Wednesday, June 26, 2013

Account security and gaming: I don't wanna be hacked!

Last week, someone commented on my How to fix WoW article, asking about account security.  Ironically enough, the comment came from a spam bot, but it's a great topic and definitely relevant to what has happened to gaming accounts over the past couple of years.  There are some really easy ways to reduce your risk and limit the damage if one of your accounts is compromised.  Here are a few tips on what to do.

  • Use a strong password

This is probably the easiest and biggest thing anyone can do to make their account more secure.  I interviewed Mark Beard, a network security consultant for the security consulting firm Network Security Professionals Inc. (NetSPI). He says that strong passwords make your account much harder to compromise. "What's convenient for you is also more convenient for a hacker.  You have to keep a balance between convenience and security."  A good password has the following traits:
  • Make it as long as the service allows.  Longer passwords are more difficult to brute force: every extra character multiplies the number of possible passwords by the size of the character set.  "It's very cheap to build a powerful server to crack passwords," Beard said.  "We built an internal server for client testing purposes."  A cracking box like that only comes into play once an attacker has already broken into a company's back end servers and stolen its password database.  At that point the strength of your password decides whether your hash gets cracked and the recovered password tried against your other accounts.
  • Contains numbers, special characters, and both capital and lowercase letters.  Using all of the above, an eight character password has over 722,000,000,000,000 (722 trillion, 72^8) variations, and a ten character password has over 3,740,000,000,000,000,000 (3.74 quintillion, 72^10).  These numbers are based on a-z, A-Z, 0-9, and !@#$%^&*(), a total of 72 possible characters.  When the characters are chosen at random, such passwords are practically impossible to guess by hand and far harder to crack.
  • Doesn't contain any actual words.  Hackers shorten their wait with what's called a dictionary attack: a list of predefined words (and common variations of them) is tried as the password, one after another.  "A dictionary attack is quick and dirty, and can yield quick results," Beard said. "It's the hacker's quickest bang for his buck."  Dictionary attacks aren't always the best option, however. "It's very easy for a hacker to get caught using a dictionary attack."  That is true against a live login page, where thousands of failed attempts stand out; against a stolen password database there is nothing for anyone to notice.  Either way, keeping real words out of your password minimizes your risk.
  • Rotate your passwords.  Changing your password on a regular basis limits how long a password that has already leaked stays useful; it does not make the password itself any harder to crack.  From talking with Mark, he recommends a password cycle of once a month.  Just as important, never reuse a password, especially across different services: a password stolen from one site is routinely tried against every other site, so one breach becomes several.
  • Examples of weak passwords: "GoYanks!!1", "thisisastrongpassword", "password", "12345678"
  • Example of a strong password: "Ux48&wGC16?#"
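To put numbers on the traits above, here is an added example (my own code, not anything from the interview or from NetSPI) that computes the size of the search space for the article's 72-character alphabet, sizes the search the way an attacker would for a given password (only the character classes it visibly uses), flags dictionary words using a small constructed wordlist, and generates a random password with the operating system's CSPRNG.  The 1e9 guesses-per-second figure is an assumption standing in for a GPU rig against a fast, unsalted hash.

```python
import math
import secrets
import string

# The character set the article counts: a-z, A-Z, 0-9 and the ten
# symbols !@#$%^&*(), 72 characters in total.
ARTICLE_SYMBOLS = "!@#$%^&*()"
ALPHABET = string.ascii_letters + string.digits + ARTICLE_SYMBOLS

# Character classes an attacker can pick for a targeted ("mask") search.
# The "other" class catches printable punctuation outside the article's set.
CHAR_CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": ARTICLE_SYMBOLS,
    "other": "".join(c for c in string.punctuation if c not in ARTICLE_SYMBOLS),
}

# Constructed toy wordlist; a real cracking dictionary has millions of entries.
TOY_WORDLIST = {"password", "strong", "this", "yanks", "qwerty", "letmein"}


def keyspace(length, alphabet_size=len(ALPHABET)):
    """Number of distinct passwords of `length` characters over the alphabet."""
    return alphabet_size ** length


def seconds_to_exhaust(length, guesses_per_second, alphabet_size=len(ALPHABET)):
    """Worst-case time for an attacker to try every password of this length."""
    return keyspace(length, alphabet_size) / guesses_per_second


def effective_alphabet(password):
    """Total size of the character classes actually present in the password.

    A brute-forcer does not search all 72 characters when the password
    visibly uses only digits; it searches the classes it needs.
    """
    return sum(len(chars) for chars in CHAR_CLASSES.values()
               if any(c in chars for c in password))


def contains_dictionary_word(password, wordlist=TOY_WORDLIST, min_len=4):
    """True if a wordlist entry appears anywhere in the password (case-insensitive)."""
    lowered = password.lower()
    return any(word in lowered for word in wordlist if len(word) >= min_len)


def assess(password, guesses_per_second=1e9):
    """Summarise the password from the attacker's side.

    guesses_per_second defaults to 1e9 (assumption: a GPU rig against an
    unsalted fast hash such as MD5); a slow hash like bcrypt is several
    orders of magnitude lower.
    """
    alpha = effective_alphabet(password)
    bits = len(password) * math.log2(alpha) if alpha else 0.0
    days = seconds_to_exhaust(len(password), guesses_per_second, alpha) / 86400
    return {
        "length": len(password),
        "effective_alphabet": alpha,
        "entropy_bits": round(bits, 1),
        "brute_force_days": days,
        "dictionary_words": contains_dictionary_word(password),
    }


def random_password(length=12, alphabet=ALPHABET):
    """Generate a password with the OS CSPRNG (secrets); random.choice is not suitable."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    print(f"72^8  = {keyspace(8):,}")
    print(f"72^10 = {keyspace(10):,}")
    for pw in ["12345678", "password", "thisisastrongpassword", "GoYanks!!1", "Ux48&wGC16?#"]:
        print(pw, assess(pw))
    print("generated:", random_password(16))
```

Running it shows the two halves of the argument side by side: "thisisastrongpassword" has a large search space on length alone, but it is built from dictionary words, so a wordlist attack finds it long before brute force would; "12345678" is exhausted in a fraction of a second because only the digit class needs to be searched.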
Once you have a strong password, make sure it doesn't fall into the wrong hands.  Use a password manager to store it, and never write it down; a password on a sticky note is just waiting to be copied by whoever walks past.  Actually, that's a great segue into:
  • Don't share account information with the world

This guy may be protected, but you're not him.  Don't be like him.
It turns out there's an ounce of wisdom in all those announcements in online games.  Account sharing is one of the biggest ways someone else gets into your account.  All it takes is a username and password shared with the wrong person to expose your account and give someone else full access.  Sending account details electronically, whether by email, in-game chat, or a forum private message, is just as dangerous: whatever you send can be logged, forwarded, or read by whoever compromises the recipient.

While this next part is not intended to be an anti-piracy rant, pirated software is one of the easiest ways to get a keylogger or other malware on your computer.  The malware is usually bundled into the crack that bypasses the software's licence check, and once it runs it opens a connection to a server the attacker controls to download and install more malware.  There may be plenty of cracking groups that release clean software, but there are thousands more that bundle malware.  Unless you are prepared to assume that kind of risk, don't take it.

  • Use multi-factor authentication if it's available

In addition to using a strong password and staying away from malware that can steal your data, there are additional ways to keep gaming accounts more secure.  Many game companies already offer a second verification step via email, text message, or other options.  Both Blizzard and Trion Worlds offer authenticator apps for iOS and Android devices, as well as keychain versions of these authenticators.  If you have the means of getting one, seriously consider it.  It's worth it.  Steam emails an authentication code to the address on file every time it detects a new computer logging in with your account.  Microsoft recently rolled out extra authentication measures that it calls "proofs" to all Live accounts; when setting up the proofs, Microsoft gives users the option of phone call, text message, and/or email verification.  Adding a second factor like this goes a long way toward keeping unwanted visitors out of your account.  It also blunts brute force and dictionary attacks against the login: even a correctly guessed password isn't enough on its own.

  • Protect your credit card data

Two of the major console manufacturers have had their share of account incidents in the past three years.  Sony saw the personal data of tens of millions of PlayStation Network accounts exposed when its servers were compromised by an attacker or a group of attackers, with credit card numbers possibly among the data taken. Microsoft also found itself dealing with the fallout of account hijacking and fraudulent purchases.  As Xbox Live users found out, it's not always a good idea to keep a credit card on file, especially when someone else has access to the account.  Most game companies offer prepaid cards for their services, usually run through a company like FastCard or a similar service.  Paying with prepaid cards instead of keeping a card on file keeps your credit card data out of the company's database, and therefore out of a hacker's reach, reducing the likelihood of fraudulent charges.  If you already have a credit card tied to an online gaming account such as Xbox Live and the service won't let you remove it yourself, the fallback is to wait until the card expires and then not update the card information.  At that point the card drops off the account and disappears from the company's servers.

  • Don't fall for phishing scams

If you check your spam folder on a regular basis, you've probably seen emails from "Blizzard" saying that your World of Warcraft account has been temporarily suspended and that you need to log in to reactivate it.  The email includes a link to "log in" to your account.  The link, however, takes you to a fake site whose sole purpose is to collect usernames and passwords, a process known as "phishing."  This is such a common occurrence that Blizzard has a whole article dedicated to it.  For just about every game service out there, the companies that run them have clear policies about how they contact the people who play their games.  Most, if not all, will never ask a user for their password, and they will never lock an account and require the owner to unlock it through a link in an email.  If an account does get locked, it usually takes a phone call and/or email with a specific support department.  The safe habit is to ignore the link entirely and type the service's real address into your browser yourself.  This is another great reason to set up multi-factor authentication: even with a username and password, a hacker without the authenticator can't get in.  One caveat: a phishing page that asks for your one-time code and relays it to the real site right away can still log in during the few seconds that code is valid, so an authenticator makes phishing much harder but doesn't make checking the link unnecessary.
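The check you should be doing on the link in such an email is easy to automate, and here is an added example (my own code, not Blizzard's tooling or the article's) of the two tests a practitioner applies: whether the host the browser would really connect to is the service's own domain or a subdomain of it, and whether the visible link text names a different host than the href underneath it.  The trusted domains, the sample email body and the `198.51.100.7` address are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts the game company really uses; assumption for the example.
TRUSTED_HOSTS = {"battle.net", "blizzard.com"}


def link_host(url):
    """Hostname the browser would actually connect to for this link.

    urlsplit handles the classic tricks: user@host (the part before the
    '@' is ignored), ports, and trailing paths that mention a real domain.
    """
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def is_trusted_link(url, trusted=TRUSTED_HOSTS):
    """True only if the host is a trusted domain or a subdomain of one.

    'battle.net.account-verify.example' ends with 'battle.net' as a string
    but not as a domain, so the check requires an exact match or a '.' + domain suffix.
    """
    host = link_host(url)
    return any(host == t or host.endswith("." + t) for t in trusted)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html_body, trusted=TRUSTED_HOSTS):
    """Return (href, visible text, reasons) for each link that is untrusted
    or whose visible URL points at a different host than the href."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        reasons = []
        target = link_host(href)
        if not is_trusted_link(href, trusted):
            reasons.append("destination host %r is not trusted" % target)
        if "://" in text and link_host(text) != target:
            reasons.append("visible URL %r does not match destination" % text)
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample phishing email body, not a real message.
SAMPLE_EMAIL = """
<p>Your World of Warcraft account has been temporarily suspended.</p>
<p>Please <a href="http://battle.net.account-verify.example/login">log in</a>
to reactivate it, or use the link below:</p>
<p><a href="https://eu.battle.net@198.51.100.7/login">https://eu.battle.net/login</a></p>
<p>Support: <a href="https://us.battle.net/support/">https://us.battle.net/support/</a></p>
"""

if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL):
        print(href, "|", text)
        for r in reasons:
            print("   -", r)
```

In the sample, the first link fails because its real host is `battle.net.account-verify.example`, and the second fails twice: the browser would connect to `198.51.100.7` (everything before the `@` is userinfo, not a host), and the visible text claims a `battle.net` address.  The genuine support link passes.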

Now, all of this information is fine and dandy, but there's one thing more important than anything else when it comes to keeping data secure.  Most attackers are opportunistic: they go after whichever accounts are cheapest to break into and have something worth taking.  "If someone is trying to break into your account, and you're making it difficult for the attacker, they are more likely to give up and go after an easier target," Beard said. "It's kind of like that joke with the lion and the two best friends. 'I don't have to be faster than the lion, I just have to be faster than you.'"
