Why is securing players’ accounts in the gaming industry a nightmare?
The gaming industry has been booming ever since we entered the era of high-performance computing, where latency is measured in nanoseconds, computing is done by multi-core processors, and every machine has a top-end GPU to render rich graphics. With the gaming industry at its peak and players enjoying their time playing games, some challenges are inevitable, such as security, availability, and consistency.
The largest challenges facing users are multi-factor authentication, soft and hard compromise, automated bot attacks, email verification, account availability, PC bang, and VPN traffic. This article also describes the north star solution that can prevent all of the problems related to players’ accounts in the gaming industry.
Multi-factor authentication (MFA)
MFA has always been a challenge for players, especially for those who just want to play games. From the player’s point of view (POV), they just want to enter the game arena and not be bothered by anything else. They create their account with a username, password, date of birth, etc., and do not want to do anything further to secure it. Gaming companies are trying their best to incentivize players to add a security layer by giving them free coins, in-game skins, etc. It helps players secure their accounts against account takeovers and credential stuffing attacks, and it helps gaming companies spend less time and resources on player support tickets. At Riot Games, player support spends around 10 min per ticket in account takeover cases, which results in a $4.5M loss to the company. The onus should be on both players, to enable strong security, and gaming companies, to balance player experience without compromising security.
Soft and hard compromise
A soft compromise is one where a player’s account is compromised and an attacker uses it to play games without the player’s consent. In a hard compromise, the attacker goes a step further: changing the email/username/password, harassing other players, and exploiting stored credit card information. Both are bad for the player experience and erode gaming companies’ credibility if no action is taken. There are multiple solutions deployed in the market to fight this issue, like detecting logins from new IPs or devices, sending an email about an account’s username/password changes, etc. Those are effective and must be in place to help players without compromising security.
Automated bot attacks
In automated bot attacks, an attacker either replays usernames/passwords previously stolen from some other website against the login API, looking for a match (credential stuffing), or runs a script that mass-creates accounts through the signup API. Both fall into this category and affect players because they result in a denial of service. There are industry practices to mitigate these attacks, such as anti-fraud solutions, rate limiters on the signup/login APIs, and firewall rules, but none has effectively mitigated 100% of the attacks. Several companies offer anti-fraud solutions: Google reCAPTCHA, Arkose Labs, hCaptcha. Google reCAPTCHA works on challenge-response and builds trust based on cookies stored in the browser; if Google detects an anomaly, it throws a challenge. Still, there will be real players who see the challenge often, because the trust model relies on cookies: in an environment without them, such as a desktop client, players will see the challenge every time, which is a downer. Companies like Arkose and hCaptcha work better here, as their trust model is based on device ID, fingerprints, IPs, etc. Epic Games and Battle.net use Arkose to prevent bot attacks. Another improvement is to add firewall rules at your WAF layer before traffic reaches the servers.
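The credential-stuffing pattern described above (one source replaying stolen username/password pairs against the login API) leaves a recognizable trace: many failed logins against many distinct accounts from one IP in a short window. The detector below is an added example and is not code from the article or from any vendor named in it; the event shape, the thresholds and the sample events are all constructed assumptions.

```javascript
// Added example, not from the article: flag credential-stuffing traffic on a
// login API by scanning failed logins per source IP with a sliding time window.
// Event shape and thresholds are assumptions; the events below are constructed.
const loginEvents = [
  { ts: 0,   ip: '203.0.113.7',  user: 'alice', ok: false },
  { ts: 2,   ip: '203.0.113.7',  user: 'bob',   ok: false },
  { ts: 3,   ip: '198.51.100.4', user: 'carol', ok: false },
  { ts: 4,   ip: '203.0.113.7',  user: 'carol', ok: false },
  { ts: 5,   ip: '203.0.113.7',  user: 'dave',  ok: true  }, // one stolen pair matched
  { ts: 9,   ip: '203.0.113.7',  user: 'erin',  ok: false },
  { ts: 30,  ip: '198.51.100.4', user: 'carol', ok: false }, // same player retyping a password
  { ts: 40,  ip: '198.51.100.4', user: 'carol', ok: true  },
  { ts: 200, ip: '203.0.113.7',  user: 'frank', ok: false }, // outside the burst window
];

// Returns { ip: { distinctUsers, failures, windowStart } } for every IP that,
// within any span of windowSec seconds, fails against at least maxDistinctUsers
// different accounts. A single player mistyping one password is never flagged.
function detectCredentialStuffing(events, windowSec = 60, maxDistinctUsers = 4) {
  const failsByIp = new Map();
  for (const e of [...events].sort((a, b) => a.ts - b.ts)) {
    if (e.ok) continue; // only failed attempts feed the signal
    if (!failsByIp.has(e.ip)) failsByIp.set(e.ip, []);
    failsByIp.get(e.ip).push(e);
  }
  const flagged = {};
  for (const [ip, fails] of failsByIp) {
    let start = 0;
    for (let end = 0; end < fails.length; end++) {
      // Slide the window start forward until it fits within windowSec of the newest failure.
      while (fails[end].ts - fails[start].ts > windowSec) start++;
      const users = new Set(fails.slice(start, end + 1).map((f) => f.user));
      if (users.size >= maxDistinctUsers) {
        flagged[ip] = { distinctUsers: users.size, failures: end - start + 1, windowStart: fails[start].ts };
        break; // the first qualifying window is enough to raise an alert
      }
    }
  }
  return flagged;
}
```

A flagged IP with a successful login inside the same window (dave at ts 5 above) is the case player support cares about most, since that account is the one that was actually taken over.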
Email verification
Verifying email has been a big challenge for some companies, especially customer-focused ones. Some companies like their customers to use the product without email verification; in the gaming industry, companies focus on getting players into the game rather than on email verification, which adds 2–3 extra steps to the process. This becomes a major problem once you have millions of unverified accounts. It also becomes a nightmare for player support to recover an account in the event of an account takeover.
Account availability
For a gaming company, launch events are as important as Black Friday is to retail companies. During these events there is always a surge in account creation and traffic; 50,000 signups per minute is normal. Customers expect to log in right after creating their account, but if there is an architecture problem they may see latency, which hurts the customer experience. The architecture should be well thought out so that these situations are prevented. Letting players sign up or pre-register before the actual launch is one way to mitigate the heavy burst.
PC bang
In some countries, such as South Korea, players share PCs to play games in exchange for an hourly fee. The PC bang problem is that, because the device is shared among many players, it is easy for one player’s data to be compromised. In such situations, players have to make sure basic security hygiene is followed, like not clicking “trust this device” and making sure to sign out of the account before leaving.
VPN traffic
Gaming companies always try to make sure the launch of a new game goes smoothly: players can create accounts, they can log in right after signup, and accounts can only be created in the countries where the game is launched. But a problem arises with VPN traffic, which changes the system’s apparent IP address so that it appears to come from a launch country. Through a VPN, players can play games that have not launched in their country. The side effect is that they end up purchasing in-game items that cannot be transferred to a new account when the same game launches in their own country. VPN traffic also consumes account-creation capacity, so legitimate players’ signups are affected. Most gaming companies avoid this situation by blocking VPN traffic manually.
The north star: password-free with FIDO
Most of the problems discussed above are related to compromised accounts, bot attacks, credential stuffing, and brute force attacks affecting the gaming industry. Imagine a world where there is no need to enter or remember a password, and the player experience is not compromised. That is the world I imagine, and it is called password-free. If there are no passwords, then there is no account breach, and the gaming company can focus on its actual work, which is making awesome games. FIDO (Fast Identity Online) is a security standard developed by Google, Microsoft, and YubiKey. It is based on a FIDO server that sends a challenge during registration to your FIDO device (a mobile phone or platform authenticator). That challenge is signed with a private key generated by the authenticator on the device, and the signature travels back to the FIDO server together with the authenticator’s public key. When a player logs in, a challenge is again sent to the registered mobile device, which signs it; the server verifies the signature with the public key it already holds. This is how a user is verified.
The good thing is that the private key never leaves the device and acts as the source of truth for logging players in. There are no passwords, so there will be no account takeovers. For hackers to take over accounts, they would have to grab the private key from each player’s mobile device individually and the public key from the FIDO server. This makes the process very challenging and impossible to hack. I would say password-free with the FIDO standard should be the final goal for a gaming company.
After exploring all the security best practices, it is clear that most of the problems happen due to account takeovers or account breaches, which come down to the use of passwords. What if we eliminate passwords for players and move to a world where we rely on decentralized security to make it hard for hackers to get into players’ accounts? I think that is the north star goal of Riot Games, and I am excited to lead that mission.