PC & Tech Authority

Your game accounts and passwords are not secure!

If you are a PC gamer – and increasingly now, a console gamer too – you’ve probably found that almost every single publisher and developer has some sort of native authentication service. Where once it was only a handful of gatekeepers – Microsoft, Sony, Steam, and Nintendo for example – other major publishers found that they’d also like access to the incredible amounts of data and control over their software, as well as the ability to offer microtransactions and packages in a way that got around the larger existing distributors. So, where we once had maybe two or three logins to contend with, we now have up to and possibly more than ten. And it could be more still if you play games as a service, such as League of Legends, or basically any MMO.

There’s a lot to lose here. A compromised account can mean the loss of access to hundreds if not thousands of dollars in software. It can mean unauthorised payments thanks to stored credit card details, and possible transfer or deletion of hard-earned progress. It can also be a great gateway to phishing information and other details via friend list contacts, who would be completely unaware they weren’t talking to the true owner. It’s also frustrating as hell to prove to poorly designed automated systems, or bored call centre reps, that, yes, you do own the account, and yes, you would like it back. Companies need to consider security first and foremost during the original account creation stage, as well as implementing common sense security profiles.

First, most users do not travel regularly outside of their country of origin. If they are playing from their home in Dullsville, Idaho 99% of the time, and they’ve suddenly logged in from Pakistan or China, it’s very unlikely this is going to be them. Publishers, please, just block any logins from locations that are overwhelmingly unlikely to be accessed by that user, and make that email a request rather than a post-intrusion advisory. In most cases a simple manoeuvre like that would block most attacks, unless the attacker already knew the location of the target (very unlikely). Secondly, make some sort of 2FA mandatory during account creation. Even the crappiest form – email – is still 100 times more secure than a weak password, and takes only about 15 seconds longer to log in. You can offer users the chance to store devices, once secured, for a period to avoid pestering them every single day; at the very least, again, this will stop a significant bulk of accounts being taken over. Almost every service now offers some element of 2FA, whether weak (email), adequate (text), or best (authenticators), but almost none of them are mandatory on signup. This needs to change. Companies like Blizzard, Microsoft, and Steam have been front and centre here, offering benefits to users for turning on 2FA, as well as offering different and increasingly simpler options to action them. Blizzard, for example, just pops up on your phone on request and asks you to tap a single button. Easy. Steam offers you the option of email or an installed app for Steam Guard, and to be honest, most PC users have a lot to lose and should be taking the stronger option here.

The third option is to block/quarantine IPs, and even ranges of attackers, to stop bulk attacks. I’ve seen services that let users brute force for days if necessary, which is utterly pointless. Ubisoft and EA are some of the worst offenders, breaking almost every rule when it comes to effective account security, making it simple for attackers to compromise hundreds if not thousands of accounts in a second, before doing it again a week or two later once everyone manages to get back in again. If an account is compromised, 2FA, at the very least, should be a condition of reactivation.
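The three controls the column asks for, worked through as an added example that is not any publisher's real code: a small login-risk gate run over constructed login attempts, where the thresholds FAIL_LIMIT and RANGE_LIMIT and the HOME_COUNTRY table (standing in for a user's real login history) are assumptions.

```python
"""Login-risk gate applying the column's three controls to constructed auth
attempts: hold logins from a country the user never plays from pending email
confirmation, refuse sessions without 2FA, and quarantine IPs, then whole /24
ranges, that keep failing password checks. Added example, not a publisher's code."""
import ipaddress
from collections import Counter

FAIL_LIMIT = 5    # bad passwords from one IP before it is quarantined (assumed)
RANGE_LIMIT = 2   # quarantined IPs in a /24 before the whole range is (assumed)
HOME_COUNTRY = {"alice": "AU", "bob": "US"}  # constructed: usual play location

def gate(attempts):
    """attempts: (user, ip, country, password_ok, second_factor) tuples in time
    order. Returns one decision per attempt; earlier failures feed later ones."""
    failures, bad_ips_in = Counter(), Counter()
    quarantined_ips, quarantined_ranges, decisions = set(), set(), []
    for user, ip, country, password_ok, second_factor in attempts:
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        if ip in quarantined_ips or net in quarantined_ranges:
            decisions.append("drop: source quarantined")
        elif not password_ok:
            failures[ip] += 1
            if failures[ip] == FAIL_LIMIT:       # stop the brute force here
                quarantined_ips.add(ip)
                bad_ips_in[net] += 1
                if bad_ips_in[net] >= RANGE_LIMIT:
                    quarantined_ranges.add(net)
            decisions.append("fail: bad password")
        elif country != HOME_COUNTRY.get(user):
            # Hold it and ask the owner by email, rather than advise afterwards.
            decisions.append("hold: confirm new country by email")
        elif not second_factor:
            decisions.append("deny: 2FA required")
        else:
            decisions.append("allow")
    return decisions

# Constructed sample: a normal login, one from an unexpected country, one without
# 2FA, two IPs in one /24 brute forcing, then a third IP in that range arriving
# with a correct password after the whole range has been quarantined.
SAMPLE = (
    [("alice", "203.0.113.7", "AU", True, True),
     ("alice", "198.51.100.9", "PK", True, True),
     ("bob", "203.0.113.8", "US", True, False)]
    + [("bob", "198.51.100.20", "US", False, False)] * FAIL_LIMIT
    + [("bob", "198.51.100.21", "US", False, False)] * FAIL_LIMIT
    + [("bob", "198.51.100.22", "US", True, True)]
)

if __name__ == "__main__":
    for (user, ip, *_), decision in zip(SAMPLE, gate(SAMPLE)):
        print(f"{user:6} {ip:15} {decision}")
```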

So please, publishers, protect your users. It will save you time, money and grief in the long run, and make everyone’s day a little bit more pleasant.
