7 Ways Gaming Companies Can Battle Cybercrime on Their Platforms
Balancing gameplay and security can drive down risks and improve gamers' trust and loyalty. Check out this slideshow for how.
December 9, 2022
![Kids wearing gaming headsets](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/bltf8ce23ac50204f32/64f1563dbe1983a4afd9914e/gamerkid-littlewolf1989-AdobeStock.jpeg?width=700&auto=webp&quality=80&disable=upscale)
Source: littlewolf1989 via AdobeStock
As money keeps flowing into the gaming industry — particularly with the boom in NFTs and valued in-game items — the video game world is fully within cybercriminal crosshairs. Recent reports show that attacks against gaming brands and player accounts are at an all-time high, with attacks rising by as much as 167% in the last year.
Security experts believe that gaming industry attitudes toward cybersecurity are still in the adolescent stage of development. The following are some of the ways that the companies in this industry can work to improve the risk posture of their gaming platforms.
And for more detail on cybersecurity in the gaming industry, check out Dark Reading's recent industry spotlight.
Earlier this year, hackers breached personally identifiable data of more than 69 stolen accounts held by gamers of the Neopets franchise.
An online virtual pet platform with numerous minigames used to earn pets and pet accessories, Neopets has been around for decades and boasts a healthy in-game economy.
And yet, the breach uncovered the fact that the platform was operating without some very basic security controls in place, explains Ian McShane, vice president of Arctic Wolf and a former Gartner analyst.
"Jumpstart, the educational gaming company that owns Neopets, did not implement multifactor authentication — a bare-minimum security measure that's been in use for more than a decade — until after the publicized breach," McShane says. "Although the Neopets event isn't entirely unique, since we've seen this issue across the entire gaming industry, the severe impact of this incident highlights the gravity of this topic."
According to Jonathan Shroyer, chief customer experience innovation officer at Arise Gaming, most game companies are still behind the times with authentication, primarily relying on usernames and passwords.
"Most games do not require [users to have] two-factor authentication or other security measures," Shroyer says.
Games are huge targets for account takeover fraud. Even with strong MFA and automated anti-fraud technology in place to combat this, gaming companies can only do so much to stem the tide of scams without active participation from their user communities.
Experts say that gaming companies need to do a better job of educating users about the types of scams they might face and why they need to be wary about their account details.
"It seems simple, but you'd be surprised how easy it can be to get someone to hand over enough information to break into their account," says Max Podkidkin, co-founder and CEO of BisectHosting, a gaming server hosting technology company.
He adds, "This reminds me of when many years ago scammers used to join Minecraft servers and tell the owner that they are from Planet Minecraft — a popular Minecraft content website — and these owners would hand these people operator-level permissions who would then proceed to destroy their server's world."
Game developers also need to account for the naivete of youth in their game and user design, experts say.
The gaming audience skews young, with a lot of users who are not yet old enough to be wary of "too good to be true" offers from scammers and fraudsters. As such, a younger audience is easier to trick into handing over secure information, no matter how secure their accounts actually are.
Similarly, no amount of education is going to make a young (or even old) audience impervious to clever social engineering attacks. This is why game development teams should be creating interactions that make their users make good choices, says Julie Tsai, a security consultant and former head of security for Roblox.
"You want to create technology that either encourages or only allows users to make good choices or makes it impossible or difficult for other people to compel them to make bad choices," Tsai says. "For example, to protect kids you might make a very simple set of options, where kids below a certain age don't have any purchasing authority or where parents can set parameters for how they interact with a game or account."
For example, parents can say, "I'm comfortable with my kid spending up to their allowance amount on this range of items."
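The kind of control Tsai describes can be enforced server-side as a default-deny purchase check. The sketch below is an added example, not code from the article or from any platform it names; the age thresholds, category names, and all function and class names are assumptions made for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

# Assumed thresholds for illustration; the article names no specific ages.
NO_PURCHASE_BELOW_AGE = 10
ADULT_AGE = 18

@dataclass(frozen=True)
class ParentalPolicy:
    allowance: Decimal             # spending cap per allowance period, set by the parent
    allowed_categories: frozenset  # the "range of items" the parent approved

@dataclass
class Account:
    age: int
    policy: Optional[ParentalPolicy] = None
    spent_this_period: Decimal = Decimal("0")

def authorize(account: Account, category: str, price: Decimal) -> tuple[bool, str]:
    """Server-side check: nothing a child is talked into can widen these limits."""
    if price <= 0:
        return False, "invalid price"
    if account.age >= ADULT_AGE:
        return True, "adult account"
    if account.age < NO_PURCHASE_BELOW_AGE:
        return False, "no purchasing authority at this age"
    if account.policy is None:
        return False, "no parental policy set"  # default deny for minors
    if category not in account.policy.allowed_categories:
        return False, "category not approved by parent"
    if account.spent_this_period + price > account.policy.allowance:
        return False, "exceeds allowance"
    return True, "within parental limits"

def purchase(account: Account, category: str, price: Decimal) -> tuple[bool, str]:
    ok, reason = authorize(account, category, price)
    if ok and account.age < ADULT_AGE:
        account.spent_this_period += price  # only approved spend counts toward the cap
    return ok, reason

def demo() -> list:
    # Constructed sample data: a 10.00 allowance limited to cosmetic items.
    policy = ParentalPolicy(Decimal("10.00"), frozenset({"cosmetics"}))
    kid = Account(age=12, policy=policy)
    return [
        purchase(kid, "cosmetics", Decimal("6.00")),
        purchase(kid, "cosmetics", Decimal("6.00")),  # would total 12.00
        purchase(kid, "loot_box", Decimal("1.00")),
        purchase(Account(age=8, policy=policy), "cosmetics", Decimal("1.00")),
        purchase(Account(age=15), "cosmetics", Decimal("1.00")),
    ]
```

Because a minor's account with no policy is denied outright, a missing or deleted parental setting fails closed rather than open.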
As more and more games encourage community-building and user creativity through third-party content like mods and add-ons, this also introduces risk to the platform. For example, attackers might appeal to users with supposedly free add-ons that are laden with malware.
"We've seen many times that users download add-ons from these sites because they're free; what they don't realize is that most of these add-ons have been modified with malicious code," Podkidkin says. "We've seen anything from code that turns customers' servers into zombie DDoS bots to where their servers start mining cryptocurrency using our hardware. When we see this happen, we do our best to educate them about the dangers of downloading cracked software instead of immediately accusing the customer."
Podkidkin also says that his firm runs all customer servers in separate containers to limit the blast radius of attacks like these. Companies in all sectors of the gaming industry can learn from this, by utilizing network segmentation, containerization and system isolation to protect gaming environments and ecosystems.
As in-game items increasingly have real-world dollar values attached to them, the fraudsters have come out of the woodwork. The one thing going for defenders is that, for the most part, cybercriminals can't make a whole lot of cash from these kinds of scams on a one-off basis. They have to scale up through ample use of bots and automation to make real money.
"They need to make thousands and thousands, if not hundreds of thousands or millions, of attacks to make anything worthwhile from a profit standpoint," explains Kevin Gosschalk, the founder and CEO of Arkose Labs, an anti-bot firm that got its start in the gaming industry and has since expanded its horizons to other verticals.
"But the bulk of video game fraud and video game abuse," he adds, "is largely a technology problem because it happens at scale, and you can build defenses to take away that at-scale component."
The goal should be to make it expensive for bots to operate in that particular gaming platform, thus encouraging them to move to greener pastures elsewhere.
While a lot of the battle against bots and other automated attacks is an engineering problem, Gosschalk does note that crafty phishing attacks and social engineering attacks still require gaming companies to invest in ample content moderation.
This means moderating the content of mods and add-ons, as well as chat and messaging functions within the game and the platform.
Gaming platforms must be able to curb bad behaviors — picked up through automation and manual efforts alike — through banning mechanisms, Shroyer says.
"These don't eradicate the issues, but similar to how Netflix and Hulu curbed illegal movie downloading, these tools have had a similar effect in the gaming space," he adds.
He explains that in order to power these efforts, games companies should be investing in trust and safety teams to "protect both the players' accounts and the game brand, prevent fraud, and instill trust and efficacy with their players."
In addition to battling the bots, some companies are examining other ways to protect in-game assets, including the use of blockchain.
"Many companies are attempting to protect against this by using third-party blockchain wallets, partnering with the platforms to anonymize player data in-game, and leveraging technology to identify bad behavior," Shroyer says. "With the increasing interest in metaverse and blockchain gaming, we are seeing a natural desire for digital ownership for the players and this will illuminate more opportunities for companies to find new ways to protect against fraud, theft, and other bad actors."