
GamesBeat: Why are we talking about digital security in gaming? What’s the imperative?
Singer: Why are we talking about digital security? Because money. Gamers are a niche demographic. They’re known for spending a lot of money. Their financial status has made them tempting targets. Then you add on top of that that this industry is increasingly moving from physical to digital, to subscription-based services. That makes it more and more — you combine that with collecting a lot of PII and it’s just a really tempting target.
It’s also becoming more and more broadly known as gaming seeks to become one of the primary forms of media consumption as entertainment out there. If you look at how game companies are positioning themselves, you see — someone does $600 million in sales on the opening weekend of their game, and in a press release they compare that to a recent movie opening. “We did twice as much as they did.”
As the industry seeks to go increasingly digital, to collect more information, to collect recurring payments and assured revenue, that makes it a really nice target for folks who want a slice of that, but don’t want to participate. More and more credential stuffing attacks, more credential abuse, more things aimed at getting your data and getting your money out of the system.
GamesBeat: It’s no surprise that after Fortnite became a global cultural phenomenon, it also became a great target for hackers to go after. Every now and then we see some kind of story in the news about that.
Singer: Yeah. And if you look on YouTube, you can just watch a video on how to crack a game. You’ll see the discussion there underneath. “Hey, you just posted a 10-minute video on how to hack this game. Isn’t that illegal?” “Yeah, but try calling the police and telling them that someone hacked your Fortnite account.”
Ragan: There were a series of videos that targeted Fortnite directly, from multiple-stage attacks. The video would start off with walking the viewer through conducting SQL injection attacks to obtain fresh credentials from various websites, and then testing them against Fortnite to see if anybody was reusing their usernames and passwords and taking over the accounts from there. Compromised accounts are sold and resold constantly, traded for other things on the market. It’s no surprise that they go after the top targets.
Keep in mind, though, some of the smaller targets are still very viable marks for criminals. The goal is to try to get as many accounts as possible to later target other, bigger things. Somebody who’s reusing their gaming username and password on, say, a streaming media platform, or an email platform, or a social media platform, or heaven forbid a financial platform, all of those things become at risk. It only takes one weak authentication mechanism or weak credential on the gaming side of things, or shared accounts or what have you.
Bower: Outside of the business aspects of this and the money aspects of this, bringing it back to the players, we exist because we are providing them a story and an experience through a game. We’re inspiring them to play. Talking about digital security, our imperative is protecting company assets. For the studios that would be game IP. For the users it circles back to the first question, about how we ensure they remain secure.
I go back to the communication aspect of that. They need to be just as informed. Don’t let an online person saying “Oh, let me help you win that item you want in the game” — making sure they’re aware that those are bad actors who will just go in and compromise their accounts is critical. If we continue the conversations and communicate with the players, they’re loyal to studios. They trust us. We owe them that much in terms of communicating everything to them.

Ragan: I also want to play on — not just that, but something Jonathan touched on earlier about unregulated markets. A lot of gamers and players are targeted as a community, as a whole, because they’re known to be very generous. Not only with their time and their money for charitable causes and things like this — gamers are huge charity drivers — but they’re known to spend money on untested properties or first-run games from independent studios. They love that stuff.
Criminals take advantage of that by offering what appears to be a unique opportunity or a unique thing that lures gamers into an aspect that they weren’t really expecting. You’ll see exclusive game offers for new release titles. You’ll see fake offers for in-game perks or challenges and things like that. That’s how they start sucking them up. They take advantage of the community aspect of that. When we’re doing awareness training or talking about awareness training, that’s also something to be focused on. You’re part of a much larger community, but you have to focus on the herd. You can’t just focus on the individual.
Adams: Also, with training, it’s a good point that — fraudsters tend to go to a place where there’s the least resistance. Back to the point about things like MFA or other security measures, if we don’t do a good job of protecting the game, then fraud will go there because it’s easy. It’s a huge community.
On the other side, like Steve just said, if you think about all the scams out there — you have to remember, a lot of gamers are kids. And games are worldwide now. Every country in the world plays video games. In some countries, the currency might be weak, and so it could be really expensive to play a game. In companies I’ve worked with like Riot and Epic, you’ll see free virtual currency or loaded accounts — when I was at Riot they used to say there would be a Rioter account, unlocked and loaded with all this stuff. It’s so easy to get somebody to come in and take that bait. The good fraudsters would actually deliver for a while. But then pretty quickly you’d discover it was loaded with stolen credit cards to create all that stuff, and then you’d get shut down.
A really good way to protect the players from that, beyond technology, is what Steve said. It’s a lot of education, making sure players know that there’s only one place to buy currency for your game. Or if there’s more than one place, make sure it’s really easy to tell what’s legitimate and what’s not. If gamers know that, that makes it easier, but it’s still going to be tempting, so you have to have the technology to back it up as well.
GamesBeat: It might make you wish your game company stayed nice and small, so you could avoid all these people.
Adams: It was so much easier when it was all in boxes. But now that it’s online — it’s a lot more fun, the technology is awesome, but that opens a lot of doors. We have to make sure that we take responsibility and protect those.
GamesBeat: We’ll move on to the results of our live audience poll here. We asked the question, “How confident are you in defending your game and players from online security threats?” It looks like 12 percent of our audience here says they have top-notch protection in place. 75 percent say they have some good measures in place, but there’s room for improvement. 12 percent say there’s a lot more to do. Is anybody surprised at those results?

Ragan: I’m not surprised at all. That’s actually a very healthy mindset to have. You have some good stuff in place, but there’s always room for improvement. That’s a very stable mindset to have in security, especially when you’re dealing with an attack surface that’s wide and diverse and contains multiple little cracks and crevices that criminals love to poke at. I like that.
Adams: I’d like to know who has top-notch protection. Things change so fast in this industry that even top-notch — I think you can have top-notch security, but you should still realize that there is always room for improvement.
Bower: As technology is changing, we are also chasing new advancements in how to address those technologies.
Singer: Similarly, I’m not surprised by this. The game industry is no stranger to security and all the problems that they’ve been encountering over the last decade. I’ve met with a lot of companies and they’ve hired some brilliant security folks to do a lot of work building their own solutions. You’re starting to really see it.
If you look at Riot’s 10-year anniversary announcements, they talked about their upcoming shooter. They’re saying, “We’re building anti-cheat into this.” When that’s a way that a major game studio is going to market and talking to their consumer base — “We’re building this into our game, building this into our product. We want it to be a secure experience for you.” — you know that there’s a lot of industry focus on it. You know that the player community has responded enough that they’re ready for this.
Going back to everything we were talking about earlier, about building trust with your players and making them a part of your security solution, educating them and helping them to be more secure, the player base is ready for that too. It puts everyone listening to this webinar in a good position, because your key customers want to be part of the solution.
Adams: When I was at Riot — I can tell you that I still really love that company, and that’s one of the things I love about them. The vast majority of their decisions are player-focused. That’s what we all need to be, really. As far as the new games, they definitely, as they started to develop those — they were talking about security. I was still there at the time some of these started. We were already talking about it.
As I said at the very beginning, we have to start the development process with the idea that we have to be secure. If you don’t, you really can’t do it. You can’t be secure if you don’t have that mindset to start.
Singer: As a community, the game industry needs to come together and work, as Steve said earlier, to protect the herd. We’ve been talking about herd immunity as a way of thinking about how we need to act as a games community and as a community of both publishers and developers and platform holders and players. How do we work together to make sure we let people have fun?
Ragan: There’s an important caveat that needs to be pointed out, though. The earlier mention of Fortnite is a great example of this. When we talk about protecting the herd, when we talk about protecting gamers and building things in and making the gamers a part of the security solutions, I think we also need to keep in mind the demographic of the players themselves.
A 20-something is going to look at security from one way and adopt security training and models one way, but a 50-something is going to do it differently. A preteen is going to be completely different than anybody you’ve ever expected. They inherently have more technical savvy. I know it’s an old adage — oh, the kids are so smart about the gizmos and the widgets now — but the younger generations adapt quicker to security changes and models without any kind of fuss. They just want to play their game. It’s all they care about.
But at the same time, the younger generations are also susceptible to very common scams that a lot of us older folks are used to. We’ve seen them in other places before. This is all still new to them. You have to adjust your models to address the differences and the needs within the herd, not just overall. It’s not a silver bullet type of situation.

GamesBeat: We have our second live audience poll here. What is your biggest concern when it comes to online threats? Is it keeping up with evolving threats, losing the trust of your users and tarnishing your brand, or taking a financial hit? Our audience can start mulling that over as we move on to more questions. What are the trends we’re seeing in terms of threats today?
Ragan: I’ve been doing trending for gaming threats now since our last report in preparation for the next report on gaming. Right now the trends are going toward straight account takeovers. There’s been a couple of new titles that have come out over the last couple of months, and people are trying to get in on that bandwagon. Fortnite just launched season two. That put them back in the spotlight. A couple of gaming platforms are hot commodities for account trading and account takeovers. The goal is data collection.
Some accounts are being taken over just to trade for the goodies in the account: custom skins, unlocked characters, things like that. The accounts are being traded and sold just for that. Ban evasion and ban avoidance is another goal of some of these acts, just to get around — players have been kicked off, so they steal someone else’s account so they can log in and play the game. And then there’s personal and financial information. Some accounts have payment details, PayPal accounts, things like that tied to their account. Being able to take that over gives a criminal access to financial resources that wouldn’t otherwise be available. There’s a number of trends going on, but the primary one is just straight account takeover.
Bower: Coming from the developer side, the studio side, it’s really important to leverage partnerships you have with other studios to discuss trends that you’re seeing internally with your games and your services. As we talked about previously, with advancements in technology, things are rapidly improving. Online services are being attacked by hackers in every industry. It’s important to be planning development strategies around security from day one.
And more importantly, you can’t lose sight of those risks once your game has launched. The people who are trying to game the system, they’re looking for ways to manipulate your game. With every deployment, every launch, every update, there’s potential for risk there. They’re going to be looking for ways to get into the game.
Singer: Obviously there is some information sharing. Before I make my statement, I want to turn a quick question back to you. Obviously you deal with other studios on a regular basis and talk to them about this stuff. How amenable have you found other folks in the industry to having those kinds of discussions?