Gaming has come a long way since the arcade games we played on Nintendo. Thanks to Virtual and Augmented reality, Gamers now get to experience the game instead of just playing.
But let’s not forget, with great innovations comes an even greater threat.
Here are some stats that throws a light on the importance of security testing for Games.
In 2021, Hackers broke into Electronic Arts and stole the source code of FIFA 2K21.
In July of 2022, a breach happened, and hackers stole player credentials of Roblox, Bandai Namco and Neopets from the servers.
5% of monthly traffic in gaming consists of some form of DDoS attack.
In the period of July 2020 to June 2021 alone, around 69,244 malware files were distributed amongst gamers, snowballing into infection attempts numbering in the hundreds of thousands.
The most popular games for malware and phishing attacks were Among Us, Minecraft and PUBG Mobile.
These recent attacks reveal one thing – The need for Game Security Testing.
Most game developers push game releases to meet marketing deadlines without proper testing. This leads to data breaches. So, what do hackers do with this data and why is game security testing more important than ever? You can learn more about them in this quick read.
Types of data games collect from players
Data has become the focal point in this digital era, it is considered to be more valuable than Oil, which is why hackers target them.
Back in the day, you could simply purchase the game and start playing, all you needed was a Desktop or a Gaming Console.
But things have changed now, Games are now hosted on servers. Gamers need to sign in with their credentials to play the game. And let’s not forget the rise of online games in the last decade. These games require more than just an email and password, here’s the list of data it collects from players.
Bio-data: Most AAA games have a PEGI/ESRB-approved age rating. Mobile and online games often collect your name, age and email ID, as their Terms require that of Service and End User License Agreement.
Financial data: To enable smooth completion of in-game microtransactions, games may store your credit card/online wallet details. In recent times, game security testing has emphasised this aspect significantly.
Usage statistics: Ever since the gaming industry jumped to the cloud and digital software, tracking player activity has become more streamlined. Aside from in-game statistics like the number of hours played and wins and losses; games also actively place your records against your friend network to bring healthy competition into the mix.
Behavioural/Social data: Some games can opt to track in-game activity in terms of gameplay choices to construct a rough profile of the player.
Geo-data: Games with worldwide server networks will often require you to specify your region to access more tailor-made content. This naturally divulges more information about your real-world location.
In simple words, a game collects almost all necessary information about an individual. Interesting thing is that even social media platforms don’t collect this much data from their users.
Types of Security Issues of Games
All those sensitive data related to a player can be siphoned off within seconds just like the Roblox attack and sold for a price if the server isn’t secure.
And not just servers, here are some interesting security issues that the world of gaming,
Phishing – Phishing is a social engineering technique involves sending a fraudulent (e.g., spoofed, fake, or otherwise deceptive) message to trick a person into divulging sensitive information to the attacker or to install malicious software on the victim’s infrastructure.
SQL injection – A technique that allows an attacker to interfere with the queries that an application makes to its database and lets him view, modify or delete the data causing changes in the application functionality. SQL injections can also be performed on the web server.
Local File Inclusion (LFI) attacks – In a LFI attack, an attacker tricked a web application into exposing sensitive information, resulting in cross-site scripting (XSS) and remote code execution (RCE).
Account takeovers (ATO) – Cybercriminals use stolen passwords and usernames to take control of online accounts.
DDoS attacks – By flooding a server, service or network with Internet traffic, a malicious attempt is made to disrupt the normal operation of the targeted server, service or network.
In-game data theft – A technique where the attackers attacks the server and steals in-game resources like gems, gold, coins etc.
Almost 90% of these attacks can be prevented if the developers had performed Game security testing, the only exception is Phishing, users are the ones responsible for that.
Security Threats of Modern Gaming Ecosystems
This refers to the criminal act of leaking private & confidential information about a game player, often with malicious intent. This presents a severe threat in games intended for a wider, younger audience (e.g. Minecraft, Fortnite).
There have been countless instances of infected files gaining access to gamer profiles, usually from illicit third-party software downloads. Game security testing faces a whole gamut of malware, including ransomware and spyware, posing potential cyberstalking threats.
Listening & Tracking:
In games that include voice chat communication between players, negligent usage can leave a backdoor for hackers to gain sensitive information.
Impact of Real-life Scenarios of Security Attacks in Gaming Industry
Part of the threat factors in-game security testing stem from the reality that not even the biggest players in the industry are safe from the line of fire.
Example 1 – 2021 Cyber-attack on Electronic Arts server.
Hackers broke into the EA server and stole the source code and internal tools for the Frostbite engine which powers multiple EA games. EA responded to it by admitting that there was a data breach and a small number of source codes, SDKs, and game frameworks were stolen.
Impact – Though EA didn’t admit it publicly, Hackers claimed that they stole more than 780GB of data including user credentials. They even released screenshots to prove their claim. Cybersecurity experts criticized EA, saying that EA’s domain was vulnerable for months and despite the warning, EA took no action which ultimately led to the breach.
Example 2 – 2022 Cyber-attack on Roblox
Cyber-criminals hacked into Roblox and stole sensitive information as part of an extortion attempt. Roblox reacted to it quickly and sought the help of experts to secure their servers and enhance them to identify future attacks beforehand.
Impact – Cyber criminals claimed to have stolen 4 GB worth of sensitive game information and user credentials. They tried to negotiate a deal with Roblox – money in return for the stolen data. But Roblox refused to pay the ransom to those cyber-criminals, it is believed that the stolen data was sold online, but Roblox has refused to comment on them.
Other similar examples:
World-renowned game studio Ubisoft made headlines this year by announcing a company-wide employee password reset.
On the cusp of their big-budget Cyberpunk 2077 release, developers CD Projekt Red (CDPR)’s internal network faced a hacking incident.
Big or small, gaming security is a non-compromisable aspect for every developer. In that regard, how effective is game security testing as a line of defence?
Importance of Game Security Testing
Server Security: DDoS attacks typically target game servers to induce latency and shut them down. Dedicated game security testing can mitigate these attacks effectively.
Game UI Authenticity: Running comprehensive tests on game UI and features can identify potential loopholes and backdoors in the ecosystem. This brings the dual benefit of rectifying bugs and glitches while making the game more secure.
Increased Data Security: Game security audits allow testers to adapt to evolving cyber threats and introduce countermeasures.
QAonCloud: Holistic Game Security Testing Solutions
Game Security Testing guarantees a better, safer gaming experience for your player base. Games should bring us happiness and not misery. Lack of game security testing will only lead to the loss of sensitive information that can be detrimental to both the developers and gamers.
At QAonCloud, we offer 360-degree security testing solutions specifically catering to game ecosystem requirements. We leave no stone unturned through extensive scanning based on competitive benchmarks to ensure your creative output remains untainted by external threats. We offer:
– Vulnerability Scanning to identify potential gaps in game security.
– Penetration Testing for real-time security audits.
QAonCloud offers a comprehensive suite of game security testing services. Visit our website www.qaoncloud.com to know more!