Security issues in Online games - Thesis Example

? Security Issues in Online Gaming by 24/09 Contents 3 Introduction 4 Background 6 History of Online Games 6 Business Model of Online Games 7 Massive Multiplayer Online Games 8 The need of security 9 Different kind of people who threaten security. 10 Security Issues 11 Literature review 11 Compromising Accounts 12 Protection Methods 13 Legal Protection Available 13 Creating Strong Authentications 14 Blizzard Authenticator 15 Dial –In-authenticator 15 Monitoring Players for Bots 16 Regular Updates to Users 16 Victim Support 17 Room for Improvement 18 Conclusions 18 References 19 Abstract This thesis deals with the security issues in online gaming. The thesis gives background information about online gaming. The history of online gaming is discussed along with the major security issues which are being faced by online games. The thesis basically deals with MMOs and the complexities being faced by them. We also discuss the different business models being used by online game developers and how they differ from the traditional video game market. These security threats are analysed in detail with the help of available literature. We try to see the different kind of threats to cyber security, the pole who pose a threat and how to identify them and the most important topic which will be discussed in this thesis is how to solve the security issues that exists in online games. The different legal and technical methods to fight cyber criminals have been discussed in the article. We also talk about methods such as providing education to the consumer and the benefits of it. Hacking issue and lose of accounts by online game players to hackers has been a major issue and this has been discussed in the thesis. We try to find out the different methods of authentication which might be used in order to increase the effectiveness and prevent false log on. We have also discussed the advantages of providing automatic patches improving the security as and when required. Some important methods used by companies such as blizzard to monitor the player and the ethical issues associated with such monitoring are also discussed in the thesis. We end the thesis by discussing the areas of improvement and what can still be done to improve the security of the online games. Introduction Online games have taken the world of computers by storm. Gaming remains one of the main drivers of computer technology. It has grown like wild fire over the last 10 years and online gaming can now be found in millions of households According to Microsoft gaming is the third most important source of revenue for them on their platform after web browsing and email checking. According to Price Water copper the video game industry earned $41.9billion in 2007 and the sales is expected to cross $68.3 billion by 2012. (Mulligan, 2003)The online gaming industry’s contribution to these figures is approximately $6.6billion and is increasing day by day. Along with the growth of internet, online gaming as also increased and along with this increase there have been the host of issues mostly concerning problematic and pervasive computer security issues. Online gaming started off as mainly single player games but this trend has changed recently and the games of today involve multiple players at the same time. Online security games and especially massively multiplayer online role playing games (MMORPG) suffer from such security issues directly. Some of the examples of MMIRPG games which are extremely popular among the youth are world of War crafts, second life, Everest quest, EVE online e, Star Wars and Ultima online. As the number of players grows the games are faced with the issue of authentication and cheating. If either one of these fails the credibility or the business of the game are at stake. Online gaming provides an experience which games played by a single user or even by multiple users cannot provide. One of the most important aspects of online gaming is the fact that a player is able to compete against anyone in the world. This is a big motivating factor for many players and they spend hours trying to compete with unknown faces a try to be best. Online games are also anonymous and some of the games like “Afterlife” allow a user to be free of his inhibitions and become what he likes to be. These games fill an emotional void in the life of individuals which is not being filled by the real world nowadays. Online games have created fanatics who are absolutely mad about these games .Some games are hugely popular and help people to interact with people from all over the worked using this gaming platform, although the quality of this interaction is suspect as the main focus is on playing and winning the game. Some online games have also introduced digital items such as online currency. This currency can be exchanged between players thus attaching immense monetary and emotional value to the account of each player. As the items collected are tradable, sometimes in lieu of real currency; these account become target of cybercriminals which try to steal away these accounts from the players. As the threat to the accounts increases so does the need to improve security of the account and make them safe from any outside attacks. us we will try to address the following issues in the thesis in a nutshell. All the research done on the following topics will be based on secondary sources and review of the available literature. (Castronova, 2011) History and background information on online games Business model of online games and why they are target of Cybercriminals Level of security needed for online games Security issues currently being faced by online games Protection against the above discussed issues Room for improvement. Background History of Online Games The first computer games such as NIMROD, OXO were single or at the best two player games that could be played by sitting at single computer. Later with the advent of time sharing technique in computers multiple users could share a computer and thus the number of users which could play a game increased substantially. Soon the invention of modems made sure that users didn’t need to sit in the same building s the computer .The advent of online gaming can be said to be practically dependent on the time sharing technology. As time sharing technologies have improved and progressed over the years; the games have become capable of handling more and more players. Many games can be played by hundreds of players nowadays. In1984 CompuServe launched Islands of Kesmai which was the first commercial multiplayer online role playing game. The game was able to process one command in every 10 seconds. Habitat can be said to be the first attempt at a large scale commercial virtual community which created a parallel world for the users. The 190s was the era in which the online games really came to the force with the burst of MMORPGs .As the number of games increased and the system performance, sped of playing and the graphics and the speed of the internet improved the advantages of playing games online started to outweigh the disadvantages. This led to the creation of games which created the imagination of million so f customers and also earned immense revenue for the company. Business Model of Online Games Developers use different business models in order to deploy and promote their games. It is necessary to study these business models as each type of business model will face different security issues.Chen et.all categorise business model into three groups .a fourth business model has also been explained in this thesis. The fourth business model has come to the fore recently and is becoming quite popular. One time charge – This is the most often used method to sell games whether online or offline. The customer pays only once for the game just like the way he purchases the compact disc containing the game. Once the charge has been paid, the user is free to play the game as many times as he wants. Charge for services – Many online games distribute the game software free of charge to anyone who wishes to play the games but a fee is charged for the various services that might be required by the player during the game. This business model almost solves the problem of piracy of the game software as the software is essentially given free to the consumers. Charge for game software as well as the services – These types of games is usually few and very popular. They ask the user to pay one time fees and also charge the user for any services or events which are to be performed during the game. Free to play – This model of gaming does not extract any charge on the player. This model tries to earn revenue through advertisements or micropayments. Micropayments are made by the players to gain an edge in the game over the competitors. Massive Multiplayer Online Games Massive multiplayer online games or MMOs support and allow a large number of players to play the game at the same time. MMOs allow the different players to co-operate and compete with each other via the game. These games virtually create community on the internet which the gamer identifies with and develops an emotional bond with. The most important type of MMO is the MMORPG. Hoglund and McGraw says that MMORPGs are very interesting case study in the world of software security as these games are made up of sophisticated software built around massively distributed client server architecture. In order to get an idea about the number of users who play MMOs the amount of paid subscription for MMos was about 16 million in 2008.Blizzard entertainment has announced that the number of subscriptions to its online game World of War craft has crossed 12 million subscriptions in 2010. MMORPGs are unique in the aspect of creating a virtual world for the player. This virtual world consists of different items which are very valuable for the players in the game. These virtual items are constantly traded among the players .The walrus magazine in 2004 claimed that GNP of Ever Quest , which was measured by the wealth created by all the players in the game came out to be $2,266 per capita. This would have made Ever Quest the seventh richest country of the world if it had existed in the real world. This gives an idea of the value of the virtual items traded in the games and how much are accounts with huge sums of money lucrative targets for cybercriminals. Cheating and hacking have become a part of these virtual items due to the huge amount of money involved. (Carless, 2004)The real economic value of the items lies in their trade. Most games allow players to sell their items which they have collected to other players for real money. Game play in itself becomes less important as virtual items and experience items have more value. Many sweatshops have opened on the web which sells these items to the players to gain an edge in the virtual game. This leads to a lot of activity among the hackers in order to cheat the system and gain the points undetected by the system. The need of security In order to understand the need of security for online games we can take the example of World of War craft. There is a lot of client-server and real time interactions which regularly take place, opening up the chance to intercept, change, add and remove the messages which will directly affect the game and decrease its popularity if glitches occur on a regular basis. The second issue is that of virtual items which can be traded in the real world as discussed previously and the third reason for security is that that player base of this game is huge. So it is an ideal base to strike at for hackers and criminals. Cyber criminals love to affect as many people with their viruses as possible and a number of people connected to play a game are a dream come true for such cyber attackers (Davis, 2009). A game which is fair and free from attack of hackers and cyber criminals will attract more and more players. However as the number of players increase so will the hackers who try to penetrate your defence. Matthew Pritchard discusses two rules regarding this – if you build a good game; the hackers will come and the number of hacking attempts will be directly proportional to the success your game has. Another reason why security is very essential in online games is the need for protecting the privacy of players. Some players are very protective of the virtual world they have created for themselves. They do not want even their friends and family to know what role are they playing in afterlife(the virtual real life game).The protection of this privacy is important not only to increase the popularity of the game but is also the responsibility of the gaming company according to law. Different kind of people who threaten security. MMOs are being placed by people of all age groups and almost all nationalities. (Foxtrott, 2011)How do we segregate the players who have come with the intention of harming the security of the game? When it comes to cheating Been-Lirn duh et. All claim that little is known about the motives that drives people to cheat or hack. People behave in a completely different way on the net under anonymity than they behave in the real world where they are constantly under the glare of other around them. However we can classify the threats according to their motives – (Fujita, 2008) Hackers who wish to test the limit of the software and want to show off Criminals who make a living out of it Pranksters just like in the real world – they want to create nuisance online too Occasional cheating by honest players to gain an edge in the game Security Issues Apart from cheats various other terms may be used for security breakdown issues in the online games. These terms may be hacking which means remotely breaking into computers, exploit (take advantages of bugs, glitches and vulnerabilities), cheat (playing unfair to gain an advantage) and attack which is the term to be used when dealing with security issues. The difference in security issues is between cheat and attack. A cheat may be identified as any attempt to gain unfair advantage in the game by the player .This is basically same as cheating in the normal sense. An attack on the other hand can be compared to robbery. In this a particular player or a hacker attacks and tries to capture the resources which rightfully belong to other player. He tries to get hold of his account in order for an attack to be successful. Once the account details are compromised, he can access all the virtual items as well as the personal information which the user might have used in the game. (Griffiths, 2003) Security issues in online gaming are relatively new and this research topic is also new. Online gaming as a phenomenon is just 10 years old as we have discussed in the introduction part. Due to this limited amount of research is actually available in this topic. Literature review There have been many efforts made in order to provide framework for online cheating. One of the most commonly cited framework for cheating has been given by Matthew Pritchard and consists of six categories. an and choi later increased this framework and increased the categories to 11.The number of categories were further increased by Yan and Randell to 15.the basic framework consisting of the original six categories which are mentioned below w- (Himma, 2007) Reflex Augmentation – In this type of cheating a computer program usually replaces a human reaction in order to produce superior and faster results. Exploiting Authoritative clients – A particular player creates a modified copy of the online game which informs all the users that a particular event of major importance has taken place in the game. This leads to reaction from the different players which might be exploited. Information Exposure – On a client who has been compromised, access or visibility to hidden information is gained by the player leading to monetary as well as non-monetary benefits for the player. Compromised servers – Some elf the games which are client-server games can be customised by the user who is running the server. Bugs and design loopholes which allow cheating to take place. Environmental Weakness – This causes extreme lag in network communications which might lead to momentary disconnections to place multiple command requests in the queue. (Hobgen, 2007) Compromising Accounts Almost all the information in online games is stored in accounts which are protected by passwords. Hackers normally try to gain hold of this password to barge into the account and make changes. Various methods are used by hackers to get hold of these passwords. Literature is full of methods which is used by hackers to gain hold of people’s accounts of the methods which may be used are the following – (Hoglund, 2008) Dictionary or the Brute Force attacks Use of malicious software Social engineering which means tricking honest players to hand over their user name and password by sending mails which seem to award them Exploiting the lack of authentication if the game provider does not provide a high degree of authentication to the players before logging in. Protection Methods We have till now discussed the background of online gamin and have also discussed as to why it is so susceptible to attacks by cybercriminals. We have also tried to identify the cheats and the framework for cheating and methods of cheating used have also been explained. Once we have explained all these factors we need to shift our focus on the second most important issues – what are the different methods of protection which are available to the players and the gaming companies in order to ensure that cheats are kept at bay and everyone has a good experience with online games? Legal Protection Available The first legal document of importance here is the copyright act, title 17 of the US code. Then we have the DMCA or the Digital Millennium Copyright Act of USA which criminalises production and distribution of technology that aims to violate the rights of the game producer. Piracy or copyright issues are not such a big issue in inline gaming nowadays because as I explained earlier most of the online games do not charge any fees or charge a very nominal account for the software itself In all online games whenever a new user signs up he has to agree to the EULA and TOS i.e. end User License Agreements and terms of service as well as the TOS (Terms of conduct.)These documents are the legal protection of the company against hackers and other cybercriminals. These documents identify the rights as well as the responsibilities of the players and also make them liable for any activity that is taking place from their accounts. These terms and conditions which the end users normally tend to agree to without reading also describe the liabilities of the company in case a cybercriminal compromises information of honest players Creating Strong Authentications This is the simplest and the most foolproof method of ensuring security of online games. The authentication needed to play the game should be made very strong and powerful so that unwanted elements are not able to enter and disrupt the honest players. Use of biometric scan or other such technique is very costly and is thus not feasible and economically viable. Companies have to use different layers of security in order to ensure that only the correct person is able to log on to the system. We will provide some examples here of the different layers of authentication with the help of examples – Blizzard Authenticator The player has to maintain a username and password just like in any normal log on. Apart from this he has to download authenticator software on to his mobile. This software generates a user specific code which keeps on changing every 8 seconds. Every code generated by the software will be valid for 2 minutes. After entering the username and the password the user also has to enter this 8 digit code. Thus the code acts as another level of authentication and increases the amount of work which needs to be done by the cheats in order to barge into the account of others. This authenticator has been used in the game world of War craft. In 2010 this system of log in failed as hackers found a workaround. They installed a file on the players’ computer which was able to track not even the username and the password of the player but also the code generated by the authenticator. Once this information was tracked, it would send a false message to the player saying that his log in has failed. As the user tries to log in again with the new information the hacker barges in during the small window of opportunity. Subsequently the hackers have also been able to replace the code generator with their own version of generator. In order to combat this gaming company made only one log in possible with a single code. Dial –In-authenticator The dial in authenticator works on a very crude but highly effective system. Once a player signs up for it tracks the activity of the players. If the player tries to log in from an ip address which is different from his normal ip address, log in takes place only after the player calls the customer service and provides his pin number which has been provided to him earlier Monitoring Players for Bots The use of Bots in online games has an interesting history. This history deals with the case that blizzard won against an individual who was using a bot to win the game of World of War craft. The court ruled that the game is licensed to the players for a fee and is not sold to them. Thus they could not make any changes in the way game is played by using soft ware’s or bots. The defendant claimed that since he has paid for the game, it belongs to him now and he can do any customisation that he needs to do including the use of software to make the game easier for him. After winning this case blizzard has been using software called as Warden which analyses each and every activity of all the screens of the users who are playing the game at a particular point in time. Warden tracks any suspicious activity by comparing the activities over a number of days and reporting and deviance from the normal activities which take place. However there has been a lot of hue and cry over the invasion of privacy of player with the use of warden as personal information can also be available to blizzard with the use of warden. How effective is the sue of these intensive monitoring methods and is ethical to invade in the privacy of players to ensure security of the game is a question which will take time for answering .This kind of monitoring is economically very expensive and requires a huge economic backup to be carried out. Regular Updates to Users This is one of the major advantages which the online games provide and cannot be explored in offline games. There may be some bugs which have not been discovered by the company at the time of development. These bugs can be traced and even fixed later through updates or patches. These patches help to remove the bugs quickly and thus thwart any attempt by the hackers. The patches may run as a back job which takes place after fixed intervals of time or may be run on a priority basis which is generally known as hot fix. Educating Players This is probably the most important job of a gaming company. It is said that the chain is only as strong as its weakest link. Many users will be careless or will be complicit with the cyber criminals and may cause harm to other users. Some of these people may not even be aware of federal laws and the ways in which they can affect the privacy of others and cause huge economic losses. Thus it becomes very important to make the players of the most common methods of cheating being used bit he criminals and also make them aware of the security provisions that can be done from their side on the system they are using in order to ensure that the game runs smoothly without causing any trouble to the players as well as the gaming organization. Victim Support If the game is a MMO then it becomes very important to provide customer support to people whose account has been hacked or compromised. This is because this hacked account usually becomes the gateway through which the criminals try to attack others in the gaming system. Proper customer support at this point of time and de-activation of the account till the problem is resolved should be provided quickly and promptly by the organisation. Room for Improvement As far as cyber security is concerned there is an immense room for improvement which is available. The most important thing is cyber law which is usually very weak and reactive as compared to being proactive. (A. Dannenberg, 2010) Researchers claim that lawmakers have generation gap with the cyber world and are thus not able to make laws with the same efficiency that they do with other laws. Cyber laws are also not given the attention and the importance that they deserve. A lot of scope for improvement is available into his way ToU and EULA are framed by the organisations. A lot of small changes to protect security such as using the latest up-to-date browser , enabling plug ins from the game provider , using pop up blockers , the latest version of anti-virus – all these are small tips which can save the player from potential malicious software. Conclusions In this in-depth thesis about online gaming and the security issues associated with it all the questions which have been introduced in the beginning of the thesis have been answered. We have begun the thesis by giving background information about online games and why security is an important issue in online games. We have also tried to analyse the reason as to why the cybercriminals like to attack the online games. The level of security which is needed by online games has also been discussed. We have also tried to analyse the different kinds of threats, the different sources of threats and how they attack the online games. (Avizieni, 2004) We have also analysed the benefits – both economical as well as psychological associated with online games due to which criminals target them. After analysing the above questions we have gone on to analyse the protection methods available. Different protection methods have been studied. We have also studied different types of authentication systems currently prevalent in the market and how effective these system of log ins have been. A discussion was made about the role of enhancing user knowledge and legal protection in order to improve security of online games. In the end we have finished the thesis by listing down the areas of improvement where improvements can be made in order to improve the security of online games. Online games as a phenomenon have grown very big and are likely to grow even more. As internet spread in the developing world so will online games. If Online games are able to create a market in India and China the market will increase in size tremendously. At that point of time – security will be an even bigger and a more troublesome issue – the gaming companies need to be armed with all the solutions in advance. References A. Dannenberg, R. (2010) Computer games and virtual worlds: a new frontier in intellectual property law, New York: American Bar Association, p... Avizieni, A. et al. (2004) Basic Concepts and Taxonomy of Dependable and Secure Computing, IEEE Trans. Dependable and Secure Computing, 1(1), p.11 - 33. Carless, S. (2004) Gaming hacks, London: O'Reilly Media, Inc, p... Castronova, E. (2011) Synthetic Worlds : The business and culture of online games, Chicago: University of Chicago Press, p... Davis, S. (2009) Protecting Games: A Security Handbook for Game Developers and Publishers, London: Charles River Media/Course Technology, p... Foxtrott, C. (2011) Mmorpg, London: Charlie Foxtrott, p... Fujita, H. and Zualkernan, I. (2008) New trends in software methodologies, tools and techniques: proceedings of the seventh SoMeT_08,7th ed. USA: IOS Press., p... Griffiths, M. et al. (2003) Online computer gaming: a comparison of adolescent and adult gamers, Journal of Adolescence, 27(1), p.87 - 96. Himma, K. (2007) Internet security: hacking, counterhacking, and society, Washington DC: Jones & Bartlett Learning, p... Hobgen, G. (2007) Security Issues and Recommendations for Online Social Networks, Social Networks (2007), 1(1), p.1 - 36. Hoglund, G. and McGraw, G. (2008) Exploiting online games: cheating massively distributed systems,3rd ed. USA: Addison-Wesley, p... Mulligan, J. and Patrovsky, . (2003) Developing online games: an insider's guide, USA: New Riders, p... Pritchard, M. (2001) How to Hurt the Hackers: The Scoop on Internet Cheating and How You Can Combat It, Information Security Bulletin, .(.), p.33 -47. R. Galloway, A. (2006) Gaming: essays on algorithmic culture, USA: U of Minnesota Press, p... R. Galloway, A. (2006) Gaming: essays on algorithmic culture, USA: U of Minnesota Press, p... Rice, R. (2006) Mmo Evolution,2nd ed. New Jersey: Lulu.com, p... Rymaszewski, M. (2007) Second life: the official guide, USA: Wiley-Interscience, p... Veen, E. (2011) Mmorpg: How a Computer Game Becomes Deadly Serious, New York: CreateSpace, p... Wilbur, M. (2001) Dmca: The Digital Millenium Copyright Act, USA: luniverse.Com, p... Yan, J. and Randel, B. (2009) An Investigation of Cheating in Online Games, IEEE Security and Privacy , 7(3), p.37-44. Yan, J. and Choi, H. (2002) Security Issues in Online Games, The Electronic Library, 20(2), p.125-133. Read More