Patrick Wyatt's presentation from GDC 2010: Developers versus Cybercriminals: Protecting your MMO from online crime

1. Developers versus Cybercriminals Protecting your MMO from online crime Patrick Wyatt En Masse Entertainment Copyright March 2010 by En Masse Entertainment. This document is distributed under the Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States. Please see http://creativecommons.org/licenses/by-nc-nd/3.0/us/ for further details.

2. Please note: this presentation differs from the one I gave at GDC 2010 by the inclusion of my notes in additional slides. All other content remains the same.

3. MMO profit potential Game hacking Gold farming Billing fraud Chat spam Phishing Account theft Griefing

4. MMO profit potential - notes Everyone is aware of the amount of money that has been made by a few standout titles in the MMO space, and consequently there’s a lot of interest in challenging those front-runners by making a great game that users will love. But you can spend $30-70 million making a great MMO that users love to play that still won’t be successful unless you’re prepared to face a challenge that's unrelated to making a fun game: hacking. The problems associated with hacking can destroy the fun of your online world, cause paying customers to leave in rage, and result in billing fraud issues that can ruin your business.

5. Background Credits Warcraft: Orcs versus Humans Warcraft 2: Tides of Darkness Warcraft 2: Beyond the Dark Portal Diablo Diablo 2 Starcraft Starcraft: Brood War battle.net Guild Wars Prophecies Guild Wars Factions Guild Wars Nightfall Guild Wars: Eye of the North Aion TERA (releasing early 2011) http://www.mobygames.com/developer/sheet/view/developerId,1019/

6. Threatmodeling / attack surface

7. Threatmodeling / attack surface If you read security literature it seems incredibly abstract, with discussions about minimizing the “attack surface” exposed to hackers, but few practical examples about what to look for or how to fix the problems. This presentation is an attempt to eliminate the disconnect between the theoretical approaches and the problem we’re trying to solve: stopping hackers from ruining our games!

8. Game hacking Hacking games is as easy as it was 20 years ago when I began hacking in earnest. My earliest successful attempt at game hacking was with a game called Armor Alley on the Macintosh. It was a hybrid 2D, side-scrolling helicopter simulator (similar to ChopLifter) coupled with a real-time strategy component where ground-units (infantry, tanks and anti-aircraft guns) could be purchased for cash. By simply changing the amount of cash in memory I was able to buy as many units as I liked and trivially win the game. But more to the point, I could do the same thing in a two-player game! It would have been easy for the developers to ensure that the other player’s computer validated that purchases were legal, and that the opponent was making a purchase that was backed up by money already in the account, but apparently it wasn’t considered important. The developers of Modern Warfare 2 seem to have taken the same approach to game hacking: ignoring it. Given that aimbot, wallhack, speedhack, field-of-view-hack, and many other hacks have been developed since the invention of First-Person Shooter games, they apparently spent little time developing solutions. Perhaps the most egregious hack was one where the hackers *tried* to get killed; every time they were killed by another player, instead of that player getting rewarded with kill-points, they would lose 800,000 points from their kill-score! This is simply a failure on the part of the developers. At the same time, since their game sold $1 billion dollars worth of product (perhaps more by the time you read this), it may not be critical for FPS games. In an online virtual world game, where our goal is to attract and *retain* players for long periods of time, stopping hacking is (apparently) more important.

9. How did my early attempts fare? With my early knowledge of game-hacking, and a Computer Science degree to my name, I thought I would be able to do a good job of preventing game exploits, but hacks affected my early attempts too. Warcraft (more specifically, Warcraft 1, Warcraft 2 and Starcraft, which all used the same engine) has a fully-synchronized network model that is “unhackable”. All actions from each player are simultaneously validated on every computer before they’re allowed to be activated, and invalid actions aren’t permitted. So if a hacker were to alter the amount of gold in his counting-house, while it would register on his own computer, other computers would disallow purchases which attempted to use the illegal gold. Unfortunately it turns out that, because every computer knows the entire state of the world in order to be able to validate player orders, it also means that it is possible to peek into the game state to see what the other player is buidling, how many units he has, and where they’re deployed, effectively destroying the fog-of-war that makes the game particularly hard (and fun). This is known as an information disclosure vulnerability, and means that the game needs trusted referees to be played securely. Another problem is creating a game-desynchronization bug to avoid a loss. If there are two computers in the game and they disagree about the state of the game, the only recourse is to throw away the results. Diablo was originally going to use the same network model as Warcraft, which would have prevented some amount of in-game cheating, but it was basically impossible to retrofit a secure networking model onto what was basically a giant hack to begin with. Consequently I had to invent what I now refer to as a “loosely synchronized network model”, where the first player who visits a level becomes the “level master”, and is responsible for tracking game state and performing some minimal level of validation of player actions. But because one player’s computer is the level master, that player has godlike powers to modify the game state as well as exploit or even kill other players. Repeated attempts to correct these problems were only moderately effective because the basic network model was flawed.

10. Hackers – Why do they do it? Rather than thinking about the “attack surface” of the game, I think a good conceptual way to start looking at the problem of hacking is to understand the motivations of hackers. There are lots of reasons that people hack, and we need to focus our efforts on the ones that have deleterious effects on the game-world: griefing, gold-farming and gray-sharding, which I’ll describe in the next few slides. Education Fun Challenge Reducing grind Causing grief Profit Outright theft of business

11. Griefing Griefers get their jollies causing anguish. No, really! Exploiting game system weaknesses Exploiting network protocol weaknesses Exploiting operating system weaknesses ! #*!! ! What # ? What ? #*!! You You #

12. Griefing Notes Griefers like to make players angry; that's how they have their fun. Unfortunately their behavior is incredibly detrimental to the community, game stickiness and player longevity. Victims of griefing are more than unhappy; they can be so enraged they quit the game in anger. The behavior is so common it’s known as “rage-quitting”. Here are some methods that griefers have used to annoy gamers: Exploiting game mechanics: Spamming messages in chat channels to overwhelm legitimate chat. Substituting worthless or inexpensive items for valuable ones during trades. Blocking access to areas players would like to visit. Monopolizing game markets to prevent players from purchasing items they need. Many, many more. To address these types of exploits it’s necessary to hire designers who think about griefing. In fact, hiring one or more griefers on the design team will likely make for a better play experience for players because those designers will be more aware of the exploits of the systems they’re creating. Ultimately, play mechanics must be designed with the idea that players will attempt to exploit the game 2. Exploiting game programming weaknesses: Send messages to appear to be from another player or from the server. Flood other players’ Internet connections to overwhelm their network router. Send messages that are designed to crash the game client or even the operating system. It was possible to send the so-called “Ping of Death” to Windows 95 computers that could crash the computer, and many games have similar bugs. Overwhelm servers with computation ("gray goo" in Second Life). It’s necessary for the programming team to develop strong network protocols that validate every message that’s sent to the server, and to ensure that client systems in peer-to-peer games can differentiate between messages sent by different players using a cryptographically secure mechanism. 3. Meta-griefing or large-scale hacking: Distributed denial-of-service attack. (Aion was attacked on launch day by determined hackers who tried to flood it off the ‘net). Slowloris: too many connections from one or more computers These types of hacks can be considerably more difficult to deal with, and can require coordinated efforts on the part of the development and network operations teams.

13. Why griefing is so pernicious Victims are mad and may leave the game = loss of revenue It costs money to provide help to griefing victims = customer support costs In addition to the loss of revenue that occurs when victims of griefing drop out of your game, it can cost more money when the Customer Support department is called in to help with the problem.

14. Gold Farming Notes $1B – $10B industry with many negative effects: Economic inflation Game exploitation Chat spam Billing Fraud Phishing Account Theft Physical Goods Theft

15. Gold Farming The next major area of hacking I’d like to address is gold farming. It's big business: - 400,000 - 1,000,000 professional gold-farmers worldwide - Somewhere between $1 - $10 billion dollar industry; potentially higher revenues than the game business! Why gold farming is a problem: - Economic inflation: games lack enough cash outflows because renting and leasing aren't "fun"; we're not playing Papers & Paychecks. - Design ideas have to be watered down because of the risks of exploitation by players. - Perception that rewards aren't earned diminishes the bragging rights associated with owning those rewards. - Gold farmers are in business to make money, and have no scruples about breaking terms-of-service and criminal laws: Account theft Masquerading as a figure of authority, like a GM Phishing emails, use of similar URLs, theft of account databases Fraudulent credit card and other payment methods Theft of physical goods (trailer trucks of game boxes) There is no disincentive to stop: because they generally live in countries with minimal intellectual property rights (e.g. China, Russia, etc.) there are no criminal charges or fines; the only disincentive is the inability of the hackers to generate revenue and turn a profit.

17. Prevention costs - licensing and per-transaction fees; technology integration and management costs

18. Loss of customers who appear to be fraudsters (false positives)

19. High chargeback rates lead to high fines (six figures or more) or revocation of the ability to take paymentThe console business model is based around a short shelf-life, but sales are critical to the life-cycle of MMOs because they need to continue to attract customers to stay healthy. Because games stay on retail shelves for such a short period of time, if the company can't sell the game online the game will die a certain death.

20. Gold-farming solutions Stopping the supply of illegal gold Device fingerprinting Proxy detection Phishing site detection and takedown Transaction review Telephone verification Shipping address verification Two-factor authentication Analytics: Banning players who “fit the profile” of gold farmers There are no easy solutions to stopping the *gold-supply* problem; it requires a substantial effort by an experienced security team that stays on top of phishing sites, tracks bot rings, reviews billing transactions, and analyzes player behavior to eliminate suspected gold-farmers from the player-base. Further, it’s necessary to consider how to reduce the risk that players lose their accounts to gold-farmers, so looking into solutions like two factor authentication using security tokens or mobile phone apps that can generate “one time passwords” (OTP) is a good idea.

24. Theft of the game source code. Valve Software lost the source code to Half Life 2 via a Trojan program sent via email.

26. Require operations staff use two-factor authentication when accessing servers to reduce the likelihood of Trojan attacks against datacenters.

27. Use TPM chips on hardware to encrypt the contents of hard-drives so that their theft doesn’t allow hackers to get access to code and/or binaries.

30. The fundamental issue for Western games is to shorten the path to detecting and eliminating problem users. If it takes an hour for a report to make it through the petition-queue before a player is banned, he will already have had time to create another account to start spamming. It’s necessary to look at solutions that can immediately eliminate the problem.

32. Finding the weakest link for single sign-on services; there may be many different login gateways and one has weak authentication or rate-limiting. Solution: make sure all authentication gateways share a common pathway that monitors and prevents rapid account attacks.

33. Steal database with passwords stored in plaintext (compromised RockYou database contained 32 million passwords). Solution: use the SRP-6a password storage algorithm, puh-lease.

34. Password guessing against known accounts using common passwords (10% of users in one game I worked on used trivially weak passwords). Solution: like Twitter, you should disallow users from choosing weak passwords like “1234567”, “qwertyioup” and “password”.

35. Phishing: copy a real site and steal user credentials. Solution: your security team will need to seek out and report phishing sites daily.

36. Host a game forum and try logging in using the same credentials in the game. Solution: consider two-factor authentication.

37. Steal the accounts of users who sign up for your “power leveling” service. Solution: tell users to change their passwords after power-leveling; we don’t *want* them to power level, but like kids having sex, it’s gonna happen – do you want your high school kid to be pregnant, or use a condom?

38. Listen on unsecured channels; some college networks are sometimes weak. Solution: make sure you’re using good crypto to forestall listening attacks.

39. Use password reset process to get new password, because users many times choose bad password reset “hint” questions. This hack was used successfully to exploit Sarah Palin’s account; the hacker answered a security question about her mother's maiden name. Solution: try to select questions with answers that can’t be guessed by hackers using Google.

40. Scam other players by making modifications to the trade window. Solution: call out modifications to the trade window! Show players the estimated value of the trade they’re making (both what they’re giving and what they’re getting).

42. Accounts hacked via Flash vulnerability; Guild Wars web site updated to detect obsolete Flash version and suggest that users upgrade.

44. Two Factor Authentication: notes When I first prepared this presentation I was prepared to talk about an unexploited weakness of two-factor authentication, but in the four weeks since writing the talk (and delivering it to a test-audience of University of Washington students) a cybercriminal had already implemented and successfully deployed an attack program. It’s not a true “man-in-the-middle” exploit of two-factor authentication. Instead, the hacker manages to get a Trojan program installed on a gamer’s computer, and that program intercepts the security value intended to be used to authenticate the user, redirecting it to one owned by the hacker. What we need is two-channel authentication, for example, logging into both the game client and via a mobile phone to securely authenticate through two channels instead of just through two-factors.

50. Make sure that security questions actually provide some security

52. Questions?