Cybersecurity in Gaming: DDoS & Hacking Threats


Cyber-threats plague our society today in every area of our lives that involves technology. Be it work, school, or play, we are always surrounded by technology that could potentially be hacked or attacked at any moment, leaving us vulnerable. One of the industries where protecting against these cyber-threats has been an issue for many years is gaming—and with Pokémon Go all over the news this week, there is no better time to address cybersecurity in the gaming world.

Smartphone threats, ‘Gotta catch em all’

Pokémon Go is all people have been able to talk about recently—with over 7.5 million downloads in the U.S. alone within its first week of launch, the game is wildly successful and obviously entertaining. But with its emergence as one of the first augmented reality games for your smartphone, it has exposed users to a herd of cyber threats because of the full level of permissions it has been asking of users who sign up with their Google accounts. Not only that, but with “Pokémon Masters” sharing their location in order to play with and battle other users, this is the biggest database of people’s current locations created from a game. Thankfully, Pokémon has released a patch in an app update that reduces the permissions the app can access to just your Google user ID and email address. However, prior to this fix, they were privy to all of the information listed in Figure 1 below.

 


Figure 1: Pokémon Go Permissions before 7/12/16 patch via Inverse

Though the company may have had no intention of using this information in a malicious way, had a hacker gotten into the app on your phone or through the Pokémon Go servers, they could have used all of this information to their advantage. This is one of the issues with gaming on smartphones—you must be careful of the permissions you allow; otherwise, you could be a victim without even knowing it.

Online and Console Gaming, A DDoS minefield

Cyber-threats are not only prevalent in the smartphone gaming world; they are also rampant in online and console gaming. While these segments face many threats, two of the biggest are DDoS and hacking. DDoS, or distributed denial-of-service, attacks occur when massive numbers of corrupted systems attack a single target. These malicious sources flood the target with bad traffic, preventing (or denying) service to the site for genuine, honest users. DDoS can also include denying service via wiping out entire databases full of user information or attempting to change a user’s password too many times, thus locking him or her out. The primary way it affects video games is by overloading the servers with malicious traffic, thus bringing them down and making them inoperable. As you can see below in Figure 2, in the first quarter of 2016, the overwhelming majority of DDoS attacks across the internet were targeted at the gaming industry.


Figure 2: First Quarter 2016 DDoS Report by Industry via Statista

 

While these are shocking numbers, this is nothing new for the gaming world. Online and console games have been the primary targets for gaming DDoS attacks for years.

Earlier this year, well-known DDoS attack group, Lizard Squad, launched an attack on World of Warcraft and Diablo III online game provider, Blizzard. Servers were down for several hours leaving players restless and angry. DDoS is a cyber-crime that is easy to commit and difficult to combat, so getting their servers up and running again took much time and effort on Blizzard’s end.

Lizard Squad also led DDoS attacks on Christmas two years ago that affected both Microsoft and Sony, providers for Xbox and PlayStation consoles respectively. Lizard Squad warned of the attack in the months leading up to the holiday—tauntingly asking how ‘Live’ and ‘PSN’ (the games’ online networks) were doing. It is difficult to fight these kinds of attacks because, with traffic coming from so many locations, it is hard to weed out the good traffic from the bad, especially when the massive number of people who received the consoles as gifts for Christmas are all logging on around the same time as the attackers.

Hackers: threatening your phone, laptop, and console

In addition to DDoS attacks, all platforms of gaming are threatened daily by hackers. Late last year, Steam, one of the world’s most powerful online gaming companies, admitted that 77,000 of its players’ accounts were hacked every month.

One of the scariest aspects of hacking is the information that hackers are able to take. PII is readily available because these users provide so much personal information just to sign up and play; so when game systems are attacked, users’ data is vulnerable to being stolen and possibly even sold on the internet. These players include people of all ages, so parents of young gamers should talk with their children about the amount of information they provide when registering for different games they play.

Many games ask for sensitive information such as a birth date, home address, and credit card information. Unless the game is specified for a specific age level (i.e. “Rated M for mature”), it should not need your birthday information. Having access to your home address could lead malicious cyber-criminals right to your front door, exposing you to some serious physical trouble in the real world. And the only reason a credit card number should be needed is if you’re paying to play that game—though some ask for it even though they’re “not going to bill you anything.” This information should not be given out carelessly because, should it fall into the wrong hands, it could be detrimental to your personal cybersecurity—possibly even leading to hackers using this information to steal your identity.

Gaming Cybersecurity, Be careful where you download

Nobody who loves gaming will stop just because there are threats to the industry; however, by taking steps to personally protect yourself as well as being aware of what dangers are out there, you can better enhance your own personal cybersecurity.

Though all aspects of cybersecurity require layers of protection, many of the threats that gamers face are caused by the gaming platforms they use, and there is little they can do personally to defend against attack. The best way for players to protect themselves is by only downloading legitimate games from trusted sources. If you are unsure about the security and validity of a game, you should not download it. Downloading mobile games from third-party providers can leave your smartphone vulnerable to attack, and the same goes for computer downloads negatively affecting your laptop. While it is slightly more difficult to download games freely on consoles like PlayStation and Xbox, it is still possible. The best way to prevent a malicious game from infecting your device is by only downloading legitimate, verified games.

Hailey Carlson, Marketing Intern, Axiom Cyber Solutions 7/15/2016


Beware: Pokémon Security Vulnerability Allows Access to User’s Entire Google Account

LAS VEGAS— With over 7.5 million downloads since launch on July 6, 2016, Pokémon Go is a wildly popular game, but Axiom Cyber Solutions wants to warn users of the security risks of the app being connected to users’ Google accounts.

Currently, the app offers the option to connect with a Pokémon Trainer Club account or a Google Account. A large percentage of users are choosing to connect with their Google account, not knowing that they are giving the app permission to their entire Google account, from documents and photos to email messages and search history, and even items stored in the cloud. Although a patch is being worked on by the app developers to restrict the app permissions to only basic Google information, and the developers insist that so far the app has only accessed basic information, there is still a risk to users.


Ahead of the patch, users can restrict access to their Google account information through their Google Account. To change the app permissions, go to “My Account” on Google (https://myaccount.google.com/) and navigate to “Connected Apps and Sites”. Select “Manage Apps”, then click on the Pokémon Go app, and select “Remove Access”.


Android users must also be wary of third-party download sites that are offering malware-infected versions of the app. Security research firm Proofpoint has found a version available from a third-party site that was packaged with a remote-access Trojan (RAT) which would give a hacker full control over the phone once activated.
