Security Rules and Reports Create a False Sense of Security for Online Game Publishers

I’ve talked a lot this year about how the video game industry is under siege from cyber criminals, fraudsters, and cheaters. From account hijacking and credit card fraud, to Distributed- Denial-of-Service (DDoS) attacks, money laundering, and even attempted identity theft, there’s no shortage of risk for both ordinary video game players and publishers to deal with.

Additionally, we’ve written extensively about how since video games transitioned from single-player offline to massively online experiences, player protections have focused on Layer 1 front-end safeguards (multi-factor authentication, IP controls) and Layer 3 monetary transaction controls (credit card black/white lists, transaction thresholds). While these safeguards have some value, they can be easily defeated by persistence and basic hacking techniques. Arthur Chu, former Fraud Manager for Nexon America, communicated the problem best when he said that since all major banks use Layer 1 protections, “…fraudsters have a lot of practice at compromising accounts.”

As it relates to in-game (or Layer 2) activity, many video game publishers currently implement a cybersecurity strategy that is similar to those once relied on by financial services institutions. This rules-based approach is what security professionals define as a reactive posture because it relies on forensic investigation to identify patterns of fraudulent behavior and define “rules” (i.e. if you see this defined pattern of bad activity, take this recommended action”) designed to keep bad guys at bay. In this scenario, if an event happens once and is identified, new rules can be implemented to detect it and prevent it from happening again.

While perhaps a sound approach in theory, video game publishers are learning what banks learned more than a decade ago: cybersecurity that relies on rules and reports is time intensive, frustrating, expensive, presumptive, and, in most cases, highly ineffective at protecting their players and profits. A bad actor can more quickly and easily change his or her behavior to get around the rules than a publisher can change the rules to keep up.

What We Know About Rules and Reports from Financial Institutions

The banking industry began using report-influenced cybersecurity in the early 2000s, after bad guys learned to defeat login controls. Because online banking was less than a decade old, financial institutions were ill prepared to protect their customers from attacks by financially motivated cyber criminals. In response to the onslaught of threats, the banking industry began building rules-based tools, created following forensic analysis of successful attack signatures, to help identify suspicious activity. While there was some initial success, bad guys innovated faster. Financial services companies quickly learned that maintaining rules was time-consuming, expensive and most notably, reactive.

Essentially, by the time a report’s recommended rules changes were programmed, hackers had already anticipated the additions or changes in security, and had created the tools or changed their techniques to defeat them. Ultimately it wasn’t until 2011 when the FFIEC upgraded its 2005-cybersecurity recommendations for banks, urging that institutions use a “layered defense” that includes login controls plus “fraud detection and monitoring systems that include consideration of customer history and behavior and enable a timely and effective institution response” (i.e. proactive behavioral analytics), that risk to this industry was dramatically mitigated.

Why Reports are (Almost Always) Ineffective

It would be disingenuous to suggest that all reports are ineffective because that simply isn’t true. However, for cybersecurity management in today’s threat landscape, the pros of reports do not come close to outweighing the cons.

For reports to be effective, one would have to be written and reviewed and new rules implemented at the same speed in which hackers operate. Today, that would translate into a new report being issued, reviewed and executed almost every single day; a luxury that most publishers do not have. Even as some publishers employ a team of fraud specialists to review reports and make recommendations on rules adjustments daily, games simply do not have the developer bandwidth to publish new rules as quickly as necessary. In fact, the average time it takes for new rules to be coded into games is measured in weeks and months, and not hours and days. Simply put, by the time most games can implement new rules, those rules are already dead on arrival.

Hackers aren’t dumb. They understand that changing their behavior is a cost of doing business, expect that their actions will invoke new rules, and plan for it in advance. For example, a hacker who sees the cancellation of a compromised player account in one game already knows how to prepare for and maneuver around this counter-measure in other games.

The problem for publishers is that most hackers and cyber criminals remain highly proactive in their attack strategies, often taking a threshold-based approach that keeps them continuously 5 steps ahead of publishers’ security. This means that absent of the adversary leaving the game, the threat is likely to persist because the publisher is too far behind to stop what’s coming.

Risk Mitigation Using In-Game Security

Online video games, especially free-to-play games are under constant, daily pressure to remain at the top of app stores. Therefore, the majority of developer time and resources goes to managing the in-game experience, such as fixing small bugs that could potentially lead to player turnover, which then leads to a decrease in ranking; ultimately becoming a monetization problem.

However, many publishers are sympathetic to the security challenges posed day in and day out, although they are guilty of implementing reactive security measures that have proven ineffective over the years. For these publishers, there is a clear chicken and egg problem. That is, does the time and resources get spent on implementing new security rules or does the priority remain the traditional gameplay experience itself. One can argue that cybersecurity is a critical part of gameplay and can also lead to turnover, but that hasn’t been the common line of thought to date.