MUCH MORE NEEDS TO BE DONE TO SAFEGUARD GAMERS FROM FINANCIALLY DEVASTATING SECURITY BREACHES. JAMES PINNELL HAS SOME SUGGESTIONS
Your game accounts and passwords are not secure!
If you are a PC gamer, and increasingly a console gamer too, you have probably noticed that almost every publisher and developer now runs its own authentication service. Where once there were only a handful of gatekeepers (Microsoft, Sony, Steam and Nintendo, for example), the other major publishers decided they also wanted the enormous amounts of player data, direct control over their own software, and a way to sell microtransactions and packages without going through the larger distributors. So where we once had two or three logins to keep track of, we now have ten or more, and more still if you play games as a service such as League of Legends, or basically any MMO.
There is a lot to lose here. A compromised account can mean losing access to hundreds, if not thousands, of dollars' worth of software. It can mean unauthorised purchases charged to stored credit card details, and the transfer or deletion of hard-earned progress. It is also a ready-made platform for phishing: the attacker can message everyone on the friends list, none of whom have any reason to suspect they are not talking to the real owner. And it is frustrating as hell to prove to a poorly designed automated system, or a bored call centre rep, that yes, you do own the account, and yes, you would like it back. Publishers need to treat security as a first-class concern at the account creation stage, and ship sensible default security policies rather than leaving everything opt-in.
First, most users do not travel regularly outside their own country. If someone plays from their home in Dullsville, Idaho 99% of the time and then suddenly logs in from Pakistan or China, it is very unlikely to be them. Publishers, please: treat a login from a location that is overwhelmingly unlikely for that user as suspect, hold it until the user confirms it, and make that email a request for confirmation rather than a post-intrusion advisory. A simple check like that would stop most attacks, unless the attacker already knows where the target lives and proxies through that region, which bulk credential-stuffing rarely bothers to do. The one caveat is that geo-IP is a hint, not proof: VPNs and residential proxies exist, so the location check should trigger a challenge, not be the only control.

Secondly, make some form of 2FA mandatory at account creation. Even the weakest form, email, is far stronger than a weak password on its own, and it adds roughly 15 seconds to a login. You can let users remember a device once it has been verified so they are not pestered every single day; at the very least, this will stop the bulk of account takeovers. Almost every service now offers some kind of 2FA, whether weak (email), adequate (SMS, which is still exposed to SIM swapping) or best (authenticator apps), but almost none of them require it at signup. This needs to change. Blizzard, Microsoft and Valve's Steam have led here, offering in-game benefits to users who turn on 2FA, as well as increasingly simple ways to complete it. Blizzard's authenticator, for example, just pops up a notification on your phone and asks you to tap a single button. Easy. Steam Guard offers either email or an installed app, and to be honest most PC users have a lot to lose and should be taking the stronger option.

“Ubisoft and EA are some of the worst offenders, breaking almost every rule”
The third measure is to block or quarantine attacking IPs, and whole ranges where necessary, to stop bulk attacks. I have seen services that let users brute force for days if necessary, which is utterly pointless. Ubisoft and EA are some of the worst offenders, breaking almost every rule when it comes to effective account security, making it simple for attackers to compromise hundreds if not thousands of accounts in seconds, then do it again a week or two later once everyone has got back in. And if an account has been compromised, enabling 2FA should, at the very least, be a condition of reactivating it.
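To show how the three measures above fit together in a single login decision, here is an added illustrative example, not code from any publisher mentioned in this piece. It is a self-contained Python sketch of a login guard that quarantines a source IP after repeated password failures, challenges logins from outside the user's usual countries, requires 2FA on any device that has not been remembered, and refuses to reactivate a flagged account without 2FA. The thresholds, account names, countries, IPs and device IDs are all constructed assumptions for the demonstration; the location signal is deliberately treated as a trigger for a challenge rather than a silent hard block, since geo-IP can be fooled by proxies.

```python
"""Illustrative login-risk checks for a game account service (added example).

All accounts, countries, IPs and device IDs here are constructed sample data and
the thresholds are assumptions, not any real publisher's policy.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
import time

FAILED_ATTEMPT_LIMIT = 10        # failed logins per source IP before quarantine (assumed)
FAILED_ATTEMPT_WINDOW = 15 * 60  # seconds over which failures are counted (assumed)
QUARANTINE_SECONDS = 60 * 60     # how long a quarantined IP is refused outright (assumed)
TRUSTED_DEVICE_TTL = 30 * 86400  # remembered devices skip 2FA for this long (assumed)


@dataclass
class Account:
    user: str
    home_countries: set            # countries this user normally logs in from
    mfa_enrolled: bool = False
    compromised: bool = False      # set after a confirmed takeover
    trusted_devices: dict = field(default_factory=dict)  # device_id -> expiry (epoch secs)


class LoginGuard:
    def __init__(self, clock=time.time):
        self.clock = clock                    # injectable so tests can control time
        self.failures = defaultdict(deque)    # ip -> timestamps of recent failed attempts
        self.quarantined = {}                 # ip -> epoch when the block lifts

    def _prune(self, ip, now):
        q = self.failures[ip]
        while q and now - q[0] > FAILED_ATTEMPT_WINDOW:
            q.popleft()

    def ip_blocked(self, ip):
        release = self.quarantined.get(ip)
        if release is None:
            return False
        if self.clock() >= release:           # quarantine has expired
            del self.quarantined[ip]
            return False
        return True

    def record_failure(self, ip):
        now = self.clock()
        self._prune(ip, now)
        self.failures[ip].append(now)
        if len(self.failures[ip]) >= FAILED_ATTEMPT_LIMIT:
            self.quarantined[ip] = now + QUARANTINE_SECONDS
            self.failures[ip].clear()

    def evaluate(self, account, ip, country, device_id, password_ok):
        """Decide what to do with one login attempt.

        Returns (action, reason). Actions: 'blocked' (IP quarantined; the password
        is not even checked), 'deny' (bad password), 'step_up' (password correct
        but a 2FA challenge is required; reason says why), 'allow'.
        """
        if self.ip_blocked(ip):
            return "blocked", "ip_quarantined"
        if not password_ok:
            self.record_failure(ip)
            return "deny", "bad_password"
        now = self.clock()
        # A previously compromised account is not reactivated without 2FA.
        if account.compromised and not account.mfa_enrolled:
            return "step_up", "reactivation_requires_2fa"
        # Login from outside the user's usual countries is challenged even on a
        # remembered device. Geo-IP is only a hint (VPNs, proxies), so this
        # triggers a confirmation rather than silently dropping the login.
        if country not in account.home_countries:
            return "step_up", "unfamiliar_location"
        if account.trusted_devices.get(device_id, 0) > now:
            return "allow", "trusted_device"
        # Mandatory 2FA on every new device; the user may remember it afterwards.
        return "step_up", "untrusted_device"

    def complete_step_up(self, account, device_id, remember=True):
        """Called once the user has passed the 2FA challenge."""
        account.mfa_enrolled = True
        account.compromised = False
        if remember:
            account.trusted_devices[device_id] = self.clock() + TRUSTED_DEVICE_TTL


if __name__ == "__main__":
    guard = LoginGuard()
    alice = Account("alice", {"US"})                      # constructed sample user
    print(guard.evaluate(alice, "203.0.113.9", "US", "laptop-1", True))
    guard.complete_step_up(alice, "laptop-1")
    print(guard.evaluate(alice, "203.0.113.9", "US", "laptop-1", True))
    print(guard.evaluate(alice, "198.51.100.7", "PK", "laptop-1", True))
    for _ in range(FAILED_ATTEMPT_LIMIT):                 # simulated password spraying
        guard.evaluate(alice, "198.51.100.7", "US", "bot", False)
    print(guard.evaluate(alice, "198.51.100.7", "US", "laptop-1", True))
```

The order of checks matters: the IP quarantine runs before the password is verified, so a quarantined source cannot keep refining its guesses, and the location check runs before the trusted-device shortcut, so a stolen "remember me" token does not let an attacker in from the other side of the world without a challenge.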
So please, publishers, protect your users. It will save you time, money and grief in the long run, and make everyone’s day a little bit more pleasant.