How the gaming industry is risking its most vulnerable users

Earlier this year the popular online game ‘Neopets’ suffered a major data breach.

Whereby hackers were able to access the personal information of nearly 70 million players worldwide. Similarly to most videogames, the franchise, which is predominantly geared towards children, uses in-app purchases to reward users – however comes without basic security tools to keep users safe.

This incident is sadly not unique, and similar occurrences are being repeated across the entire gaming industry, with attacks on the sector having risen by 167% in the last year. Without calling on the videogame industry to strengthen its cybersecurity posture, threat actors that prey on security illiterate companies and their customers will continue to succeed. Outside of incurring fines, the industry has little incentive to boost its cybersecurity measures beyond the bare minimum. However, the shift in gaming towards a more internet-connected experience will ensure hackers continue to  gain access unless security defences in the industry improve.

Over the last decade, gaming has shifted from a largely individual offline gaming experience to an online social one, meaning games like Fortnite and Animal Crossing now have higher engagement than the majority of social media platforms. This enhanced level of online interaction, alongside a target audience largely unfamiliar with basic cybersecurity hygiene, has opened up new pathways for malicious actors to exploit for personal or financial gain.

Throughout the pandemic, video games became more popular than ever before, with hackers unleashing an unprecedented number of attacks on gamers via SQL injection, phishing scams and credential stuffing. As a result, the video game industry sustained a 340% increase in cyberattacks on web applications in 2020 compared to 2019. Within the last two years, hackers have also exploited poor cybersecurity controls in high-profile franchises like FIFA, Dark Souls and other blockchain-based video games to exfiltrate data and funds that players put into the games in order to buy items that improve their characters. These funds can add up fast, too, with scammers taking more than $600 million in cryptocurrency from the videogame Axie Infinity earlier this year.

However, hackers aren’t purely motivated by financial gain when targeting gamers online. Rather, it’s because the security controls built to ensure the safety of players are stuck in the stone age of cybersecurity. For example, Jumpstart, the educational gaming company that owns Neopets, did not implement multifactor authentication — a basic security measure commonly deployed for more than a decade — until last month, following the publicised breach. Games that encourage microtransactions, like FIFA and Fortnite, often lack the warnings and parental controls necessary to encourage under-aged users to safely interact with potential scammers in the game. Beyond the video game industry, manufacturers like Vtech produce internet-connected toys with security as an afterthought, leaving children who use toy phones, video cameras, and smart watches at risk of being targeted.

While its critical videogame companies adopt user-friendly controls like multi-factor authentication, hackers will continue to successfully target users until developers get rid of their current “opt-in” security measures. Users can also take a number of steps to reduce the risk of being targeted online. Using foundational security measures, like choosing strong, unique passwords and remaining vigilant about not sharing account details online  can prevent hackers from gaining unauthorised access to an account. If an attack  does occur, users should contact the platform’s official technical support, rather than ask for help in online forums or unofficial chat rooms.

Companies can no longer afford to treat cybersecurity as an afterthought in their product design. As both children and parents continue to carefully navigate their increasingly digital lives, video game companies must act before it’s too late.

About the Author

Ian McShane is Vice President of Strategy at Arctic Wolf. The cybersecurity industry has an effectiveness problem. Every year new technologies, vendors, and solutions emerge, and yet despite this constant innovation we continue to see high profile breaches in the headlines. All organizations know they need better security, but the dizzying array of options leave resource-constrained IT and security leaders wondering how to proceed. At Arctic Wolf, our mission is to End Cyber Risk through effective security operations.

Featured image: suludan diliyaer