Without looking at statistics, doesn’t it feel as if the world of online gaming is as strong as it’s ever been? The mobile gaming scene has exploded, and it seems like hundreds of new games for the iOS and Android platforms are being rolled out every week. Nonetheless, the force is still strong with PC!
We’re getting to a point where gaming is a business for both developers and the players themselves. People make money by streaming themselves playing games. Players can now “go pro” in the most popular games and literally sign contracts that will qualify them for a salary on a professional team. Games like Diablo III have changed the face of online gaming completely by offering features like the real-money auction house. Losing access to an account for an online game in 2013 isn’t quite what it was back in 2003. We are invested in our games. So what is up with the slack security?
Looking at Blizzard
Although Blizzard may be one of the most recognized brands in PC gaming, their security woes are getting out of hand.
Some millions of people play Blizzard games, including World of Warcraft, StarCraft II, and Diablo III. So, what is their excuse for the constant security breaches?
Battle.net, which operates as the backend and account management interface of Blizzard, has been constantly targeted (rather successfully) by hackers. Battle.net accounts are literally being stolen every day. But how? Being savvy in this area of discussion, maybe they don’t use a CAPTCHA on their login and hackers are able to essentially “crack” accounts through brute-force attempts? Of course not. Blizzard is beyond that, and even offers a mobile or physical keyphrase authenticator to act as a second password and ensure that your account is protected at the login stage.
It’s certainly not that all of these users are infected with some sort of trojan or malware that is compromising their accounts. Is it some security vulnerability in their server infrastructure? What is it?
I’ve not played World of Warcraft, or any Blizzard game, for months, but I recently received the (shortened) email shown above. My assumption has to be that my account is being closed because it was compromised and then used and abused by one of these gold-farming mafias or other exploitative groups. How though? Well, check on Google for any search term similar to “Blizzard account stolen” or “Blizzard security breach” and it’s not much of a mystery.
This is a plague that has infected World of Warcraft even worse than the Corrupted Blood incident. The thing is, my account is currently being “protected” by Blizzard’s mobile authenticator. There is some very deep problem with Battle.net that Blizzard must explain. They’ve been hit with countless lawsuits due to these breaches of data, and it’s getting to a point where the company just looks plain negligent and irresponsible.
At this point, I can’t do anything else but assume that some exploit has existed in Battle.net for years that has constantly allowed hackers to compromise accounts, basically at will. It’s really unacceptable, and something needs to be done.
Phishing on RuneScape
No, not fishing, the less-than-fun gathering skill on Jagex’s all-star online game. Phishing, the act of tricking a user into clicking a malicious link and then entering sensitive data for a hacker to take advantage of.
If you have an older RuneScape account, I bet you’ve received at least one of these emails. As you can see, it’s so routine for me that I don’t even read half of them anymore. Maybe I am accidentally clicking them. Surprisingly enough, this is yet another issue that exists for Blizzard, but we’ll let them off the hook for now.
These emails basically accuse you of trading items for real money, which is against RuneScape’s terms. Your first thought must be, “Hey, I’ve never done that! My account must be hacked!” Conveniently for you, “Jagex” offers you a link where you can appeal this case and claim your account was compromised:
The link, in text, looks trustworthy. However, it’s just a masked hyperlink. Hover that URL and look at your status bar very carefully and you will see the difference:
Okay, so all we’ve proven is that RuneScape players are often targeted by phishing scams. How is Jagex to blame for this? Well, how are our email addresses getting out? How do these people know we have a RuneScape account? Could it be because there have been security breaches at Jagex that have made our personal account information available to these people? It seems likely.
While Jagex can’t really do anything in response to past breaches and people having access to older lists of information, they can improve their security today. If Jagex cleans up their act and does their job, no one who is new to the game today will have to worry about encountering these deceptive emails.
Gabe Newell’s army is strong, so let’s tread this one very carefully. Could there be some security concerns within everyone’s favorite digital distribution client?
In the video above, we have Kripparrian. I’ve talked about Kripparrian before, and those of you who follow games like World of Warcraft, the entire Diablo series, Path of Exile, and Neverwinter may have heard of him. Coincidentally enough, Kripparrian has achieved superstar status in the PC gaming community as being this guy who finds clever ways to basically exploit the economy and other gameplay elements of MMORPGs and MOBAs.
Strangely, as he is such a gamer, Kripparrian seems to have not downloaded Steam until March of this year. This video is a bit of a rant about Steam’s security during the registration process, but Kripp prefers… Blizzard games. Interesting.
To summarize his situation, he was streaming to an audience of a few thousand people while registering a Steam account. After his registration was complete, Steam asked him to verify his account credentials and showed his username and password in plaintext. While I don’t think it’s a good practice to ever do that, we have to consider two things:
- I don’t think anyone should be registering an account for anything in front of anyone, especially not to a stream of thousands of people.
- The security concerns that this does bring upon the user can be quickly taken care of.
Later on during this night of streaming, Kripp was under the impression that, just by revealing his Steam username, he was being hit with a DDoS attack. Later, he learns that this wasn’t what had actually happened, and it was more the fault of the way Steam manages your bandwidth when downloading a game.
It’s an issue that even I’ve had, but it is fixed by limiting the amount of bandwidth that you allow your Steam client to use.
Being the giant that Steam is, security over at Valve isn’t all that bad. There are maybe a few blemishes, but I really believe that they’re willing to do whatever is possible to protect the security of their customers and please gamers everywhere. Sometimes we nitpick, and other times we have severe problems. You won’t find an alternative better than Steam, but certain situations should still be addressed.
What about you?
Do you have any security horror stories in the realm of online gaming? It happens, and I’d like to hear about it. If not, you’d be surprised at what it does to a gamer! Having an account compromised and picked apart that belonged to one of my favorite games ever was one of the worst hacking incidents that I’ve experienced, and thinking about it today still has me a little upset over it. It’s not cool.
Let me know what you think about the state of security in online gaming in the comments below!