Game Security: Protecting Your Bottom Line
22 June 2020
For those of us who grew up before the true tech boom, the term ‘hacker’ and the idea of hacking as a viable, ethical professional field can sometimes be dismissed or misunderstood. It can conjure distorted images of shut-in, anarchist rogue agents with a flair for disruption. Sometimes we think of Hollywood images of Mathew Broderick in War Games or Johnny Lee Miller in Hackers typing prodigiously at computers faster than anyone realistically can type and crashing servers worldwide for personal gain or just for fun. Simply put, we have been trained to think of hacking as a danger to our way of life, not as a way to maintain or protect it. Thankfully, it isn’t 1983 anymore and attitudes to hacking have started to change, but we’ve still got a way to go before we all fully appreciate how important a role hacking and cybersecurity has in protecting the way we do business.
I don’t think it’s unfair to say that creators and publishers in the gaming industry are uniquely vulnerable to hacks and cybersecurity threats. Not only are our audiences highly tech-literate and naturally competitive individuals, our very business is built around hardware and software – so much of which is shifting to a fully online sphere. Long gone are the days of LAN parties and couch cooperatives played by teenagers in the summer months. We now live in an era of online, massively multiplayer, digital gaming landscapes and global gaming audiences with real spending power. And therein lies the threat.
So many people – often cybersecurity experts far more technically equipped than me – have spoken about the dangers of game hacking. As an industry we know about DDOS attacks, noclipping vulnerabilities, XP manipulation, and item duplication. We know what the threats to our games are and we know how they happen. But fewer people are talking publicly about the wider scale impact of this on business at large. We need to be thinking bigger. We need to think about the threat these elements can have on our bottom line – our business continuity and our profits.
Threats to Business Continuity
We tend to get stuck in a cycle here. A game becomes popular, popularity makes the game more competitive, this competition leads to players trying to find new ways to win which in turn leads to seeking out hacks and cheats. These hacks and cheats can often be bought on the black market as a means of advancing or winning in MMO games, for example. Of course, this makes the game not only unfair but untrustworthy. If a game can be exploited in one way, who knows how many ways it can be exploited (payment details, personal information, etc.). This, it goes without saying, leads to massive player drop-offs, damage to reputation, and ultimately into loss of revenue (if not legal action!). If a game finds and fixes these vulnerabilities – and if they can regain their reputation enough to encourage players to come back – often the cycle can start again with black hat hackers taking new security systems as some kind of challenge. It’s a destructive cycle that’s best avoided altogether by simply installing proper security measures from day zero.
In the midst of this storm, in most public conversations, talk tends to focus on the public liability. Player loss, player data, trust. These are extremely important pillars to build on, but they are also well-covered ground, we need to talk more about the real impact these hacks also have on revenue.
Let’s take a ‘harmless’ bug like item duplication for example. If a player can clone a high value item – let’s say a sword – sure, they are gaining an unfair advantage on other players and that alone is reason enough to act. At the same time as this, however, there is the hidden cost to the developer of this item duplication. If your game works on a microtransaction or in-game spending model, these items usually cost money and every duplicated item is eating into profits. If left unchecked, this can destroy a game both from an inside player-level perspective and from the external business perspective. Especially for indie developers relying on these kinds of revenue streams to keep afloat (or even to fund the next passion project), erosion of profits from in-game hacks can be a death sentence.
In addition to this, allowing players to foster their own in-game black market is a practice in dancing with the devil. Despite this being outside the realm of liability for most developers, it just takes one player to take advantage of another for the whole house of cards to fall. Players who have been ripped off or exploited are going to turn to support teams and developers to report black market issues even if they are openly condemned in a game’s policy. Publishers will be held accountable publicly for allowing these kinds of attacks to happen.
This is just one kind of revenue eroding attack. There are so many out there and the list of ways hacking can impact profits grows almost daily. What’s the solution? Don’t allow room for this activity to grow, embrace the ethical hacking community and project your profits by protecting your players.
Ethical Hacking is Protecting Your Profits and Reputation
The hacking community has flourished since those first depictions in Hollywood films. Even within the confines of the games industry, we have true gaming cybercrime specialists who use the same tactics as the bad apples who crash servers, steal personal data, and eat into a game’s profits and reputation to protect developers and players alike. As ethical hackers, they strive to use their skills to find, report, and remove in-game vulnerabilities that pose a threat to players and business continuity.
Security like this can work on two levels. The go-to method should always be to build security into applications and code from the ground up, integrating native security specialists into a development team from day one and having them test and implement security measures as the game is being built. This proactive approach gives a game a natural head start in terms of security because it doesn’t allow a culture of hacking to grow around it. If, for example, a major vulnerability is found in a game’s code, even if it is fixed, players are likely to keep trying to find new and unexpected ways to perform the given hack again or discover new ones.
That doesn’t mean of course, on the other level, that security applied after the fact is ineffective. Penetration testing teams very rarely are brought in from day one and yet are still incredibly effective in finding and eliminating 90% of potential vulnerabilities and injection points. Sometimes introducing a team that is independent of in-house development teams can even be a benefit, providing a fresh pair of eyes to find holes or inconsistencies in code an in-house developer may pass over from sheer over-familiarity and exposure to a game’s code from working with it day in day out.
Regardless of what stage of the development cycle an ethical hacking or security team is introduced, the important point is that an expert pair of eyes – knowledgeable in how, where, and why games can be attacked – is invaluable in protecting a game’s in-app and code security in a way that non-security literate developers may not be.
While it is becoming par for the course in larger development and publishing houses to integrate cybersecurity at the development stage, I believe we are still lagging a little behind in fully adopting penetration testing and digital security measures industry-wide. Security should never be an after-thought when building a game. It should be a must-have priority right from a game’s inception, handled not by developers but by native security experts with a proven background in cybercrime prevention. This is how we protect our profits, our players, and the lifecycle of our games for years to come. Staying safe, staying secure, and staying vigilant.