BreachExchange mailing list archives

Why Security Is Often an Afterthought on Video Game Websites


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 3 Sep 2013 23:25:00 -0600

http://www.tomsguide.com/us/video-game-account-hacking-spree,news-17482.html

Gamers beware: Your online accounts could be easy picking for hackers.

In late August, thousands of people who play Riot Games' popular
online title "League of Legends" learned that their data had been
stolen. Hackers accessed players' online accounts, grabbing names,
email addresses and credit card numbers.

Just two weeks before the hack, game company Crytek shut down its
websites and temporarily suspended its members' accounts.  Crytek
doesn't run any online games, but fans can create user accounts on the
website to access forums and news updates. It appears that hackers
acquired login data to Crytek's systems that allowed them to steal
members' personal information.

And back in June, game companies Ubisoft, Konami, Club Nintendo and
Bohemia Interactive all saw similar attacks.

That makes at least six major game companies whose users' account
information has been compromised in three months. Is this a trend?
Derek Tumulak from data security company Vormetric says yes.

That doesn't mean that the same group is behind all these attacks.
Rather, Tumulak argued, the rash of security breaches shows that
gaming companies are not taking security seriously enough.

"Gaming companies are not thinking about security," Tumulak told Tom's
Guide. "They're thinking about gaming experience. Security is more of
an afterthought."

Gaming companies aren’t the only ones guilty of such oversight.
However, in general, other types of companies have been far better at
upgrading their data security.

"Financial organizations have finally gotten more serious [about
security] recently," Tumulak said. "They were also primarily focused
on network security. Data-centric security was an afterthought. But
that's changed in the last couple of years."

Given the rash of break-ins to high-profile video game company
websites, it seems this sector could certainly benefit from some basic
security lessons.

How to hack a password

Tumulak specified that many of these companies have strong perimeter
security, meaning it's very hard to break through the firewalls,
encryption and other defensive systems themselves. However, their data
security is weak, meaning it's fairly easy for malicious attackers to
acquire a username and password and then let themselves into the
system without actually "attacking" anything. It's the difference
between bashing down a door and letting oneself in with a stolen key.

One of the ways attackers acquire usernames and passwords is through
phishing, or tricking people into revealing their account information
through authentic-seeming emails and websites. For example, you might
get an email from an official-looking address, but on closer
examination, a few letters are off.

Phishing isn't a very technologically sophisticated attack, but if
attackers can make the bait look good enough, it's inevitable that a
few gullible people will bite.

The hackers who broke into Ubisoft's systems accomplished this by
stealing an employee's login credentials, the company confirmed in a
blog post. This suggests that a phishing attack was used.

Another technique for acquiring usernames and passwords is called a
brute force attack.  This is also fairly unsophisticated: attackers
use a type of program that attempts to guess a correct
username/password combination by trying every possible combination of
letters and numbers.

Club Nintendo's security breach appears to be due to a brute force
attack: In the space of a month, the website saw 15.5 million login
attempts, a huge increase from their usual numbers. Of these attempts,
23,926 successfully logged in.

"What is perhaps most alarming is the length of time that the Club
Nintendo website was being bombarded by attempts to break into
customer accounts," observed security expert and blogger Graham Cluley
on his blog.

"It’s hard to imagine that a sustained attack like that could have
gone unnoticed for nearly one month and suggests poor stewardship by
Nintendo’s security team."

Konami's statement regarding the security breach suggested that their
users' IDs and passwords were leaked by a third-party service
provider, but also admitted that they'd seen a huge spike in
unsuccessful login attempts between June 13 and July 7, which suggests
they were hit with a brute force attack as well.

Easy ways to protect against attacks

One way companies can protect against brute force attacks is to
closely monitor the number of login attempts on a given website. If
the site's administrators see a sudden spike in failed login attempts,
it's likely they're in the midst of a brute force attack.
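As an added illustration of the monitoring described above (example code written for this archive page, not part of the article or of any vendor's product), the following flags days whose failed-login volume spikes far above the site's normal level and reports how many logins succeeded on those days. The log line format, the 5x-median threshold and the 50-attempt floor are assumptions; the log data is constructed.

```python
"""Daily failed-login spike detector for an authentication log.
Added example; the 'date result user' line format and the thresholds
are assumptions, and the sample log is constructed."""
from collections import Counter, defaultdict
from statistics import median


def parse_log(lines):
    """Return {date: Counter({'FAIL': n, 'OK': m})} from 'date result user' lines."""
    per_day = defaultdict(Counter)
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of halting the pipeline
        date, result, _user = parts
        per_day[date][result] += 1
    return per_day


def detect_spikes(per_day, factor=5, min_failures=50):
    """Flag days whose FAIL count exceeds `factor` times the median FAIL
    count of the other days and also clears an absolute floor.
    Returns [(date, failures, successes_that_day), ...]."""
    dates = sorted(per_day)
    alerts = []
    for day in dates:
        others = [per_day[o]["FAIL"] for o in dates if o != day]
        baseline = median(others) if others else 0
        fails = per_day[day]["FAIL"]
        if fails >= min_failures and fails > factor * max(baseline, 1):
            alerts.append((day, fails, per_day[day]["OK"]))
    return alerts


def build_sample():
    """Constructed log: a quiet week, then one day of credential guessing."""
    lines = []
    for day in range(1, 8):
        lines += [f"2013-06-0{day} FAIL user{i}" for i in range(3)]
        lines += [f"2013-06-0{day} OK user{i}" for i in range(20)]
    # Spike day: 400 failures across 50 accounts, 6 guesses succeed.
    lines += [f"2013-06-08 FAIL user{i % 50}" for i in range(400)]
    lines += [f"2013-06-08 OK user{i}" for i in range(6)]
    return lines


if __name__ == "__main__":
    for day, fails, oks in detect_spikes(parse_log(build_sample())):
        print(f"{day}: {fails} failed logins, {oks} succeeded during the spike")
```

The successes reported alongside a spike are the accounts to treat as potentially compromised, which is the figure the Club Nintendo disclosure below hinges on.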

Two-factor verification also adds a strong layer of protection to any
system. When two-factor verification is implemented, people who log in
with a username and password are then asked to enter a randomly
generated code that is texted to the cellphone associated with the
account. That way, merely phishing for usernames and passwords isn't
enough to compromise an account.

Tumulak also suggests that game companies avoid giving any one account
holder, even administrators, too much power within the system. That
way, even if hackers compromise a high-level account, they are still
limited in the amount of damage they can do.

"As a system administrator, I need to be able to do my job," Tumulak
said. "But do I actually need access to other users' data [such as
email addresses and credit cards]? That answer's usually no."

The fault isn't entirely with the game companies, though. Many people
think their online game accounts' security isn't very important,
especially if the accounts don't have any credit card data associated
with them. But short, simple passwords are the first to fall in a
brute force attack.

What's more, hackers can still use the information acquired from
gaming sites to break into even more important accounts. For example,
gaming sites store users' names and email addresses, which could be
used to create better phishing scams for banking or e-commerce
accounts.

Further, if you use the same password, or variants of the same
password, across your accounts, then hackers could use the password
acquired from hacking into a gaming site to break into your more
important accounts.

"The bar has been low [in terms of security] at these gaming
companies," Tumulak said. "It's easy to get in, get that [sensitive]
information, get out and use that information in a more valuable way
later."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss