{"id":850,"date":"2009-02-07T21:07:54","date_gmt":"2009-02-08T05:07:54","guid":{"rendered":"http:\/\/cubist.cs.washington.edu\/Security\/?p=850"},"modified":"2009-02-07T21:07:54","modified_gmt":"2009-02-08T05:07:54","slug":"security-review-mmo-gaming","status":"publish","type":"post","link":"https:\/\/secblog.cs.washington.edu\/Security\/2009\/02\/07\/security-review-mmo-gaming\/","title":{"rendered":"Security Review:  MMO Gaming"},"content":{"rendered":"<p>Most people in our society today are familiar with the concept of MMO gaming. World of Warcraft, for example, is something almost everyone has heard of. Most MMO games operate under a fairly strict client\/server paradigm. A company that wants to produce an MMO will create a client that handles graphics processing, user input and output, and perhaps stores some basic per-user settings, usually related to display settings and interface options. The remainder of the game, including all user character data and user interaction with the online world, is stored and run on company-controlled servers. This helps the company give users the experience it intended and control various types of cheating. In addition, users generally cannot play offline \u2013 a given user must authenticate with the server in order to access a given character or play with others in the virtual world.<\/p>\n<p><!--more--><\/p>\n<p>I would like to briefly discuss some security issues related to this paradigm of MMO gaming. With the number of users of such games seemingly always on the rise, the need for security will become more and more significant, as any system with a large number of users is an attractive target for various kinds of malicious behavior.<\/p>\n<p>One asset these systems have is character data representing the time a user has invested. 
Such games usually require many hours of playtime on any given character in order to increase its strength and its ability to access or be viable in various areas of the game. Thus one security goal is that such data be unalterable by outside parties except in the ways it was intended to be altered (i.e., by playing the game). One reason this is important is to prevent users from cheating by altering their attributes to be more powerful than they should be, or by instantly creating a character that would normally take hundreds of hours of play time to acquire. If such things were to happen, it would damage the gameplay experience of legitimate users.<\/p>\n<p>Another asset these systems have is the real-world value of virtual assets. The relevant security goal is to ensure that in-game assets cannot be generated or obtained except by legitimate means. Another possible goal in this area would be to limit a user\u2019s ability to trade virtual assets for real money, but this is more of a policy (and policy enforcement) problem than a security problem. Keeping the virtual assets secure is important both for the proper operation of the in-game virtual economy and because having a real-world monetary value makes this area appealing to malicious individuals.<\/p>\n<p>Two possible adversaries are 1) players of the game and 2) those who wish to exploit the game for monetary gain. A player of the game might wish to alter their own character for their own benefit, or perhaps somehow bypass the monthly fee. Those who wish to exploit the game might have no desire to actually play it, but would be interested in instantaneously creating (or obtaining) virtual assets that could then be sold for real-world monetary gain.<\/p>\n<p>One potential weakness of this system is user login credentials. 
If such credentials were compromised, a malicious party would gain instant access to the player\u2019s virtual assets, and could then transfer or sell those assets before the player next attempts to log in. Another potential weakness in this system is insider misconduct. An administrator of the game may legitimately have the power to, for example, spontaneously create in-game currency, but then use this ability inappropriately in order to sell the created virtual assets for real-world monetary gain.<\/p>\n<p>User login credentials could be defended by instructing users to keep their name and password secure. A system could (and should) also be in place to email a user if their name and\/or password is ever changed, so they can respond as quickly as possible should such a change be unauthorized. Also, the transmission of login credentials should of course be encrypted using up-to-date standards.<\/p>\n<p>Insider misconduct could be defended against by ensuring no one has \u201cinvisible\u201d power: any time administrative privileges are used to create virtual assets or to change something outside of the game\u2019s normal intended cause and effect, a log entry is created that several people in the company see and review.<\/p>\n<p>The risk of an account being compromised seems to be fairly significant. Many malicious users take this route, especially because credentials can be obtained by social engineering (such as phishing attacks), which is often easier than the more technical route of actually trying to find a flaw in the login system. As for a malicious insider, I have no information on how often that occurs, and companies would in general not want their users to know if an insider had done something they shouldn\u2019t have. 
Still, the threat certainly exists, and will become more and more of a concern if the monetary value of virtual assets continues to increase, as \u201cprinting your own money\u201d is a tempting proposition to many.<\/p>\n<p>In conclusion, the establishment of real-world monetary value for something that can be created in infinite supply without cost (such as MMO in-game currency) is a fairly new phenomenon. While the consequences don\u2019t seem to be all too drastic (it is \u201cjust a game,\u201d after all), a breach in the security of an MMO is something that should be more carefully considered, especially for MMOs that have user bases in the millions. People who are paying for a service, even a recreational one, deserve to have the integrity of that service upheld regardless of its attractiveness as a target to malicious individuals.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Most people in our society today are familiar with the concept of MMO gaming. World of Warcraft, for example, is something almost everyone has heard of. Most MMO games operate under a fairly strict client\/server paradigm. 
\u00a0A company that &hellip; <a href=\"https:\/\/secblog.cs.washington.edu\/Security\/2009\/02\/07\/security-review-mmo-gaming\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":116,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"class_list":["post-850","post","type-post","status-publish","format-standard","hentry","category-security-reviews"],"_links":{"self":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/850","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/users\/116"}],"replies":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/comments?post=850"}],"version-history":[{"count":2,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/850\/revisions"}],"predecessor-version":[{"id":852,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/850\/revisions\/852"}],"wp:attachment":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/media?parent=850"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/categories?post=850"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/tags?post=850"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}