Current Gaming Security Topics (part 3, Payment Protection)

Posted in Gaming Security on June 14, 2010 by Will

This topic has baffled me since starting in the online gaming industry. Every show I go to I see many payment application providers. The sheer number of them is staggering to me. Each one I see I try to strike up a conversation and see what they are doing for security or where there may be a need. What’s interesting to me is that most of them do not feel that user authentication needs to be secure for them. Most of them simply allow publishers to use their systems to process the end users’ credit cards or however the user is paying for the game. This strikes me as what I am seeing in the credit card world too. Basically the processing company simply assumes that if you have the credit card number then you must have the card. At LOGIN I spoke to a payment company and they told me of the problems they face with chargebacks and proving that a user is who they say they are. It seems like a big problem for this group, yet they still seem to see user authentication as not interesting.

PayPal is about the only one that seems to embrace user security, well if you don’t count the fact that the token devices are hidden deep in their web pages on security. It makes sense to me that if you require the user to make an account, then the user should be using more than a username and password to authenticate themselves.

The issue at hand here is twofold from my view.

  1. The user’s account is used to store the credit card information; if the user goes to view the information most of it is hidden from them and all they can do is add or change this information.
  2. The customer isn’t paying the payment company, or at least not directly. So there really isn’t much that is driving the payment company to offer security that may come with a price tag.


I know there is a need here, as I know that I want my payment information protected from prying eyes, but I can’t seem to figure out what the business need is and how to make that leap from convenience to security for this part of our market. As I walk around the show floor at E3 this week, I will continue to investigate this space and see if I can find that missing link.

Current Gaming Security Topics (part 2, Revisit Keylogger/Trojan Protection)

Posted in Gaming Security on June 14, 2010 by Will

Ok, it’s been a few months and really there have been a lot of new things going on in the online gaming security space. The threat of the keylogger is still lurking around, but to be honest it hasn’t deterred many game publishers from going forward with One Time Passwords. Apparently the attacks just aren’t compromising enough accounts, and the reality is that the attacks really still can’t be automated enough. Many users are still only using static passwords and the major game publishers want users to simply move off of this practice on to the next more secure option.


I still have the conversations about the keylogger attacks versus One Time Password tokens, and it came to me one day: the solution has been staring me in the face for years. So I probably need to do a little research, but I think I’m ok with my knowledge here; if you’re taking a test on what I’m typing you’re probably going to fail, so look it up. I believe that in the late ’80s/early ’90s token devices came on to the scene. I know VASCO started in the early ’90s and I know that the first tokens we had on the market were actually PIN PAD (they have a numeric keypad on the front) style devices. VASCO didn’t introduce our Go-1 device (OTP only) until 1999, I believe. So what does this have to do with the attack? Well, these PIN PAD style devices were used for what’s known as Challenge-Response (CR). That means that the server generates a random number (the challenge) and sends it to the user, the user types it into the token, and the token generates a number (the response) derived from that challenge. As long as the response the server received back from the user matched the challenge it originally sent over, the user would be let in.

The technology hasn’t changed too much here; we’ve added the ability to make the challenges time based with time based responses (instead of just challenge based responses). But all in all the technology is the same. It was designed to stop shoulder surfing (remember my disclaimer about my facts up above) attacks. If an attacker is watching the user generate the password and type it into the screen, the attacker would need to get the same challenge generated and sent to them during the same time period in order for the password they stole to work. So this pretty much completely defeats keylogger/shoulder surfing attacks.
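To make the challenge-response flow above concrete, here is an added example (not code from the post or from VASCO) of both sides of the exchange in Python. The token secret, the HMAC-SHA256 construction, the 6-digit truncation and the 30-second time step are all assumptions chosen for illustration; real PIN-pad tokens use their vendor's own algorithm. The server issues a one-shot random challenge, the token derives a response from it, and the server accepts only a response that matches the outstanding challenge (and, in the time-based variant, the current time window). The point the post makes, that a keylogged response is useless against the next challenge, is what the replay check demonstrates; a caveat the post does not mention is that CR does not by itself stop a real-time relay attack where the attacker forwards the live challenge to the victim, so it should be combined with session binding or transaction signing where that risk matters.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

# Constructed shared secret: programmed into the hypothetical PIN-pad token at
# provisioning time and stored on the server next to the user's account record.
TOKEN_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")

STEP_SECONDS = 30  # assumed width of the time window for the time-based variant


def token_response(secret: bytes, challenge: str, time_step: Optional[int] = None) -> str:
    """What the token computes after the user keys in the challenge.

    The response is a 6-digit decimal code derived from HMAC-SHA256 over the
    challenge and, for the time-based variant, the current time-step counter.
    """
    msg = challenge.encode("ascii")
    if time_step is not None:
        msg += time_step.to_bytes(8, "big")
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    # HOTP-style dynamic truncation: 4 bytes at an offset chosen by the last nibble.
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


class ChallengeServer:
    """Server side: hands out one-shot random challenges and verifies responses."""

    def __init__(self, secret: bytes, time_based: bool = False) -> None:
        self.secret = secret
        self.time_based = time_based
        self.pending: Dict[str, str] = {}  # username -> challenge still awaiting a response

    def issue_challenge(self, user: str) -> str:
        # 8 decimal digits: unpredictable, yet short enough to key into a PIN pad.
        challenge = f"{secrets.randbelow(10 ** 8):08d}"
        self.pending[user] = challenge
        return challenge

    def verify(self, user: str, response: str, now: Optional[float] = None) -> bool:
        # A challenge is consumed on its first use, right or wrong, so a stolen
        # response cannot be retried against the same challenge.
        challenge = self.pending.pop(user, None)
        if challenge is None:
            return False
        step = None
        if self.time_based:
            step = int((time.time() if now is None else now) // STEP_SECONDS)
        expected = token_response(self.secret, challenge, step)
        return hmac.compare_digest(expected, response)


def replay_demo() -> dict:
    """Show a legitimate login followed by a keylogger replay of the same response."""
    server = ChallengeServer(TOKEN_SECRET)
    first = server.issue_challenge("alice")
    captured = token_response(TOKEN_SECRET, first)  # what a keylogger would record
    legit_ok = server.verify("alice", captured)
    server.issue_challenge("alice")                  # next login gets a fresh challenge
    replay_ok = server.verify("alice", captured)     # replayed response against it
    return {"legitimate": legit_ok, "replay": replay_ok}


if __name__ == "__main__":
    print(replay_demo())
```

The two things worth copying into a real design are the one-shot consumption of the challenge in `verify` and the constant-time comparison of the expected and received codes; both are cheap and both are easy to forget when the server keeps challenges in a session store.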

The major hurdles for adoption of this technology really depend on what we believe our users will do. The original hurdle for OTP devices was that we didn’t think users would want to hold the devices and might leave us for the next game. What we found was exactly the opposite. Not only did users not have a problem with generating a password and typing it in, but the devices sold out in record time and were becoming collectable.

With Challenge Response we need to ask the user to take the next step. Not only do they need to turn the device on, but they also need to type in something they see on the screen before getting a password from the device. While I believe the time it takes for someone to do this is probably less than a few seconds, it’s still something that hasn’t been introduced to our users yet and it’s different than what they are doing at work (where they probably only use an OTP only token).

The benefits here seem to outweigh the usability problems. First we solve the keylogger problem, and the marketing real estate on the device is much bigger than on the single button ones. What if we make it so that we extend the in-game feeling right to the device by making the challenge from in-game languages and character sets? We can start to push the game further out to the user’s own environment while making them more secure in the process.

Current Gaming Security Topics (part 1, Child Security Thoughts)

Posted in Gaming Security on June 14, 2010 by Will

Ok seat back, stuffed in this plane, ready to put some thoughts together.


So as I mentioned in my last post the main trends I have seen in the Online Gaming market have been (I’ve added):

  • Child Protection (My post below)
  • Keylogger/Trojan Protection (I wrote about this one a few weeks ago, I need to revisit this I think)
  • Payment Protection
  • Hosted Security Options
  • Code/IP Protection
  • End to End Security


I’ll refine that list as I pull my thoughts together.


Let’s start with the one that is closest to my heart, child protection. So I have 4 children that range in age from 16 to 4, which means I have many walks of life in the gaming space. My oldest is all about Facebook and other social gaming apps (Farmville, etc.). My 11 year old is all about pushing his boundaries, so he wants to play WoW and is dying to get on Facebook, but I’ve managed to sway him to stay on Wizard101, FreeRealms and FTP Flash Games for a little longer. My 6 year old is all about whatever the 11 year old is doing…but…WoW and Facebook appear to be out of his comprehension at this point, so he has stayed pretty much on Wizard101, Club Penguin and <insert web based gaming>. My youngest is content with watching her older brother run a character named for her through Wizard101 collecting pets and telling him where to move the little computer girl around the screen.

So the landscape of security risks for them is all over the place for me on a personal level. On a technical level, so far I don’t even think one of them has thought about security at all yet. I sat my 11 year old down to chat about security on Facebook as he is just about ready to make the leap. I explained all about the “bad” people out there. His comment “Ok Dad, can I just set one up now?” I kinda expected that but the thought of him on Facebook is scary, I mean the 16 year old almost shocks me on a daily basis as I find out more through Facebook about her than I do when I chat with her. So for me security has to be introduced and I’m making a big push for it everywhere.

Since I work for the largest token manufacturer in the world (30 different hardware models alone now), it’s hard not to let the kids play with them. My WoW account is protected by one and I must have a couple dozen hanging around with different logos that they have picked up and asked me how to use. It’s really my WoW account that pointed me to what I thought should be investigated. I avoided having my account hacked and got the Authenticator on it as soon as they were ready. This stopped my kids from being able to log in to move my character around (and get him killed). As long as I had my keys on me they were stuck. Then came the weekends, and since I am not a morning person, they would have the keys and be off and running on my WoW, running up my repair bill. What I found interesting was exactly who was using the account now. I assumed it would be the oldest boy (the 11 year old) but instead it was the 6 year old. He found it easier for himself to log in, because he “didn’t need to remember which keys were the password ones”. Well, this isn’t really security but it sure sold me on the devices for children.

As far as the security goes, my account still hasn’t been hacked and I still end up with new level 1 characters created in my account every few weekends. What I noticed on their Wizard101 accounts is that they have their passwords written down on scraps of paper everywhere, and not just once; there have been 3 or 4 scraps of paper with the password and username lying around my computer room. What shocked me even more was they were sharing it with our neighbors so that they could help them play (I stopped this activity pretty quickly I think). Additionally, if my 6 year old left the desktop computer to play on the laptop he always needed my help, either to type in the username or to help remind him what keys he needed to press. I attempted an experiment and changed his password once, and the effect was pretty much the same. He just asked me to write it on more scraps of paper. The concept of security seems to be lost on children under 10. If it stops them from playing a game they will move on to the next game.

And what about the “bad” people? In the Industry I have been having lots of discussions about using a token to prove that the user is a child. It is an interesting concept. Basically if we put it in a store and ask the potential user to come into the store and buy the device we expect that we will get less people that will pretend to be children. It seems logical as I would imagine people might be more hesitant to walk into a store and buy a token that is labeled and packaged with kid’s toys. I do imagine that if a person wants to attack a child then this will probably be less of a hurdle for them, but it removes the anonymity of the user too and captures them on store surveillance video as they are purchasing the item.

So I think the last point of concern is the FTP (free to play) and social games. There are security issues here that are similar to the other games but for children the accounts appear to be too liquid (they create new ones every time they forget their passwords). As my company starts to roll out new security options soon I suspect that these types of games will have new options to embrace. As business goes I think these new technologies will help usher in a different type of thinking. No longer will it be the cost of doing security, instead it might be the cost of not doing security. I’ll write up more on this technology at a later time.


Preparing for E3

Posted in Gaming Security on June 13, 2010 by Will

As I sit in the Boston American Airlines terminal waiting for my oversold flight to begin boarding, I thought I’d take a second to collect some thoughts on the key areas of gaming security and what I hope to find there.

So the main topics I’ve been hearing for the last couple months have been:
* End to End security
* Child protection/proof
* Keylogger/trojan horse protection

Ok so they’ve started boarding and I haven’t finished. I’ll put some more thoughts together on the plane.

What’s in a name.

Posted in General on April 5, 2010 by Will

I was writing my blog and I was struggling with the name of token. I mean every day I say DIGIPASS or token, but I realized that most of my readers have no idea what a DIGIPASS is (unless they have talked to me). So I started calling them Authenticators. Everyone in the gaming space knows this name now, thanks to Blizzard. But I still get the random person that only knows the token device as an RSA SecurID (…“that we used way back in the day at some obscure high security government job…” I love those stories). So I thought I’d put together a quick post on all of the names I have heard so far for one of these simple little devices:

  • Token (I remember when I first started at VASCO and people thought I was talking about token ring networks).
  • One Time Password device
  • Password Generation Device
  • VASCO DIGIPASS
  • RSA SecurID
  • Security Token
  • Security Dongle (shouldn’t this be something you plug into your pc?)
  • Security FOB (or just FOB, which sounds like you have something stuck in your throat)
  • Two-factor Authentication Device
  • Blizzard Authenticator
  • ….and probably more…

Me personally, I’ll probably stick with Authenticator or token or DIGIPASS (if you’re a customer). I remember getting the email with the logo for the new Blizzard “Authenticators” (internally we were pushing for “Security Assistant”; Authenticator is so much sexier, hence why I am not in marketing…lol). So pretty much after that day, they will always be known as Authenticators to me.

New titles and security thoughts

Posted in Gaming Security on April 2, 2010 by Will

So recently I have been working with a number of developers that are getting ready to release titles. Interestingly enough, most of these clients are now thinking about account security before they send the game out to publishing. This should be recognized as a huge shift in the gaming world. Security was something we used to think about as an afterthought; it’s nice to see that people are starting to include security as forethought.

So most online games are looking at some type of account security, be it hardware or mobile security or a combination of both. The main thing most of these developers are looking at is how do I roll out the security and when?

As a security person, my first reaction is right away and before the user can even start playing the game. So let’s evaluate this. If we give users the option to choose security or to start playing the game, most users, including me, are probably just going to start playing the game. Then if I like the game or start to really invest some time or money into the game, I will take a harder look at my security. The problem is that most users will never come back and take that second look at their security unless we force them or something bad happens. And if we end up having something bad happen to the user, it costs us money and if we force the user to do something then we might lose them (which cost us money).

So if we start right at the beginning with stronger authentication then the users will not have to think about it later. Great, but what is the beginning? Is it when the user picks up the box on the store shelf? How about when the user registers for their account? What about when the user registers to play a beta account and we allow them to transfer it over to a standard account? For me the beginning is when the user has created their online account, be a forum user, and game account, or whatever the account is that is created for the game. This is the point at which we need stronger authentication.

So if the user registers for an account, do I ship them an Authenticator before I let them play (or pay)? Well this is the next biggest question I get, “How do we get the devices to the user?”. There are a few schools of thought here.

The first one is generally perpetuated by our users: “Put the device in the box”. Great thinking, but it’s not that easy, as I’m sure we are all aware. Our margins on the box and the materials in the box are very slim and putting anything new in the box could be very costly. It is an interesting idea from the security perspective provided that we force the users to use the device, and we could even tie the serial of the game to the device in the box (great for IP protection or stopping account sharing). Another problem with this is that we are seeing a huge rise in digital distribution. I read an article today that digital distribution will top 3 billion dollars and is expected to increase. So it would appear that our users are moving more towards this method rather than our boxes, and in this case we probably won’t have many users getting the security devices we wanted them to have in the first place.

The second one is a bit more interesting, which is to force the user to install a temporary software application on their mobile device. This certainly gets around the cost problem in the box, but now we have to hope that all users have a mobile phone. This doesn’t really work very well for our younger users. But if we are marketing for the older crowd anyway, this is no longer a problem (or at least much less of a problem). With digital distribution this certainly is a much more viable solution. The main issue that you have here is that it is generally more cumbersome for users to start using the game. Then once they are in and using it, we have to worry about the security of their mobile devices and other issues around that (we’ll talk about the security issues in some other post).

So how about some new solutions?

  • What if we simply sold the authenticator at the store on its own, like our pre-paid game cards (or as a replacement for them)? Purchase the device and you get X credits, oh and by the way you need the number from the device to log in to use the credits.
  • What if we text them passwords until they get their devices? This ties the user to a mobile number, the user doesn’t need to install anything on the mobile device, and we are shipping them their hardware device while they start playing.

I’m always interested in new ideas; I think I saw a new technology company out there that was putting security on SIM chips for phones. VASCO has done this for a while, but this new company is making a sticker-like device that goes over the SIM and offers additional functionality. What if we were to use something like that? (I would think people would start breaking their phones pretty quickly and then we would become phone repair gaming companies.) It’s an interesting idea.


Blog titles gone wrong.

Posted in General on March 30, 2010 by Will

As I was working on figuring out what to call my blog I went through a bunch of names. I started with Gaming Security Notes; everyone thought it was dry (including myself). I spoke to a close friend of mine that I haven’t seen in forever; she was a guild mate in Everquest in a guild I ran back then. She suggested Iweil Says…, I liked this one, but I’m sure no one would ever know what it meant unless you talked to me about my life as an online gamer (my in-game name was randomly chosen in EQ as Iweil, I have used it ever since for all of my MMOs). Finally my technical team here in Westborough came up with “…And things like that”, in honor of my infamous wow.com interview.

If you haven’t read the interview, your head will thank you later. It wasn’t one of my finest performances. 2 days on the floor at BlizzCon, caught right before an Ozzy show, it was pretty much the best I could muster. At the end of pretty much every line I added the phrase “and stuff like that”. I think Wow.com finally cleaned up the interview a little bit, as I just re-read it and it’s not half as bad as I remember it. Either way, most people I know will never let me live this down, and to tell you the truth I’m not sure I want to.

Either way, my blog links are:

https://andthingslikethat.wordpress.com

http://iweilsays.blogspot.com

Hopefully they will have the same stories on both…but…we never know.