Gaming companies aren’t the only ones guilty of such oversight. However, in general, other types of companies have been far better at upgrading their data security.
"Financial organizations have finally gotten more serious [about security] recently," Tumulak said. "They were also primarily focused on network security. Data-centric security was an afterthought. But that's changed in the last couple of years."
Given the rash of break-ins to high-profile video game company websites, it seems this sector could certainly benefit from some basic security lessons.
How to hack a password
Tumulak explained that many of these companies have strong perimeter security, meaning it's very hard to break through the firewalls, encryption and other defensive systems themselves. However, their data security is weak, meaning that an attacker who acquires a valid username and password can simply let themselves into the system without actually "attacking" anything. It's the difference between bashing down a door and letting oneself in with a stolen key.
One of the ways attackers acquire usernames and passwords is through phishing, or tricking people into revealing their account information through authentic-seeming emails and websites. For example, you might get an email from an official-looking address, but on closer examination, a few letters are off.
Phishing isn't a very technologically sophisticated attack, but if attackers can make the bait look good enough, it's inevitable that a few gullible people will bite.
The hackers who broke into Ubisoft's systems accomplished this by stealing an employee's login credentials, the company confirmed in a blog post. This suggests that a phishing attack was used.
Another technique for acquiring usernames and passwords is called a brute force attack. This is also fairly unsophisticated: attackers use a program that attempts to guess a correct username/password combination by trying every possible combination of letters and numbers.
Club Nintendo's security breach appears to be due to a brute force attack: In the space of a month, the website saw 15.5 million login attempts, a huge increase from its usual numbers. Of these attempts, 23,926 successfully logged in.
"What is perhaps most alarming is the length of time that the Club Nintendo website was being bombarded by attempts to break into customer accounts," observed security expert and blogger Graham Cluley on his blog.
"It’s hard to imagine that a sustained attack like that could have gone unnoticed for nearly one month and suggests poor stewardship by Nintendo’s security team."
Konami's statement regarding the security breach suggested that their users' IDs and passwords were leaked by a third-party service provider, but also admitted that they'd seen a huge spike in unsuccessful login attempts between June 13 and July 7, which suggests they were hit with a brute force attack as well.
Easy ways to protect against attacks
One way companies can protect against brute force attacks is to closely monitor the number of login attempts on a given website. If the site's administrators see a sudden spike in failed login attempts, it's likely they're in the midst of a brute force attack.
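The kind of monitoring described above, as an added example that is not code from the article or from any company it names: a small script that counts failed logins per minute from web-application log lines, compares each minute against a baseline of earlier minutes, and reports which source produced most of the failures in any minute that spikes. The log format, timestamps, usernames and addresses are all constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed log format (not from the article): one line per login attempt.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}):\d{2} login "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>ok|fail)$")

def build_sample_log():
    """Constructed sample: three quiet minutes, then one minute flooded
    with guesses against many accounts from a single source address."""
    lines = []
    quiet = [("alice", "198.51.100.7", "ok"), ("bob", "198.51.100.9", "fail"),
             ("carol", "203.0.113.4", "ok"), ("dave", "203.0.113.8", "fail")]
    for minute in range(3):
        for i, (user, src, result) in enumerate(quiet):
            lines.append(f"2013-06-13T10:0{minute}:{10 + i:02d} login "
                         f"user={user} src={src} result={result}")
    for i in range(40):  # guessing spree: one lucky hit among 39 failures
        result = "ok" if i == 17 else "fail"
        lines.append(f"2013-06-13T10:03:{i:02d} login user=user{i} "
                     f"src=192.0.2.10 result={result}")
    return lines

def failed_logins_per_minute(lines):
    """Count failed attempts per minute and which sources produced them."""
    per_minute = Counter()
    sources = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["result"] != "fail":
            continue
        per_minute[m["ts"]] += 1
        sources[m["ts"]][m["src"]] += 1
    return per_minute, sources

def flag_spikes(per_minute, sources, baseline_minutes=3, factor=5):
    """Flag minutes whose failure count exceeds factor x the baseline mean.
    The baseline is the mean of the first baseline_minutes, assumed normal."""
    minutes = sorted(per_minute)
    base = minutes[:baseline_minutes]
    baseline = sum(per_minute[m] for m in base) / max(1, len(base))
    alerts = []
    for m in minutes[baseline_minutes:]:
        if per_minute[m] > factor * baseline:
            top_src, top_n = sources[m].most_common(1)[0]
            alerts.append((m, per_minute[m], top_src, top_n))
    return alerts

if __name__ == "__main__":
    counts, srcs = failed_logins_per_minute(build_sample_log())
    for minute, n, src, n_src in flag_spikes(counts, srcs):
        print(f"{minute}: {n} failed logins; top source {src} ({n_src})")
```

On real traffic the baseline would come from a longer history than three minutes, and the per-source breakdown is what lets responders distinguish one flooding address from guesses spread across many.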
Two-factor verification also adds a strong layer of protection to any system. When two-factor verification is implemented, people who log in with a username and password are then asked to enter a randomly generated code that is texted to the cellphone associated with the account. That way, merely phishing for usernames and passwords isn't enough to compromise an account.
Tumulak also suggests that game companies avoid giving any one account holder, even an administrator, too much power within the system. That way, even if hackers compromise a high-level account, they are still limited in the amount of damage they can do.
"As a system administrator, I need to be able to do my job," Tumulak said. "But do I actually need access to other users' data [such as email addresses and credit cards]? That answer's usually no."
The fault isn't entirely with the game companies, though. Many people think their online game accounts' security isn't very important, especially if the accounts don't have any credit card data associated with them. But short, simple passwords are the first to fall in a brute force attack.
What's more, hackers can still use the information acquired from gaming sites to break into even more important accounts. For example, gaming sites store users' names and email addresses, which could be used to create better phishing scams for banking or e-commerce accounts.
Further, if you use the same password, or variants of the same password, across your accounts, then hackers could use the password acquired from hacking into a gaming site to break into your more important accounts.
"The bar has been low [in terms of security] at these gaming companies," Tumulak said. "It's easy to get in, get that [sensitive] information, get out and use that information in a more valuable way later."