Cyber Security in Gaming – Extensive Show Notes for KOVA Podcast X F-Secure

by Joel Latto on March 29, 2021

Recently I was invited to KOVA Esports podcast to talk about cyber security, online privacy and identity management from the perspective of gamers and gaming industry in general. Hosted by KOVA’s General Manager Timo Tarvainen and joined by their streamer Teemu “Spamned” Rissanen, we had a great one-hour long discussion. This post covers my own notes about the things we mentioned, source links included, and further expands on some of the topics. Links to the podcast episode can be found on the bottom of the page. Enjoy!

All timestamps refer to the YouTube version of the podcast episode. If you’d like to learn more about some of the things mentioned, please leave a comment down below.

10:00 Timo mentions “Vastaamo case”. This refers to a massive data breach impacting psychotherapy center Vastaamo in Finland, and the developing case was widely publicized here during the last months of 2020. The data breach was notable due to the extremely sensitive data it included as well as due to the strange behavior of the (supposed) hacker, when that person tried to ransom not just the company, but also its patients directly in order to monetize the breach. While not directly related to gaming, we’ve seen similar data breaches happening to gaming companies too (and we discuss those later during the podcast).

10:30 Security hygiene or cyber hygiene is a term that refers to the basic, everyday measures that one should take to better defend themselves against more serious “infections” – so just like with normal hygiene. Washing your hands is a no-brainer, so similarly we should aim for making simple cyber security practices no-brainers as well.

Sponsorships Available

11:19 Although we’re generalizing here, here’s one example from a study that concluded that “…the findings show that less privacy is perceived by younger age groups. They are more aware than their older fellows. Surprising is that although they are aware of privacy issues they do not engage in protecting their data online as much as age groups 50+.”

15:15 This is called threat modelling: what are you trying to defend yourself and your information against? Most people already do this at least on unconscious level, and hey, this is also the reason why you lock your car and pay for insurance. Now apply that same mentality with your devices and online accounts. We gamers especially tend to have quite a bit of money, in-game items or even credit card details attached to our accounts, so we should definitely be thinking about securing them!

17:05 At least Ubisoft, Epic Games, Rockstar Games, GTA Online and Fortnite rewards players with in-game currency or items if they turn on two-factor authentication for their accounts.

18:00 While strong and unique passwords (preferably generated and stored in a password manager) are great, sometimes passphrases can be useful too. Learn more about passphrases: https://protonmail.com/blog/protonmail-com-blog-password-vs-passphrase/

21:42 If you have a Steam account, you should be using Steam Guard too. No excuses. https://support.steampowered.com/kb_article.php?ref=4020-ALZM-5519

There was a case where CS:GO player Paytyn “Junior” Johnson’s Steam account was hacked and Steam Guard was circumvented apparently through accessing the victim’s iCloud backups, but the article is very scarce on technical details and I haven’t seen this examined properly anywhere else, so take it with a grain of salt.

23:35 “Keep identities and profiles completely separated”, and 9 other hack commandments. I’ve written more about online identity management previously.

25:54 Top six things everyone should do. I represented my employer F-Secure in this podcast, so I’m going to shamelessly plug F-Secure’s products here:

Enable two-factor authentication everywhere you can. If possible, don’t use SMS authentication, but instead an authenticator app such as Authy or a hardware key such as YubiKey.
Do not login with your social media accounts. This way in case your social media account gets compromised, you don’t lose access to other accounts as well. Also, every time you login with a social media account, you’re giving permission to that social media company to track what you’re doing on that other service too.
Consider using a password manager. F-Secure ID PROTECTION is a good choice and you can try it five days for free.
Lie to security questions, write down and store your fake answer.
Use more common sense and use only official platforms to trade items and download games.
Get security software. F-Secure SAFE has a gaming mode, and it doesn’t slow down your computer (as proven by the recent Best Performance award by an independent test organization AV-Test).

34:55 More information about credential stuffing: https://blog.f-secure.com/what-is-credential-stuffing/

36:30 What kind of passwords are strong or easy to hack? The answer is not straightforward. Refer to the link above about passphrases.

43:30 Steam Support’s excellent Trade Scam FAQ: https://support.steampowered.com/kb_article.php?ref=3415-WAFH-6433&l=english

51:35 More information about spam and phishing emails: https://blog.f-secure.com/5-ways-to-stop-phishing-scams/

1:00:40 Researchers found nearly 1 million compromised accounts pertaining to gaming clients and employees, with 50% of them offered for sale during 2020. They also detected more than 500,000 leaked credentials pertaining to employees of the leading companies in the gaming sector: https://ke-la.com/darknet-threat-actors-are-not-playing-games-with-the-gaming-industry/

1:01:30 CD PROJEKT, the makers of games like Witcher 3 and Cyberpunk 2077, got hit by a ransomware and some of their source codes were stolen: https://twitter.com/CDPROJEKTRED/status/1359048125403590660

1:06:43 Check if your email address has been in data breaches: https://www.f-secure.com/en/home/free-tools/identity-theft-checker