Credential stuffing attacks are just the tip of the iceberg. What are games developers doing to stop user accounts from being pwned?

As the video games industry pivots to a cloud-based model, developers are struggling to cope with the security risks, analysts warn.

While ‘games-as-a-service’ enables massively multiplayer online role-playing games (MMORPGs), swift updates, cross-platform support, and more, it is also opening up new opportunities for criminals.

In a new report (PDF), cloud service provider Akamai highlights an “alarming” rise in the number of SQL injection exploits and an associated increase in credential stuffing attacks.

Indeed, its analysis shows that the gaming industry attracted 12 billion credential stuffing attacks between November 2017 and March 2019.

The big attraction is the opportunity to use stolen card credentials to purchase in-game currency and other items that can then be sold on via eBay or the dark web. It’s a technique that’s seen as less risky than straightforward financial fraud.

“The banking industry has had 20 or 30 years’ experience of telephone banking, online banking and [credit card] fraud, so it’s very, very aware of these threats and largely keeps up with the hackers and stops them before things become too serious,” industry strategist Paul Jackson of Akamai tells The Daily Swig.

“And also, it’s treated very, very seriously by the police – they know how to prosecute online banking fraud. But when you come to gaming stuff, it’s all a bit amorphous and international: ‘Is this really a crime?’ and ‘What is the value of the virtual goods?’, so it’s less of a protected area.”

In another recent report, cyber intelligence firm SixGill found that some Fortnite accounts were selling for thousands of dollars.

In one 60-day period alone, just the top 50 Fortnite items listed on eBay brought in about $250,000.

Indeed, a BBC investigation late last year found that children as young as 14 were making thousands of pounds a week by selling stolen in-game Fortnite items.

Earlier this month, research released by cybersecurity firm DynaRisk revealed that Riot Games was the most targeted brand by hackers, with Origin and EA also in the top five.

“Recent high-profile data concerns on social media platforms have likely alerted consumers to the ease with which data and personal information can be stolen or misused by third parties; however, they might not have the same awareness of the risks to accounts,” says DynaRisk CEO Andrew Martin.

User incentives

Gaming companies such as Epic are aware of the problem, and are doing their best to encourage users to use two-factor authentication to secure their accounts.

“Epic, because of their success, are a massive target for this sort of thing, but you then have this policy of a free skin if you turn on two-factor authentication, and you can trade with your friends,” says Jackson.

“But the trick is to encourage your customers to embrace security without making it so difficult for them that they think, ‘Oh God, I forgot my password last week, so I’m not going to go back into that game’.”

And, says Jackson, the advent of games-as-a-service is bringing new risks. While the likes of Microsoft, Sony, and Google already protect user data reasonably efficiently, that may not be the case for all.

“Asset attacks and account thefts are far more prevalent [now] than two or three years ago,” he says. “And given that we’re seeing this growth in free-to-play gaming and virtual assets, it’s only likely to be a faster-moving, larger space to watch out for.”
