Steven Davis, CEO of SecurePlay and the mind behind PlayNoEvil, has been watching the events with interest and spent some time recently talking to us about his take on the situation as well as overall account security. Follow along after the jump and see what he had to say.
Massively: The recent wave of security problems most visibly affected two companies: NCsoft and Blizzard. In the case of NCsoft, it began with a significant number of Guild Wars accounts being compromised, then moved on to Aion shortly after Guild Wars login security was stepped up. To many players, this pointed to NCsoft itself as the source of the problem. What does the situation look like to you, and do you see anything preventative that could have been done?
Steven Davis: The technical situation at NCsoft is hard to assess based on the available information. That being said, the real weakness has been how NCsoft has responded to its players/customers. After all, most of these players have put tens, if not hundreds, of dollars into a game (or will, if they like the game) and many, many, many hours. Players care deeply about the security of their accounts, their characters, and their loot.
Security incidents are going to happen. The real question is how you respond. Public relations are as important as the technical and business response to the incident. There are a number of steps that a game company should take when a serious incident arises:
1. Aware – Tell your customers that you are aware of the problem and are taking it seriously. Let them know that they (the customers) and their issues are important and that the integrity of the game is critical to the company.
2. Triage – Figure out what immediate action you can take to stop the problem from getting worse or spreading.
3. Investigate – Figure out what is really going on.
4. Patch – Identify a short-term solution or workaround to get things "almost" normal.
5. Repair – Fix the problem and reconstitute the game.
6. Reflect – Look to see if there are related vulnerabilities in the game design, business operations, or other areas that can be exploited and fix them before they fix you.
There is no way to tell if NCsoft is handling the problem well technically, but the company is not doing a very good job of public relations (see Google in China or CCP Games for companies getting in front of security problems).
The general MMO community views all of these security issues lately as a very unusual thing. In your opinion, is this out of the norm or does it just happen to be getting more attention now?
I've been following game security problems since the late 1990s and writing my blog, PlayNoEvil.com, since October 2004. That there are notable game security problems is not new or unusual.
I suspect that there is a basic change going on in the types of fraud targeting games. The fact that it is regularly reported that "secondary markets" are a billion dollar business makes it look tempting for aspiring fraudsters, and these criminals are competing with gold farmers. John Smedley raised this issue in early 2008, and I coined the term "gold frauders" when I first started writing about the problem.
I suspect that we are seeing the displacement of gold farmers (whose business takes a lot of work and risk) by gold frauders... and game company security mechanisms that are good for fighting gold farmers don't work when dealing with gold frauders.
It is a much more difficult problem and much harder to counter.
I would not be surprised to see a real impact on subscriber numbers in some games where fraud gets out of hand, probably in a reasonably large game... and it is going to be particularly interesting to see how World of Warcraft responds to this problem going forward (watch those subscriber and revenue numbers in their investor reports).
Game companies have been offering the standard security tips: change your password regularly, don't use the same password everywhere, don't respond to phishing attempts, etc. These tips seem like no-brainers to many of us, but do you think there are still enough people unaware of these measures to make it an issue?
Short Answer: Yes.
Long Answer: Hell, Yes.
Longer Answer: In my book, Protecting Games, I talk about the three big security problems: Lazy, Cheap, and Stupid. Being lazy is very common, very human, and very deadly. If you force people to have very elaborate passwords, people will write them down or store them on their computers. It is worth noting that elaborate passwords don't stop phishing or keyloggers. Another area of weakness is when people use "Mother's Maiden Name" and other readily located information to protect an account when someone "forgets" their password.
Game developers are not blameless here. Far too often, developers "roll their own" security systems. You've seen them. I've seen them. They are not pretty. Also, games can be attacked through third party sites... there are no "fan sites" for banks (especially today). Game companies need to find a way for fan sites to make money legitimately... otherwise they are going to be prime targets for phishing attacks and, without a real revenue stream, they won't have resources to take security seriously.
All of the usual "Practice Safe Computing" mantras hold. If you are reading this, you probably know what you should do ... and you probably know what "shortcuts" you are taking that put yourself at risk.
Let's take a look at the other side of the equation. In your opinion, what measures should be in place at any company to help ensure the safety of their customers' accounts?
Each customer account represents hundreds of dollars of value to the customer AND to the developer. If you recognize that, you are going to take account security seriously. It often seems like game companies design their account & security systems sometime during Beta testing. These are the core of your business model and should be part of the game design, implementation, and testing from Day One.
The resource challenge with gold farmers, gold frauders, and cheaters is that the resources the bad guys have to beat you far exceed your internal security resources. After all, from a game company perspective, gold farming is only a matter of customer service... perhaps a cost of a couple of junior staff. From the gold farmer's perspective, there are conceivably millions of dollars at stake.
The best way to "win" is to design as many security problems "out" as early as possible.
During the recent wave of security problems, many players complained that ArenaNet was not doing enough to communicate to the players on a solution. ArenaNet pointed out that if they tell the players what they are doing, they are also telling the hackers what they are doing. Where do you think the balance lies between keeping the player base informed and not tipping your hand to those you are working against?
ArenaNet faces a unique challenge because people don't "buy stuff" from the company very often - just the base game or expansion every year or so... and even then, it is often done through a retailer, so ArenaNet doesn't have a direct financial relationship with its players. Subscriptions and payments allow online game companies to tap into a number of external security mechanisms (such as validating credit card numbers).
That being said, the argument that sharing information with players is bad because the hackers will get the data is totally spurious. When the US was mining harbors in Nicaragua in the 1980s, it was "classified"... but you can bet the Sandinistas knew what was going on. Hackers are acutely aware of what security mechanisms are being used against them.
As I noted above, it is important to tell your customers that you are doing something. Customers are fickle and can leave... there are a lot of games out there and players are going to play where they feel safe and that they are valued by the game company. Players are pretty sophisticated and do not like being treated like children.
... there is no reason to tell them EVERYTHING that you are doing, however.
Many MMOs and other client/server games have web-based out-of-game activities, ranging from the simple forums to more complicated features like auction houses. How do you see security being managed in these cases where there may be multiple points of vulnerability?
As with alcoholism, first you have to admit that you have a problem. Forums and auction houses and social networks are powerful and amazing things, but, like everything else in life, they are not free of risk. Simply considering "what can go wrong" when you design and operate these services is going to go a long way towards avoiding problems. Virtually all of the cheats and hacks that I wrote about in my blog in 2009 were repeats of stories from 2008 and 2007 and 2006 and 2005... The games were changed, but the underlying vulnerabilities remain the same. Sometimes something new comes up, like account theft being a new kind of piracy in games-on-demand services like Steam, but even this is a new variation of an old problem.
This is mostly good news. Game developers don't have to struggle in the dark against an unknown threat.
They do have to admit there is a problem.
Thank you for your time, Steven!
Steven Davis has over 23 years of IT and IT security expertise and has focused on the security issues of the gaming industry for more than a decade. He advises game companies, governments, and regulators around the world. Mr. Davis has written numerous papers and speaks at conferences on all aspects of game security. He is the author of the book "Protecting Games" and the game security and industry blog, PlayNoEvil. Mr. Davis has international patents on game security and IT security techniques, most notably the anti-cheating protocols that underlie the SecurePlay anti-cheating library. He has designed several games including DiceHoldem and acts as a design consultant. He is currently the CEO of IT GlobalSecure which develops game security products and provides game security, IT security, and game design and evaluation services. Mr. Davis' expertise includes security leadership positions at the US National Security Agency (NSA), CSC, Bell Atlantic (now Verizon), and SAIC. He has extensive cryptographic and key management design experience including work on Nuclear Command and Control systems, the Electronic Key Management System, and numerous other commercial and government projects. Mr. Davis has a BA in Mathematics from UC Berkeley and a Masters Degree in Security Policy Studies from George Washington University.