
Jan Valcke, VASCO: How to prevent that virtual identity theft will be the downfall of your online gaming application

May 2012 by Jan Valcke, President and COO of VASCO Data Security

With the ever increasing popularity of online games, internet fraud has become a real threat. Egaming
is a multi-billion dollar business and is being targeted for various attacks by fraudsters
hacking into users’ accounts. MMOG in particular are becoming ever more popular. MMOG stands
for Massively Multiplayer Online Game, a video game capable of supporting hundreds or
thousands of players simultaneously. Millions of players interact in this virtual world, assuming the
roles of heroes and amassing materials and virtual money for their characters to fight against
virtual evil.

With millions of users worldwide they contribute a significant percentage of revenue to the gaming
industry. This lucrative market now has become a playing field for cybercriminals, forming a real
threat to the long-term sustainability of any MMOG. As account theft is not an inherent function of
game design, game developers can exert little control. However, this does not diminish the
significance of the threat and game developers should seriously consider the security risks
involved. Account hacking poses a real threat which may erode gaming applications’ customer
bases.

Virtual economies offer economic incentive for hackers

MMOG introduced a new phenomenon: virtual economies. Players can accumulate virtual
currency, pieces of armor, weaponry, energy or other paraphernalia to tweak their virtual
appearances. Gamers spend hours developing their characters, skills and acquiring virtual
equipment to increase their strength and combat virtual evil. Some players’ accounts can be
worth up to thousands of dollars.

Fraudsters soon saw big business by hacking into gamers’ accounts and stripping players of their
gaming credits and acquired game paraphernalia to resell it to the highest bidder. The link
between virtual economies and real money is easily laid and cybercriminals have a real economic
incentive to acquire online gaming accounts as it offers a good return for relatively low risks.

Game publishers keep providing new materials to enhance or influence the game. These items
can be downloaded for small purchase fees. And the gaming industry will provide even more
downloadable content, updates and expansion packs. Securing gamers’ accounts will therefore
prove to be essential as a key to success for online game developers and providers given that it
is the players who help build their success.

Common threats

One of the primary means used to obtain passwords is phishing whereby fraudsters, sometimes
posing as game developers, send a fake email or redirect players to a bogus website that
prompts them to enter their username and password.

Many cybercriminals also make use of keyloggers: malware which can record keystrokes and
hence your password which is then sent over the network to the hacker. It is a common way of
obtaining passwords without the player’s knowledge. This kind of malware can be hidden in any
executable file and is often disguised as a game cheat.

As most people have more than one internet account, whether it be for online gaming, ordering
groceries at a hypermarket or buying books on amazon.com, they often reuse the same
username-password combination. An additional threat lies in the fact that people tend to create
passwords that are easy to remember; the word ‘password’ is still the most commonly
used today. Through so-called dictionary attacks, fraudsters are able to retrieve those
guessable passwords fairly easily and use your account information for malicious intents.

Another danger lurks in account sharing. Although prohibited by the terms and conditions of most
online gaming applications, people often share accounts with family members or friends. The
consequent increase in exposure risk is self-evident.

Dynamic passwords circumvent online threats

As said before, there is little or nothing that gaming developers can do to protect their users’
account information and virtual assets as it is not a part of in-game design. Or is there? Though
developers could reason that password safety is the responsibility of the end-users, most gaming
developers realize that they should offer their customers a more secure means of protecting their
gaming characters.

One way of circumventing the above-mentioned threats is by putting a strong authentication
system in place. VASCO, one of the leading-edge companies in authentication and internet
security, has built an impressive track record for securing online gaming applications. By using its
renowned DIGIPASS technology, static and weak passwords are replaced by strong two-factor
authentication. For the price of a few dollars, players buy peace of mind and can protect their
valuable assets.

The company offers an API-based authentication platform that can be embedded in gaming
servers to automatically handle authentication requests. Gaming providers can choose to distribute
hardware authenticators or software authentication to their end-users, who can then generate a
dynamic password to log on to their favorite games. Dynamic passwords bypass the weaknesses
commonly associated with static passwords. Firstly, as they can only be used once, they cannot
be stored by fraudsters for batch processing. Furthermore, the validity of the passwords is very
limited in time, forcing criminals to operate in real-time, severely reducing the lucrative aspect of
account hacking. As each player will receive a personalized authenticator, the exposure of
passwords through account sharing is eliminated; a beneficial side effect for gaming providers as
it consequently minimizes revenue loss. As the password is generated by a hardware
authenticator or on a software platform, it is not previously exposed over the internet.
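
The two properties described above (a code is accepted only once, and only for a short time) can be seen in a server-side verifier. This is an added example, not part of the original article and not VASCO's DIGIPASS algorithm: it uses the public RFC 6238 TOTP scheme as a stand-in, and the `Verifier` class, the 30-second step and the account name are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds one code stays valid (assumed; RFC 6238 default)
DIGITS = 6   # length of the dynamic password

def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    counter = unix_time // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

class Verifier:
    """Hypothetical server-side check: time-limited and single-use."""

    def __init__(self, drift_steps: int = 1):
        self.drift_steps = drift_steps   # tolerated clock drift, in steps
        self.last_used = {}              # account -> newest step already consumed

    def verify(self, account: str, secret: bytes, code: str, now: int) -> bool:
        current = now // STEP
        for step in range(current - self.drift_steps,
                          current + self.drift_steps + 1):
            if step <= self.last_used.get(account, -1):
                continue                 # step already consumed: replay rejected
            if hmac.compare_digest(totp(secret, step * STEP), code):
                self.last_used[account] = step   # burn this step and older ones
                return True
        return False                     # wrong, expired or replayed code

if __name__ == "__main__":
    secret = b"12345678901234567890"     # constructed sample: RFC 6238 test key
    v = Verifier(drift_steps=0)
    code = totp(secret, 59)
    print(code, v.verify("player1", secret, code, 59))      # first use accepted
    print("replay:", v.verify("player1", secret, code, 59)) # same code refused
```

A keylogged or phished code is useless to store for later: it is refused once the legitimate login has consumed it, and refused again once its time step has passed.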

Scalability and ensured user acceptance at a bargain price

When implementing a security system, gaming developers face many challenges. First there is
the involved investment to consider. Secondly, the solution must be suited for mass deployment
to a multi-million customer base. Thirdly, when making an investment for a security roll-out,
gaming companies want to be sure that it is future proof and not outlived in a few years’ time. And
last, but not least: the threshold for user acceptance must be kept very low without compromising
too much on security level.

VASCO’s authentication solutions are built on a single API-based platform without the hassle and
costs of rebuilding the entire infrastructure, which allows for significant cost savings and flexibility.
DIGIPASS authentication is extremely scalable, which has been proven time and time again.
VASCO currently has millions of online gamers using its authentication devices and software. Its
software is able to handle over 9,000 authentication requests per second. As the platform can
support multiple games and additional users, it is surely a future-proof solution.

User acceptance is a very important factor for mass authentication. As VASCO’s DIGIPASS
technology, be it hardware or software, is so easy to use, gaming operators will be quickly
persuaded that this is the perfect authentication tool for deployment. End-users do not need to
install additional software on their computers, eliminating the need for training manuals and
therefore helpdesk costs, ensuring a secure gaming experience without any hassles.

