Since launching in 2003, Call of Duty has evolved into one of the world’s most popular video game franchises, surpassing more than $10 billion in sales. The first-person shooter enables players to assume the persona of a military or intelligence agent/superhero. As part of the gameplay, players proactively pursue, capture, or kill ‘bad guys’ in mission-critical war-like scenarios.
What’s ironic, however, with Call of Duty and thousands of other video games, is that while players proactively pursue virtual-world ‘bad guys,’ video game publishers reactively track real world ones.
Today, online video games face unprecedented risk from hackers, cheaters and fraudsters who are ‘following the money’ from online banking and eCommerce to the $100 billion video games industry. The worldwide phenomenon Pokémon Go was recently hacked multiple times within its first week of existence. Blizzard’s Overwatch had to begin banning cheaters immediately.
Despite the havoc caused by years of attacks, the majority of video game publishers continue to maintain a reactive security posture, heavily relying on users to report suspicious or fraudulent activity or on outdated rules to identify pre-defined patterns of bad behavior. Additionally, they depend on antiquated login controls, such as multifactor authentication, device reputation, and IP/geolocation to keep bad guys out of their game and on credit card processors’ tools, which can not identify unauthorized credit card activity until the point of purchase.
Over the past decade, as the enterprise threat landscape broadened, other industries that once emphasized a reactive, compliance-first security model have evolved to prioritize a defense-in-depth proactive risk mitigation strategy. As online video game publishers come to terms with the reality that their industry is the next big target for cyber attack, they must follow the lead of online banks and retailers and adopt a proactive security posture in which behavioral analytics are used to identify a baseline of normal activity for every player. This will allow them to identify suspicious or anomalous behavior, flagging adversaries and stopping attacks before they cause damage to the game and its legitimate players.
Here are five ways that a proactive security posture can benefit video game publishers:
Beat Bad Guys at their Own Game – Traditional cybersecurity tools have a glaring weakness: any tool that bad guys can observe they will defeat. Since fraudsters have had a decade to defeat them, login controls and rules-based reporting on player behavior are obsolete, but publishers continue to use forensic analysis to define the characteristics of a confirmed account takeover event or incident of credit card fraud, and create rules to generate a daily report of similar accounts displaying that same behavior. In response, bad guys, noticing that they are being detected, change their activities just enough to slip past these static rules, swiftly weakening their effectiveness (a process typically referred to as “rules decay”). The publisher must re-perform forensics and manually adjust their rules to detect the new tactics.
Avoid Reputational Damage – Whenever a company is hacked, there is financial and operational loss, but the greatest long-term consequence is less tangible: damage to the company’s reputation. Earlier this year, CSO “argued that this reputation argument is a falsehood,” upon analyzing how Target has rebounded since being attacked in 2014. However, the vast majority of other groups, like the Ponemon Institute, disagree. According to its study of 700 consumers, data breaches, “have the greatest impact on brand reputation.” In today’s online game environment, reputation is critical as every game must compete for players with hundreds of competitors. When a player account gets hijacked and their virtual items are stolen, the player’s trust in the company is damaged, leading some to leave the game for good. Point in case: when Steam Stealer malware led to 77,000 accounts being compromised a month, the online video game platform lost more than 20,000 players in the following month resulting in a massive loss of in-game revenue.
Reduce the Costs of Credit Card Fraud – Credit card fraud and associated chargebacks, the “demand by a credit-card provider for a retailer to make good the loss on a fraudulent or disputed transaction,” cost a merchant an additional $2.40 for every $1 of losses. To limit risk, some publishers purchase chargeback insurance, which offers100% protection, but costs an astounding 8% or more per transaction. With a proactive security posture, the in-game behavior of all players is constantly monitored and anomalous activity is flagged. With this type of behavioral analytics, publishers can be alerted to suspicious in-game activity well before a credit card is compromised, saving potentially millions of dollars on merchant fees and/or chargeback insurance each year.
Control Recent Releases – According to an article in ComputerWorld, attackers can exploit the flaws inherent to game engines, compromising game clients and servers from the second the game becomes publicly available. For this reason, hackers and fraudsters seek to compromise recently released video games or updates before publishers can fix critical vulnerabilities and blind spots. With anomaly detection, video game publishers can monitor the behavior of early adopters and identify and stop suspicious activity in real-time, all without interrupting the experiences of those playing the game for the first time.
Identify & Reward Good Gamers – A proactive security posture doesn’t just help identify ‘bad guys,’ it also helps discover ‘good guys.’ For publishers that rely heavily on in-game revenue, knowing the habits and behaviors of the most active players can be invaluable. With this information, publishers can reward players for good play, increase monetization and identify players worthy of becoming brand and game ambassadors. Showing appreciation for current players also has value. According to a Forbes article citing Gartner, “80% of your company’s future revenue will come from just 20% of your existing customers.”