Defending online games from piracy, cheating and fraud

Earlier this year the online gaming hit Grand Theft Auto V (GTA) fell victim to a hack that saw $1billion fake dollars flooding into the gaming coffers.  The attack caused huge disruption for GTA’s publishers Rockstar Games and resulted in the game being taken offline in order to remove the counterfeit cash, prompting countless complaints from disgruntled players.  This attack was one of a number of such incidents caused by gaming cheats that undermine the profitability of the industry.
This article investigates the nature of the most common attacks in the online gaming industry and asks what can be done to more effectively guard against them.   And as the industry watches Destiny, the next big blockbuster, high-budget video gaming production, begin its globally, we examine why games developers and publishers do not build security into gaming software as a matter of course. 

But let’s begin by taking a look at the challenges for gaming software developers themselves.  Developing a chart-topping online game is no simple task.  For example, the World of Warcraft game contains 5.5 million lines of code, and ensuring that each line of code is bug and flaw free is no easy exercise.  What’s more, the pressures placed on developers are typically focused around building in extra functionality or getting the games to market more quickly rather than ensuring that the code doesn’t offer any open invitations to hackers to exploit software vulnerabilities to their own ends.   
Industry analysts Gartner estimate that the worldwide video gaming market was worth an estimated $93 billion in 2013.  However, according to another study, only 20% of games realise a profit.  One of the main reasons why some 80% of games don’t generate a profit is down to piracy and cheating.  But how can gaming companies protect against piracy, cheating and other types of attacks prevalent in the online video gaming market place?

What Makes Games Different? 
In order to understand the issues at stake here it’s important to examine how gaming software is different from other types of software?  Business models for games range from the traditional single/multi-player packaged games to massively multi-player online games and freemium games.  Regardless of the business model, the majority have a client/server architecture, where the client software runs on the player’s mobile device, gaming console or PC and the server operates remotely interacting with all the players.  Because online games require immediate feedback from the client, there is generally insufficient time for the server to receive the inputs (“fire”), make decisions (“did I hit?) and respond to the player instantaneously (“you missed”).  This means that game servers must trust clients to determine outcomes (e.g. whether the bullet hit the target or not).  This means that the clients are trusted to play the game according to the rules, with the server not verifying game play in real-time. Due to the high latency and low bandwidth of many players’ network connections, this design and this element of trust will continue to be the de facto norm especially for massively multiplayer role playing or first person shooting  online game designs (MMORPG or FPSOG) for the foreseeable future.  
Herein lays the problem.  Players wishing to cheat are able to abuse this relationship of trust in a variety of ways.  One example is with a simple ‘lag switch’ which slows down the actions of other players in a user’s game client, and allows the user to steal a march on other players.  Cheaters also exploit the client-side trust issues by modifying game clients and data files on disk and in memory and by intercepting messages between the game client and the server.  Other techniques include modifying operating systems and device drivers, or even modifying hardware.  The end goal is to gain an unfair advantage over opponents.  For example a player might use an “aimbot” that ensures that his/her weapon hits the target every time.  Other common cheats are “texture hacks” designed to make walls invisible and depict enemies in bright technicolour, and “radar hacks” that equip players with radar vision enabling them to see targets beyond the regular field of vision.  Cheat programs can even allow players to teleport themselves or fly, by manipulating the character’s location in the local computer’s memory.  
Another problem with doing a lot of work on the client side is that the server does not need to do much except keep game clients informed of other game clients’ states.  Professional pirates often reverse engineer the client/server communications and create counterfeit servers or “gray shards” setting up their own communities of gamers, directly stealing revenue from the game publisher.  Pirates also make slight modifications to popular video games, rebrand them, and sell them.  This also results in revenue loss as gamers may choose to purchase the rebranded video games instead of the original authentic video games. 
Another area of revenue leakage for online games is where software licenses are subject to tampering attacks.  While some games overcome this by requiring constant connectivity to a server, always-on measures are hugely unpopular with users so routines that verify and enforce licenses are a challenge.  Finally, as in-game commerce grows in importance, more and more financial transactions are conducted within the game itself.  Unsurprisingly where there is money to be made, there are hackers – and a growing area of risk and revenue leakage is in preventing billing fraud.  

Mobile Games
A massive area of growth in gaming that is likely to attract increasing attention by cyber criminals is mobile gaming.  According to Gartner, mobile gaming will grow from 15 per cent of the gaming market in 2010 to 20 per cent of the gaming market in 2015, making it the fastest growing gaming platform.  Revenue from mobile gaming is set to almost double between 2013 and 2015 from $13.2 to $22 billion.  One of the largest challenges for a developer in this space is the proliferation of different devices and operating systems available, making the task of developing games tough enough without the added challenge of building in extra security layers.  Whilst most mobile devices are based on ARM processors, there are a variety of operating systems including iOS, Android, Palm OS, Windows Phone and others.  Add to this the multiplicity of programming languages available including Java, Objective C and .NET and the need for any game to support 80 to 90 per cent of all these platforms in order to achieve popularity – and the challenge is obvious.  

Solving the problem
Developing a best-selling game requires a huge investment.  It’s the special effects, videos and other proprietary IP that contributes significantly to the fun factor and compelling nature of a game.  There is also a substantial criminal infrastructure that specialises in selling cheating software and creating counterfeit games.  So how can developers prevent their software from being tampered with, reverse engineered and ripped off?  
Currently a common way for games developers to protect their software is by adding in surveillance technology outside of the game itself.  These additional modules don’t contribute to the game play, but instead monitor the other programs that run on a user’s PC or device, looking for processes that might constitute a threat to the game’s integrity.  Surveillance programs such as these not only create privacy concerns for gamers, but also have little impact on preventing tampering; essentially just closing the gate once the horse has bolted.
There are more effective ways for developers and publishers to protect against a variety of attacks, from piracy and tampering to just plain cheating and fraud.  The challenge, of course, is in ensuring that these measures don’t detract from the enjoyment factor of the game.  Application hardening solutions protect the integrity of software without impacting performance significantly or making the developer’s job more onerous.  These solutions allow applications to protect themselves by embedding logic that not only defends against code compromise, but also detects attacks and responds appropriately.  Small pieces of software known as Guards are inserted into the software binary after the development process is complete to deter hackers.  What’s more, when they detect, these guards will notify a forensic server. 
Building security into the game itself early in the development lifecycle is also critical.  The need for real-time responsiveness for players makes traditional preventative security controls infeasible.  Detective controls can offer a valuable compromise.  For example, some cheaters can be identified through server-side statistical analysis.  Players with nearly perfect aim or movement in unusual patterns are candidates for extra scrutiny.  Game operators can act on that information centrally banning players or taking other measures to restrict cheating.  Rich statistic gathering is just one example of a security control that cannot be added to a game easily after the game is launched. Paying attention to security early in the development lifecycle enables intelligent decision making about controls that should be implemented on the client side and the controls that should be implemented on the server side to prevent or detect piracy, tampering, cheating, fraud, etc. The right set of controls for a given game depends on the type of game, the business model, the supported platforms, etc.
Combining attention to security throughout the software development lifecycle with an effective hardening strategy can protect the game against cheating, piracy, reverse engineering and tampering and enforce usage terms without impacting the customer experience in any way.  This is a ‘win-win’ scenario for everyone but the cheats and hackers.