Logo

American Security Council Foundation

Back to main site

Alan W. Dowd is a Senior Fellow with the American Security Council Foundation, where he writes on the full range of topics relating to national defense, foreign policy and international security. Dowd’s commentaries and essays have appeared in Policy Review, Parameters, Military Officer, The American Legion Magazine, The Journal of Diplomacy and International Relations, The Claremont Review of Books, World Politics Review, The Wall Street Journal Europe, The Jerusalem Post, The Financial Times Deutschland, The Washington Times, The Baltimore Sun, The Washington Examiner, The Detroit News, The Sacramento Bee, The Vancouver Sun, The National Post, The Landing Zone, Current, The World & I, The American Enterprise, Fraser Forum, American Outlook, The American and the online editions of Weekly Standard, National Review and American Interest. Beyond his work in opinion journalism, Dowd has served as an adjunct professor and university lecturer; congressional aide; and administrator, researcher and writer at leading think tanks, including the Hudson Institute, Sagamore Institute and Fraser Institute. An award-winning writer, Dowd has been interviewed by Fox News Channel, Cox News Service, The Washington Times, The National Post, the Australian Broadcasting Corporation and numerous radio programs across North America. In addition, his work has been quoted by and/or reprinted in The Guardian, CBS News, BBC News and the Council on Foreign Relations. Dowd holds degrees from Butler University and Indiana University. Follow him at twitter.com/alanwdowd.

ASCF News

Scott Tilley is a Senior Fellow at the American Security Council Foundation, where he writes the “Technical Power” column, focusing on the societal and national security implications of advanced technology in cybersecurity, space, and foreign relations.

He is an emeritus professor at the Florida Institute of Technology. Previously, he was with the University of California, Riverside, Carnegie Mellon University’s Software Engineering Institute, and IBM. His research and teaching were in the areas of computer science, software & systems engineering, educational technology, the design of communication, and business information systems.

He is president and founder of the Center for Technology & Society, president and co-founder of Big Data Florida, past president of INCOSE Space Coast, and a Space Coast Writers’ Guild Fellow.

He has authored over 150 academic papers and has published 28 books (technical and non-technical), most recently Systems Analysis & Design (Cengage, 2020), SPACE (Anthology Alliance, 2019), and Technical Justice (CTS Press, 2019). He wrote the “Technology Today” column for FLORIDA TODAY from 2010 to 2018.

He is a popular public speaker, having delivered numerous keynote presentations and “Tech Talks” for a general audience. Recent examples include the role of big data in the space program, a four-part series on machine learning, and a four-part series on fake news.

He holds a Ph.D. in computer science from the University of Victoria (1995).

Contact him at stilley@cts.today.

How Kids’ Videogame Accounts Get Hacked: Advice for Parents

Wednesday, September 9, 2020

Categories: ASCF News Cyber Security

Comments: 0

Source: https://www.wsj.com/articles/videogame-hackers-are-stealing-players-accounts-and-loot-during-pandemic-11599570006?mod=tech_lead_pos4

After his high school switched to remote learning last spring, Luke Martin had a lot of extra time on his hands. He filled his idle hours playing videogames. Then he got hacked.

One day in April when he tried logging into the online gaming platform Steam, he received a message saying his credentials were incorrect. After Steam’s customer-service desk helped him get back into his account, he discovered that $200 of games he had purchased had vanished. Even the $1.10 he had remaining in his account was gone. He checked the login history and found that someone had been signing into his account from an IP address in Moldova.

The quarantine-induced surge in gaming last spring, especially among children, has brought with it a surge in fraudsters looking for opportunity. Online gaming traffic rose 30% in the second quarter compared with the first, and attempts to hack into players’ accounts and steal their digital goods rose, too, according to Kevin Gosschalk, chief executive of Arkose Labs, a fraud-and-abuse prevention company for gaming merchants and other retailers.

While you might not consider a videogame hack to be as devastating as a bank-account breach, let alone a home burglary, victims do lose personal property and funds as a result. Digital currency and items ranging from weapons to “skins,” the outfits worn by players’ avatars, can be worth a lot to hackers who sell them in online marketplaces.

Account logins, often using stolen passwords, are the most common method of attack, according to Arkose. If you reuse your passwords in multiple sites and one gets breached, that password might end up on a list that hackers buy on the black market. They try those exposed passwords and associated usernames on other sites, hoping to get lucky.

Out of roughly two billion videogame login attempts in April, May and June, 31% were fraudulent—up from 11% in the prior year period, the report said. Game giant Nintendo NTDOY 4.19% reported at least 300,000 of its world-wide users’ accounts had been hacked since April, and the company added additional security measures in response.

The loss of an account and its inventory can be devastating to serious gamers who spent a lot of time or money—or both—acquiring digital goods and skills.

“It’s like having your favorite toy stolen,” said Mr. Gosschalk. And for some players, he said, it’s like having their very identity stripped from them. He estimates that hackers, in aggregate, make hundreds of millions of dollars a year selling stolen digital goods.

Luke was lucky that Steam reinstated his games, and even refunded his $1.10. The 16-year-old from Mohnton, Pa., said he thought he had set up two-factor authentication on his account but might not have done it properly.

“I’m usually very secure with my user data, and I’ve gotten pretty good at not falling for phishing scams,” Luke said. “I don’t know how it happened, but it did. My friends laughed at me, but I know it’s happened to them, too.”

Once he regained access to his account, he made sure to lock it down. (See tips below for keeping your accounts safe.) Within two hours, he said he received about 10 text notifications that someone was trying to log into his account. Some of the notifications were in Russian. When he checked the login history he could see that some of the attempts were coming from a Russian IP address. He didn’t receive any more notifications after the initial wave.

Aarush Dey had just made his first-ever in-game purchase in April: He used real dollars to buy gems to spend in “Brawl Stars,” a game he’d been playing on his iPad for more than a year. The purchase was a gift from his parents for his 11th birthday. Not long after that, his account was hacked.

His mom, Suchi Ray, had received purchase notifications from Apple AAPL +3.89% in amounts of 99 cents and $2.99 and didn’t think much of it. One night, around 1 a.m., her phone dinged with a notification of yet another charge in the game. But Aarush was sleeping, and his iPad was charging next to Ms. Ray’s bed.

“Aarush doesn’t spend a lot of time gaming, and this was the first time we had done an in-game purchase and that was enough to expose him,” she said.

Ms. Ray, of Houston, was so worried about where the breach had occurred that she deleted the app and changed her Apple ID and password. Because her Apple ID was linked to her PayPal PYPL +4.05% account, which is linked to her American Express card, she changed her passwords on those accounts, too. She even changed her Google GOOG +1.54% password.

“We don’t know what is linked to what anymore,” Ms. Ray said. “The monetary loss was very small, but the effort to protect ourselves was big.”

The hackers took 300 gems from Aarush’s account, which were worth around $20. In July, Ms. Ray allowed Aarush to start playing “Brawl Stars” again, and decided to have him use gift cards to make in-game purchases to minimize the financial exposure.

Luke and Aarush’s small losses are the norm, which is why gaming fraud is so common: It’s a high-volume business. But sometimes hackers get a big prize. Colby Bruno’s account was one of them.

Although his Steam account was hacked in August last year, he’s still reeling from the experience. The 17-year-old from Knoxville, Tenn., had more than $1,000 worth of weapons and skins in the game “Counter-Strike: Global Offensive” that he’d accumulated over more than three years.

One day Colby logged in to find a message informing him that his account had been flagged by an administrator for breaking a rule. His name had been erased from his account profile, and his icon had been changed to a default icon. “At that point I knew I had been hacked,” he said.

He said his friends in the game began messaging him saying that they saw his account was in trouble and recommended that he transfer all of his items to another account of his where they’d be safe. He then confirmed the trade on his phone. But when he logged in to that other account, his entire inventory was gone: He realized then that the hackers had spoofed his friends, tricking him into transferring the goods.

He still isn’t sure exactly how the hackers pulled off the stunt—he says he had two-factor authentication enabled—but he realizes now there would have been no way his actual friends could have known right away that his account had been flagged. “I was in the moment and I was freaking out about losing my stuff,” he said. He didn’t even try to seek his items back from Steam because he’s familiar with its policy on not restoring digital goods that have left accounts for any reason.

A spokesman for Steam owner Valve Corp. didn’t respond to requests for comment. Steam states on its website that it doesn’t replenish goods because duplicating items lowers their value. “It is your responsibility to secure your Steam account,” the policy states.

After he lost all that inventory, Colby changed all of his account passwords to long sequences of letters, numbers and symbols. “There’s nothing you can do but learn from your mistakes and hope you’re not a victim of the next scheme,” he said.

What You Can Do

Here are some ways to protect yourself and your children from online gaming fraud.

Set up two-factor authentication: 2FA, as it’s known, is an extra layer of security that requires an additional piece of information, beyond a username and password, to log into an account. In many cases, it’s a text message with a one-time code, sent with each login attempt. While phone numbers can sometimes be spoofed, this is still safer than not having two-factor turned on.

Create a strong password: “The primary reason accounts get stolen is they have weak passwords or use the same password across different products,” said Kevin Gosschalk, of Arkose Labs. It’s also a good idea, he said, to change passwords frequently. A password manager can help.

Never share account details: It’s important never to share login information, even with friends, because they might be hackers in disguise.

Check the URL: When logging into a game on a PC or Mac, it’s always a good idea to check the web address to make sure it’s the right URL. Hackers can set up identical-looking emails and websites to trick you into revealing your login credentials. Bookmark your gaming platform, and don’t click a link from an email saying there’s an account problem.

Set up parental controls: Parental-control settings in gaming consoles and in Apple’s App Store or Google Play Store can ensure parents approve any in-game purchases before they are made.

Photo: BRIAN STAUFFER

Comments RSS feed for comments on this page

There are no comments yet. Be the first to add a comment by using the form below.