
Endpoint

12/9/2016 11:00 AM
Matthew Cook
Commentary

Why Video Game Publishers Must Adopt Enforceable Security Standards

Video games have been under attack at an unprecedented rate since 2012, with cyber criminals playing an increasingly significant role.

The video game industry’s business model has changed significantly over the past 20 years. In the 1990s, video game publishers sold physical cartridges for $30 to $60 each, making it easy to forecast revenue. In the early 2000s, the Internet paved the way for video games to move online, expanding the revenue stream by introducing monthly subscription fees. Around 2009, the business model changed forever when video game publisher Zynga established micro-transactions. This led to the "freemium" model in which gameplay became free, with revenue driven primarily from in-game purchases of virtual items and virtual currency.

Overall, the evolution of the video game business model has been beneficial for players and lucrative for publishers. In fact, analysts project the industry to surpass $100 billion in annual revenue in 2017. However, success often comes with unintended consequences. For the video game industry, these consequences come in the form of cyber attacks in which hackers have followed the money from banks and big box retailers to online video games.

Cyber attacks on video games now an epidemic
Recently, Trend Micro issued a report on the cybercriminal roots of selling online gaming currency. The report concludes that, "the increase in cybercriminal activity related to online games can be attributed to the huge potential for revenue, the ease of hacking a game account, and the lack of severe penalties or criminal prosecution for such cybercrimes."

Since 2012, video games have been attacked at an unprecedented pace. One of the most notable video game hacks targeted the highly popular League of Legends, published by Riot Games. From 2012 to 2014, the game was compromised, exposing tens of millions of user records to cyber criminals. In late 2015, one of the world’s largest online video game platforms, Steam, admitted that 77,000 of its gamer accounts are hacked every month through specialized malware called Steam Stealer. Just a few months ago, the worldwide phenomenon Pokémon Go was hacked multiple times within its first week of existence. Then, just a few weeks ago, a large-scale Distributed-Denial-of-Service (DDoS) attack on Blizzard Games brought down three of the world’s most popular titles: Overwatch, World of Warcraft, Hearthstone and Heroes of the Storm. This marked the fourth DDoS attack targeting Blizzard’s game client, Battle.net, within a period of a few weeks.

Is video game cybersecurity regulation inevitable?
Recently, the U.S. government has placed utmost importance on cybersecurity with the passage of the Cybersecurity Act of 2015 and the Cybersecurity National Action Plan (CNAP) in 2016. While no federal agency has yet stepped in on the U.S. video game industry, other countries have begun regulating video games – but with only minimal or no success.

On the state level, the Washington State Gambling Commission recently ordered the video game developer Valve to stop allowing the transfer of gun skins for what it defined as "gambling purposes." Washington state cited $1B in illegal revenue generated as a result of such activity. The practice of sharing gun skins - or any virtual items for that matter - is no more than a mask for players to exchange virtual currency on gray market websites for real-world dollars.

Abroad, the South Korean government passed a series of regulations on the video game industry. It is unclear whether the South Korean laws had their intended effects, but some unintended consequences emerged. Economically, in fact, the devastation has been profound: a country that just five years ago had 30,000 game developers now has fewer than 15,000.

The challenges posed by cybercrime in online video games will gain the attention of Congress and the Federal Trade Commission sooner or later, unless the industry comes together to develop its own set of enforceable cybersecurity standards and guidelines that can protect players and publishers alike.

A model forward
Recognizing the advantage of self-governance, the advertising industry has created a body that the video game industry can look to as a model. The Advertising Self-Regulatory Council is a successful “system by which the advertising, marketing, agency and media industry set voluntary rules and standards of practice that go beyond their legal obligations.” There is also precedent for self-regulation in the video game industry. In 1994, the Entertainment Software Ratings Board (ESRB) was formed to “assign ratings for video games and apps so parents can make informed choices.”

Considering the increasing frequency of cyber attacks against the game industry and its players, it is time for industry leadership to proactively work together to define and enact enforceable cybersecurity standards that protect the gaming experience before the government gets involved. 

Matthew Cook is a veteran security and risk professional and a lifelong gamer. He is currently the co-founder of Panopticon Laboratories, the first and only cybersecurity company for video game publishers.

Comments
Panopticon_Matt (User Rank: Author), 1/5/2017 | 5:35:19 PM
Re: Hackable Games, Irrelevant Standards
Thanks for the kind words - glad you found them useful! If you ever have any ideas re: how we can do things even better, don't hesitate to let me know. 

I'm a fraud and risk geek, so I almost see this fight as "high level PvP"... it's something I actually enjoy doing (God help me). =) But as a gamer myself, I want game devs and publishers focused on building cool new virtual worlds I can visit and explore, not wasting their time and money fixing stuff they tell me they hate, and sometimes even resent, having to deal with (fraud and risk). I can't blame them; that's not why they got into the biz, right?

The reality, unfortunately, is that so long as devs are choosing to monetize their games online over time, and are designing them such that they're really only viable so long as players are returning again and again and interacting with others in a multiplayer environment, then bad guys' activities and their negative impact on those worlds *must* be addressed, ideally before their activities become an epidemic and drive all the good players (some of whom will hopefully vote with their wallet) away. 

Always glad to help.

 
RetiredUser
100%
0%
RetiredUser,
User Rank: Ninja
12/20/2016 | 1:22:37 PM
Re: Hackable Games, Irrelevant Standards
Yep, the back-end is where it's at, for sure, especially with so many tactical teams out there willing to use social and old-fashioned B&E to get to your backside. Taking a quick moment to give props, the Panopticon Labs resources are excellent. Been browsing some of the documents and the white papers are well-written and not the usual fare. Nice work on that.

Panopticon_Matt (User Rank: Author), 12/12/2016 | 9:49:34 AM
Re: Hackable Games, Irrelevant Standards
All excellent points - thanks very much for listing them.

What you recommend can definitely help, but other industries have learned the hard way that ANY observable system can (and eventually will) be defeated by a dedicated attacker - that's why I'm such a proponent of back-end, server-side controls like analytics and machine learning designed to model and alert on not only bad, but also good, behavior. Fortunately, game publishers are investing more than ever before in tools and techniques designed to study beneficial player behavior (typically as it relates to monetization), so it's much more common than it was, say, three years ago, for game operators to invest in assets like a robust data warehouse and data scientists to make effective use of that intel - very useful assets when we start discussing how to efficiently find and eliminate bad actors. 

The gaming industry also has a golden opportunity to proactively share this information between themselves as well, ideally through a 3rd party dedicated to gathering, studying, and standardizing fraud and risk behavioral data across many different games, genres, and geographic regions. Other industries (notably banking) were extremely slow to share this sort of intelligence, choosing instead to adopt a more "walled castle" approach which did little to stop the spread of automated attack tools. Ironically, those same tools are the ones we see for sale now on cheating and hacking black market sites, customized to infiltrate and compromise online games.

My hope (both as an avid gamer as well as someone who studies fraud, risk, and its impact on various industries) is that the video game industry will come together to self-regulate before lawmakers or regulatory agencies feel the need to step in, just as they did when they banded together to establish the ESRB ratings system. Unfortunately, with recent decisions like the State of Washington ordering Valve to move against skin gambling sites, and the latest South Korean EULA criminalization act, I fear we're already heading down that road...
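The server-side approach described in the comment above (model what good players look like, then alert on accounts that fall outside that model) can be sketched in a few dozen lines. The following is an added example, not code from Panopticon Labs or from the commenter; the event log, the account names and the two features (items sent per day, distinct trading partners per day) are constructed for illustration. It uses a median/MAD robust z-score so that a handful of extreme accounts cannot drag the baseline toward themselves.

```python
"""Baseline "good" player-trade behaviour and flag accounts that deviate.

Added example with constructed data. Real deployments would pull these
features from the game's data warehouse and tune the threshold per game.
"""
from collections import defaultdict
from statistics import median

# Constructed sample events: (account, day, items_sent, distinct_partners).
EVENTS = [
    ("alice", 1, 2, 1), ("alice", 2, 3, 2), ("alice", 3, 1, 1),
    ("bob", 1, 4, 2), ("bob", 2, 2, 1), ("bob", 3, 5, 3),
    ("carol", 1, 0, 0), ("carol", 2, 1, 1), ("carol", 3, 2, 1),
    ("dave", 1, 3, 2), ("dave", 2, 2, 2), ("dave", 3, 4, 2),
    # Hypothetical mule: funnels a large item volume to a single buyer.
    ("mule_7", 1, 40, 1), ("mule_7", 2, 55, 1), ("mule_7", 3, 62, 1),
    # Hypothetical spam bot: normal volume, but contacts dozens of players.
    ("spam_bot", 1, 3, 30), ("spam_bot", 2, 2, 28), ("spam_bot", 3, 4, 35),
]
# Accounts the operator has already vetted; they define "good" behaviour.
KNOWN_GOOD = {"alice", "bob", "carol", "dave"}
FEATURES = ("items_sent", "distinct_partners")
THRESHOLD = 3.5  # conventional cut-off for a MAD-based robust z-score


def per_account_features(events):
    """Average each feature over the days an account was active."""
    totals = defaultdict(lambda: defaultdict(float))
    days = defaultdict(set)
    for account, day, items, partners in events:
        totals[account]["items_sent"] += items
        totals[account]["distinct_partners"] += partners
        days[account].add(day)
    return {
        acct: {f: totals[acct][f] / len(days[acct]) for f in FEATURES}
        for acct in totals
    }


def build_baseline(features, good_accounts):
    """Median and median absolute deviation of each feature over vetted accounts."""
    baseline = {}
    for f in FEATURES:
        values = [features[a][f] for a in good_accounts if a in features]
        med = median(values)
        mad = median(abs(v - med) for v in values)
        baseline[f] = (med, mad)
    return baseline


def robust_z(value, med, mad):
    """Robust z-score; 1.4826 rescales MAD to a standard-deviation equivalent."""
    if mad == 0:  # degenerate baseline: any deviation at all is an outlier
        return 0.0 if value == med else float("inf")
    return (value - med) / (1.4826 * mad)


def flag_accounts(events, good_accounts, threshold=THRESHOLD):
    """Return {account: [feature, ...]} for accounts outside the baseline."""
    features = per_account_features(events)
    baseline = build_baseline(features, good_accounts)
    flagged = {}
    for acct, vals in features.items():
        reasons = [f for f in FEATURES
                   if abs(robust_z(vals[f], *baseline[f])) > threshold]
        if reasons:
            flagged[acct] = reasons
    return flagged


if __name__ == "__main__":
    for acct, reasons in flag_accounts(EVENTS, KNOWN_GOOD).items():
        print(f"review {acct}: outside baseline on {', '.join(reasons)}")
```

The output is a review queue, not a ban list: an account can only be flagged on features that are measured, so a mule whose volume and partner count happen to sit inside the normal range is not caught by this pass, which is why the comment's point about sharing behavioral data across games matters.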

RetiredUser (User Rank: Ninja), 12/9/2016 | 4:37:03 PM
Hackable Games, Irrelevant Standards
I think the key thing to note in video gaming is the online community aspect of the platforms. For full immersion MMOG environments, standardizing bodies need to understand that even by applying strict regulations to what features and functionality are allowed in these game platforms, as long as the MMOG sits on hackable software, users could potentially write their own interfaces and continue business as usual. The value in MMOGs is the access to the users and being a user.

Once you are in the system and able to move around, and once you have code access to the servers, anything is possible. Imagine for a moment that someone has raised a host of servers that have an active clone of a popular MMOG and have already fetched user data. Now imagine they DDoS the server farms for the real MMOG and have spoofed the TCP (rare, but possible); they begin answering the connection requests for all those users who were previously disconnected. Sure, people would realize right away something wasn't right, but if the game appears still to be functional, then no problem. Now you have a fully live MMOG clone in which criminals do what they need to do and then bring the system down again.

So, yes, regulations and standards by all means for the day-to-day business as usual, but I think those regulations and standards are going to need to dig much deeper and reach out wider in terms of preventing scenarios like the above; solutions such as hardware-bound encryption fingerprints (hard to spoof hardware), regular fingerprint validation during logged user sessions, intelligent traffic scanning per-user, etc., and kill switches to the system when any of these are not kosher. Anything to bind authentication to the internal systems so spoofing becomes that much harder to do.

Exciting to see gaming and game security out there and being discussed. Ever since platforms like Ultima, EverQuest and Second Life took flight this has been one of the most interesting environments to explore from a security perspective.
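The controls the commenter lists (a device fingerprint bound into the session, periodic re-validation while the session is live, and a kill switch when either check fails) can be shown end to end on the server side. The following is an added example, not code from the commenter or from any game platform; the server key, the fingerprint attributes and the 30-second heartbeat window are constructed for illustration. The fingerprint is bound into an HMAC tag that the server computes over session id, account and fingerprint, so a tag presented together with a different fingerprint fails verification, and a session that stops re-validating within the window is terminated.

```python
"""Bind a game session to a device fingerprint and re-validate it periodically.

Added example with constructed values. In production the key would live in a
KMS/HSM and the fingerprint would come from hardware-backed attestation rather
than client-reported attributes.
"""
import hashlib
import hmac
import secrets
import time

SERVER_KEY = b"constructed-demo-key-do-not-reuse"   # constructed for the demo
HEARTBEAT_INTERVAL = 30.0  # seconds within which a session must re-validate


def device_fingerprint(attributes: dict) -> str:
    """Hash client hardware attributes in a canonical order (constructed input)."""
    canonical = "|".join(f"{k}={attributes[k]}" for k in sorted(attributes))
    return hashlib.sha256(canonical.encode()).hexdigest()


class SessionStore:
    """Server-side session table with fingerprint binding and a kill switch."""

    def __init__(self, key: bytes = SERVER_KEY, clock=time.monotonic):
        self._key = key
        self._clock = clock          # injectable for testing
        self._sessions = {}          # session_id -> {"account", "fp", "last_seen"}
        self.alerts = []             # (account, reason) for terminated sessions

    def _tag(self, session_id: str, account: str, fp: str) -> str:
        """HMAC over everything the session is bound to; only the server holds the key."""
        msg = f"{session_id}|{account}|{fp}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def login(self, account: str, fp: str):
        """Open a session bound to this account and fingerprint; return (id, tag)."""
        session_id = secrets.token_hex(16)
        self._sessions[session_id] = {
            "account": account, "fp": fp, "last_seen": self._clock(),
        }
        return session_id, self._tag(session_id, account, fp)

    def heartbeat(self, session_id: str, tag: str, fp: str) -> bool:
        """Periodic re-validation. Returns False (and kills the session) on failure."""
        rec = self._sessions.get(session_id)
        if rec is None:
            return False
        # Recompute the tag with the fingerprint presented *now*: a stolen tag
        # replayed from different hardware yields a different fingerprint and fails.
        expected = self._tag(session_id, rec["account"], fp)
        if not hmac.compare_digest(expected, tag):
            self._kill(session_id, "fingerprint/tag mismatch")
            return False
        now = self._clock()
        if now - rec["last_seen"] > HEARTBEAT_INTERVAL:
            self._kill(session_id, "missed re-validation window")
            return False
        rec["last_seen"] = now
        return True

    def is_active(self, session_id: str) -> bool:
        return session_id in self._sessions

    def _kill(self, session_id: str, reason: str) -> None:
        """Kill switch: drop the session and record an alert for the SOC."""
        rec = self._sessions.pop(session_id)
        self.alerts.append((rec["account"], reason))


if __name__ == "__main__":
    store = SessionStore()
    fp = device_fingerprint({"cpu_id": "demo-cpu", "disk_serial": "demo-disk"})
    sid, tag = store.login("player1", fp)
    print("same device:", store.heartbeat(sid, tag, fp))
    other = device_fingerprint({"cpu_id": "other-cpu", "disk_serial": "demo-disk"})
    print("other device:", store.heartbeat(sid, tag, other))
    print("alerts:", store.alerts)
```

The guarantee is only as strong as the fingerprint: if an attacker already holds a copy of the user's data, including the fingerprint, as in the cloned-server scenario above, the tag check alone does not help, which is why the commenter's emphasis on fingerprints that are hard to reproduce off the original hardware is the load-bearing part of the design.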