Games are still tempting targets for hackers. Zynga’s popular online game, Words With Friends, was recently hacked and more than 218 million users had their information stolen.
And once hackers breach a game company’s defenses and get inside, they can steal identities, financial wealth, and virtual property in games that can be resold for real-world value. They can also bring an online game down and cause an uproar from gamers who can’t get into their favorite hobby.
So GamesBeat recently held a webinar to talk about the problem and how game companies can protect their players and themselves from cyberattacks. The attacks can also do massive damage to the company’s reputation, the players’ trust in it, and their faith in its security practices — not to mention the victim company’s bottom line. Reparations can be costly.
Akamai sponsored the webinar. We have extracted most of the practical advice that just about any company can benefit from, and we’ve preserved the banter between our panelists.
Dean Takahashi moderated the session, and our speakers included Scott Adams, CEO of FraudPVP (formerly of Riot Games); Lonnye Bower, chief operating officer of game startup ProbablyMonsters (formerly at Bungie); Steve Ragan, senior technical writer at Akamai; and Jonathan Singer, senior manager for global games industry at Akamai.
Here’s an edited transcript of our conversation.
GamesBeat: We have a broad question for all of our panelists here to start with. How can game studios and developers protect themselves and their users? Jonathan, could you tackle it first?
Singer: It’s a pretty simple thing, but it’s coding your login page and your APIs with OWASP. Writing secure code according to OWASP best practices, doing penetration tests on your login endpoints with reputable providers, all of these pieces — that’s the entrance point to your games. Anyone who has a lot of experience and is listening to this probably knows this already, but it bears repeating that that’s one of the things you need to be doing to protect your players.
There’s obviously a lot of concern around [distributed denial of service (DDoS)] protection, around bot management and anti-cheat, around identity. There are a lot of different pieces that need to be solved there, from a lot of different angles. I understand that lots of developers and publishers sometimes build their own solutions. They sometimes buy their own best-practice solutions. But there are so many aspects of security to look at that really, where you want to start is just thinking about the player and what they need.
Adams: I like where you left that. That’s one of the biggest things. The first thing any game company should do is think about the players. I’ve been inside a lot of different game companies, and companies in general. One of the things I always like to make sure people think about, at every level, is that when you’re building the game, and as you move forward to continue it, you have to make sure that security and fraud and risk and all that stuff is at the table as you make decisions.
I’ve heard so many times from game developers: “I won’t be defrauded. I’m a game company.” Now we’re getting to where that happens less, but even with that knowledge, if you don’t have an expert at the table when you’re making the big decisions and planning out the game, you’re going to end up getting hurt. If you’re not used to thinking that way, you’re probably going to leave a lot of holes. As you come up with a new feature, as you come up with a new unit in your game, new ideas around how the game might play, then having someone at the table that thinks that way is invaluable.
Another thing I’d say, especially as the game launches, listen to your customer support, your player support. Those guys are the front lines. They’re seeing and hearing and talking to your players. If they see something, take them seriously. Try to solve that problem quickly, before it becomes a bigger problem.
Singer: If anyone out there has that sort of mentality in their company — “I’m just a game company” — the game industry is one of the world’s largest completely unregulated financial markets. That’s really how you need to think of yourselves. As we move more toward subscription models, you’re collecting PII. You’re collecting all the contact information. You have credit card information. Players tie up a ton of value in their accounts. The world is increasingly aware of that. It’s a juicier and juicier target for anyone who’s interested in making money. You’re not just a game company anymore.
Bower: I really feel for the players who are out there looking for an inspiring game to play. They’re trusting the studios. They’re trusting the developers that put games out. They really want a challenging and enjoyable experience. On the game side, you need to ensure that all of the teams are thinking and talking about security, really from the initial stages, which goes along with what Jonathan and Scott are saying. When you begin developing the game, it needs to be a conversation you’re having on day one.
Ragan: A lot of the criminals that I researched target two things in particular: the gamers themselves and the authentication mechanisms used to get into a game.
My suggestion is to focus on strengthening your access controls and your identity management controls for gamers themselves, and then awareness training for the players. Make sure they understand the risks of password sharing, the risks of account sharing, the risks of trying to purchase game add-ons and things from unapproved vendors or external parties, all the associated risks with that. That’s a good area of focus as game companies develop new properties and expand, because the player base is going to be the largest asset targeted.
GamesBeat: How do you offer protection without affecting the user experience or game performance?
Ragan: You have to make it so that all of the protections in place don’t ruin the gaming experience for the user, by making sure it’s seamless. I’ve played games in the background where anti-cheating mechanisms or account security mechanisms are just all part of the process. It flows smoothly from one thing to the next. In some cases, for authentication and verification, just getting into the game itself, you don’t realize you’re going through all these security hoops. You’re just logging in to go and play.
I can tell you that one of the largest gaming firms on the market right now, one that’s really popular for subscription-based services, makes security really easy and obtainable for every one of their players. They focus on user awareness training and things like that. But when you’re going through all those security hoops, you don’t realize it. You just log in and you go. All of that stuff happens in the background, so it stays out of the way.
Bower: When I think about protection for the users, to ensure a great experience and performance for them, I look at two sides. I look at both the client and the server side. When I say the client, it’s any console or platform that you’re playing on. Looking at that, you want to ensure that your game engineers are aware of and able to incorporate security best practices when they’re building their code, so that we prevent hackers or bad actors from reverse engineering the game on that client.
Then, when we look at the server side, this would be those services that Steve mentioned when you’re logging into the game and authenticating. Both internal and game-facing, those need to be deployed with security protections in mind. I’d really think of that as starting with the principle of least privilege, where the users on the system have enough access to do only the tasks they need to perform and nothing more. Generally, engineering that way should help with the protections for the game. Talking about the client side, if they’re engineering the game with those best practices in place, it shouldn’t really impact the performance on the client side.
Adams: I agree with everyone so far. But I would also say that you can’t, I don’t think, offer really good protection and not at least affect the experience. You can keep it manageable and keep it a good experience.
One thing we should all think about, if we’re speaking to game studios and developers, is making it normal to get some form of identification and a way of communication, like a phone number and email, when someone plays a game. Consoles have hardware IDs; if it’s online, require either email or phone. If we can make it a normal experience for a game to use some form of two-factor authentication, that would be great. Surprisingly, we haven’t really done that. Some games do and some don’t. Once that’s a norm, it’s not a big deal. Those kinds of things can be very good protection.
There’s a lot of new technology out there coming up, things like biometrics, that can help us in a similar way, and then it’s less impactful to the experience. The sooner that we as an industry take note and make this something we all do and take seriously, the sooner things will get more difficult for fraudsters.
Singer: To cap this off, the first thing you do is hide as much as you can. Then, and this is what others have said, you can’t offer the most secure experience without affecting the user experience. What you want to do is positively affect the user experience. You want a bit of security theater to it, which may make some folks wince, but you don’t actually want it to be theater. It’s about giving them useful tools that secure the players that also make them feel secure and build trust.
If we’re talking about multi-factor authentication (MFA), if you want users to enroll in MFA, they have to trust that when they give you their phone number, you’re not selling that. You’re not using that. You can have it printed in a license agreement, but if you don’t do other things to earn the trust of your players, you’re not going to be able to give them a more secure experience. If they don’t already trust you as a publisher for other reasons, it makes partnering with your players on security more difficult. They’re less likely to work with you.
There’s something to be said for — the entire experience of how they interact with you as a company affects your security posture. That’s down to your marketing and PR, even. I know I’m going a little far afield from the technical security discussion, but you need to build trust with your users so that when you give them security solutions to use, they believe that you have their best interests at heart when you’re collecting the information you need to further secure them.
Bower: I’d like to add one comment to that, if I may. Part of fostering a culture of transparency and trust between the players and the studios is really communication. If we are going to be adding anything that would impact the performance of the game, it’s critical that the studios or the developers have that communication open with the players, so that they’re aware of what’s happening and why it’s happening. That will build on the trust that we earn from them.
Singer: I completely agree. If you take DDoS as an example, there are different types of DDoS solutions. Some might just be, the players don’t see it and they don’t know it’s happening. There are other types where you block traffic, scrub traffic, it slows things down, and all of a sudden players are having a negative experience, but it’s not completely shut off. What does that look like? Do they know? Do they understand what’s happening? That’s a basic example, but again, communicating with your players why you do things that might affect their game performance is key to building trust with them overall.