Account Security & You
Although the recent issues with PSN have many of us thinking about a different kind of security, I delve into individual account hacking in this column. Individual account hacking is the kind of hacking that has plagued WoW for years and that cropped up in Rift nearly as soon as the game went live.
As I have said before, I am a big believer that strong communities are the lifeblood of a successful MMORPG. There are certainly other critical factors, as has been brought up in replies to a number of the previous articles, but without a successful community the overall MMORPG is not going to succeed. By community I do not necessarily mean any specific guild, but rather the overall community of the game: the people who post to the forums... the ability to get groups in game... the ability to meet up with friends... the ability to form guilds if you wish... a thriving economy to buy and sell what you need from the game and within the rules of the game, and so on.
One of the key components of a successful community is security. The idea that you can log off and go to work and your account is as you left it when you return home. The idea that you can invest hundreds or thousands of hours of yourself into a virtual world and that your investment will not be lost in the blink of an eye. Security within the gaming space is as important to a thriving community as security within your town is to a thriving community there. Businesses can't thrive and people will not move to a place if there is poor security. The same parallel applies to the online world. Why play a game where at any moment you can lose everything? Increasingly players are developing a lack of tolerance for games that do not take security seriously or put enough controls in place. A key differentiator in future MMORPG success may well be which games provide robust security and which games do not take the threats seriously.
Before we delve into securing accounts, let's first talk about the inevitable idea that people will get hacked. It is foolish to think that any security system is hack-proof, because some of us are going to be stupid and leave the door unlocked and the keys in the ignition and thus get hacked. There will also be those who take every reasonable precaution, yet the hackers find a way to circumvent the controls and they too get hacked. So the first priority of any good security system for a virtual MMO is that "when" people get hacked, there is a system in place to restore what they lost. By all means do not do what EA does in Ultima Online: "You were hacked? Sorry... try not to get hacked anymore." The completely hands-off approach cost them many thousands of subscribers over the years.
The flip side to that model is what many modern MMOs will do. I will use WoW as an example, but it is certainly not the only game with good customer service in this area. Throughout its life, WoW has restored hacked accounts and lost items to players. It began as a two-week-long wait but has evolved into often less than 24 hours. To their credit, Blizzard recognized early on that players are attached to their 'stuff' and that giving them a 'too bad... so sad' reply will cost them customers. As such, they do a good job helping people return their accounts to close to the way they were before being hacked. That, however, costs them a great deal of money in labor to sort all of that out. That expense, along with the massive amount of angst and anger that constant hackings cause within the player community, leads me into the second major point.
We players have a growing expectation that the games of today should be secure. Facebook freaks out if you try to log in to your account from a PC that is too different from the one you normally use. I know I have experienced being locked out of various social networking accounts every time I visit a trade show and some vendor wants you to "Like" their product when you take their survey. A free T-shirt isn't worth the hassle. But if Facebook can figure it out (albeit their model is far from ideal and far from completely secure), then a company we spend a great deal of money with each month "owes" us good security... or so the perception of much of the community is evolving to become.
Gaming companies are starting to get that. The WoW restoration example above is a big-time money and PR 'sink' for them. Eliminating the need for that investment is a far wiser move than pumping more money into faster restorations and smiling customer service reps to tell you not to worry. So from a purely economic standpoint, preventing as many of the hacks as possible is a good way for developers to head. Additionally, in some game models a hacked account can be used to create false charges against the credit card. Many millions of dollars are lost to the gaming industry in reversed charges each year due to those hackings.
Looking at WoW, they addressed enhanced account security first by offering Parental Controls (i.e. locking your account so it can only be played during certain hours, which required a second password and a special place to click on their website to unlock it). Those didn't work out. Not enough of the community took advantage of them, and they did not solve the issue of being hacked during the hours you left the account unlocked. So they began offering Authenticators. Those who bought one and applied it to their account stopped being hacked. Their authenticators are from VASCO, but they are very similar in technology to those from RSA (the company that was recently hacked and had much of its data stolen... but not enough of it to compromise its tokens, thankfully). While that technology is not foolproof, it has blunted the tide of accounts being hacked in WoW. The real problem with that system is twofold. First, it took several years for them to get enough tokens into circulation to make an impact and to meet demand. Second, players have spent several hundred dollars with Blizzard (or even upwards of a thousand) and were then being asked to spend $7 more.
Doesn't that seem just a little bit greedy? I recently dealt with VASCO, so I know that they sell their tokens for about $7, and that is if you just buy a few thousand. If you buy millions, one would think you get a decent discount on top of that. If so, then is Blizzard actually making a profit on the tokens they are selling us to secure the accounts we are already paying them hundreds of dollars to have? Now it's starting to sound a lot more greedy. My overall point here is that developers need to provide account security as part of the core product, and they need to bake that cost into the revenue stream and not nickel-and-dime players for it down the road. Yes, I do know that you can get a free authenticator for iOS or Android, but there are millions of players who do not have either kind of smart device or who prefer a physical token.
While most games have a hacking problem, it's the truly massive games that make headlines due to the volume of people being hacked. It's a supply and demand equation. The more potential accounts there are to compromise, the easier time the hackers have obtaining vulnerable ones and the more money they can make from stealing them. One of those larger games is Aion. I only have limited experience with that game. I played it a little... received plenty of phishing emails trying to steal account information on email addresses that never had Aion accounts to begin with... but I haven't seen much news on gaming news sites about hacking plaguing that game.
Rift, on the other hand, ran into the account hacking issue nearly as soon as it launched. On the one hand, it is very disappointing the game didn't launch with stronger security. But on the other hand, they reacted swiftly and that was great to see. They started by implementing a system they called Coin Lock. In a nutshell, if you got hacked you were somewhat protected, because your email account would also need to have been hacked in order to give the perpetrator the code needed to allow them to sell off your items, delete your characters and do other similar things. That was a pretty good stop-gap measure that they implemented very rapidly (why wasn't it in place at launch?).
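A minimal model of the Coin Lock idea described above, added here as an illustration; it is not Trion's code and not part of the original column. The trigger (a login from a device the account has not used before), the restricted action names, the code format, the 15-minute lifetime and the five-guess limit are all assumptions; the column only says that a code sent to the account's email is needed before items can be sold or characters deleted.

```python
import hmac
import secrets

RESTRICTED = {"sell_item", "mail_item", "delete_character"}  # assumed names
CODE_TTL = 15 * 60   # assumed: mailed code is valid for 15 minutes
MAX_ATTEMPTS = 5     # assumed: guesses allowed before the code is voided


class Account:
    def __init__(self, known_devices):
        self.known_devices = set(known_devices)
        self.outbox = []  # stands in for the registered email inbox


class Session:
    """One login; the password check is assumed to have passed already."""

    def __init__(self, account, device_id, now):
        self.account, self.device_id = account, device_id
        # Assumed trigger: a device the account has not used before.
        self.locked = device_id not in account.known_devices
        self._code, self._expires, self._attempts = None, 0, 0
        if self.locked:
            self._code = secrets.token_hex(4).upper()
            self._expires, self._attempts = now + CODE_TTL, MAX_ATTEMPTS
            account.outbox.append(self._code)  # only the mailbox owner sees it

    def unlock(self, submitted, now):
        if not self.locked:
            return True
        if self._code is None or now > self._expires or self._attempts <= 0:
            self._code = None  # expired or guessed out: a new login is needed
            return False
        self._attempts -= 1
        guess = submitted.strip().upper().encode()
        if hmac.compare_digest(guess, self._code.encode()):  # constant time
            self.locked, self._code = False, None
            self.account.known_devices.add(self.device_id)  # assumed behaviour
            return True
        return False

    def perform(self, action):
        # Play continues while locked; only asset-draining actions are refused.
        if self.locked and action in RESTRICTED:
            raise PermissionError(f"{action} refused: session is coin locked")
        return f"{action} ok"
```

A stolen password alone yields a locked session: the holder can log in and play, but cannot drain the account without also reading the owner's mailbox.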
Rift soon augmented that system with their own authenticator, which was free for iOS and Android much like Blizzard's. They don't yet offer physical tokens though. There are posts dating back to launch day on their forums with players commenting that they expected, in light of the massive WoW hackings, to see an authenticator bundled with their game. The community was raising the call early and often, but it went unheeded. Psst... Trion... call VASCO. Their tokens are much cheaper than RSA's and last about 10 years.
In short... developers need to address the problem of account security as part of the launch of a game, and they need to do so in a way that is easy for players to use and secure enough to volley the ball back to the hackers' side of the court for their next advance in the security arms race.
The final leg of my thought process is the overall premise that security is important to the community. For me the logic flows like this: Player gets hacked... player gets pissed... player quits game. When players quit the game, they break some of the bonds that form the spiderweb that is their community network. That spiderweb could be their guild... could be their buddies... could be the people they supply (or buy from) in the auction house... could be the group they PvP with or against regularly. It's likely all of those things. One person leaving impacts all of those communities in a small way. If they happen to be a lynchpin person in any of those activities (say, the leader of a guild or the main tank for a raid team), then the impact could be much greater. If hacking is rampant enough, and enough strands of the spiderweb get broken faster than new ones can get formed, then the social fabric of the community breaks down and the community suffers. When the community suffers, not only do current subscriptions suffer but future ones as well. Friends no longer tell friends to join them in their game of choice. The forums get vocal and people get turned away by the bad press. Security is one of the critical building blocks of a stable, successful, healthy community. And community is one of the critical building blocks of a successful MMORPG.
So here we are in an evolution of MMOs and the audience they appeal to... account security is becoming an expectation of many players, and it is necessary for stable communities, which are important to an MMO's success. Hackers become increasingly sophisticated and diversified in their methods to get your account info (one of the most creative instances happened a few years back, when the website for the stadium hosting the Super Bowl was hacked and updated to steal the WoW account information of people who visited that site and then logged into WoW). With some major MMOs on the horizon such as SWTOR, it will be interesting to see if developers take account security as seriously as players expect them to. There was recent talk that SWTOR will see a million subscribers in its first year. That number could even be on the low side if the game plays well, because there is such a need in the community for another solid MMO. That will be a very tempting target for hackers, especially since that franchise is likely to bring in fresh faces to the MMO community who are not as diligent about account security as some veteran players are.
What are your thoughts on security? Do developers take it seriously enough? Is it as important to you as I seem to think it is to the overall community? Any creative ideas on how the problem could be better addressed?