The video game industry has been booming of late — and cybercriminals are drawn to it as an expanding threat surface, seeing players as a potentially less cautious group of victims. As such, cybersecurity has risen in profile as a major business priority and differentiator for many in the industry.
There's been an influx of casual gamers drawn to new mobile platforms during the pandemic, and companies have found increasingly profitable ways of monetizing in-game items and social experiences. Gaming studios and affiliated games companies seek to keep those users playing while maintaining that growth and profitability in the post-pandemic era.
But with so much entertainment competition out there — not just from other games, but also streaming and digital platforms — it's easy enough for players hacked or cheated one too many times to drop one game and pick up another one instead. Gaming industry insiders like Jonathan Shroyer say that if gaming companies are lax in security, "their games will not succeed."
"Players of games depend on trust, credibility, and predictability when leveraging a brand's game," says Shroyer, chief CX innovation officer for Arise Gaming, a consulting firm that helps gaming companies improve customer satisfaction and gamer engagement in their platforms. "If they find out there was a hack, or fraud, or other security issues, you will see a dramatic drop in gameplay and spend."
He says this is especially true in mobile gaming as these are the least sticky and most casual games in the industry. But the impact of cyber trust is felt across console, PC, virtual reality (VR), and streaming customers as well.
More Gamers, More Attacks & More Customer Expectations
There's a lot of money at stake for gaming companies planning for the future. According to a recent study by PwC earlier this year, the video gaming industry will earn $235.7 billion in 2022. That's following a massive tear over the last few years, with the combination of PC, console, and casual gaming companies increasing their revenue by an astonishing 32% from 2019 through 2021. PwC says it expects gaming revenue to keep ticking up from now through 2026 by a healthy 8.4% compound annual growth rate.
As the money has been flowing into everything from eSports to hyper-casual gaming, so, too, have the attacks. Akamai reported recently that cyberattacks on player accounts and gaming companies has increased "dramatically" in the past year, with Web application attacks rising by 167%. The firm says gaming is the industry most hit by distributed denial-of-service (DDoS) attacks, making up 37% of all DDoS globally. That's double the volume of attacks lobbed at the financial sector, which is the second-most DDoS-attacked vertical industry.
Account takeovers, cheating hacks, and fraud are all growing problems, and gamers are taking note of which companies are addressing these cybersecurity issues and which aren't. A study of attitudes from 10,000 gamers worldwide that was released last week by Kaspersky showed that 70% of regular gamers think hacking is a big problem in the gaming world. Around 63% of respondents said their accounts aren't safe enough from attacks — with one in three reporting that their accounts have been hacked in the last two years. And 89% of gamers said they want game developers to pay more attention to cybersecurity issues.
These stats point to why cybersecurity is fast becoming a huge engagement pillar for game studios right alongside designing creative gameplay and immersive worlds. It's a tricky proposition for security executives in this world, because gamers also have big expectations when it comes to gameplay and the overall ambiance of a gaming environment, says Julie Tsai, a longtime cybersecurity executive with deep expertise in the gaming world.
"Users and the community expect things at a high level. They expect things to be intuitive, they expect things to be in the spirit of the gaming — and also sometimes in the spirit of the culture of the particular gamer community they're in," says Tsai, who was head of security for Roblox for the past three years prior to recently venturing on her own as a security consultant. "They're very, very passionate and attached to these things. And also for a security professional, it means that you're going to be dealing with some of the strongest attackers and the adversaries that you can think of because they're very creative and often gamers themselves."
Today's Biggest Cyberthreats to Gaming
Like any other vertical industry, games companies are tasked with protecting their organizations from all nature of cybersecurity threats to their business. Many of them are large enterprises with the same concerns for the protection of internal systems, financial platforms, and employee endpoints as any other firm.
"Gaming companies have the same responsibility as any other organization to protect customer privacy and preserve shareholder value. While not specifically regulated like hospitals or critical infrastructure, they must comply with laws like GDPR and CaCPA," explains Craig Burland, CISO for Inversion6, a managed security service provider and fractional CISO firm. "Threats to gaming companies also follow similar trends seen in other segments of the economy — intellectual property (IP) theft, credential theft, and ransomware."
IP issues are heightened for these firms, like many in the broader entertainment category, as content leaks for highly anticipated new games or updates can give a brand a black eye at best, and at worst hit them more directly in the financials. The industry saw this kind of fallout in full effect in September when a hack of Take-Two Interactive and subsequent public leak of Grand Theft Auto 6 resulted in a 2.3% stock drop for the firm.
Layered on top of all of those typical enterprise cybersecurity concerns are unique eccentricities in protecting gaming platforms and player ecosystems. The gaming platforms are their brands — financial and customer service engines all rolled into one. And they're supremely juicy targets for all nature of malfeasance.
Some of the most common concerns gaming companies must contend with are cheaters who seek to take advantage of technical or bugs or design flaws to their advantage, spammers finding ways to blast out links to gamers to everything from snake-oil products to porn, scammers seeking to take advantage of and steal from younger gamers. And then, of course, most common of all are the everyday cyber fraudsters cashing in on account theft.
"What you have to realize is that criminals attack games for one of three reasons: status, ideology, or cash," says Brett Johnson, chief criminal officer for Arkose Labs and a former cybercriminal who before he went straight ran ShadowCrew, the forerunner to today's Dark Web marketplaces. "Most attacks — 98% or more — are cash driven. So criminals are looking for the easiest access that gives the largest return on investment."
The black-hat ROI prospects have especially grown now that gaming companies have monetized in-game assets through means like direct purchase, voluntary advertising views, and recurring subscriptions. This presents endlessly more new ways to commit financial fraud and launder money through gaming platforms. From a gaming cyber defender's perspective, this means that cheating and hacks now not only threaten gameplay experience, but create more financial and legal risks.
"Any time real money value is tied to in game assets, you will see a spike in fraud and other bad actors," Shroyer explains.
Attackers are turning up the heat on game users and platform with credential stuffing attacks and social engineering scams to break into accounts and access in-game currency and unique items. They leverage third-party marketplaces to sell these in-game assets off the platform for real currency to other gamers who want to bolster their characters or speed up their progress. This creates an ideal situation to not only fence stolen in-game assets, but to launder money stolen elsewhere online.
A lot of this criminal activity is powered by bots and click farms to scale up the profitability of their criminal enterprise, Johnson says.
"The problem is, from an attacker point of view, it's not really worth it to me to attack people manually. If you consider most of these accounts, the dollar amounts are not high enough for me to do that," he says. "So I need to find a way to scale that without me having to manually sign on or try to take over to account. And the answer to that is bots."
The Culture Wildcard
Many of the criminal ploys targeting games will also play upon the emotional mindset of gamers, who just want to have as much fun as possible. It makes them more likely to maybe fall for a phishing lure in hopes of getting a sneak peek at a new feature, or go to great lengths to buy items from a third-party marketplace that could speed up their progress.
"The gamer almost immediately is not acting out of reason or logic — it's a knee-jerk type of emotional thing. They want to play that game," Johnson says. "It's much easier for me as an attacker to use that to my advantage because they're already going through that door of reacting emotionally."
This highlights the big balancing act that gaming companies generally have to manage when it comes to protecting their platforms and their users. They've got to design better technical controls and more cyber resilience in their systems without damaging player experience or the vibrancy of the gaming culture built up around their brands and their gaming titles.
As Tsai alluded, gamers are passionate and they're also often curious hackers by nature. That includes the creative and benign type, but also the black hats.
The game industry has always been a place where everyone from script kiddies to budding cybercriminals have come to cut their teeth. For the most part, though, the cohort is usually mostly made up of customers who want to be able to develop and share their custom mods and who are willing to spend a lot of engaged time and money on their games, building up a community that buoys up successful games and studio brands.
This means that a lot of the work of security executives is in detangling the malicious elements from that creative and loyal group of gamers. This takes user education and outreach, foresight in design, and engineering work.
Engineering Good Choices for Gamers
On the latter front, some of the easiest and most low-hanging fruit can come through layered protection measures that just make it more expensive for attackers to run roughshod over platform with automated bot attacks.
"If a security product can increase the cost of the attack, the chances of the criminal staying on that platform, not very good," Johnson says. "That criminal's going to find someplace else where they can profit easier and not have to have the investment to get the attack to be successful."
According to Shroyer, the industry is in a lot better place now with moderating and managing mods and curbing cheating because there's more technical measures available to developers.
"Gaming brands now have more tools in their toolkit to prevent these activities," he says. "A few examples are unique online accounts that require the latest software update to play games, new tech and security placed in gaming data centers that make hacking more difficult, and the ability to turn off access via games online if bad behaviors are noticed. These don't eradicate the issues, but similar to how Netflix and Hulu curbed illegal movie downloading, these tools have had a similar effect in the gaming space."
More fundamentally at the design level, though, Tsai says that security teams and gaming developers also have to work to create player journeys and experiences less hackable. This doesn't mean shutting off the faucet for mods and other beneficial hacking in the platform. Instead, it means doing better threat modeling of platforms, locking down the riskiest areas and providing guardrails for user "developers" almost in the same way that a DevSecOps team would do so for internal developers.
"There's a saying in engineering with regards to user centricity, which is 'Make me make good choices,'" she says. "And so in that respect, you want to create technology that either encourages or only allows users to make good choices."
This kind of effort takes significant effort and a security-first mentality for game development. However, it's an investment that has a definite ROI for gaming firms, she says.
"Security ties to how users in the community think of your integrity and trust you. These are long-term assets," she says. "If you gain credibility over the years, it can absolutely be a business value-add."