Slashdot Mirror


Online Games a 'Playground' For Organized Crime

New submitter cadenceaniya sends this excerpt from Polygon: "Online games are a 'playground' for organized crime and cyber criminals, JD Sherry, vice president of technology and solutions at Trend Micro said following the news that League of Legends accounts were compromised. Earlier this week, account information — usernames, email addresses, salted password hashes, and some first and last names — for some North American League of Legends players was 'compromised' by hackers. Riot was also 'investigating that approximately 120,000 transaction records from 2011 that contained hashed and salted credit card numbers have been accessed.' The increase of free-to-play online gaming across all platforms over the years 'have opened the doors to micro-transactions in-game.' The simple and functional systems created so players can spend money effortlessly create 'playgrounds' for cyber criminals to take advantage of. 'Game platforms can have millions of users all storing sensitive information or code access for more features,' Sherry said. 'These are highly sought after in the cyber-crime underground for trading and selling in the black market. These platforms can fall victim to cyber-attacks just like any organization, especially if they have vulnerabilities that go unpatched.'"

  1. I'm shocked!!! by Anonymous Coward · · Score: 3, Insightful

    VP of online security firm warns people the internet isn't safe.

    What's next? Glock's VP says streets aren't safe?

    1. Re:I'm shocked!!! by Nidi62 · · Score: 4, Insightful

      Cars kill 30,000 people a year too. We don't need more cars, or people with them.

      And there are fewer cars in the US than there are guns. That means more deaths per car than per gun.

      It's true.

      --
      The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
    2. Re:I'm shocked!!! by duke_cheetah2003 · · Score: 2

      Why stop there? Giving birth is a death sentence. We should put a stop to it!

  2. Way to sensationalize by wbr1 · · Score: 5, Informative

    The headline makes it sound as if the criminals are -playing- the games to steal info. They are just stealing the info same as they would from any other company. It has absolutely nothing to do with the fact that it is a game, except for the fact that the amount of players and possibly lax security make it a valuable and vulnerable target.

    --
    Silence is a state of mime.
    1. Re:Way to sensationalize by RogueyWon · · Score: 4, Insightful

      Indeed. And it's more about accounts than it is about games (though of course most MMOs have issues with this).

      If you have a Steam account these days and you aren't using the Steamguard added security, you're mad. The trade in compromised Steam accounts is quite terrifying (and unsurprising given the value of the games stored on many of them). The same is true for PSN accounts. It's even more true for XBox Live accounts where there are fewer additional layers of password security you can bolt on (unless they've added them since I last checked) and where there are FIFA Soccer DLC packs that are tradable and essentially allow "real money" to be laundered through the accounts.

    2. Re:Way to sensationalize by RaceProUK · · Score: 3, Insightful

      Trend Micro saying "Online Games a 'Playground' For Organized Crime" is like ADT saying "Private Homes a 'Playground' For Organized Crime".

      --
      No colour or religion ever stopped the bullet from a gun
    3. Re:Way to sensationalize by blueg3 · · Score: 2

      Why on earth would one store hashed and salted credit card information? If you're going to bill people, you need the original credit card number, no? Hashing isn't reversible.

    4. Re:Way to sensationalize by xevioso · · Score: 2

      You know, this sounds like the beginning of a plot for a possibly amazing movie.

      To wit: A teen and his friends gang up on a ship on EVE that is carrying an absurd amount of money. The Russian mafia tracks the IP of the teens and then goes after them, and the teens have to run for their lives.

      Or even better, the Russians kidnap their parents or something, and hold them for ransom, and the kids have to go back online in EVE and capture even more ships to save their parents. Or something like that.

  3. Stephenson by gmuslera · · Score: 2

    Someone has been reading Reamde lately. Anyway, that something that enables you to interact with other people can be used to interact in "wrong" ways is something that doesn't apply just to games, and yet, that argument is being used to demonize the internet, games, even the Tor network. If you want to be free, you must accept that people could use that freedom to do bad things, and the solution is going after those people, not punishing everyone by taking away freedom.

  4. MADLIB TIME! by Ignacio · · Score: 4, Interesting

    Replace FOO with some type of online service in the following soundbite:

    "FOO a 'playground' for organized crime."

    Congratulations, you are now a security expert! Let's try it out:

    "Social network services a 'playground' for organized crime."
    "FTP servers a 'playground' for organized crime."
    "VoIP providers a 'playground' for organized crime."

    See! Wasn't that easy!?

  5. hashed and salted credit card info by rapiddescent · · Score: 2

    Why would you bother storing hashed and salted credit card information? The only thing you could do is match it against the credit card used on the next transaction - but what does that really get you? The hashed/salted card number would be usable again (if hashed+salted properly).

  6. Not surprising ... by gstoddart · · Score: 2

    The increase of free-to-play online gaming across all platforms over the years 'have opened the doors to micro-transactions in-game.'

    I've always avoided any game which relies on these in-game purchases.

    Firstly, because I'm cheap and have no interest in having to pay for baubles in a video game with real money. But second, because I don't necessarily trust that companies put enough effort into safe-guarding my financial information -- they put a lot of work in the glossy bits and setting up a way to get my money, but they're not as interested in keeping it secure.

    If you know that a system has a vast number of credit card details stored in it, it's going to be an attractive target, because any exploit of it is going to yield a lot of stuff. In this case, it's a big giant database of credit cards and names, stored by a company who may or may not have put enough effort into protecting that.

    This is why I'm of the opinion that companies need both restrictions on the kind of data they collect and use, but also some steep penalties for failure to safeguard it once they have it.

    If someone can do an incompetent job of security and have their users be the ones affected by it, it has to be a lot more than "ooops, sorry".

    --
    Lost at C:>. Found at C.
    1. Re:Not surprising ... by cyber-vandal · · Score: 2

      It's much harder to compete in pay to win games if you don't pay yourself. That's why I don't play them at all.

  7. to authenticate in game purchases by raymorris · · Score: 3, Informative

    One use would be for ongoing purchases in / for the game. When you sign up, they store the CC on a protected payment system that's not directly accessible from the internet. The internet-accessible server has only a secure salted hash of the CC. For a purchase, the client prompts for the CC to use, then sends the hash of it to the public server. That confirms that the user truly has presented the correct card number. The public server can then call the one and only function exposed by the payment server, billcard(hash,amount).

    That way they can prove that the customer entered the card number into their game, without sending the card number over the internet.
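The flow described in the comment above, as an added example that is not part of the original post and not Riot's code. The class names, the `enroll`/`register` sign-up path, the use of PBKDF2 and the iteration count are assumptions; only `billcard(hash, amount)` comes from the comment.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor, not from the post

def card_hash(pan: str, salt: bytes) -> bytes:
    """Slow salted hash of the card digits (PBKDF2 is this example's choice)."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return hashlib.pbkdf2_hmac("sha256", digits.encode(), salt, ITERATIONS)

class PaymentServer:
    """Internal host, not reachable from the internet; only it holds card numbers."""
    def __init__(self):
        self._cards = {}    # hash -> card number
        self.charges = []   # (last four digits, amount in cents)
    def enroll(self, pan: str, salt: bytes) -> bytes:
        h = card_hash(pan, salt)
        self._cards[h] = pan
        return h
    def billcard(self, h: bytes, amount: int) -> bool:
        """The single function exposed to the public server."""
        pan = self._cards.get(h)
        if pan is None or amount <= 0:
            return False
        self.charges.append((pan[-4:], amount))
        return True

class PublicServer:
    """Internet-facing host; stores only a salt and a hash per account."""
    def __init__(self, payment: PaymentServer):
        self._payment = payment
        self._accounts = {}  # user -> (salt, hash)
    def register(self, user: str, salt: bytes, h: bytes) -> None:
        self._accounts[user] = (salt, h)
    def salt_for(self, user: str) -> bytes:
        return self._accounts[user][0]
    def purchase(self, user: str, presented: bytes, amount: int) -> bool:
        salt, stored = self._accounts[user]
        if not hmac.compare_digest(stored, presented):  # constant-time compare
            return False
        return self._payment.billcard(stored, amount)

if __name__ == "__main__":
    pay, salt = PaymentServer(), os.urandom(16)
    pub = PublicServer(pay)
    pub.register("alice", salt, pay.enroll("4111 1111 1111 1111", salt))  # constructed test number
    client_hash = card_hash("4111111111111111", pub.salt_for("alice"))  # computed on the client
    print(pub.purchase("alice", client_hash, 499), pay.charges)
```
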

  8. No Security but Monitoring? by Sir Holo · · Score: 4, Interesting

    A bit off-topic, but if games with online playability lack security, it is by their choice. They certainly spy on their players enough.

    Get an IP sniffer.

    When I play StarCraft II, which insists on being online even for single-player, I get tons of connection attempts going places other than Blizzard. I block them, and gameplay does not suffer.

    * www.reuters.com
    * www.googleanalytics.com
    * Akamai (OK, that's for downloading updates)
    * several other all-digit IPs, which I also block.

    1. Re:No Security but Monitoring? by EmperorArthur · · Score: 2

      Out of curiosity, have you ever run a reverse DNS lookup on those IPs? Or is that how you figured out who the outbound connections were attempting to talk to to begin with? Google analytics sounds like SC2 is rendering a web page somewhere, and triggering the javascript. I don't own the game, so I can't check.

      This is why per process firewalls are so important. I'm personally using Comodo Free myself. It pains me to admit it, but this is actually one area where Windows is ahead of Linux.

      Yes, that's right, Windows is ahead of Linux when it comes to security.

      We need to fix this.

      --
      So let's pretend that we've just completed writing this code, as opposed to having just completed sabotaging it -Altera