How Are Video Game Accounts Hacked & What Can You Do To Protect Yourself?

Game accounts have been the targets of hackers for years, but as more games go online or require account verification, the stakes are only rising. Having your account hacked could mean hours of lost work and hours more spent on the phone with the game’s tech support.

So how are game accounts hacked, and what can you do to stop yours from being a target?

An Old Hat – Guessing Passwords

I’ve written a fair number of security articles on MakeUseOf, and although they often have different topics there are some basic tidbits of wisdom that remain the same. Use complex passwords. Change them occasionally. Don’t disclose them to anyone.

It’s no different with games. Although most people play games just for entertainment, hackers go after game accounts for the same reason they go after any other – profit. In-game items and/or digital game copies are worth real money.  In some games, items can be converted to in-game currency that can be re-sold to other players on the black market.

Telling ourselves that hackers are entering systems via complex methods that we can’t possibly detect or avoid is comforting. But in truth, hackers often use simple methods that arguably aren’t even hacking. Why? Because they work. Security studies have shown that about 30% of people use passwords with just six alphanumeric characters and a significant number of people still use strings of characters like “123456” or even “password” as their password. There’s no need for any hacking to take place when so many users have such lax security.

Gamers would often like to think they’re above such tomfoolery, but we have no reason to suspect that’s the case. We are simply consumers of a specific form of entertainment. If you are currently using a simple password, change it now. And if you’re not sure about the strength of the password you’ve chosen, have a look at our round-up of password strength tools.

Another Old Hat –  Keyloggers & Phishing

Even if you have a secure password you can still have an account compromised if someone else discovers what the password is. Sometimes this occurs because a friend manages to obtain or guess another person’s password, in which case you’ll probably wake up with all your gear dyed pink. For the most part, however, such problems come from keylogging or phishing.

Keyloggers are common. They’re not hard to implement or to send into the wild. Gamers are just as vulnerable as anyone. Perhaps more so – we often download patches, mods and add-ons to games. World of Warcraft has been struck by keyloggers built in to fake game add-ons, for example.

The large number of accounts we have with different game companies and websites also makes us prime targets for phishing attacks. Did you register for that Star Wars: The Old Republic website? Hmmm. That would have been a few months ago. It’s hard to remember.

We’ve already covered methods of protection before, so instead of going over it again, I’ll direct you to our articles about combating keyloggers and identifying phishing attacks.

Brute Force

Most people who are compromised swear up and down that their passwords are secure and they couldn’t possibly be the victim of a keylogger. It’s quite strange. When it comes to gaming, the people who are the smartest about their security are the most likely to be hacked.

That was sarcasm. Still, it’s worth talking about brute force, a tactic that is commonly thought to be the culprit and may in some cases actually be the problem. A brute force attack is an attempt to crack a password by using a library of random passwords as quickly as possible. Eventually, one will work.

This sounds like a probable culprit, but it’s not. Most games have lock-out mechanisms that will prevent additional logins after a certain number of tries. In addition, brute force attacks are usually not effective against complex login servers because of the time required to log in. Even a correct password will take a few seconds to verify.

That’s not a lot, but it becomes an issue when a hacker is trying to crack an account using a library of hundreds of thousands or even millions of passwords. That small delay can translate to days, weeks or years of additional time.

Hackers can get around this by using relatively small libraries that contain only extremely common passwords. But this just leads us back to proper password security. Brute force attacks can be an issue, but the methods of protection outlined above will work against this attack as well.
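A sketch of the lock-out mechanism and per-attempt delay described above, as an added example that is not from the original article or any game's login server. The thresholds, the `LoginThrottle` class, the account name and the sample passwords are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

MAX_FAILURES = 5          # assumed threshold; real services choose their own
LOCKOUT_SECONDS = 900     # assumed 15-minute lock after MAX_FAILURES misses


@dataclass
class LoginThrottle:
    """Per-account failure counter with a timed lock-out."""
    failures: dict = field(default_factory=dict)      # account -> miss count
    locked_until: dict = field(default_factory=dict)  # account -> unlock time

    def attempt(self, account, password_ok, now):
        """Return 'ok', 'denied' or 'locked' for one login attempt at time now."""
        if now < self.locked_until.get(account, 0):
            return "locked"               # the password is not even checked
        if password_ok:
            self.failures.pop(account, None)
            return "ok"
        count = self.failures.get(account, 0) + 1
        self.failures[account] = count
        if count >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            self.failures[account] = 0
        return "denied"


def days_to_exhaust(guesses, seconds_per_attempt):
    """Time to walk a whole guess list when each check costs a fixed delay."""
    return guesses * seconds_per_attempt / 86400


def replay(guess_list, real_password, seconds_per_attempt=3):
    """Feed a guess list through the throttle; return the outcome of each try."""
    throttle, now, outcomes = LoginThrottle(), 0, []
    for guess in guess_list:
        outcomes.append(throttle.attempt("player1", guess == real_password, now))
        now += seconds_per_attempt
    return outcomes


# Constructed sample: the real password is the 8th entry of a short guess list.
SAMPLE_GUESSES = ["123456", "password", "qwerty", "abc123", "letmein",
                  "dragon", "monkey", "Tr1cky-horse-staple", "111111"]

if __name__ == "__main__":
    print(replay(SAMPLE_GUESSES, "Tr1cky-horse-staple"))
    print(f"{days_to_exhaust(1_000_000, 3):.1f} days for 1,000,000 guesses at 3 s each")
```

Once the fifth miss locks the account, the correct password in eighth position is refused as well, and a password that sits among the first few guesses is still accepted before any lock applies.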

Authentication Phishing Attacks

Some companies, most famously Blizzard, have started to use authenticators with their games. These devices work by generating a code based on a pre-defined encryption algorithm owned by the company. Each authenticator will generate certain codes at certain times, but the codes can only be guessed if you have your hands on the algorithm. Which no one besides the company has (in theory).

But this can still be subject to phishing attacks. A fake website can ask for an authenticator code just like any other. These codes are only valid for an extremely short period of time – usually a few minutes – but that can be enough time for a hacker monitoring incoming information to log in, at which point the hacker can change account passwords, strip gold and items, and so on.

The basics of protecting against this are the same as protecting against any phishing attack. Do not assume a source that is asking for your authentication code is legitimate. Ask yourself – how did I get here? Does this page look different from normal? What’s the URL? If there’s any doubt, leave the site immediately.
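How a time-limited authenticator code behaves on the server side, as an added example that is not from the original article. The article does not name the vendors' algorithm, so this assumes the public TOTP scheme (RFC 6238) as a stand-in; the 30-second step, the one-step drift tolerance, the `Verifier` class and the test secret are assumptions.

```python
import hashlib
import hmac
import struct

STEP = 30        # assumed seconds per code (RFC 6238 default)
DRIFT_STEPS = 1  # assumed: server also accepts the previous and next step


def totp(secret, unix_time, digits=6):
    """RFC 6238 code: HMAC-SHA1 over the time-step counter, then truncate."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Verifier:
    """Server side: accept a code inside the drift window, and only once."""

    def __init__(self, secret):
        self.secret = secret
        self.last_used_step = -1

    def verify(self, code, now):
        current = now // STEP
        for step in range(current - DRIFT_STEPS, current + DRIFT_STEPS + 1):
            if step <= self.last_used_step:
                continue  # this step's code was already consumed
            if hmac.compare_digest(totp(self.secret, step * STEP), code):
                self.last_used_step = step
                return True
        return False


def demo():
    secret = b"12345678901234567890"  # constructed test secret, not a real seed
    code = totp(secret, 59)           # what the device shows at t = 59 s
    server = Verifier(secret)
    first = server.verify(code, 70)   # submitted 11 s later by anyone holding it
    again = server.verify(code, 75)   # same code a second time
    late = Verifier(secret).verify(code, 200)  # fresh server, window long past
    return code, first, again, late


if __name__ == "__main__":
    print(demo())
```

The server checks only the code and the clock, so it cannot tell the account owner from a site that collected the code moments earlier; that is why the URL check matters even with an authenticator.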

Are There “Real” Hacks?

Yes. Absolutely. There are methods of hacking that can compromise numerous accounts. The PlayStation Network is the most famous case of wide-spread infiltration by hackers, but even companies like Valve and Trion have had smaller, less serious security issues.

There’s also always the possibility of a man-in-the-middle attack or a local wireless network being compromised. Such things do happen.

But they are also rare because they’re not easy. The PlayStation Network hack was exceptional because of its duration, apparent ease and severity. Sony did not take the proper security measures. Most hacks of other game company servers have caused minimal damage because the companies detected the attacks relatively quickly, took the right steps to limit the problem and encrypted valuable user data.

Conclusion

The chance that you’ll be hacked via a “real” hack is small. Organizations that consistently compromise game accounts are in it for the money, and the best way to make money is to use the simplest methods possible. There is no need to hack game company servers when a non-trivial portion of any game’s user base uses six-digit passwords and is vulnerable to keylogger infection.

Protection is simple as a result. Use strong passwords. Use an anti-virus and firewall. Use best practices for safe computer use. And, yes, use an additional authentication method if one is provided by the game’s developer.

Image Credit: Coconinoco

12 Comments -

0 votes

Dany Bouffard

Also something to remember when receiving email from a game company is they will never actually ask for your password for a gaming account. Never ever give your password to anyone.

0 votes

GamerJunkdotNet

Another way people are hacked is when they download “cheats” for games which are really just broken programs that they log into which steal their passwords.

0 votes

Pavel

…which, as Matt mentioned in his article, would in fact be a keylogger.

There aren’t many ways to cheat in games revolving around the MMO/MOBA genre anyway (unless we’re talking about World of Warcraft, a 10-year old could cheat there), and the odds of an actual cheat coming out to the rest of the internet is more than unlikely – gaming hackers keep their cheats very private, to keep it undetected for as long as they can.

By the way Matt, wouldn’t guessing passwords and bruteforcing be essentially the same?
I would imagine bruteforcing to only define the act of automating the input of random passwords on random accounts – contrary to guessing passwords, which true hackers would only do if they felt very confident about their knowledge of the account owner (mainly their behaviour on the internet).

Also, I’ve received a slightly disturbing e-mail from Riot Games three days ago – might want to include it in your articles next time you point out poor security ^^
http://ebm.email.leagueoflegends.com/c/tag/hBP0qnuB8GwhtB8jbYoNuCwZGLz/doc.html?t_params=

0 votes

Tanguy Djokovic

yeah people must be careful and always display the extension of a file, some pirate will name their file “something.jpg” while it actually is “something.jpg[.exe]” but the .exe is not shown. So always display the full extension even if it’s a bit ugly

0 votes

Terafall

Then, how can we identify when a cheat, mod, etc. we download has a keylogger?

0 votes

Pavel

Eh, well there are a few ‘trusted’ cheat publishers like h4xor (and his SI cheats site), but the odds are that someone will just download a trainer for a game, bind it with their dropper, and it will be executed with the trusted trainer (assuming you downloaded the binded file from some dodgy site).

I never fully trust anything in that grey area (be it anything from cheats/trainers, to pro RATs etc), and so I run everything in Sandbox, to see everything that launches when I open a file.
Case in point: I was recently testing a crypter someone posted on Hack Forums, and after opening in Sandbox, I could see three applications running. After closing the crypter, the two other ‘hidden’ applications were still running, and demanding access to random parts of my system. Clearly, the crypter was infected. I even managed to trace the DynDNS they used for their keylogger to communicate with them, and got their IP perma-banned.

Few notes that I should mention. If you scan a trainer using an antivirus, there is a high possibility it will detect it as a virus. This is because most trainers inject little pieces of code into the memory when your game is running, in order to change its properties and therefore cheat. Don’t trust your AV, trust Sandbox ^^
Also, quite a few modern viruses have a protection against being run in Sandbox. Therefore, if nothing loads in Sandbox, don’t trust it.

Lastly, don’t cheat. It just takes all the fun away.

0 votes

Matt Smith

This is good advice. Trainers are well known for tripping up anti-viruses and I think some gamers decide just to not really scan them as a result. Which is, uh, unwise.

0 votes

Krzysztof Buzko

Thanks for this article, it’s a fact that most people use easy-to-remember passwords. I was doing the same some time ago. But my Facebook account was hacked (don’t know by what method). I got a bill for advertisement and some other things. It took me a long time to resolve this matter with Facebook customer service. From that moment I’m always using more complex passwords, and always check if the website I am giving my password to is the website I wanted to go to. Man is always smart after a loss.

0 votes

Matt Smith

A lot of people wait until there is a problem to fix it. Don’t let it happen to you!

0 votes

lololol

Well, I have been hacked once in this online game. I am scared because I used my real email.
