Online Gaming: Real Money, Real Threats

30 11 2012

by A.J. Holton

Background

Today millions of people across the world join together over the Internet to immerse themselves in the virtual world of gaming.  MMORPGs (Massively Multiplayer Online Role Playing Games) are the top guns of the industry, boasting millions of subscribers worldwide.  “New World of Warcraft® expansion sells 2.7 million copies in first week — global subscriber base passes 10 million” (“Alliance and Horde Armies”). This is a game which has been out for eight years, and it still has many subscribers paying roughly $15 a month for service.  Games like Blizzard’s World of Warcraft are constantly being exploited through cheats and account hacking.  Guild Wars 2 was released in late August 2012 and had account-security problems on launch day, with more than 11,000 accounts compromised through malware on players’ machines (Parrish). Account compromise appears to go hand in hand with the third-party services that modify and trade accounts. The Guardian reported on Chinese prisoners who were forced to play the game so that their output could be sold for real profit (Vincent).  So as you can see, there is definitely a market for the willing adversary.  The focus here is on Blizzard, as I am most experienced with their games and the company is the biggest and most newsworthy.  However, security applies to all online games, especially those of the MMORPG variety.  What I aim to discuss is the implementation of what is called a Real Money Auction House, but first I must explain the security measures already in place.

Security Measures

Overall, MMORPG security issues have been growing, forcing companies like Blizzard to come up with ways to counteract them.  “The Battle.net Mobile Authenticator is an optional tool that offers Battle.net account users an additional layer of security to help prevent unauthorized account access” (“Battle.net Authenticator”); Battle.net is Blizzard’s game client and account service.  The authenticator was needed to help Blizzard deal with the volume of account compromises going on.  It works as a second factor: the user’s device and Blizzard share a secret, and each side derives from it a short-lived one-time code that changes roughly every minute, so a stolen password alone is no longer enough to log in (“Battle.net Authenticator”). Another security measure is client-side anti-cheat software such as Blizzard’s Warden.  This software collects information from your RAM, hard drive, CPU, IP address, operating system and more “FOR PURPOSES OF IMPROVING THE GAME AND/OR THE SERVICE, AND TO POLICE AND ENFORCE THE PROVISIONS OF ANY BLIZZARD AGREEMENT” (“World of Warcraft Terms of Use”). Measures this intrusive are a sign of how severe the problem has become.  We would expect companies like Blizzard to continue making games safer, but sometimes money is more important in the end.
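
How a time-based one-time code of the kind the authenticator produces actually works, as an added example that is not Blizzard’s code or part of the original post: the shared secret and the current time step go through HMAC (RFC 6238 TOTP), and the server accepts a code only within a narrow window and only once. The secret is the RFC’s own test-vector value and the 30-second step is the RFC default; both are assumptions for the demo, not details of the Battle.net authenticator.

```python
import hashlib
import hmac
import struct

# Secret from the RFC 6238 test vectors (a constructed demo value; a real
# authenticator receives its own secret at enrolment, usually base32-encoded).
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30   # assumed time step (the RFC default); the real token may differ
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238: the HOTP counter is the number of whole time steps since the Unix epoch."""
    return hotp(secret, at // step)


def verify_totp(secret, candidate, at, last_counter=None, step=STEP_SECONDS, window=1):
    """Server-side check. Accepts the current step and `window` steps either side
    (clock drift), compares in constant time, and refuses any counter at or below the
    last one accepted, so a code captured by malware cannot be replayed inside its
    window. Returns (accepted, counter_to_remember_for_this_user)."""
    if len(candidate) != DIGITS or not candidate.isdigit():
        return False, last_counter
    now_counter = at // step
    for delta in range(-window, window + 1):
        counter = now_counter + delta
        if last_counter is not None and counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), candidate):
            return True, counter
    return False, last_counter


if __name__ == "__main__":
    code = totp(DEMO_SECRET, 59)                     # RFC vector 94287082, 6-digit form
    ok, last = verify_totp(DEMO_SECRET, code, 59 + 25)
    replay, _ = verify_totp(DEMO_SECRET, code, 59 + 25, last_counter=last)
    print("code:", code, "accepted:", ok, "replay accepted:", replay)
```

The `last_counter` value has to be stored per account; without it a code phished and forwarded within the same minute still works, which is exactly the attack malware on the player’s machine would attempt.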

Real Money Auction House?

Yes, Blizzard’s Diablo III came with a new, experimental RMAH (Real Money Auction House) which allows users to purchase in-game items on the auction house with real currency.  In an auction house users can purchase anything from equipment to collectables.  With the RMAH, you no longer need to spend countless hours collecting materials for in-game currency to purchase items.  All you have to do is enter your credit card number and the transaction is processed almost instantaneously.  I believe this was a bit too ambitious for Blizzard, as security was already compromised frequently.   “This week, our security team found an unauthorized and illegal access into our internal network here at Blizzard”, taken from the Blizzard website, September 2012 (“Important Security Update”). Access to Blizzard’s database would put a great many account credentials, and potentially stored payment details, in an adversary’s hands.  Blizzard takes a cut from the RMAH: when a player makes a sale, Blizzard takes 15% off the top of the sale price (“Diablo III Auction House”). I think it almost goes without saying that the RMAH could be a very lucrative business for a skilled adversary to get into.  Unless every transaction is validated on the server, it could be possible to alter transactions or redirect funds to attacker-controlled accounts.  I can see countless vulnerabilities this new auction house brings to the online gaming world.  Finding ways in code to repeat (replay) a transaction, modify the value of items before or after transactions, reroute money to different accounts, and simple password theft and account fraud are all examples of problems that could arise.  If the problem gets too bad, Blizzard could lose the trusted fan base they have been working so hard to maintain.  There is a story about a player losing $200 dealing with this RMAH, and the FBI even got involved.  They were able to assist and return the user’s money (Usher). This is just one of many problems the implementation has already caused, and the FBI getting involved is nothing to disregard.  
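
The three transaction-handling problems just listed (replaying a purchase, changing the price, rerouting the money) all come from trusting the client, so here they are side by side with a handler that does not, as an added example that is not Blizzard’s code and says nothing about how the real RMAH was built. The in-memory listings, balances and the 15% fee are constructed for the demo; names like `buy_vulnerable`, `buy` and `fresh_state` are this example’s own.

```python
# Constructed in-memory state standing in for the auction-house database.
FEE_PERCENT = 15   # operator's cut on each sale, as described above


def fresh_state():
    return {
        "listings": {"lst-1": {"seller": "alice", "price_cents": 1000, "sold": False}},
        "balances": {"alice": 0, "bob": 5000, "mallory": 0, "house": 0},
        "processed": {},   # idempotency key -> receipt, used by the hardened handler
    }


def buy_vulnerable(state, buyer, listing_id, price_cents, payee):
    """Trusts the price and the payee the client sends and never marks the listing
    sold: the request can be replayed, the price can be set to one cent, and the
    payout can be pointed at any account."""
    bal = state["balances"]
    if bal[buyer] < price_cents:
        raise ValueError("insufficient funds")
    fee = price_cents * FEE_PERCENT // 100
    bal[buyer] -= price_cents
    bal[payee] += price_cents - fee
    bal["house"] += fee
    return {"listing": listing_id, "paid": price_cents, "to": payee}


def buy(state, buyer, listing_id, idempotency_key):
    """Price and payee come from the server's own listing record, the listing is
    consumed exactly once, and a replayed request (same key) gets the original
    receipt back without a second charge."""
    processed = state["processed"]
    if idempotency_key in processed:
        return processed[idempotency_key]
    listing = state["listings"].get(listing_id)
    if listing is None or listing["sold"]:
        raise ValueError("listing unavailable")
    price, seller = listing["price_cents"], listing["seller"]
    if price <= 0 or seller == buyer:
        raise ValueError("invalid sale")
    bal = state["balances"]
    if bal[buyer] < price:
        raise ValueError("insufficient funds")
    fee = price * FEE_PERCENT // 100
    bal[buyer] -= price
    bal[seller] += price - fee
    bal["house"] += fee
    listing["sold"] = True
    receipt = {"listing": listing_id, "paid": price, "to": seller, "fee": fee}
    processed[idempotency_key] = receipt
    return receipt


if __name__ == "__main__":
    s = fresh_state()
    print(buy_vulnerable(s, "bob", "lst-1", 1, "mallory"), s["balances"])
    s = fresh_state()
    print(buy(s, "bob", "lst-1", "key-1"), buy(s, "bob", "lst-1", "key-1"), s["balances"])
```

In a real system the body of `buy` must run as one database transaction, with the “not yet sold” check and the `sold = True` update done atomically (a row lock or a conditional update), otherwise two concurrent requests can both pass the check and the replay comes back through a race instead of a resent request.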
We need to take a look at Blizzard’s perspective to better understand their reasoning behind creating a RMAH.

Blizzard’s perspective is largely profit driven; however, the RMAH does offer a service to players.  Instead of buying and selling items through third parties, which are usually the main culprit behind compromised accounts, players trade through Blizzard’s own marketplace (Heartbourne). When looking at it from this perspective, it doesn’t seem so bad.  This would actually help cut down on account hacking and make Blizzard big profits in the end.  I think using the RMAH as a “security device” is brilliant and could really bring about a new age of gaming, if successful.  I have not found sufficient numbers to determine the success of the RMAH in Diablo III, as sadly I think the game died out much too quickly.  If games continue with this trend, the whole system could be compromised by an adversary getting into the company database.  If they do not implement this, there will still be a demand for purchasing items with real money from third parties (possibly leading to user account exploitation).  It is a tough decision, but I would opt for the RMAH because it has a high profit margin for the company and reduces user attacks.  I would put more resources into keeping my company’s systems secure, whereas I do not have as much control over the user’s account.  All in all, there will always be a market for adversaries in the online gaming realm.  Blizzard will remain a key innovator in the industry and it will be exciting to see if other companies start to follow suit. I would like to hear other people’s thoughts and comments on whether a system such as this is a good or bad idea for the future of online gaming.

__________

Vincent, Danny (in Beijing). “China Used Prisoners in Lucrative Internet Gaming Work.” The Guardian. Guardian News and Media, 25 May 2011. Web. 1 Nov. 2012. <http://www.guardian.co.uk/world/2011/may/25/china-prisoners-internet-gaming-scam>.

Blizzard. “Alliance and Horde Armies Grow with Launch of Mists of Pandaria.” Blizzard.com. Blizzard Entertainment, 4 Oct. 2012. Web. 15 Oct. 2012. <http://eu.blizzard.com/en-gb/company/press/pressreleases.html?id=6147208>.

Blizzard. “Battle.net Mobile Authenticator FAQ.” Battle.net. Blizzard Entertainment, n.d. Web. 25 Oct. 2012. <https://us.battle.net/support/en/article/battle-net-mobile-authenticator-faq>.

Blizzard. “Diablo III Auction House.” Battle.net. Blizzard Entertainment, n.d. Web. 26 Oct. 2012. <https://us.battle.net/support/en/article/diablo-iii-auction-house-general-information>.

Blizzard. “Important Security Update.” Blizzard.com. Blizzard Entertainment, n.d. Web. 26 Oct. 2012. <http://us.blizzard.com/en-us/securityupdate.html>.

Blizzard. “World of Warcraft Terms of Use.” Blizzard.com. Blizzard Entertainment, n.d. Web. 25 Oct. 2012. <http://us.blizzard.com/en-us/company/legal/wow_tou.html>.

Heartbourne. “Diablo III Real Money Auction House: Analysis of Fees, Market Forces, and Strategy.” Lorehound.com. N.p., n.d. Web. 26 Oct. 2012. <http://lorehound.com/news/diablo-iii-real-money-auction-house-analysis-of-fees-market-forces-and-strategy-part-2/>.

Parrish, Kevin. “Guild Wars 2 Accounts Hacked Immediately After Launch.” Tom’s Hardware. Tom’s Hardware, 8 Sept. 2012. Web. 20 Oct. 2012. <http://www.tomshardware.com/news/ArenaNet-Guild-Wars-2-MMOG-PC-Gaming-Hacking,17455.html>.

Usher, William. “Gamer Loses $200 Due To Diablo 3’s RMAH Region Restrictions.” Cinemablend.com. Gaming Blend, n.d. Web. 19 Oct. 2012. <http://www.cinemablend.com/games/Gamer-Loses-200-Due-Diablo-3-RMAH-Region-Restrictions-44123.html>.

The Future of Gaming… Security

9 08 2012

When most people think of online security they don’t immediately think of online gaming through popular outlets such as Facebook (e.g. FarmVille, Mafia Wars), XBOX Live, the Sony PlayStation Network, or Blizzard (World of Warcraft), but the virtual world is ripe for the picking and full of vulnerabilities.  These platforms connect people like never before, but they also expose a rich new environment for cyber criminals to exploit.  Consumers should be aware of the risks that exist in the virtual world of online gaming so that they can best protect themselves.

Online Gaming Vulnerabilities / Risks:  Several vulnerabilities exist in online gaming that can result in the loss of confidential consumer information.  They are described below along with their associated risks and real-world examples of their exploitation:

  • Account Hosting Vulnerabilities:  Because online gaming is typically a subscription service, users must register with the provider and establish an account.  In doing so the user must provide personal information and a credit card to the provider.  This information is kept in the provider’s hosting environment and is used to pay for the subscription and to purchase items relevant to the game.  Many online games also use virtual currency for transactions within the game, and this currency must be purchased by the user with real-world money using a credit card.  Because these gaming services have an extremely large user base, they make a desirable target for hackers interested in stealing consumers’ confidential information in order to commit identity theft.  A prime example occurred in April 2011, when the Sony PlayStation Network was breached and Sony took the network offline on April 20.  The attack exposed roughly 77 million PlayStation Network accounts, and a related intrusion into Sony Online Entertainment exposed a further 24.6 million accounts and about 12,700 credit card numbers from an outdated database (Wikipedia, 2012).  From the stolen information it was believed that the hackers obtained users’ names, addresses, birthdates, email addresses, PlayStation Network usernames and passwords, and security questions and answers, all of which could be used for identity theft or fraud (Schreier, 2011).  To make matters worse, Sony waited nearly a full week (six days) before announcing to PlayStation Network users what had occurred and who was affected.  After the intrusion was detected Sony shut down the PlayStation Network for 24 days while it attempted to discover the extent of the damage and repair the vulnerabilities in the network.  The 24-day outage outraged the network’s 77 million customers and was estimated to cost the company $171 million in lost revenue, plus untold reputation damage (Wikipedia, 2012).  
Sony stated that credit card data was encrypted and that account passwords were stored as hash values rather than in plaintext, but the attackers may still have been able to obtain card data in decrypted form while inside the network (Wikipedia, 2012).
  • Social Engineering Vulnerabilities:  Much like victims of traditional online scams, online gamers are susceptible to phishing.  Phishing is a popular form of game account hacking because criminals know that once they have access to a user’s account they can purchase items or virtual currency using the credit card stored on file.  In particular, phishing has become a major issue for Microsoft, where users have received phishing attempts via email or pop-ups while playing popular titles such as Modern Warfare 2 (Yin, 2011).  Once the credentials are known, a criminal can log on as the user and purchase items or virtual currency.  In some cases the stolen account information is also sold on the black market.  Microsoft has experienced a large number of compromised accounts and fraud as a result of phishing coupled with a weakness discovered in the XBOX.com login flow.  An attacker entering a valid email address at XBOX.com was told specifically whether the account ID was invalid or the password was incorrect (Pereira, 2012), so the login form doubled as a username-enumeration oracle: once an ID was confirmed to exist, the attacker could brute-force its password.  This worked because Microsoft did not lock accounts after a set number of failed logon attempts; it merely displayed a CAPTCHA after eight failures.  CAPTCHA screens display distorted characters meant to be readable only by humans, which must be typed in to proceed.  Attackers defeated it by scripting the brute force to stop short of the threshold (fewer than seven tries), then requesting an external link that reset the CAPTCHA counter, after which the attack continued (Pereira, 2012).  The counter, in other words, was something the attacker’s own requests could clear, rather than a lockout tied to the account under attack.
  • Online Game / Software Vulnerabilities:  Much like traditional application software, online games frequently have software vulnerabilities that can be exploited for malicious purposes or to wreak havoc on a virtual community.  An example was seen in Blizzard’s popular World of Warcraft, where players known as “griefers” found and exploited a flaw that let them turn a contagious debuff called “Corrupted Blood” loose on other players, killing them.  The debuff was only meant to be encountered inside one particular dungeon, but the developers failed to confine its effect to that area; because it spread by proximity, once it was carried out of the dungeon it propagated through the game world as a plague (Lemos, 2005).  An earlier example, and a predecessor to “Corrupted Blood”, was seen in The Sims.  Its designer, Will Wright, deliberately built in what Markoff describes as a Trojan horse: players could buy a pet guinea pig, and if a player let its cage get dirty and then petted it, the Sim could be bitten, become infected with a contagious virus and begin sneezing.  The virus could then spread to other Sims nearby, and an infected Sim who did not get sufficient rest would die (Markoff, 2000).  Both of these examples show how game vulnerabilities can be exploited to disrupt play or cause mayhem, but one can also see how software vulnerabilities could be exploited for more serious purposes, such as gaining control of an account or finding a backdoor into the system in order to steal confidential information.
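
The two XBOX.com weaknesses described under social engineering above, the account-existence oracle and the client-resettable CAPTCHA counter, beside a login handler that closes both, as an added example that is not Microsoft’s code and is not taken from Pereira’s article. The user table, salt, word list and the scripted “guess, reset, continue” attacker are constructed for the demo, the PBKDF2 iteration count is lowered for speed, and the class and function names are this example’s own.

```python
import hashlib
import hmac

# Constructed demo credential store. Iteration count lowered for demo speed;
# production code uses a proper KDF setting (or argon2/scrypt).
SALT = b"constructed-demo-salt"
ITERATIONS = 10_000


def pw_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS)


USERS = {"gamer@example.com": pw_hash("correct-horse-battery")}
DUMMY_HASH = pw_hash("not-a-real-password")   # hashed for unknown accounts so timing is uniform

# Constructed guess list; the real password is the ninth entry.
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon", "monkey",
            "shadow", "master", "correct-horse-battery"]


class VulnerableLogin:
    """The behaviour described above: the error reveals whether the account exists,
    and the CAPTCHA counter lives in a per-session bucket an unrelated request resets."""
    CAPTCHA_AFTER = 8

    def __init__(self):
        self.failures = {}

    def visit_other_page(self, session):
        self.failures[session] = 0          # the 'external link' that cleared the counter

    def login(self, session, email, password):
        if email not in USERS:
            return "invalid account id"     # enumeration oracle
        if self.failures.get(session, 0) >= self.CAPTCHA_AFTER:
            return "captcha required"
        if hmac.compare_digest(pw_hash(password), USERS[email]):
            self.failures[session] = 0
            return "ok"
        self.failures[session] = self.failures.get(session, 0) + 1
        return "incorrect password"


class HardenedLogin:
    """One generic error, a per-account counter kept on the server, and a lockout
    that no client action can clear."""

    def __init__(self, max_attempts=5, lockout_seconds=900):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.state = {}                     # email -> (failed_count, locked_until)

    def login(self, email, password, now):
        count, locked_until = self.state.get(email, (0, 0))
        if now < locked_until:
            return "invalid credentials"    # locked: same answer even for the right password
        stored = USERS.get(email, DUMMY_HASH)
        if hmac.compare_digest(pw_hash(password), stored) and email in USERS:
            self.state.pop(email, None)
            return "ok"
        count += 1
        if count >= self.max_attempts:
            count, locked_until = 0, now + self.lockout_seconds
        self.state[email] = (count, locked_until)
        return "invalid credentials"


def attack_vulnerable(site, email, wordlist, reset=True):
    """Scripted guessing as described: stay under the CAPTCHA threshold, then hit the
    resetting link and carry on. Returns the recovered password or None."""
    session = "attacker-session"
    for i, guess in enumerate(wordlist):
        if reset and i and i % 7 == 0:
            site.visit_other_page(session)
        if site.login(session, email, guess) == "ok":
            return guess
    return None


def attack_hardened(site, email, wordlist, start=0):
    """Same word list against the hardened handler; one guess per simulated second."""
    for now, guess in enumerate(wordlist, start=start + 1):
        if site.login(email, guess, now) == "ok":
            return guess
    return None


if __name__ == "__main__":
    print("vulnerable:", attack_vulnerable(VulnerableLogin(), "gamer@example.com", WORDLIST))
    print("hardened:  ", attack_hardened(HardenedLogin(), "gamer@example.com", WORDLIST))
```

Two points the hardened version makes that the text only implies: the unknown-account path still runs the password hash, so response time does not leak whether the account exists; and the lockout is keyed by the account, so it holds no matter how many sessions or CAPTCHA pages the attacker cycles through. A lockout that only the attacker can trigger is itself a denial-of-service lever against the legitimate owner, which is why real systems prefer escalating delays, IP reputation and a second factor over a hard lock.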

Online Gaming Protection:  Clearly the vulnerabilities that exist in online gaming pose a threat to consumers that can lead to fraud or identity theft.  The question remains what one can do to protect oneself against these issues.  The answer is to follow the same good access control principles that are recommended for traditional cyber security.

  • Strong IDs / Passwords:  Online gamers should use unique IDs and passwords for gaming accounts, never reusing a password from another site.  Passwords should be strong: longer than 10 characters and mixing numbers with upper- and lower-case letters.  Passwords should also be changed on a predefined schedule (Trendmicro, 2012), though current guidance such as NIST SP 800-63B no longer recommends rotation on a fixed schedule unless compromise is suspected; a unique password per site plus a second factor does more than rotation alone.
  • Virus Protection / OS Patches:  Users gaming from a PC should always ensure that they are running up-to-date virus protection and current operating system patches (Trendmicro, 2012).
  • Never Share Credentials:  Online gaming users should never share credentials with other users or supply credentials to individuals claiming to work for the parent game hosting company (XBOX.com, 2012).
  • Avoid Suspicious Emails or Pop-ups:  Online gaming users should be suspicious of pop-ups or emails requesting confidential information.  Many of these are phishing attempts by hackers (Trendmicro, 2012).
  • Use Secured Networks:  Online gaming users should never play over an open (unencrypted) Wi-Fi connection.  Users should connect over Wi-Fi protected with WPA2 (the original WPA is obsolete and should be avoided where WPA2 is available).  Additionally, online PC gamers should ensure that they are connected to the host site over TLS, indicated by HTTPS and a valid certificate, so that their data in transit is encrypted (Trendmicro, 2012).
  • Credit vs. Debit:  When establishing an online gaming account, users should opt for a credit card over a debit card in order to limit their liability should any fraudulent activity occur (Trendmicro, 2012).

Conclusion:  The world of online gaming is full of vulnerabilities that can be exploited by hackers, and it is a highly desirable target because of its exceedingly large number of users.  As the Sony PlayStation Network case shows, the consumer is at the mercy of the provider to keep personal information confidential and to report breaches in a timely manner.  However, the consumer can still take the precautions outlined above to help protect the confidentiality and integrity of their personal information.

 _____________

Cummings, A. (2012, June). 95-752 Information Security Management. Lectures 1-4. Pittsburgh, Pennsylvania, USA.

Lemos, R. (2005, September 9). Digital plague hits online game World of Warcraft. Retrieved June 27, 2012, from SecurityFocus: http://www.securityfocus.com/news/11330

Markoff, J. (2000, April 27). Something Is Killing the Sims, and It’s No Accident. Retrieved June 27, 2012, from The New York Times: http://partners.nytimes.com/library/tech/00/04/circuits/articles/27sims.html

Pereira, C. (2012, January 1). Is Xbox.com to Blame for Frequent Xbox Live Account Hacks? Retrieved June 27, 2012, from 1up.com: http://www.1up.com/news/xbox-com-security-loophope-hacks

Pfleeger, C. P. (2009). Security in Computing. Upper Saddle River, NJ: Prentice Hall.

Schreier, J. (2011, April 26). PlayStation Network Hack Leaves Credit Card Info at Risk. Retrieved June 6, 2012, from Wired.com: http://www.wired.com/gamelife/2011/04/playstation-network-hacked/

Trendmicro. (2012, April 1). A simple guide to gaming security. Retrieved June 27, 2012, from Trendmicro.co: http://www.trendmicro.co.uk/media/br/simple-guide-to-gaming-en.pdf

Wikipedia. (2012, June 6). PlayStation Network outage. Retrieved June 6, 2012, from Wikipedia: http://en.wikipedia.org/wiki/PlayStation_Network_outage

XBOX.com. (2012, June 27). Xbox LIVE Account Security Check List. Retrieved June 27, 2012, from XBOX.com: http://www.xbox.com/en-US/Live/Account-Security/Security-Checklist

Yin, S. (2011, April 27). Microsoft Warns of ‘Modern Warfare 2’ Phishing Attacks. Retrieved June 27, 2012, from PCMag.com: http://www.pcmag.com/article2/0,2817,2384395,00.asp