Game accounts have been the targets of hackers for years, but as more games go online or require account verification the stakes are only rising. Having your account hacked could mean hours of lost work and hours more spent on the phone with the game’s tech support.
So how are game accounts hacked, and what can you do to stop yours from being a target?
An Old Hat – Guessing Passwords
I’ve written a fair number of security articles on MakeUseOf, and although they often have different topics there are some basic tidbits of wisdom that remain the same. Use complex passwords. Change them occasionally. Don’t disclose them to anyone.
It’s no different with games. Although most people play games just for entertainment, hackers go after game accounts for the same reason they go after any other – profit. In-game items and/or digital game copies are worth real money. In some games, items can be converted to in-game currency that can be re-sold to other players on the black market.
Telling ourselves that hackers are entering systems via complex methods that we can’t possibly detect or avoid is comforting. But in truth, hackers often use simple methods that arguably aren’t even hacking. Why? Because they work. Security studies have shown that about 30% of people use passwords with just six alphanumeric characters and a significant number of people still use strings of characters like “123456” or even “password” as their password. There’s no need for any hacking to take place when so many users have such lax security.
Gamers would often like to think they’re above such tomfoolery, but we have no reason to suspect that’s the case. We are simply consumers of a specific form of entertainment. If you are currently using a simple password, change it now. And if you’re not sure about the strength of the password you’ve chosen, have a look at our round-up of password strength tools.
Another Old Hat – Keyloggers & Phishing
Even if you have a secure password you can still have an account compromised if someone else discovers what the password is. Sometimes this occurs because a friend manages to obtain or guess another person’s password, in which case you’ll probably wake up with all your gear dyed pink. For the most part, however, such problems come from keylogging or phishing.
Keyloggers are common. They’re not hard to implement or to send into the wild. Gamers are just as vulnerable as anyone. Perhaps more so – we often download patches, mods and add-ons to games. World of Warcraft has been struck by keyloggers built into fake game add-ons, for example.
The large number of accounts we have with different game companies and websites also makes us prime targets for phishing attacks. Did you register for that Star Wars: The Old Republic website? Hmmm. That would have been a few months ago. It’s hard to remember.
Most people who are compromised swear up and down that their passwords are secure and they couldn’t possibly be the victim of a keylogger. It’s quite strange. When it comes to gaming, the people who are the smartest about their security are the most likely to be hacked.
That was sarcasm. Still, it’s worth talking about brute force, a tactic that is commonly thought to be the culprit and may in some cases actually be the problem. A brute force attack is an attempt to crack a password by using a library of random passwords as quickly as possible. Eventually, one will work.
This sounds like a probable culprit, but it’s not. Most games have lock-out mechanisms that will prevent additional logins after a certain number of tries. In addition, brute force attacks are usually not effective against complex login servers because of the time required to log in. Even a correct password will take a few seconds to verify.
That’s not a lot, but it becomes an issue when a hacker is trying to crack an account using a library of hundreds of thousands or even millions of passwords. That small delay can translate to days, weeks or years of additional time.
Hackers can get around this by using relatively small libraries that contain only extremely common passwords. But this just leads us back to proper password security. Brute force attacks can be an issue, but the methods of protection outlined above will work against this attack as well.
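The lock-out and delay argument above, worked through as an added example (not from the original article). The `LoginGate` class, the six-entry common-password list, the 3-second verify delay used in the test and the 12-character minimum are all assumptions made for illustration.

```python
# Constructed sample: a tiny "common passwords" list, most common first.
COMMON_PASSWORDS = ["123456", "password", "12345678", "qwerty", "abc123", "111111"]

class LoginGate:
    """Hypothetical login server that locks an account after max_failures misses."""
    def __init__(self, password, max_failures=5):
        self._password = password
        self.max_failures = max_failures
        self.failures = 0

    def attempt(self, guess):
        if self.failures >= self.max_failures:
            return "locked"
        if guess == self._password:
            self.failures = 0
            return "ok"
        self.failures += 1
        return "fail"

def survives_common_list(password, max_failures=5):
    """True if the lock-out triggers before any common password matches."""
    gate = LoginGate(password, max_failures)
    for guess in COMMON_PASSWORDS:
        result = gate.attempt(guess)
        if result == "ok":
            return False
        if result == "locked":
            return True
    return True

def days_to_try(library_size, seconds_per_attempt):
    """Wall-clock days needed to submit every entry at the server's verify delay."""
    return library_size * seconds_per_attempt / 86400

def acceptable_at_signup(candidate, min_length=12):
    """Signup check that closes the gap: reject short or commonly used passwords."""
    return len(candidate) >= min_length and candidate.lower() not in COMMON_PASSWORDS
```

The lock-out protects any password that is not among the first few common guesses, and nothing protects one that is, which is why the signup check matters more than the throttle.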
Authentication Phishing Attacks
Some companies, most famously Blizzard, have started to use authenticators with their games. These devices work by generating a code based on a pre-defined encryption algorithm owned by the company. Each authenticator will generate certain codes at certain times, but the codes can only be guessed if you have your hands on the algorithm. Which no one besides the company has (in theory).
But this can still be subject to phishing attacks. A fake website can ask for an authenticator code just like any other. These codes are only valid for an extremely short period of time – usually a few minutes – but that can be enough time for a hacker monitoring incoming information to log in, at which point the hacker can change account passwords, strip gold and items, etc.
The basics of protecting against this are the same as protecting against any phishing attack. Do not assume a source that is asking for your authentication code is legitimate. Ask yourself – how did I get here? Does this page look different from normal? What’s the URL? If there’s any doubt, leave the site immediately.
Are There “Real” Hacks?
Yes. Absolutely. There are methods of hacking that can compromise numerous accounts. The PlayStation Network is the most famous case of wide-spread infiltration by hackers, but even companies like Valve and Trion have had smaller, less serious security issues.
There’s also always the possibility of a man-in-the-middle attack or a local wireless network being compromised. Such things do happen.
But they are also rare because they’re not easy. The PlayStation Network hack was exceptional because of its duration, apparent ease and severity. Sony did not take the proper security measures. Most hacks of other game company servers have caused minimal damage because the companies detected the attacks relatively quickly, took the right steps to limit the problem and encrypted valuable user data.
The chance that you’ll be hacked via a “real” hack is small. Organizations that consistently compromise game accounts are in it for the money, and the best way to make money is to use the simplest methods possible. There is no need to hack game company servers when a non-trivial portion of any game’s user base uses six-digit passwords and is vulnerable to keylogger infection.
Protection is simple as a result. Use strong passwords. Use an anti-virus and firewall. Use best practices for safe computer use. And, yes, use an additional authentication method if one is provided by the game’s developer.