CEO of SecurePlay discusses account security

Updated Mon, Jan 18, 2010, 1:00 PM·10 min read

Anyone even slightly in touch with the MMO community is aware that account security has been an even bigger concern than usual for the past few months. While it's more in the forefront of everyone's mind these days, it's important to remember that this isn't a brand new problem. It's very important for people on both sides of a game -- both the player side and the development side -- to work to make player accounts as safe as possible.

Steven Davis, CEO of SecurePlay and the mind behind PlayNoEvil, has been watching the events with interest and spent some time recently talking to us about his take on the situation as well as overall account security. Follow along after the jump and see what he had to say.

Massively: The recent wave of security problems most visibly affected two companies: NCsoft and Blizzard. In the case of NCsoft, it began with a significant amount of Guild Wars accounts being compromised, then moved on to Aion shortly after Guild Wars login security was stepped up. To many players, this pointed to NCsoft itself as the source of the problem. What does the situation look like to you, and do you see anything preventative that could have been done?

Steven Davis: The technical situation at NCsoft is hard to assess based on the available information. That being said, the real weakness has been how NCsoft has responded to its players/customers. After all, most of these players have put in tens, if not hundreds of dollars into a game (or will, if they like the game) and many, many, many hours. Players care deeply about the security of their accounts, their characters, and their loot.

Security incidents are going to happen. The real question is how you respond. Public relations are as important as the technical and business response to the incident. There are a number of steps that a game company should take when a serious incident arises:

1. Aware – Tell your customers that you are aware of the problem and are taking it seriously. Let them know that they (the customers) and their issues are important and that the integrity of the game is critical to the company.

2. Triage – Figure out what immediate action you can take to stop the problem from getting worse or spreading.

3. Investigate – Figure out what is really going on.

4. Patch – Identify short term solution or work around to get things "almost" normal.

5. Repair – Fix the problem and reconstitute the game.

6. Reflect – Look to see if there are related vulnerabilities in the game design, business operations, or other areas that can be exploited and fix them before they fix you.

There is no way to tell if NCsoft is handling the problem well technically, but the company is not doing a very good job of public relations (see Google in China or CCP Games for companies getting in front of security problems).

The general MMO community views all of these security issues lately as a very unusual thing. In your opinion, is this out of the norm or does it just happen to be getting more attention now?

I've been following game security problems since the late 1990s and writing my blog, PlayNoEvil.com since October 2004. That there are notable game security problems is not new or unusual.

I suspect that there is a basic change going on in the types of fraud targeting games. The fact that it is regularly reported that "secondary markets" are a billion dollar business makes it look tempting for aspiring fraudsters, and these criminals are competing with gold farmers. John Smedley raised this issue in early 2008 and I coined the term "gold frauders' when I first started writing about the problem.

I suspect that we are seeing the displacement of gold farmers (which takes a lot of work and risk) with gold frauders... and game company security mechanisms that are good for fighting gold farmers don't work when dealing with gold frauders.

It is a much more difficult problem and much harder to counter.

I would not be surprised to see real subscriber number impact in some games where fraud gets out of hand, probably in a reasonably large game.... and it is going to be particularly interesting to see how World of Warcraft responds to this problem going forward (watch those subscriber and revenue numbers in their investor reports).

Game companies have been offering the standard security tips: change your password regularly, don't use the same password everywhere, don't respond to phishing attempts, etc. These tips seem like no-brainers to many of us, but do you think there are still enough people unaware of these measures to make it an issue?

Short Answer: Yes.

Long Answer: Hell, Yes.

Longer Answer: In my book, Protecting Games, I talk about the three big security problems: Lazy, Cheap, and Stupid. Being lazy is very common, very human, and very deadly. If you force people to have very elaborate passwords, people will write them down or store them on their computers. It is worth noting that elaborate passwords don't stop phishing or key-loggers. Another area of weakness is when people use "Mother's Maiden Name" and other readily located information to protect an account when someone "forgets" their password.

Game developers are not blameless here. Far too often, developers "roll their own" security systems. You've seen them. I've seen them. They are not pretty. Also, games can be attacked through third party sites... there are no "fan sites" for banks (especially today). Game companies need to find a way for fan sites to make money legitimately... otherwise they are going to be prime targets for phishing attacks and, without a real revenue stream, they won't have resources to take security seriously.

What can players do to protect themselves in addition to those safety measures?

All of the usual "Practice Safe Computing" mantras hold. If you are reading this, you probably know what you should do ... and you probably know what "shortcuts" you are taking that put yourself at risk.

Let's take a look at the other side of the equation. In your opinion, what measures should be in place at any company to help ensure the safety of their customers' accounts?

Each customer account represents hundreds of dollars of value to the customer AND to the developer. If you recognize that, you are going to take account security seriously. It often seems like game companies design their account & security systems sometime during Beta testing. These are the core of your business model and should be part of the game design, implementation, and testing from Day One.

The resource challenge with gold farmers, gold frauders, and cheaters is that the resources the bad guys have to beat you far exceed your internal security resources. After all, from a game company perspective, gold farming is only a matter of customer service...perhaps a cost of a couple of junior staff. From the gold farmer's perspective, there are conceivably millions of dollars at stake.

The best way to "win" is to design as many security problems "out" as early as possible.

During the recent wave of security problems, many players complained that ArenaNet was not doing enough to communicate to the players on a solution. ArenaNet pointed out that if they tell the players what they are doing, they are also telling the hackers what they are doing. Where do you think the balance lies between keeping the player base informed and not tipping your hand to those you are working against?

ArenaNet faces a unique challenge because people don't "buy stuff" from the company very often - just the base game or expansion every year or so... and even then, it is often done through a retailer, so ArenaNet doesn't have a direct financial relationship with its players. Subscriptions and payments allow online game companies to tap into a number of external security mechanisms (such as validating credit card numbers).

That being said, the argument that sharing information with players is bad because the hackers will get the data is totally spurious. When the US was mining harbors in Nicaragua in the 1980s, it was "classified"...but you can bet the Sandinistas knew what was going on. Hackers are acutely aware of what security mechanisms are being used against them.

As I noted above, it is important to tell your customers that you are doing something. Customers are fickle and can leave... there are a lot of games out there and players are going to play where they feel safe and that they are valued by the game company. Players are pretty sophisticated and do not like being treated like children.

... there is no reason to tell them EVERYTHING that you are doing, however.

Many MMOs and other client/server games have web-based out-of-game activities, ranging from the simple forums to more complicated features like auction houses. How do you see security being managed in these cases where there may be multiple points of vulnerability?

As with alcoholism, first you have to admit that you have a problem. Forums and auction houses and social networks are powerful and amazing things, but, like everything else in life, they are not free of risk. Simply considering "what can go wrong" when you design and operate these services is going to go a long way towards avoiding problems. Virtually all of the cheats and hacks that I wrote about in my blog in 2009 were repeats of stories from 2008 and 2007 and 2006 and 2005.... The games were changed, but the underlying vulnerabilities remain the same. Sometimes something new comes up, like Account Theft being a new kind of piracy in games-on-demand services like Steam, but even this is a new variation of an old problem.

This is mostly good news. Game developers don't have to struggle in the dark against an unknown threat.

They do have to admit there is a problem.

Thank you for your time, Steven!

Steven Davis has over 23 years of IT and IT security expertise and has focused on the security issues of the gaming industry for more than a decade. He advises game companies, governments, and regulators around the world. Mr. Davis has written numerous papers and speaks at conferences on all aspects of game security. He is the author of the book "Protecting Games" and the game security and industry blog, PlayNoEvil. Mr. Davis has international patents on game security and IT security techniques, most notably the anti-cheating protocols that underlie the SecurePlay anti-cheating library. He has designed several games including DiceHoldem and acts as a design consultant. He is currently the CEO of IT GlobalSecure which develops game security products and provides game security, IT security, and game design and evaluation services. Mr. Davis' expertise includes security leadership positions at the US National Security Agency (NSA), CSC, Bell Atlantic (now Verizon), and SAIC. He has extensive cryptographic and key management design experience including work on Nuclear Command and Control systems, the Electronic Key Management System, and numerous other commercial and government projects. Mr. Davis has a BA in Mathematics from UC Berkeley and a Masters Degree in Security Policy Studies from George Washington University.

Engadget
Samsung's Galaxy S24 Ultra falls to a new low, plus the rest of the week's best tech deals
This week's best tech deals include a new low on the Samsung Galaxy S24 Ultra, Apple's MacBook Air M3 for $989 and Anker's Soundcore Space A40 earbuds for $49, among others.
26m ago
Engadget
Nikon’s Z8 is a phenomenal mirrorless camera for the price
Nikon's Z8 is one of the highest resolution full-frame cameras with 45 megapixels, but is also one of the fastest and has incredible video capabilities too.
33m ago
Engadget
Some of our favorite Bose headphones and earbuds are back to all-time low prices
Amazon has some of the highest-rated Bose headphones on sale for record-low prices. That includes the Bose QuietComfort Ultra headphones, which have best-in-class active noise cancellation (ANC).
36m ago
Engadget
Apple's 13-inch MacBook Air with the M3 chip has never been cheaper
The latest Apple MacBook Air with the M3 chip is down to a new low price at Amazon.
1h ago
Engadget
NHTSA concludes Tesla Autopilot investigation after linking the system to 14 deaths
The National Highway Traffic Safety Administration has concluded a lengthy investigation into Tesla’s Autopilot system. It found 13 fatal crashes due to misuse and software that doesn’t prioritize driver attentiveness.
2h ago
Engadget
Wacom's first OLED pen display is also the thinnest and lightest it has ever made
Wacom's latest pen display model is called Movink, and it's the company's first with a OLED screen. It's also Wacom's thinnest and lightest option ever, while still offering 13 inches of work space.
4h ago
Engadget
It doesn’t matter how many Vision Pro headsets Apple sells
This week, there was a lot of back and forth about Apple Vision Pro production numbers. Here's why they don't matter.
4h ago
Engadget
The Google Pixel Buds Pro are back on sale for $135
Google's Pixel Buds Pro are on sale for $135 at Wellbots, which is the lowest price we've seen this year.
6h ago
Engadget
Dell XPS 13 and XPS 14 review (2024): Gorgeous laptops with usability quirks
Dell’s XPS 13 and 14 are stylish, portable and powerful. You’ll have to get used to some of its design quirks, though, and it’s far pricier than older models.
6h ago
Engadget
OpenAI's Sam Altman and other tech leaders join the federal AI safety board
Sam Altman, OpenAI's CEO, Microsoft chief Satya Nadella, Alphabet CEO Sundar Pichai are joining the government's Artificial Intelligence Safety and Security Board, according to The Wall Street Journal.
7h ago
Engadget
The best gaming gear for graduates
New graduates have earned the time to unwind after a busy year. These pieces of gaming gear would make great gifts for the new college graduate in your life.
a year ago
Engadget
The Morning After: Apple announces an iPad event for May 7
The biggest news stories this morning: Adobe’s new upscaling tech uses AI to sharpen video, BlizzCon 2024 is canceled, The world’s biggest 3D printer can make a house in under 80 hours.
7h ago
Engadget
Engadget Podcast: Why TikTok will never be the same again
Biden passed the TikTok divestment bill -- now what?
8h ago
Engadget
The best wireless earbuds for 2024
It's safe to say the wireless earbuds space is pretty saturated. We've tested and reviewed dozens of models; these are our top picks.
4 months ago
Engadget
Apple is launching new iPads May 7: Here's what to expect from the 'Let Loose' event
Apple has scheduled an event for May 7 that'll more than likely focus on new iPads. Here's what we expect the company to show off.
22h ago
Engadget
Spotify tests Apple's resolve with new pricing update in the EU
Spotify submitted a new update for Apple's approval that would display pricing right in the app.
1d ago
Engadget
Tupac’s estate threatens to sue Drake for his AI-infused Kendrick Lamar diss
Tupac Shakur’s estate isn’t pleased with Drake cloning the late hip-hop legend’s voice in a Kendrick Lamar diss track. Attorney Howard King, representing Mr. Shakur’s estate, sent a cease-and-desist letter calling Drake’s use of Shakur’s voice “a flagrant violation of Tupac’s publicity and the estate’s legal rights.”
1d ago
Engadget
BlizzCon 2024 is canceled
Blizzard has canceled this year's edition of BlizzCon. It plans to bring back the event in the future.
1d ago
Engadget
Reddit is back online after a major outage forced everyone to touch grass
Reddit is currently down. The company is working on a fix.
1d ago
Engadget
Formula E debuts Gen3 Evo race car: All-wheel drive unlocks 0-60 mph in 1.82 seconds
For the first time, all-wheel drive will be available on a Formula E car, which will unlock 0-60 MPH times under two seconds.
1d ago

CEO of SecurePlay discusses account security

Latest Stories

Samsung's Galaxy S24 Ultra falls to a new low, plus the rest of the week's best tech deals

Nikon’s Z8 is a phenomenal mirrorless camera for the price

Some of our favorite Bose headphones and earbuds are back to all-time low prices

Apple's 13-inch MacBook Air with the M3 chip has never been cheaper

NHTSA concludes Tesla Autopilot investigation after linking the system to 14 deaths

Wacom's first OLED pen display is also the thinnest and lightest it has ever made

It doesn’t matter how many Vision Pro headsets Apple sells

The Google Pixel Buds Pro are back on sale for $135

Dell XPS 13 and XPS 14 review (2024): Gorgeous laptops with usability quirks

OpenAI's Sam Altman and other tech leaders join the federal AI safety board

The best gaming gear for graduates

The Morning After: Apple announces an iPad event for May 7

Engadget Podcast: Why TikTok will never be the same again

The best wireless earbuds for 2024

Apple is launching new iPads May 7: Here's what to expect from the 'Let Loose' event

Spotify tests Apple's resolve with new pricing update in the EU

Tupac’s estate threatens to sue Drake for his AI-infused Kendrick Lamar diss

BlizzCon 2024 is canceled

Reddit is back online after a major outage forced everyone to touch grass

Formula E debuts Gen3 Evo race car: All-wheel drive unlocks 0-60 mph in 1.82 seconds

About

Sections

Contribute

Buying Guides