Many gaming companies and gaming-related websites prioritize user experience and easy access above security and strong authentication. They have found that increasing friction at login can drive customer attrition… which then translates into decreased revenue. But are they taking security seriously enough?
This is a theme Enzoic’s CTO, Mike Wilson, recently explored in a conversation with Threatpost’s Tom Spring. The resulting article, “Gamers Are Easy Prey for Credential Thieves,” highlights the gaming industry’s security conundrum and outlines why someone would pay a criminal for stolen gaming accounts in the first place.
Gaming credentials are lucrative, especially in larger numbers. Gaming credentials can be worth a surprising amount depending on the type of game, the hashing algorithm they are stored in and what is on the account. Here is a sampling of how much some gaming accounts are sold for on the dark web:
By comparison, here is a sampling of other types of accounts:
Another recent piece of Enzoic media coverage analyzes the key factors that make the gaming industry so vulnerable. As our CEO, Michael Greene, wrote in an opinion piece for VentureBeat, gaming is particularly susceptible for 2 main reasons:
The good news is that Akamai saw a slight decline in gaming accounts for sale on the dark web between 2017 and 2018, which could indicate that the gaming industry is starting to take security more seriously. When companies hash passwords with more complex algorithms, the stolen credentials are worth less on the dark web, which makes them less lucrative for criminals.
Besides using more complex hashing algorithms, the gaming industry can adopt newer low user-friction authentication methods.
Because most people reuse passwords across multiple sites, credentials for non-gaming sites can be used in credential stuffing attacks against gaming sites and vice versa. Increasingly, gaming sites are quietly screening user accounts for compromised credentials. When an account is found to be using compromised credentials, the gaming site can either make the user reset their password or limit access within the account (like hiding credit card data) to reduce the threat.
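One way a site could wire up the screening described above, as an added example that is not from the original article or from Enzoic's product. The breach list, the policy names and every function name here are assumptions, and the sample passwords and profile are constructed.

```python
import hashlib
from dataclasses import dataclass


def _digest(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed sample data standing in for a maintained compromised-credential
# feed; only digests are kept, never the plaintext passwords themselves.
COMPROMISED_DIGESTS = {_digest(p) for p in ("dragon123", "letmein", "P@ssw0rd!")}


@dataclass
class Session:
    user: str
    must_reset_password: bool = False
    show_payment_data: bool = True


def is_compromised(password: str) -> bool:
    """True if the password appears in the (constructed) breach list."""
    return _digest(password) in COMPROMISED_DIGESTS


def screen_login(user: str, password: str, policy: str = "restrict") -> Session:
    """Run right after the password verifies, while the plaintext is still
    available, and apply one of the two responses the article describes."""
    if policy not in ("force_reset", "restrict"):
        raise ValueError(f"unknown policy: {policy}")
    session = Session(user=user)
    if is_compromised(password):
        if policy == "force_reset":
            session.must_reset_password = True   # block until password changes
        else:
            session.show_payment_data = False    # quiet, low-friction limit
    return session


def render_account(session: Session, profile: dict) -> dict:
    """Build the account view, dropping card data for restricted sessions."""
    view = dict(profile)
    if not session.show_payment_data:
        view.pop("card_last4", None)
    return view
```

The check runs only on a successful login, so the user sees no extra step unless their password is already exposed.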
For more on security in the gaming sector, see the following articles: