Current Gaming Security Topics (part 1, Child Security Thoughts)

Ok seat back, stuffed in this plane, ready to put some thoughts together.



So as I mentioned in my last post the main trends I have seen in the Online Gaming market have been (I've added):

• Child Protection (My post below)
  
• Keylogger/Trojan Protection (I wrote about this one a few weeks ago, I need to revisit this I think)
  
• Payment Protection
  
• Hosted Security Options
  
• Code/IP Protection
  
• End to End Security
  

I'll refine that list as I pull my thoughts together.



Let's start with the one that is closest to my heart, child protection. So I have 4 children that range in age from 16 to 4, which means I have many walks of life in the gaming space. My oldest is all about Facebook and other social gaming apps (Farmville, etc.). My 11 year old is all about pushing his boundaries, so he wants to play WoW and is dying to get on Facebook , but I've managed to sway him to stay on Wizard101, FreeRealms and FTP Flash Games for a little longer. My 6 year old is all about whatever the 11 year old is doing...but...WoW and Facebook appear to be out of his comprehension at this point, so he has stayed pretty much on Wizard101, Club Penguin and <insert web based gaming>. My youngest is content with watching her older brother run a character named for her through Wizard101 collecting pets and telling him where to move the little computer girl around the screen.

So the landscape of security risks for them are all over the place for me on a personal level. On a technical level, so far I don't even think one of them has thought about security at all yet. I sat my 11 year old down to chat about security on Facebook as he is just about ready to make the leap. I explained all about the "bad" people out there. His comment "Ok Dad, can I just set one up now?" I kinda expected that but the thought of him on Facebook is scary, I mean the 16 year old almost shocks me on a daily basis as I find out more through Facebook about her than I do when I chat with her. So for me security has to be introduced and I'm making a big push for it everywhere.

Since I work for the largest Token Manufacturer in the world (30 different hardware models alone now), it's hard not to let the kids play with them. My WoW account is protected by one and I must have a couple dozen hanging around with different logos that they have picked up and asked me how to use it. It's really my WoW account that really pointed me to what I thought should be investigated. I avoided having my account hacked and got the Authenticator on it as soon as they were ready. This stopped my kids from being able to login to move my character around (and get him killed). As long as I had my keys on me they were stuck. Then came the weekends, and since I am not a morning person, they would have the keys and off and running on my WoW running up my repair build. What I found interesting was exactly who was using the account now. I assumed it would be oldest boy (the 11 year old) but instead it was the 6 year old. He found it easier for himself to login, because he "didn't need to remember which keys were the password ones". Well this isn't really security but it sure sold me on the devices for children.

As far as the security goes, my account still hasn't been hacked and I still end up with new level 1 characters created in my account every few weekends. What I noticed on their Wizard101 accounts, is they have their passwords written down on scraps of paper everywhere, and not just once, there have be 3 or 4 scraps of paper with the password and username laying around my computer room. What shocked me even more was they were sharing it with our neighbors so that they could help them play (I stopped this activity pretty quickly I think). Additionally if my 6 year old left the desktop computer to play on the laptop he always needed my help, either to type in the username or to help remind him what keys he needed to press. I attempted an experiment and changed his password once, and the effect was pretty much the same. He just asked me to write it on more scraps of paper. The concept of security seems to be lost on children under 10. If it stops them from playing a game they will move on to the next game.

And what about the "bad" people. In the Industry I have been having lots of discussions about using a token to prove that the user is a child. It is an interesting concept. Basically if we put it in a store and ask the potential user to come into the store and buy the device we expect that we will get less people that will pretend to be children. It seems logical as I would imagine people might be more hesitant to walk into a store and buy a token that is labeled and packaged with kids toys. I do imagine that if a person wants to attack a child then this will probably be less of a hurdle for them, but it removes the anonymity of the user too and captures them on store surveillance video as they are purchasing the item.

So I think the last point of concern is the FTP (free to play) and social games. There are security issues here that are similar to the other games but for children the accounts appear to be too liquid (they create new ones every time they forget their passwords). As my company starts to roll out new security options soon I suspect that these types of games will have new options to embrace. As business goes I think these new technologies will help usher in a different type of thinking. No longer will it be the cost of doing security, instead it might be the cost of not doing security. I'll write up more on this technology at a later time.