The Future of Gaming……Security

9 08 2012

When most people think of online security they don’t immediately think of online gaming through popular outlets such as Facebook (i.e. Farmville / Mafia Wars), XBOX Live, Sony PlayStation Network, or Blizzard (World of Warcraft), but the virtual world is ripe for the picking and full of vulnerabilities.  These social media outlets connect people like never before but they also expose a rich new environment for cyber criminals to exploit.  Consumers should be aware of the risks that exist in the virtual world of online gaming so that they can best protect themselves.

Online Gaming Vulnerabilities / Risks:  There are several vulnerabilities that exist in online gaming that can result in loss of confidential consumer information.  These vulnerabilities are as follows along with their associated risks and real world exploitation examples:

  • Account Hosting Vulnerabilities:  Because online gaming is typically a subscription service users must register with the provider and establish an account.  In doing so the user must provide personal information and a credit card to the provider.  This information is kept on the providers hosting environment and is used to pay for the subscription service & to purchase items relevant to the online game.  Many online games also use virtual currency to make transactions within the game, and this currency must be purchased by the user with real world money using a credit card.  Because these online gaming services contain an extremely large user base they make a desirable target for hackers interested in stealing consumers confidential information in order to conduct identity theft.  A prime example of this occurred on April 20, 2011 when the Sony PlayStation Network was hacked.  The attack resulted in theft of 24.6 million PlayStation accounts and 12,700 credit card numbers (Wikipedia, 2012).  From the stolen information it was believed that the hackers were able to obtain user’s confidential information such as names, addresses, birthdates, email addresses, PlayStation Network usernames / passwords, & security questions / answers that could be used in identity theft or fraud (Schreier, 2011).  To make matters worse Sony waited nearly a full week (6 days) before announcing to PlayStation Network users what had occurred and who was affected.  After the intrusion was detected Sony shut down its PlayStation Network for 24 days while they attempted to discover the extent of the damage and repair the vulnerabilities in the network.  The 24 day service outage outraged the Sony PlayStation Network’s 77 million customers and was estimated to cost the company $171 million dollars from lost revenue and untold amounts in reputation damage (Wikipedia, 2012).  Sony claimed that user’s credit card information was encrypted, and account passwords were stored as a hash value but hackers may have been able to decrypt the credit card info while inside the network (Wikipedia, 2012).
  • Social Engineering Vulnerabilities:  Much like traditional online scams.  Online gamers are susceptible to Phishing.  Phishing is a popular form of online game hacking because these criminals know that once they have access to a user’s account they can purchase items or cyber currency using the credit card that is stored on file.  In particular phishing has become a major issue for Microsoft where users have received phishing attempts via email or pop-ups while playing popular titles such as Modern Warfare 2 in an attempt to gain user’s confidential information (Yin, 2011).  Once this information is known a criminal can log onto the target account as the user and purchase items or cyber currency.  In some cases the stolen account information is also sold on the black market.  Microsoft has experienced a large number of compromised accounts and fraud as a result of phishing attempts coupled with an XBOX Live system vulnerability that has been discovered.  It was discovered that a hacker attempting to access an XBOX Live account via the Internet at XBOX.com with a valid email address was returned an error message indicating that either the account ID was invalid or that the account password was incorrect (Pereira, 2012).  With this information the hacker could attempt a brute force attack once the ID was known.  This method was successful because Microsoft failed to lock accounts after a set number of failed logon attempts.  Instead Microsoft would display a CAPTCHA screen after eight failed logon attempts.  CAPTCHA screens display characters only readable by humans that must be typed in to proceed.  The CAPTCHA screen was defeated by hackers by scripting a brute force attack to try less than seven time to crack the password and then to click on an external link.  The external link reset the CAPTCHA counter and the attack could continue (Pereira, 2012).
  • Online Game / Software Vulnerabilities:  Much like traditional application software, online games frequently have software vulnerabilities that can be exploited by hackers for malicious purposes or to wreak havoc on a virtual community.  An example of this was seen in Blizzard’s popular World of Warcraft where a group of hackers called “griefers” found and exploited a vulnerability in the game that allowed malicious players to use a contagious disease called “Corrupted Blood” against other players, causing death.  The disease was only intended to be experienced in a particular portion of the game however game developers failed to limit the affected area of the curse and the hackers were able to exploit this vulnerability with a self-propagation feature to create a plague in the virtual World of Warcraft (Lemos, 2005).  A second example of this in the online gaming world, and a predecessor to “Corrupted Blood” was seen in the Sims 2.  The Sims developer, Will Wright, intentionally added a malicious Trojan horse in the game.  In the game, players were able to purchase a pet guinea pig.  If the player failed to keep the guinea pig’s cage clean and attempted to pet the guinea pig they could be bitten.  Once bitten the player was infected with a contagious virus and would begin sneezing.  The virus could then be spread to nearby players.  If the infected player failed to get sufficient rest the virus would result in death (Markoff, 2000).  Both of these examples show how online game vulnerabilities can be exploited to disrupt game play or to cause mayhem but one could also see how software vulnerabilities could be exploited by hackers for more malicious purposes such as gaining control of an account or finding a backdoor into the system in order to steal confidential information.

Online Gaming Protection:  Clearly the vulnerabilities that exist in online gaming pose a threat to consumers that can lead to fraud or identity theft.  The question remains what can one do online to protect themselves in order to help prevent these issues.  The answer to this question is to abide by the same good access control principles that are recommended for traditional cyber security.

  • Strong IDs / Passwords:  Online gamers should use unique IDs and passwords for online gaming accounts.  Additionally passwords should be strong, greater than 10 characters containing numbers and letters as well as upper and lower cases.  Passwords should also be changed on a predefined frequency (Trendmicro, 2012).
  • Virus Protection / O/S Patches:  Usersgaming from a PC should always ensure that they are running up to date virus protection and current operating system patches (Trendmicro, 2012).
  • Never Share Credentials:  Online gaming users should never share credentials with other users or supply credentials to individuals claiming to work for the parent game hosting company (XBOX.com, 2012).
  • Avoid Suspicious Emails or Pop-ups:  Online gaming users should be suspicious of pop-ups or emails requesting confidential information.  Many of these are phishing attempts by hackers (Trendmicro, 2012).
  • Use Secured Networks:  Online gaming users should never play online using an unsecured Wi-Fi connection.  Users should utilize a Wi-Fi connection that utilizes WPA or WPA2 security.  Additionally online PC gamers should ensure that they are connected to the host site with a secure SSL connection as indicated by HTTPS in order to ensure their data in transit is encrypted (Trendmicro, 2012).
  • Credit vs. Debit:  When establishing an online gaming account, users should opt to use a credit card over a debit card in order to avoid responsibility should any fraudulent activity occur (Trendmicro, 2012).

Conclusion:  The world of online gaming is full of vulnerabilities that can be exploited by hackers and is a highly desirable target due to the exceedingly large number of users.  As shown by the Sony PlayStation Network case the consumer is at the mercy of the provider to ensure that personal information is kept confidential and vulnerabilities are reported in a timely manner.  However the consumer can still take certain precautions as outlined above in order to help protect their personal information’s confidentiality and integrity.

 _____________

Cummings, A. (2012, June). 95-752 Information Security Management. Lectures 1-4. Pittsburgh, Pennsylvania, USA.

Lemos, R. (2005, September 9). Digital plague hits online game World of Warcraft. Retrieved June 27, 2012, from SecurityFocus: http://www.securityfocus.com/news/11330

Markoff, J. (2000, April 27). Something Is Killing the Sims, and It’s No Accident. Retrieved June 27, 2012, from The New York Times: http://partners.nytimes.com/library/tech/00/04/circuits/articles/27sims.html

Pereira, C. (2012, January 1). Is Xbox.com to Blame for Frequent Xbox Live Account Hacks? Retrieved June 27, 2012, from 1up.com: http://www.1up.com/news/xbox-com-security-loophope-hacks

Pfleeger, C. P. (2009). Security in Computing. Upper Saddle River, NJ: Prentice Hall.

Schreier, J. (2011, April 26). PlayStation Network Hack Leaves Credit Card Info at Risk. Retrieved June 6, 2012, from Wired.com: http://www.wired.com/gamelife/2011/04/playstation-network-hacked/

Trendmicro. (2012, April 1). A simple guide to gaming security. Retrieved June 27, 2012, from Trendmicro.co: http://www.trendmicro.co.uk/media/br/simple-guide-to-gaming-en.pdf

Wikipedia. (2012, June 6). PlayStation Network outage. Retrieved June 6, 2012, from Wikipedia: http://en.wikipedia.org/wiki/PlayStation_Network_outage

XBOX.com. (2012, June 27). Xbox LIVE Account Security Check List. Retrieved June 27, 2012, from XBOX.com: http://www.xbox.com/en-US/Live/Account-Security/Security-Checklist

Yin, S. (2011, April 27). Microsoft Warns of ‘Modern Warfare 2’ Phishing Attacks. Retrieved June 27, 2012, from PCMag.com: http://www.pcmag.com/article2/0,2817,2384395,00.asp

 

Advertisements

Actions

Information

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s




%d bloggers like this: