Everything you need to know about security in social games [Interview]
If you're playing social games on Facebook, chances are you've at least seen the scam attempts. But security issues go far deeper than News Feed posts that claim "There's free Farm Cash here, we swear!" Truth is Facebook and Google+ are just as vulnerable to a wide-scale attack à la Sony's PlayStation Network debacle of 2011 as any other web service.
In fact, word on the street is that hacker activist group Anonymous plans to attack all of the Internet later next month. The threats don't come close to stopping there, and it's tough to keep up. So, we sat down with Citrix Systems Chief Security Strategist Kurt Roemer to get a better idea of what to expect, how to stay secure while gaming and his take on the state of secure gaming on Facebook, Google+ and even mobile.
What are the most common security threats to social gamers on Facebook, Google+ and mobile today, and what can players do to avoid them?
When you take a look at Facebook, people are able to sign up with minimal credentials, and Facebook really doesn't validate anything. I could basically sign up as you, Joe, just knowing a couple of things about you, and if you weren't on Facebook I could pretend to be you very easily.
There have been several bugs in Facebook in the past where a friend of a friend would have visibility to applications used by friends. You have to constantly be reviewing your privacy settings to make sure that you're not giving up your email address, what games you're playing, what your location is, who your friends are and several other things that are very important to you from a privacy perspective.
Are there any security threats that you think could hurt a player's financial security?
I even look at my son Kevin when he's playing games--there's a lot of additional money that you have to spend on add-ons. That money adds up, and a lot of times when you establish the account it's just out there. He can go in with my credit card right now and be able to buy a $10 add-on. Well, he could buy 10 a day and I wouldn't know until the next time I check the account.
There could also be a bug in the software or somebody could pull up an ad that is auto-clicking on all this and paying for services that you don't really intend. That's a real problem today with the way a lot of this is stored. But it's going to be a continued problem when things like near field communication and Google Payments roll onto mobile devices and more people are using them for more of their life, including gaming.
What's the likelihood of some wide-scale, crippling attack to happen on a platform like Facebook or Google+?
You look at groups like Anonymous, and they're saying they're gonna bring down the Internet on March 31 by attacking all of the root DNS servers. And they're gonna be having all of these attacks on corporations during the NATO Summits in Chicago in May. They definitely have the wherewithal and the tools to be able to go out and attack basically anyone.
They haven't targeted Facebook and other groups haven't, but there have been tools like Firesheep that can go through and read exactly what other people are doing in Facebook that are sitting there in the wireless network with you at the local Starbucks. The innovation in attacks and people being able to get in and manipulate these systems is really only going to increase.
In the past, the games were locked into a ROM and it was very difficult to see the code. Nowadays, it's very simple to reverse-engineer any of these web protocols, read what's going on and be able to manipulate. Really, you have to assume, if you're the gaming company, that people are manipulating data on the client, you can't trust anything that comes from the mobile platform and you have to validate everything.
When a player suffers a security breach through a social game on mobile or on the web, what are the usual steps to reverse the damage?
The first thing that players should do is take note of what they were doing at the time and exactly what happened. Then they should get on and report it through the gaming platform. You know, any professional gaming platform is going to have a way to report this, because they want to make sure the gameplay is fair. Let's face it: If the gameplay's unfair, it really should be because of superior skills, not because of inadequate security.
Any of the professional platforms are going to have a way to report this, be able to go back and look at what happened and rectify the situation. You can't have somebody beating you just because they were able to hack the game. If that's the case, people are going to stop playing the game.
Aside from keeping passwords private and avoiding scams, how can players play games on Facebook and other social networks more securely?
If you're on Windows, you need to make sure it's patched and up-to-date and anti-virus--all things that people tell you how to do. Don't run [in Windows] as an administrator so that you don't have too many rights. Many of the other platforms kind of take care of that for you, like iOS. There's not a lot you have to worry about there.
Pick strong passwords and don't use the same password across multiple sites and games. If somebody can read your password going into just one game, and it's the same password you use everywhere else including Facebook, it can really mess with you then. If you suspect that there's a problem, make sure that you understand what's being paid in there as well and hopefully be able to restrict some of the transactions.
Instead of leaving a credit card out there that might have a $1,000 available credit on it, you might want to use one of the one-time use credit cards for some of the gaming platforms or one of the cards that has limited value.
How effective do you think HTTPS on Facebook and other social gaming platforms is for gamers?
HTTPS just provides more encryption between the laptop or mobile device and the web server on the back end. What it does is it keeps people from being able to see information going across the wire or wireless network. The tool that I had mentioned before, Firesheep, only worked because there wasn't SSL [Secure Sockets Layer].
That only covers one portion of the equation. It doesn't cover anything in terms of the mobile platform that somebody is gaming from. It doesn't verify the identity of the user and it doesn't really help with security on the back end. But it is an essential piece in making sure that you can't manipulate data that's in transit.
What do you think future developments in gaming technology on social networks, like HTML5 and streaming through services like Gaikai, could mean for gamers' security? What can we do to prepare for that now?
HTML5 is being designed with security in mind, and it's an open standard that anyone can address, but it's still implemented through browsers. And the browser has typically been the least-secure application on any device, so you can plan on there being continued problems.
Even with HTML5 you can get in and manipulate the DOM, called the document object model, and be able to directly manipulate any objects that are shared back and forth between the client and the server. Really what it means is that any vendor that is making one of these games needs to make sure that critical decisions aren't made on the client, and anything that is sent from the client is double-checked and verified before it's accepted as true.
Streaming games are great to play. But from a security perspective, typically you're relying on somebody just picking their own streaming method and sending that down and often requiring some plug-ins to support it. Because of that, if it's not a widely-accepted standard that's much more unique, usually there's going to be security issues as a result.
Generally speaking, what's your take on the state of security in social gaming, and what can be done to improve it overall?
When you look at security in social gaming, I would liken it to Battleship. Every once in a while you'd figure out, 'Oh, I can move the ship or lie about a hit or a miss.' Now, multiply that by everybody you're playing with, and know that people can pick up the ships, can lie about their positions and move things around.
If you don't take that into account as a game developer, you're gonna have some real problems on your hands. You need to think about, first of all, how somebody could cheat or manipulate the system, and then design around that. You really need to be watching as well, how people are using it, and if you do get somebody who's very creative and able to work around the rules, very quickly address that.
As a user as well, keep up to date on forums and Twitter messages associated with the game, so if there is a problem that gamers need to be aware of, they have more information available to them now than they would have in the past. I guess that's one big positive: It's harder for the problems to hide, because everybody can get this out on Twitter in seconds.
How do you stay secure while gaming on Facebook or elsewhere? Do you think Facebook and the game creators do enough in the security department? Sound off in the comments.