The hack of Words with Friends in 2019 was high-profile, but today’s columnist, Yuval Elddad of CYE, says CISOs at all gaming companies have to take a closer look at the growing threats to online gaming platforms. drukelly CreativeCommons CC BY-ND 2.0

Online gaming has become a huge business, and growing quickly, with gaming companies adding millions of users a year - and tens of millions of dollars in revenue - while competing with one another to build the best, most immersive experiences for their users. 

However, there’s a cost that comes along with this rapid growth. With its high-volume stream of data flowing between gamers and game servers, along with the real-time immediacy of gameplay, gaming has also become especially attractive to hackers. According to an Akamai report, gaming has become a large, unregulated market of in-game purchases and rare items, with gamers focused on hormone-fueled excitement that elicits instantaneous and often emotional responses from players. Players spend substantial amounts of money on everything from in-app purchases, subscriptions, cosmetic enhancements and even gambling. Fueled by COVID-19 lockdowns, gaming platforms have grown user numbers almost 40% over the last year, with the overall industry now worth more than $159 billion, and expected to surpass $200 billion by 2023. 

Additionally, a McAfee study showed that 55% of gamers reuse passwords across different accounts and services – making them excellent targets for hackers.

Combined, these factors leave the gaming ecosystem extremely vulnerable to common cyberattack techniques used by hackers to steal sensitive information. This includes SQL injections, local file inclusions, phishing attacks and malware that can grab billions of accounts without having to obtain credentials.

Gamers are also susceptible to drive-by downloads, in which gamers don’t even need to click on links or buttons to get hacked and can download malware without even realizing it. 

Another danger facing gamers involves cheats – the popular shortcuts to game advancement that are so popular with many players. Kaspersky reports that the cheat industry is worth many millions of dollars, and it’s growing. Gamers often acquire cheat codes from sites with poor “quality control” that make it relatively easy for hackers to slip in lines of malicious code that will help them exploit the gaming ecosystem. 

Those threats can lead to major security breaches. In 2019, Zynga’s popular online game, Words with Friends, was hacked, resulting in the breach of 218 million user accounts. The info included names, email addresses, login IDs, hashed and salted passwords and phone numbers. Earlier that year, the same hacking group –Gnosticplayers – compromised more than 26 million online user accounts on six websites and placed the stolen records for sale on Dream Market, a leading dark web market for stolen data.

In light of the growing risks to the online gaming scene, how can gaming companies make a dramatic shift to promoting and prioritizing increasingly secure environments? While gaming companies are well aware of cybersecurity dangers, and many invest substantial resources in defenses, we have identified three main areas that need to be “rethought” to help gaming companies invest their resources in the most effective way possible, allowing them to dramatically improve their cyber posture:

Think like a hacker: Players are a gaming company’s most important assets, so the majority of their security resources need to go toward protecting them. While significant resources go toward securing initial points of access to prevent malicious actors from disrupting real-time play operations, other corresponding security issues within the organization are often not addressed sufficiently. For example, hackers can inject SQL codes in online forms to reach databases, which lets them get personal identification information from players. A company that invested most of its resources in preventing hackers from interfering with gameplay but not enough in securing its database will likely find itself the victim of a major attack. At most companies, entering credit card information runs securely, but hackers can get to that information if a company's internal infrastructure is poorly protected, and that’s too often the case with gaming companies. 

We need to adopt a hacker’s mindset by understanding and neutralizing the vulnerabilities before they become threats. That could include requiring players to change their passwords regularly, conducting frequent updates of security patches, and upgrading firewalls. They also need to implement two-factor authentication for game company employees who need to update players’ payment information, and educate employees – and players – about what phishing messages look like. By adopting a hacker’s mindset, companies can cover security holes that bad actors could use to compromise players, and their data.

Recognize that there are too many moving parts: With thousands of data exchanges occurring every second from a significant number of players connecting on networks that may not be fully secure, many gaming companies have come to realize that basic security assessments are not sufficient; there are just too many possible breach points. 

Even large mainstream companies don’t have the time or manpower to remediate all vulnerabilities, with most organizations able to rectify approximately 20-50% of identified risks. For gaming companies, cutting through the noise and prioritizing the weak spots that hackers are most likely to attack remains key to effectively improving security. By doing that, they will identify where their biggest vulnerabilities lie, which business-critical assets they want to protect most and the attack routes that lead to those assets. As such, they can then be able to properly implement a focused, multi-layered security protection.

Build a crisis recovery program: Even with all their precautions, gaming companies need to realize that they could become victims of a major breach and must prepare themselves for that possibility. Take a holistic approach, focusing on the real risks to business continuity and optimizing the cybersecurity investment. By implementing a hands-on organizational cybersecurity approach and conducting risk assessments, gaming companies can proactively prevent attacks using an actionable, business-savvy, and cost-effective mitigation plan.

The last thing players want to think about when they log onto their favorite game are cyber-risks. Gaming companies sell themselves as a way for players to immerse themselves in an alternative reality and players readily pay for the fantasy. Time and time again, gaming companies have failed to properly allocate resources; they may have high cybersecurity budgets, but hackers are getting through anyway. By addressing their security issues in a holistic manner that takes into account all organizational assets, gaming companies can keep their players – and companies – safe from the hackers.

Yuval Elddad, vice president, customer operations, CYE