Is cybersecurity for the gaming industry really necessary?
The global games market is immense. Newzoo, a leader in the field of video games and gamer data, forecasted in 2020 that the gaming market would grow to nearly $190 billion in 2021, up from $137.9 billion in 2018. It further stated that 2023 would mark a major milestone for this market, with the global number of players exceeding 3 billion, representing a CAGR of +5.6% (2015-2023), with the vast majority playing on mobile.
The data collected by the gaming companies is of very high value to them. As explained by EY, this data improves their understanding of player behaviors, enables them to personalize and redesign their games to make them more engaging, and allows them to create targeted in-game advertisements.
The immense amount of personal and credit card data collected by gaming companies has not escaped the attention of cybercriminals looking for an easy financial profit, or for a way to use stolen data to perpetrate attacks on organizations or individuals.
What are the risks that would justify cybersecurity for the gaming industry?
According to Akamai, the gaming industry is a more popular attack target than banking!
Cybercriminals launch attacks against online gaming companies for financial gain, and they achieve this goal not only through theft of personal information and credit card data, but also by stealing gaming accounts. Gamers put a great deal of effort into building their game characters and purchasing goods; gaining control of such accounts enables the account buyers to play at a higher level, benefiting from what the original gamers had already gained while sparing themselves the effort the gamers had invested.
A 2020 survey conducted by DreamHack and Akamai among 1,200 gamers revealed that 52% of the respondents have had at least one of their accounts hacked, and 70% have come across hacked accounts being sold online.
In its 2022 State of the Internet (SOTI) report, Gaming Respawned, Akamai further shares that it has tracked 821,648,208 web application attacks in the gaming industry from May 2021 to April 2022, representing an annual increase of 167%.
The vulnerability of gaming sites is compounded by the fact that gaming developers do not place sufficient emphasis on security; their primary concern is speed and quantity in releasing games.
Which types of attacks should cybersecurity for the gaming industry aim to prevent?
- Web application and API attacks – according to Akamai, since January 2021, the top three web application attack vectors targeting gaming were LFI (Local File Inclusion) – 38%, SQL injection – 34%, and XSS (Cross Site Scripting) – 24%. The company further stated that since April 2022, web application and API (Application Programming Interface) attacks were the largest attack category, and continue to increase in volume.
- DDoS attacks can adversely affect gaming performance, or even prevent gamers from playing altogether. According to Akamai’s 2022 State of the Internet (SOTI) report, gaming is the industry most affected by this type of attack, incurring 37% of all global DDoS attacks, almost twice as many as in the financial services vertical.
- Malware and phishing attacks are often perpetrated together in the gaming industry, where gamers are tempted with an advantageous “cheat” and unwittingly install malware and ransomware. Inventory and characters can also be stolen through a phishing attack.
- Credential stuffing attacks – to give an idea of the extent of the problem, Akamai has revealed that in the 17 months ending in March 2019, hackers carried out 12 billion credential stuffing attacks against gaming websites.
- Ransomware attacks – cybercriminals are known to put “hacks” and other virtual goods up for sale. Unbeknownst to the gamers buying them, these are actually Trojan horses intended for ransomware.
Is cybersecurity for the gaming industry also important from a regulatory compliance viewpoint?
Yes, it is. As gaming companies collect vast amounts of personal information and payment credentials, they are required to abide by strict regulations, including the GDPR (General Data Protection Regulation) and the global Payment Card Industry Data Security Standard (PCI DSS). Failure to comply with the GDPR places them at risk of heavy fines of up to 4% of their global annual turnover, or 20 million euro – the higher of the two.
Which attacks have taken place in recent years, justifying the need for cybersecurity for the gaming industry?
Examples of attacks highlighting the justification for implementing cybersecurity measures in the gaming industry are presented below.
- In June 2021, Infosecurity reported that hackers staged an attack against Electronic Arts (EA), a global leader in digital interactive entertainment headquartered in the USA. The attack was detected when the hackers published blog posts on underground hacking forums, offering 780 GB of data for sale. The stolen data included the source code for FIFA 21 and code for its matchmaking server, as well as source code and tools for the Frostbite engine, which powers the popular game Battlefield, among other EA games. The hackers also gained access to proprietary EA frameworks and software development kits; however, it seems that they did not steal any of EA customers’ personal data.
- About two and a half years earlier, in late December 2018, hackers targeted the popular role-playing game Town of Salem, which is streamed on the Amazon Twitch platform, and gained access to the entire player database. Forbes reported at the time that the breach impacted more than 7.6 million players, adding that the security firm DeHashed had disclosed that the total row count of that database was 8,388,894, and included some 7,633,234 unique email addresses. It further added that the compromised data also included usernames, IP addresses, game and forum activity, passwords and payment information. In this case, the perpetrators were unable to monetize the hack, as payments were handled by a third party. However, they could still use the data they had gained access to in order to launch phishing attacks, or sell it on the dark web.
Gaming companies failing to protect themselves adequately from cybercrimes place themselves at risk of great financial loss – both directly, and as a result of fines due to non-compliance with regulations and standards. They are also at risk of great harm to their reputation.
ACID’s state-of-the-art solution provides real-time alerts to cyberattacks waged against gaming companies, even as early as in their planning stage. The initial information provided, and the subsequent updates, enable the targeted companies to implement effective countermeasures, and maintain business continuity and profitability.