Video games fast becoming a victim of credential stuffing

Lori MacVittie, Principal Technical Evangelist, Office of the CTO at F5, explains how video games are becoming a prime target for credential stuffing.

The video gaming business is booming. And not just booming, but mega booming.

Forced to stay inside, a broad and very diverse customer base has driven the video gaming market in the US alone to increase by 37% year-over-year to $3.3 billion, according to market research firm NPD Group.

This feeds an increasingly popular—and profitable—business model called “free to play.” The game is free and offers the option to purchase in-game digital assets via microtransactions. Candy Crush, if you recall, was one of the first to make this model a reality. Indeed, the Candy Crush series of mobile games collectively made more than $1.5 billion in revenue from microtransactions in 2018 across iOS and Android. That works out to a staggering $4.2 million USD spent per day, on average.

I will admit to contributing to this increase, as our entire household spends our entertainment budget these days on in-game assets. Not games, necessarily, just in-game assets. Most gamers have tens or hundreds of costumes and emotes and other digital cosmetics. The cost quickly adds up.

This model is increasingly profitable. In 2019, Epic Games’ popular battle royale, Fortnite, brought in revenues of $1.8 billion, according to data reported by SuperData Research, a Nielsen Company. Its business model is based entirely on microtransactions.

Of course, microtransactions are backed by credit cards and payment processors like PayPal. That is the information attackers are really looking to get their hands on by gaining access to gaming accounts.

This makes recent data analyzed by Atlas VPN both logical and terrifying. After all, “follow the money” is a phrase just as applicable to understanding the motives of attackers as those of politicians. The firm found that hackers attacked gamers 9.83 billion times from July 2018 to June 2020. In other words, 14 million attacks per day or 584 thousand attacks per hour.

Gamers are not unaware of the potential impact. Another Atlas survey on gamers’ concerns, conducted during the summer of 2020, found that, were their accounts to be hacked, they were most worried about their credit card information (49.1%). It should be noted that access to their account and loss of in-game assets were not far behind. With the rise of competitive gaming and streaming gameplay as a source of income, these concerns are not as superficial as you might think.

These accounts are valuable to attackers, so it’s no surprise to find such substantial attacks against them. Given that these accounts—like those in other industries—can be used across platforms (website, console, mobile phones) to gain access, they pose a lucrative target with multiple attack vectors for those savvy enough to go after them.

And if the account doesn’t have financial data, attackers can always sell the digital account in the illicit game account market.

Yes. It’s against every game company’s policy and terms of service, but it happens, frequently.

Credential stuffing, which is when a criminal tests large numbers of compromised credentials (i.e., usernames and passwords breached from another site) against your login application, is a real threat to every industry with a digital presence, even video gaming. As we increasingly turn toward not just a digital economy, but a digital-first economy, this threat needs to be addressed.

That’s why it’s important to continue to improve the technology used to detect and thwart fraud and abuse.

We need AI-infused analytics capable of ingesting and analyzing vast quantities of data in minimal time. We need analytics capable of correlating data across the entire workflow to prevent fraud at the speed it occurs.

Detecting fraud today requires more than just data. It requires correlation of data, collected from as many points in the digital workflow as possible, and the ability to quickly analyze results.
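To make the correlation point concrete, here is an added example (not from the original article or any vendor product) that counts login attempts first per login front end and then across all of them. The event format, thresholds, and function names are assumptions chosen for illustration, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed login events: (source_ip, channel, username, succeeded).
# Addresses come from documentation ranges; usernames are invented.
STUFFER = [("203.0.113.7", ch, f"user{i}", i == 4)
           for i, ch in enumerate(["web", "web", "console", "console",
                                   "mobile", "mobile"])]
PLAYER = [("198.51.100.20", "console", "kim", False),
          ("198.51.100.20", "console", "kim", True),
          ("198.51.100.20", "mobile", "kim", True)]
EVENTS = STUFFER + PLAYER


def summarize(events, key):
    """Group events by key(ip, channel); count attempts, failures, usernames."""
    groups = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set()})
    for ip, channel, user, ok in events:
        g = groups[key(ip, channel)]
        g["attempts"] += 1
        g["failures"] += 0 if ok else 1
        g["users"].add(user)
    return groups


def flag(events, key, min_users=4, min_failure_ratio=0.8):
    """Return keys that tried many distinct usernames and mostly failed.

    Both thresholds are illustrative assumptions, not tuned values.
    """
    return sorted(
        k for k, g in summarize(events, key).items()
        if len(g["users"]) >= min_users
        and g["failures"] / g["attempts"] >= min_failure_ratio
    )


def per_channel(events):
    # Each login front end counts on its own: (ip, channel) is the key.
    return flag(events, key=lambda ip, channel: (ip, channel))


def correlated(events):
    # All front ends feed one view: the source address alone is the key.
    return flag(events, key=lambda ip, channel: ip)


if __name__ == "__main__":
    print("per-channel view:", per_channel(EVENTS))
    print("correlated view: ", correlated(EVENTS))
```

The same source stays under the threshold on website, console, and mobile when each is counted alone, and only the combined view shows six distinct usernames with five failures. A player who mistypes a password once is not flagged in either view.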

Every industry can benefit from putting in place the best protection they can against credential stuffing attacks.