Gaming and Account Security (repost)
(Edit: This was originally posted in February as a contribution to the gamer safety week. The recent Guildwars 2 release and the hacking attempts there made me add a few remarks at the bottom of the post.)
We have all heard of hacked gaming accounts, robbed guild banks and stripped or even deleted characters. Gaming account management websites have been attacked in order to extract credit card information. Many of us have been locked out for weeks from the PlayStation Network or the SOE servers. And last but not least, fansites of all sizes are being attacked in order to harvest account names, email addresses and passwords, which are then tried against the games themselves.
A group of online gaming companies has now come together under the Merchant Risk Council’s (MRC) Gamer Safety Alliance and declared this week as Gamer Safety Week. Members include Electronic Arts, En Masse Entertainment, Microsoft, MindCandy, NCsoft West, Nexon America, Sony Online Entertainment, Square Enix, and Turbine. The purpose of Gamer Safety week is to provide gaming fans and customers with safety information and resources and raise awareness about account security.
Why are online games being attacked? Like every other business on the Internet, online gaming companies take payments on their websites, so the attackers are after payment and credit card information. A threat more specific to online games is the theft of in-game currency (gold, platinum, credits) or other valuables, which can in turn be sold back to gamers for real cash. And a more general threat exists through vandalism, security advocacy or political activism. I haven’t heard of religious groups hacking online games and their websites, but the motivation is there.
What to do as a user: Overcome your complacency and challenge your lazy self. It’s fairly standard that security is traded for simplicity and ease of use, and that simplicity works to the attacker’s advantage. It takes effort to come up with a new user name and password for every website and every game. But if you don’t, somebody who gains access to your Turbine information will also be able to access your Sony games. Or worse, somebody who breaks into some small blog where you created an account to leave a comment seven years ago will have access to your WoW gold, because the password is the same.
Be aware of websites with poor security. For instance, a website that stores your password as clear text hands it straight to anyone who breaks into its database. The better ones never store the password itself: they store a salted hash of it and, at login time, hash your input the same way and compare the two. This website, MMOCompendium.com, stores its passwords only in encrypted (hashed) form, but sends out initial passwords as clear text in email. You should change them right after you create your account. Another weak spot is the way forgotten passwords are handled: I don’t know your 17 character password, but I know the name of your first pet. A website should send an email with reset information to your registered email address instead of granting access right away on the strength of a security question.
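To make the two points above concrete, here is an added example (not code from MMOCompendium.com or any of the games mentioned) of what a "better" site does: it stores a random salt plus a PBKDF2 hash instead of the password, and handles a forgotten password with a single-use, expiring token that goes out by email and is itself stored only as a hash. The in-memory USERS and RESET_TOKENS dictionaries, the PBKDF2 parameters and the 15 minute expiry are assumptions for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

# Hypothetical in-memory stores; a real site would use a database.
USERS = {}          # username -> {"salt": bytes, "hash": bytes}
RESET_TOKENS = {}   # sha256(token) -> {"user": str, "expires": float}

PBKDF2_ITERATIONS = 100_000   # makes offline guessing slow after a database leak
RESET_LIFETIME = 15 * 60      # seconds a reset token stays valid


def register(username, password):
    """Store only a random salt and the PBKDF2 hash, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    USERS[username] = {"salt": salt, "hash": digest}


def login(username, password):
    """Re-derive the hash from the submitted password and compare in constant time."""
    rec = USERS.get(username)
    if rec is None:
        # Burn the same work as a real check so timing does not reveal which names exist.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, PBKDF2_ITERATIONS)
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, rec["hash"])


def request_reset(username, now=None):
    """Issue a single-use reset token for the registered address.

    Returns the token that would be emailed; only its hash is kept server-side,
    so a leaked RESET_TOKENS table is useless on its own.
    """
    now = time.time() if now is None else now
    if username not in USERS:
        return None   # a real site still sends a neutral "if this account exists" mail
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode()).digest()
    RESET_TOKENS[key] = {"user": username, "expires": now + RESET_LIFETIME}
    return token


def redeem_reset(token, new_password, now=None):
    """Accept the emailed token once, before expiry, and set the new password."""
    now = time.time() if now is None else now
    key = hashlib.sha256(token.encode()).digest()
    rec = RESET_TOKENS.pop(key, None)   # pop: a token can only be used once
    if rec is None or now > rec["expires"]:
        return False
    register(rec["user"], new_password)
    return True
```

Note that a security question never appears in this flow: knowing the name of somebody's first pet buys nothing, because the only way to reset is to read the mailbox the token was sent to.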
Added security comes from using key fobs or authenticator apps for your smart phone. Use them whenever they are offered by your game of choice. The fob produces a new 6 digit code every 30 seconds or every minute, derived from a secret seed and the current time, and it’s close to impossible to guess that number. The attacker’s main way around it is a man-in-the-middle attack: a phishing page takes your password and code, passes them on to the real login within the same validity window, and then locks you out. This is harder to pull off than plain password theft, because the stolen code is good for well under a minute and cannot be used twice, but automated phishing proxies do manage it, so still check that you are typing into the real login page. The other option for the attacker is to hack into the fob producer’s systems and steal seed codes and algorithms.
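The following added example (my own illustration, not the code of any game's authenticator) shows how such a code is derived and why a captured one is only good for one short window: HOTP per RFC 4226, TOTP per RFC 6238 on top of it, and a server-side verifier that tolerates one step of clock skew but refuses to accept a time step twice for the same user, so a code intercepted by a man-in-the-middle is worthless once it has been used. The 30 second step, 6 digits and the in-memory last_step table are assumptions.

```python
import base64
import hashlib
import hmac
import struct
import time


def secret_from_base32(text):
    """Authenticator apps are usually provisioned with a base32 seed; decode it."""
    padded = text.strip().replace(" ", "").upper()
    padded += "=" * (-len(padded) % 8)
    return base64.b32decode(padded)


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238: HOTP with the counter set to floor(unix_time / step)."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step), digits)


class TotpVerifier:
    """Server side of the check.

    Accepts the current or the previous time step (clock skew), and remembers the
    highest step already consumed per user: a code replayed inside its window,
    as a phishing proxy would try, is rejected after its first use.
    """

    def __init__(self, step=30, digits=6):
        self.step = step
        self.digits = digits
        self.last_step = {}   # user -> highest time step already accepted

    def verify(self, user, secret, code, at=None):
        at = time.time() if at is None else at
        now_step = int(at // self.step)
        for candidate in (now_step, now_step - 1):
            if candidate <= self.last_step.get(user, -1):
                continue   # this step (or an older one) was already used: replay
            expected = hotp(secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_step[user] = candidate
                return True
        return False
```

The test vectors below are the published RFC 4226 / RFC 6238 ones for the 20-byte ASCII seed "12345678901234567890", so the derivation can be checked against the standard rather than against itself.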
And lastly, to help you manage your passwords better, and therefore make it easy to use a different password everywhere, use a password manager tool. Password Safe has been around for a while and offers good protection. But there are also tools that take a more automated approach, like LastPass. That’s the one I am using. It keeps track of all login prompts you encounter while surfing the web. It remembers the logins and passwords you use, or better, creates hard to guess passwords for you. Next time you visit the site, it either fills in the account information automatically or asks you to confirm before it does so. It can also copy and paste account and password information so you can use them outside of web browsers, like your game login screen.
In the end, information security is an arms race. Compare the value of having access to the data against the effort needed to gain that access. As long as you keep breaking into your account more expensive than the potential gain, you win. All security efforts come down to this: making access more expensive for the attacker than it is worth.
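As an added illustration of the two paragraphs above (mine, not LastPass or Password Safe code), here is how a password manager generates a "hard to guess" password and how to put a number on the attacker's side of the arms race: draw every character from the operating system's cryptographic random source, compute the entropy, and turn it into expected cracking time for an assumed guessing rate. The 94-character alphabet and the guesses-per-second figures are assumptions for the example.

```python
import math
import secrets
import string

# Hypothetical alphabet: the printable ASCII characters a manager typically draws from (94).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=20, alphabet=ALPHABET):
    """Draw every character from the OS CSPRNG via secrets, never from random.random()."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits, guesses_per_second):
    """On average an attacker hits after half the keyspace; divide by the guessing rate."""
    return 2 ** (bits - 1) / guesses_per_second


def expected_crack_years(bits, guesses_per_second):
    return expected_crack_seconds(bits, guesses_per_second) / (365.25 * 24 * 3600)


if __name__ == "__main__":
    pw = generate_password(20)
    bits = entropy_bits(len(pw), len(ALPHABET))
    # An 8-character human-chosen password is often worth ~30 bits; compare it with a
    # generated one at an assumed 10 billion guesses/s against a fast unsalted hash.
    print(pw, round(bits, 1), "bits")
    print("8-char human password:", expected_crack_seconds(30, 1e10), "seconds")
    print("20-char generated password:", expected_crack_years(bits, 1e10), "years")
```

The point of the comparison is the one the paragraph makes: once the generated password makes the attack cost astronomical next to the value of a few thousand gold, the attacker moves on to easier targets, such as reused passwords from a breached fansite.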
August, 2012 edit: By now most of us have seen email notifications that somebody else tried to reset our password. They can trigger that if they know your email address. So it’s not the best choice to use an email address as account name, especially for an account that manages valuable information like your bank account or your gaming account. Some relief comes from using different email accounts or plus-addressed (sub-addressed) email addresses, which some email providers support. For instance, gmail allows this: email sent to myaccount@gmail.com, myaccount+WOW@gmail.com and myaccount+GW2@gmail.com all lands in the same mailbox, myaccount@gmail.com. Not all places accept email addresses containing a “+”, but GW2 does. Keep in mind that an attacker who sees myaccount+WOW@gmail.com can simply strip the tag, so this keeps your accounts apart from each other but does not hide the mailbox behind them.
© Disclaimer: Guildwars 2
© 2011 ArenaNet, Inc. All rights reserved. NCsoft, the interlocking NC logo, ArenaNet, Arena.net, Guild Wars, Guild Wars Factions, Factions, Guild Wars Nightfall, Nightfall, Guild Wars: Eye of the North, Eye of the North, Guild Wars 2, and all associated logos and designs are trademarks or registered trademarks of NCsoft Corporation. All other trademarks are the property of their respective owners.