When I was on vacation a few months ago, I got a strange, scammy looking email from Origin, EA’s digital distribution application, explaining that there had been an unusual login to my account... from Ukraine. It suggested that if this wasn’t me, I should log in to the account, change my password, and turn on two-factor authentication. After a few quick and easy header checks, it was clear this email was in fact from EA/Origin, and that someone had breached my account. I don’t often use Origin, so the password I had for it was easy to crack and was probably picked up during one of the many data breaches in recent years.
To my surprise, the password still worked but my security question (which I would need to answer to change any information, including my now compromised password) was in Russian. My account was basically locked out via a loophole that avoided email account confirmation which, strangely enough, didn’t require any secondary authority to change. At this point, I reported my account as compromised to EA, who diligently sent a code to my email to prove my ownership; before long my security question was in English, password changed, and 2FA turned on.
Over the next few months, both my Ubisoft account and my Epic Games account (Fortnite) were compromised (with different passwords, mind you!), with very similar notifications. “Your account was accessed from a strange location”, they both claimed. “You should check it out”. In both cases, again, I was able to log in and turn on 2FA - but I’m one of the luckier ones. My nephew found his account completely compromised, to the point where a video was emailed to him of someone playing on his account. Fortnite’s recent overwhelming success has pushed a boatload of attacks towards Epic, which has made some changes, but not nearly enough.
If you are a PC gamer - and increasingly now, a console gamer too – you’ve probably found that almost every single publisher and developer has some sort of native authentication service. Where once it was only a handful of gatekeepers – Microsoft, Sony, Steam, and Nintendo for example – other major publishers found that they’d also like access to the incredible amounts of data and control over their software, as well as the ability to offer microtransactions and packages in a way that got around the larger existing distributors. So, where we once had maybe two or three logins to contend with, we now have up to, and possibly more than, ten. And it could be more still if you play games as a service, such as League of Legends, or basically any MMO.
There’s a lot to lose here. A compromised account can mean the loss of access to hundreds if not thousands of dollars in software. It can mean unauthorised payments thanks to stored credit card details, and possible transfer or deletion of hard earned progress. It can also be a great gateway to phishing information and other details via friend list contacts, who would be completely unaware they weren’t talking to the true owner. It’s also frustrating as hell to prove to poorly designed automated systems, or bored call centre reps that, yes, you do own the account, and yes, you would like it back.
You may think that the real issue is people not taking security seriously enough, and that therefore these problems are of their own creation. But in reality, most ordinary people don’t want to make a specific password for every single application they install, or have no idea what 2FA is or how it works. Even those who do, and who think their incredible 32-character passwords can never be cracked, forget that if they use that password more than once it’s vulnerable to being leaked in a data breach. Companies need to consider security first and foremost during the original account creation stage, as well as implementing common sense security profiles.
First, most users do not travel regularly outside of their country of origin. If they are playing from their home in Dullsville, Idaho 99% of the time, and they’ve suddenly logged in from Pakistan or China, it’s very unlikely this is going to be them. Publishers, please, just block any logins from locations that are overwhelmingly unlikely to be accessed by that user, and make that email a confirmation request rather than a post-intrusion advisory. In most cases a simple manoeuvre like that would block most attacks, unless the attacker already knew the location of the target (very unlikely).
Secondly, make some sort of 2FA mandatory during account creation. Even the crappiest form – email – is still 100 times more secure than a weak password alone, and takes only about 15 seconds longer to log in. You can offer users the chance to store devices, once secured, for a period to avoid pestering them every single day; at the very least, again, this will stop a significant bulk of accounts being taken over. Almost every service now offers some element of 2FA, whether weak (email), adequate (text), or best (Authenticators), but almost none of them are mandatory on signup. This needs to change.
Companies like Blizzard, Microsoft, and Steam have been front and centre here, offering benefits to users for turning on 2FA, as well as offering different and increasingly simpler options to action them. Blizzard, for example, just pops up on your phone on request and asks you to tap a single button. Easy. Steam offers you the option of email or an installed app for Steam Guard, and to be honest, most PC users have a lot to lose and should be taking the stronger option here.
The third option is to block/quarantine IPs, and even ranges of attackers, to stop bulk attacks. I’ve seen services that let users brute force for days if necessary, which is utterly pointless. Ubisoft and EA are some of the worst offenders, breaking almost every rule when it comes to effective account security, making it simple for attackers to compromise hundreds if not thousands of accounts in a second, before doing it again a week or two later once everyone manages to get back in again. If an account is compromised, 2FA, at the very least, should be a condition of reactivation.
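The three controls argued for above (blocking or challenging logins from a country the account has never used, remembering a device for a period once it has passed the email check, and quarantining IPs that keep failing) can be combined in one login-risk decision. The sketch below is an added example written for this post, not code from any publisher; the account histories, IPs and thresholds are constructed sample values.

```python
from collections import defaultdict, deque
import time

# Constructed sample data: each account's usual login countries, learned from past logins.
USUAL_COUNTRIES = {"alice": {"US"}, "bob": {"GB", "FR"}}

class LoginGuard:
    """Returns ALLOW, CHALLENGE, DENY or BLOCK for one login attempt."""

    def __init__(self, max_failures=5, window=600, quarantine=3600, trust_for=30 * 86400):
        self.max_failures = max_failures   # failed attempts tolerated per IP per window
        self.window = window               # seconds over which failures are counted
        self.quarantine = quarantine       # seconds an IP is quarantined after too many failures
        self.trust_for = trust_for         # seconds a device stays trusted after a passed challenge
        self.failures = defaultdict(deque) # ip -> timestamps of recent failures
        self.quarantined = {}              # ip -> time the quarantine lifts
        self.trusted = {}                  # (account, device_id) -> trust expiry time

    def _ip_blocked(self, ip, now):
        if now < self.quarantined.get(ip, 0):
            return True
        recent = self.failures[ip]
        while recent and now - recent[0] > self.window:
            recent.popleft()               # forget failures outside the window
        if len(recent) >= self.max_failures:
            self.quarantined[ip] = now + self.quarantine
            return True
        return False

    def evaluate(self, account, ip, country, device_id, password_ok, now=None):
        now = time.time() if now is None else now
        if self._ip_blocked(ip, now):
            return "BLOCK"                 # bulk guessing from this IP: reject before checking anything
        if not password_ok:
            self.failures[ip].append(now)
            return "DENY"
        if self.trusted.get((account, device_id), 0) > now:
            return "ALLOW"                 # this device proved itself recently
        if country not in USUAL_COUNTRIES.get(account, set()):
            return "CHALLENGE"             # unusual country: require the emailed code before access
        return "ALLOW"

    def challenge_passed(self, account, device_id, now=None):
        """Call after the user enters the emailed code; remembers the device for a period."""
        now = time.time() if now is None else now
        self.trusted[(account, device_id)] = now + self.trust_for
```

A correct password from a never-seen country yields CHALLENGE rather than ALLOW, which is the difference between the confirmation request asked for above and the after-the-fact advisory the post describes receiving.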
Again, it’s easy to blame users, but it isn’t fair either. Many players have accounts dating back to the dinosaurs, when 2FA wasn’t even considered, and most companies don’t make a lot of effort to convince or force users to turn it on. I didn’t know Ubi or Origin even had the features until I’d logged into the dashboards for the first time in at least four years, and it wasn’t until attempted attacks on other accounts (Microsoft, Google) that I discovered them too.
So please, publishers, protect your users. It will save you time, money and grief in the long run, and make everyone’s day a little bit more pleasant.