It seems the trend for hackers in 2012 is video games. And they aren’t leaving anyone out: NCsoft’s Guild Wars is the latest video game enterprise to fall victim to hackers, joining Blizzard Entertainment, which was hit last month and is the software company behind some of the world’s most popular games, including StarCraft, World of Warcraft and Diablo.
A year ago, our mini-series on gaming security delved into possible security issues that could plague the world of online gaming for both gamers and developers. A year on and these issues are still very much a part of the modern gaming landscape.
As an avid video gamer and StarCraft 2 player myself, I was concerned after hearing the news about the recent security breach of Battle.net, Blizzard’s online gaming interface. I wondered whether my information had been accessed and, more importantly, how it was being protected.
Blizzard announced that the “compromised information is cryptographically scrambled versions of passwords which are not enough for anyone to gain access to Battle.net accounts”, yet this is the second time the video game developer has been hacked this year. Blizzard subsequently advised players on North American servers to change their passwords as a security measure.
At Gemalto, we have long argued that passwords alone simply do not offer enough security in today’s digital world. In this case, Blizzard has been using the Secure Remote Password (SRP) protocol to protect users’ passwords. SRP essentially “makes it extremely difficult to extract the actual password, and also means that each password would have to be deciphered individually”, explains Mike Morhaime, Blizzard’s President. This makes it more difficult to hack, but still far from impossible. Lysa Myers, blogging for Intego security research, gave a positive spin to Blizzard’s security measures. She noted that Blizzard’s passwords “were not simply hashed but also salted”, reiterating Mike’s insistence that hacking the system is difficult. But hackers do not stop at ‘difficult’…
Jeremy Spilman, Opine.Me blogger and founder of TapLink Inc, addressed the Blizzard security breach in a blog post I’d recommend as further reading. He mentions that the security breach was downplayed and that users should be made aware that “passwords have almost certainly been cracked, and immediate action should be taken.” But it’s not fair to expect gamers to just hop on board and alter their password each time another security breach occurs. It’s up to the providers to ensure that their customers have as secure a login system as possible from the start.
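To make the salted-verifier point concrete, here is an added example (not Blizzard’s code or parameters, and not from the posts quoted above) of an SRP-style verifier and a server-side weak-password audit. It shows that the per-account salt gives two users with the same password different stored values, yet a password on a known-weak list is still matched one account at a time. The toy modulus, SHA-256, the function names and the sample accounts are assumptions made for illustration.

```python
import hashlib
import os

# Assumptions for illustration: a toy group (2**521 - 1 is a Mersenne prime) and SHA-256.
# Production SRP uses a standardised group such as those defined in RFC 5054.
N = 2**521 - 1
G = 3


def _h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def make_verifier(user: str, password: str, salt: bytes) -> int:
    """SRP-style verifier v = g^x mod N, with x = H(salt | H(user ":" password))."""
    inner = _h(user.encode(), b":", password.encode())
    x = int.from_bytes(_h(salt, inner), "big")
    return pow(G, x, N)


def register(user: str, password: str) -> dict:
    """What the server stores: the salt and the verifier, never the password."""
    salt = os.urandom(16)
    return {"user": user, "salt": salt, "v": make_verifier(user, password, salt)}


def weak_accounts(records: list, denylist: list) -> list:
    """Password audit: which stored records match a known-weak password?

    The salt forces one exponentiation per (record, candidate) pair, so work
    cannot be shared across accounts, but each weak password is still found.
    """
    hits = []
    for rec in records:
        for candidate in denylist:
            v = make_verifier(rec["user"], candidate, rec["salt"])
            if v == rec["v"]:
                hits.append(rec["user"])
                break
    return hits


if __name__ == "__main__":
    # Constructed sample accounts, not real data.
    db = [register("alice", "hunter2"), register("bob", "hunter2"),
          register("carol", "c0rrect-horse-battery-staple-7731")]
    print("same password, verifiers equal?", db[0]["v"] == db[1]["v"])
    print("accounts with denylisted passwords:", weak_accounts(db, ["123456", "hunter2"]))
```

A provider can run the same check at registration or password change to reject denylisted passwords before a verifier is ever stored.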
In the long run, the gaming world can learn from the office or the hospital, where a second identifying factor is a prerequisite for sign-in. In many cases, this could be either a one-time password (OTP) token or a mobile phone app that generates an OTP. This takes them a step closer to more secure multi-factor authentication, with something you know, something you have and, as technology evolves, something you are. Online gaming has built a huge fanbase in the last decade, but with our home consoles and entertainment systems sitting in our living rooms hooked up to the internet, it’s up to the providers to make sure that when we power down the system for the night, the online battle ceases until the next day.