Many gaming companies and gaming-related websites prioritize user experience and easy access above security and strong authentication. They have found that increasing friction at login can drive customer attrition, which then translates into decreased revenue. But are they taking security seriously enough?
This is a theme Enzoic’s CTO, Mike Wilson, recently explored in a conversation with Threatpost’s Tom Spring. The resulting article, “Gamers Are Easy Prey for Credential Thieves,” highlights the gaming industry’s security conundrum and outlines why someone would pay a criminal for stolen gaming accounts in the first place.
Why would a criminal even want to access your gaming account?
Gaming credentials are lucrative, especially in larger numbers. They can be worth a surprising amount depending on the type of game, the hashing algorithm used to store the passwords, and what is on the account. Here is a sampling of how much some gaming accounts sell for on the dark web:
- Fortnite combolists: 100K credentials for $5
- Fortnite accounts: 6.50-900.00 eur (depending on skins on account)
- Minecraft accounts: $0.10-40.00
- League of Legends accounts: $4-115 (depending on skins and level on account)
- Apex Legends accounts: $2
- The Sims accounts: $3-4
- Origin accounts: $1.50-6 (depending on games available on account)
- Uplay accounts: $1
- Grand Theft Auto accounts: $8.50-12.50
- PlayerUnknown’s Battlegrounds accounts: $15-28
- ARK: Survival Evolved accounts: $20
- Call of Duty accounts: $15-26
- Steam product keys: $6
By comparison, here is a sampling of other types of accounts:
- Google Cloud accounts with $100+ credit – $6
- PayPal Account with $100 balance – 13 eur
- PayPal Account with $500 balance – 80 eur
- cryptocurrency accounts – 94 eur
- Western Union account – 30 eur
- Netflix account: $3.00-4.00
- Hulu account: $0.50-10.00
- Sling accounts: $5.00-15.00 (depending on lineup)
- HBO accounts: $3.00
- Creative Cloud account: $10.00
- Porn accounts: $3-10
- VPN accounts: $1-5
- Streaming video accounts: $3-7
- Streaming music accounts: $0.50-3
- Spotify accounts: 1-2 eur
- Pizza accounts with reward points: $.50-18.00 (depending on points on account)
- AT&T Uverse – 10-12 eur (depending on lineup)
- DirecTV Now – 8-15 eur (depending on lineup)
- Grubhub with CC – 4 eur
- Fandango with CC – 2 eur
- Starbucks accounts with $100 – $25
Why is the Gaming Industry at Risk?
Another recent piece of Enzoic media coverage analyzes the key factors that make the gaming industry so vulnerable. As our CEO, Michael Greene, wrote in an opinion piece for VentureBeat, gaming is particularly susceptible for two main reasons:
- Gaming sites use weak authentication security measures during login, and since so many users reuse passwords, criminals can easily access their accounts using stolen credentials.
- Many gamers use weak passwords on gaming sites because they are young and don’t know better, or because they feel there is really nothing of value in their account.
The good news is that Akamai saw a slight decline in gaming accounts for sale on the dark web between 2017 and 2018, which could indicate that the gaming industry is starting to take security more seriously. When gaming sites hash their passwords with more complex algorithms, the stolen credentials are worth less on the dark web, which makes them less lucrative for criminals.
How can gaming sites improve security at login without creating user friction?
Besides using more complex hashing algorithms, the gaming industry can adopt newer, low-friction authentication methods.
Because most people reuse passwords across multiple sites, credentials for non-gaming sites can be used in credential stuffing attacks against gaming sites and vice versa. Increasingly, gaming sites are quietly screening user accounts for compromised credentials. When an account is found to be using compromised credentials, the gaming site can either make the user reset their password or limit access within the account (for example, by hiding credit card data) to reduce the threat.
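The sketch below is an added example, not Enzoic's or any gaming site's code. It shows one way to screen at login, the only moment the site holds the plaintext password. The breach sets, function names, iteration count, and the choice to map an exact username-and-password match to a reset and a password-only match to restricted access are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed PBKDF2 work factor; tune for your hardware

def sha1_hex(value):
    # SHA-1 is used here only as a lookup key into breach data, never for storage.
    return hashlib.sha1(value.encode("utf-8")).hexdigest()

# Constructed sample breach data (not real leaked values). A deployment would
# query a maintained breach corpus or screening service instead.
BREACHED_PASSWORDS = {sha1_hex(p) for p in ("password1", "fortnite123", "qwerty")}
BREACHED_PAIRS = {sha1_hex("kid_gamer:fortnite123")}

def hash_password(password, salt=None):
    """Slow, salted hash for storage, so a stolen database is costly to crack."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest

def verify_password(password, salt, expected):
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)  # constant-time comparison

def screen_login(username, password, salt, stored_digest):
    """Return 'deny', 'force_reset', 'restricted' or 'full' for a login attempt."""
    if not verify_password(password, salt, stored_digest):
        return "deny"
    # The user sees no extra step: screening runs silently after a correct login.
    if sha1_hex(f"{username.lower()}:{password}") in BREACHED_PAIRS:
        return "force_reset"  # this exact pair is circulating in a combolist
    if sha1_hex(password) in BREACHED_PASSWORDS:
        return "restricted"   # e.g. hide stored card data until the password changes
    return "full"
```
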
For more on security in the gaming sector, see the following articles:
Threatpost: Gamers Are Easy Prey for Credential Thieves
VentureBeat: The Video Game Industry is a Black Hole for Cybersecurity
Learn more about how your site can screen for compromised credentials or passwords.