Are gaming companies and forums taking security seriously?

by Enzoic on August 7, 2019

Many
gaming companies and gaming-related websites prioritize user experience and
easy access above security and strong authentication. They have found that increasing friction at
login can drive customer attrition… which then translates into decreased
revenue. But are they taking security seriously enough?

This is a theme Enzoic’s CTO, Mike Wilson, recently explored in a conversation with Threatpost’s Tom Spring. The resulting article, “Gamers Are Easy Prey for Credential Thieves,” highlights the gaming industry’s security conundrum and outlines why someone would pay a criminal for stolen gaming accounts in the first place.

Why would a criminal even want to access your gaming account?

Gaming credentials are lucrative, especially in larger numbers.Gaming credentials can be worth a surprising amount depending on the type of game, the hashing algorithm they are stored in and what is on the account. Here is a sampling of how much some gaming accounts are sold for on the dark web:

Fortnite combolists: 100K credentials for $5
Fortnite accounts: 6.50-900.00 eur (depending on skins
on account)
Minecraft accounts: $0.10-40.00
League of Legends accounts: $4-115 (depending on skins
and level on account)
Apex Legends accounts: $2
The Sims accounts: $3-4
Origin accounts: $1.50-6 (depending on games available
on account)
Uplay accounts: $1
Grand Theft Auto accounts: $8.50-12.50
PlayerUnknown’s Battlegrounds accounts: $15-28
ARK: Survival Evolved accounts: $20
Call of Duty accounts: $15-26
Steam product keys: $6

By comparison, here is a
sampling of other types of accounts:

Google Cloud accounts with $100+ credit – $6
PayPal Account with $100 balance – 13 eur
PayPal Account with $500 balance – 80 eur
cryptocurrency accounts – 94 eur
Western Union account – 30 eur
Netflix account: $3.00-4.00
Hulu account: $0.50-10.00
Sling accounts: $5.00-15.00 (depending on lineup)
HBO accounts: $3.00
Creative Cloud account: $10.00
Porn accounts: $3-10
VPN accounts: $1-5
Streaming video accounts: $3-7
Streaming music accounts: $0.50-3
Spotify accounts: 1-2 eur
Pizza accounts with reward points: $.50-18.00 (depending on points on account)
AT&T Uverse – 10-12 eur (depending on lineup)
DirecTV Now – 8-15 eur (depending on lineup)
Grubhub with CC – 4 eur
Fandango with CC – 2 eur
Starbucks accounts with $100 – $25

Why is the Gaming Industry at
Risk?

Another
recent piece of Enzoic media coverage analyzes the key factors that make the
gaming industry so vulnerable. As our CEO, Michael Greene, wrote in an opinion
piece for VentureBeat gaming is particularly susceptible
for 2 main reasons:

Gaming sites use weak authentication security measures
during login and since so many users re-use passwords, criminals can easily
access their accounts using stolen credentials.
Many gamers use weak passwords on gaming sites because they are
young and don’t know better, or because they feel there is really nothing of
value in their account.

The good news is that Akamai saw a slight decline in gaming accounts for sale on the dark web between 2017 and 2018, which could indicate that the gaming industry is starting to take security more seriously. By hashing their passwords in more complex algorithms, they are worth less on the dark web, which makes it less lucrative for criminals.

How can gaming sites improve security at login without
creating user friction?

Besides using more complex
hashing algorithms, the gaming industry can adopt newer low user-friction
authentication methods.

Because most people reuse
passwords across multiple sites, credentials for non-gaming sites can be used
in credential stuffing attacks against gaming sites and vice-versa.
Increasingly, gaming sites are quietly screening user accounts for compromised
credentials. When an account is found to
be using compromised credentials, the gaming site can either make the user
reset their password or they can limit access within the account (like hiding
credit card data) to reduce the threat.

For more on security in the
gaming sector, you can read more about it in the following articles:

Threatpost: Gamers Are Easy Prey for Credential Thieve

VentureBeat: The Video Game Industry is a Black Hole for Cybersecurity

Learn more
about how your site can screen for compromised credentials or passwords.

The post Are gaming companies and forums taking security seriously? appeared first on Enzoic.