Online gaming has surged—and so has fraud—as children play more during the coronavirus crisis
After his high school switched to remote learning last spring, Luke Martin had a lot of extra time on his hands. He filled his idle hours playing videogames. Then he got hacked.
One day in April when he tried logging into the online gaming platform Steam, he received a message saying his credentials were incorrect. After Steam’s customer-service desk helped him get back into his account, he discovered that $200 of games he had purchased had vanished. Even the $1.10 he had remaining in his account was gone. He checked the login history and found that someone had been signing into his account from an IP address in Moldova.
The quarantine-induced surge in gaming last spring, especially among children, has brought with it a surge in fraudsters looking for opportunity. Online gaming traffic rose 30% in the second quarter compared with the first and attempts to hack into players’ accounts and steal their digital goods rose, too, according to Kevin Gosschalk, chief executive of Arkose Labs, a fraud-and-abuse prevention company for gaming merchants and other retailers.
While you might not consider a videogame hack to be as devastating as a bank-account breach, let alone a home burglary, victims do lose personal property and funds as a result. Digital currency and items ranging from weapons to “skins,” the outfits worn by players’ avatars, can be worth a lot to hackers who sell them in online marketplaces.
Account logins, often using stolen passwords, are the most common method of attack, according to Arkose. If you reuse your passwords on multiple sites and one gets breached, that password might end up on a list that hackers buy on the black market. They try those exposed passwords and associated usernames on other sites, hoping to get lucky.
Out of roughly two billion videogame login attempts in April, May, and June, 31% were fraudulent—up from 11% in the prior-year period, the report said. Game giant Nintendo reported at least 300,000 of its world-wide users’ accounts had been hacked since April, and the company added additional security measures in response.
The loss of an account and its inventory can be devastating to serious gamers who spent a lot of time or money—or both—acquiring digital goods and skills.
“It’s like having your favorite toy stolen,” said Mr. Gosschalk. And for some players, he said, it’s like having their very identity stripped from them. He estimates that hackers, in aggregate, make hundreds of millions of dollars a year selling stolen digital goods.
Luke was lucky that Steam reinstated his games, and even refunded his $1.10. The 16-year-old from Mohnton, Pa., said he thought he had set up two-factor authentication on his account but might not have done it properly.
“I’m usually very secure with my user data, and I’ve gotten pretty good at not falling for phishing scams,” Luke said. “I don’t know how it happened, but it did. My friends laughed at me, but I know it’s happened to them, too.”
Once he regained access to his account, he made sure to lock it down. (See tips below for keeping your accounts safe.) Within two hours, he said he received about 10 text notifications that someone was trying to log into his account. Some of the notifications were in Russian. When he checked the login history he could see that some of the attempts were coming from a Russian IP address. He didn’t receive any more notifications after the initial wave.
Aarush Dey had just made his first-ever in-game purchase in April: He used real dollars to buy gems to spend in “Brawl Stars,” a game he’d been playing on his iPad for more than a year. The purchase was a gift from his parents for his 11th birthday. Not long after that, his account was hacked.
His mom, Suchi Ray, had received purchase notifications from Apple in amounts of 99 cents and $2.99 and didn’t think much of it. One night, around 1 a.m., her phone dinged with notification of yet another charge in the game. But Aarush was sleeping, and his iPad was charging next to Ms. Ray’s bed.
“Aarush doesn’t spend a lot of time gaming, and this was the first time we had done an in-game purchase and that was enough to expose him,” she said.
Ms. Ray, of Houston, was so worried about where the breach had occurred that she deleted the app and changed her Apple ID and password. Because her Apple ID was linked to her PayPal account, which is linked to her American Express card, she changed her passwords on those accounts, too. She even changed her Google password.
“We don’t know what is linked to what anymore,” Ms. Ray said. “The monetary loss was very small, but the effort to protect ourselves was big.”
The hackers took 300 gems from Aarush’s account, which were worth around $20. In July, Ms. Ray allowed Aarush to start playing “Brawl Stars” again and decided to have him use gift cards to make in-game purchases to minimize financial exposure.
Luke and Aarush’s small losses are the norm, which is why gaming fraud is so common: It’s a high-volume business. But sometimes hackers get a big prize. Colby Bruno’s account was one of them.
Although his Steam account was hacked in August last year, he’s still reeling from the experience. The 17-year-old from Knoxville, Tenn., had more than $1,000 worth of weapons and skins in the game “Counter-Strike: Global Offensive” that he’d accumulated over more than three years.
One day Colby logged in to find a message informing him that his account had been flagged by an administrator for breaking a rule. His name had been erased from his account profile, and his icon had been changed to a default icon. “At that point, I knew I had been hacked,” he said.
He said his friends in the game began messaging him saying that they saw his account was in trouble and recommended that he transfer all of his items to another account of his where they’d be safe. He then confirmed the trade on his phone. But when he logged in to that other account, his entire inventory was gone: He realized then that the hackers had spoofed his friends, tricking him into transferring the goods.
He still isn’t sure exactly how the hackers pulled off the stunt—he says he had two-factor authentication enabled—but he realizes now there would have been no way his actual friends could have known right away that his account had been flagged. “I was in the moment and I was freaking out about losing my stuff,” he said. He didn’t even try to seek his items back from Steam because he’s familiar with its policy on not restoring digital goods that have left accounts for any reason.
A spokesman for Steam owner Valve Corp. didn’t respond to requests for comment. Steam states on its website that it doesn’t replenish goods because duplicating items lowers their value. “It is your responsibility to secure your Steam account,” the policy states.
After he lost all that inventory, Colby changed all of his account passwords to long sequences of letters, numbers, and symbols. “There’s nothing you can do but learn from your mistakes and hope you’re not a victim of the next scheme,” he said.
What You Can Do
Here are some ways to protect yourself and your children from online gaming fraud.
Set up two-factor authentication: 2FA, as it’s known, is an extra layer of security that requires an additional piece of information, beyond a username and password, to log into an account. In many cases, it’s a text message with a one-time code, sent with each login attempt. While phone numbers can sometimes be spoofed, this is still safer than not having two-factor turned on.
Create a strong password: “The primary reason accounts get stolen is they have weak passwords or use the same password across different products,” said Kevin Gosschalk, of Arkose Labs. It’s also a good idea, he said, to change passwords frequently. A password manager can help.
Never share account details: It’s important never to share login information, even with friends, because they might be hackers in disguise.
Check the URL: When logging into a game on a PC or Mac, it’s always a good idea to check the web address to make sure it’s the right URL. Hackers can set up identical-looking emails and websites to trick you into revealing your login credentials. Bookmark your gaming platform, and don’t click a link from an email saying there’s an account problem.
Set up parental controls: Parental-control settings in gaming consoles and in Apple’s App Store or Google Play Store can ensure parents approve any in-game purchases before they are made.
WSJ / Balkantimes.press