After the data breach

The massive data breach in the entertainment industry appears to have been plugged for the time being; now the time has come to count the losses. Online games and online entertainment are a profitable target for criminals, which makes up-to-date security standards a necessity. Many companies in the sector have long since prepared for this eventuality.

What starts out as a bit of fun can quickly end in tears, as recent events have shown only too clearly. Already hit by one tsunami, Japan quickly had to contend with a digital version: a hacker attack brought all the protective barriers crashing down and unleashed a flood of no fewer than 77 million personal records onto the Internet, where they quickly seeped away into the dank sewers of the shadow economy.

Alarm broke out once again among the authorities: data theft, especially of security-relevant files, not only severely damages reputations but also brings the public prosecutor into play. Under German law, for example, those who collect personal data are also responsible for its safe storage and must therefore also bear the cost of damage caused by its misuse.

The Federal Commissioner for Data Protection, Peter Schaar, makes no bones about it: “The company must be held liable for any damage caused.” And the compensation culture in the USA is traditionally even more rampant than in Germany.

Politicians have joined the fray once again: FDP General Secretary Christian Lindner demanded in an interview with the newspaper “Rheinpfalz am Sonntag” that Federal Minister of the Interior Friedrich take the necessary legal measures, arguing that a “responsible balance” must be found between user-friendliness, electronic applications and the protection of citizens' privacy.

It is no real surprise that Internet gaming platforms are increasingly being targeted by criminals: according to the PricewaterhouseCoopers study “Global Entertainment and Media Outlook 2008-2012”, they can look forward to average annual growth of 10.5 percent up to 2012, taking turnover to around 68 billion US dollars.

In the field of e-gambling, i.e. betting and gaming of all kinds, the forecast for 2012 is even expected to exceed the 630 billion dollar mark. However, chances are that these optimistic forecasts will have to be adjusted downwards, as the data leaks that occur on a regular basis are likely to curb the enthusiasm of players.

A catastrophe in the making – the main weaknesses

The data leaks that have hit the headlines are avoidable and come down to a string of lax security concepts: personal customer data, including passwords, continue to be stored in plaintext rather than salted and hashed, and many customer and employee accesses continue to be protected by obsolete mechanisms. Companies try to raise security levels on the basis of questionable recommendations while other fundamental weaknesses remain untouched. As a result, gaming platforms are still wide open to attacks by hackers.

Take the customer account, for example. If it is accessed from a PC, there is a danger of keylogger or sniffer programs. They are often planted by Trojan horses, silently log every password entry and transfer the captured data to the hacker's server, the so-called drop zone.

Even if a virus scanner is installed and the user is careful, they offer little protection against the sophisticated ploys hatched by the hackers: spy programs still find their way onto computers time and again, despite all warnings.

Experts agree: consumer devices lie outside the reach of any professional security system and should therefore be treated as fundamentally insecure. There is nothing groundbreaking about that. It is also widely acknowledged that there is little point in placing the burden of security on the user. Should they be expected to come up with a new monster password containing digits and special characters every week, and commit it to memory? Such a concept fails to strike the right balance between security and user-friendliness.

Better prevention – Strong Authentication

It doesn’t have to be this way, as the Japanese company Square Enix shows. The game provider protects its online platform with cutting-edge two-factor authentication: all participants in its Final Fantasy XI role-playing game receive a key-ring-sized authenticator.

At the press of a button, it generates a one-time password that is valid for only 32 seconds, and the device calculates a new value for every login. Passwords gleaned by keyloggers are therefore useless: by the time a captured code could be reused, it has expired. The remaining window is a real-time relay of the code by the attacker, which is why validity must be short and the server must also reject a code that has already been consumed. Access is possible via PlayStation 2 and Xbox 360 as well as Windows PCs, and the one-time password applies to each of these terminals.

This investment was far from superfluous, as official Japanese government figures demonstrate: in 2009 there were 2,289 cases of unauthorised access to online services, up by around a quarter compared with the previous year.

The online gaming business PartyGaming has also long been protecting its players with strong authentication. After all, there is a lot of money at stake, money that the hackers also want to siphon away. Customers of PartyPoker, PartyCasino, PartyBingo and PartyGammon register by downloading the PartyGaming client software.

After registration, they can obtain an authenticator called PartySecure from the online store. “The solution is highly scalable”, stresses a PartyGaming spokesperson. “It can grow with us and effortlessly cope with the growing number of online-players on our platform.”

Poker and betting are also secure on the online platform Betclic. “This has allowed us to increase the turnover per player and reduce the fluctuation rate of our VIP players,” says Sargon Petros, IT Operations and Infrastructure Manager at Betclic. “The implementation of the new security solution has boosted our profits.”

Effective security naturally comes at a price, as Square Enix, PartyGaming and Betclic were well aware. The damage caused time and again by hackers shows, however, that these companies, and many others in the industry, acted with foresight. At the same time, the hardware solution has allowed them to prevent unauthorised account-sharing and to increase customer confidence, frequency of use and turnover. Strong authentication brings economic advantages, precisely because nothing gets through.

A rewarding goal – the company network

Frequently, a company’s entire network falls victim to a digital attack. The large amount of user data stored on the network is more than tempting for criminals, and there is a brisk market for stolen accounts on the net. Even if each of them generates only a few cents on the black market, there are enough badly secured records out there to turn a hacker’s drop zone into a goldmine.

When it comes to the security of a company network, the weak spot is usually human error. In many cases a so-called spear phishing attack opens the gateway into the company LAN. In this highly personal attack, the hackers exploit the wealth of freely available personal data: the modern Internet user is networked on XING and Facebook and chats with friends on Twitter about what they are currently working on. What they don’t know is how many fake friends they have caught up in their net along the way.

Spear phishing – Personal data as bait

While the individual pieces of information may appear trivial in themselves, accumulated they can have quite an impact. If you are networked on XING with your boss and your system administrator and then announce on Twitter that you are “stressed at the moment because of the database maintenance”, you have provided enough ammunition for a cyber attack.

Suddenly an e-mail arrives, apparently from the admin or the department manager, saying that there are problems with the database and that the password must therefore be changed: simply enter the old one and a new one by following the enclosed link. While circumspect colleagues will immediately smell a rat and confirm the instruction by telephone, there is always one employee who falls for the sophisticated spear phishing. Home office workstations connected over a VPN are at particular risk.

That is why the same applies to employees as to customers: static passwords for access control are no longer up to the job. VPN users in particular must be equipped with effective two-factor authentication. The user must know something, a PIN in this case, and have something, an authenticator that calculates an individual one-time password that is valid only for a short time. Even if one of these passwords is captured, not all of the data doors are thrown wide open at the same time.
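The server side of the scheme just described, as an added example that is not code from the article or from VASCO: the user presents a PIN (something they know) and a short-lived one-time password from a token (something they have). The token algorithm is assumed here to be the standard RFC 6238 TOTP over HMAC-SHA1 with a 30-second step; the Digipass device in the article uses VASCO's own algorithm and a 32-second validity, which this example does not reproduce. The user names, PIN and token secret are constructed (the secret is the RFC 6238 reference value). Beyond the text, the example also shows why a keylogged PIN plus OTP is worthless: the server tolerates one step of clock drift but refuses a code from a time step that has already been consumed.

```python
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, int(unix_time) // step, digits)


class AuthServer:
    """Verifies PIN + OTP, tolerates one step of clock drift, and refuses replays."""

    def __init__(self, step: int = 30, drift_steps: int = 1):
        self.step = step
        self.drift_steps = drift_steps
        self.users = {}         # user -> (salt, pin_hash, token_secret)
        self.last_counter = {}  # user -> highest time-step counter already consumed

    @staticmethod
    def _hash_pin(pin: str, salt: bytes) -> bytes:
        # PINs are stored salted and hashed, never in plaintext.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def enroll(self, user: str, pin: str, token_secret: bytes) -> None:
        salt = os.urandom(16)
        self.users[user] = (salt, self._hash_pin(pin, salt), token_secret)
        self.last_counter[user] = -1

    def login(self, user: str, pin: str, otp: str, unix_time: int) -> str:
        """Returns 'ok', 'bad-pin', 'bad-otp' or 'replay'. Unknown users look like a bad PIN."""
        if user not in self.users:
            return "bad-pin"
        salt, pin_hash, secret = self.users[user]
        # Constant-time comparison so response timing cannot leak the PIN.
        if not hmac.compare_digest(self._hash_pin(pin, salt), pin_hash):
            return "bad-pin"
        current = int(unix_time) // self.step
        for counter in range(current - self.drift_steps, current + self.drift_steps + 1):
            if hmac.compare_digest(hotp(secret, counter), otp):
                # A code from a step that was already used is a replay: a password
                # captured by a keylogger is worthless once the victim has logged in.
                if counter <= self.last_counter[user]:
                    return "replay"
                self.last_counter[user] = counter
                return "ok"
        return "bad-otp"


if __name__ == "__main__":
    # Constructed demo data: RFC 6238 reference secret, not a real credential.
    SECRET = b"12345678901234567890"
    server = AuthServer()
    server.enroll("alice", "4711", SECRET)
    code = totp(SECRET, 59)                          # what Alice's token shows at t=59
    print(server.login("alice", "4711", code, 59))   # ok
    print(server.login("alice", "4711", code, 70))   # replay: attacker reuses keylogged code
    print(server.login("alice", "4711", code, 200))  # bad-otp: the validity window has passed
```

A stolen static password would have passed all three logins; with the token, the attacker gets at most the few seconds before the victim's own login consumes the code.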

Digital Signature – protection against identity theft

The spear phishing attacks keep succeeding not only because of the sloppiness of employees. Hackers exploit a fundamental weakness of e-mail communication: there is no reliable way to ascertain whether the sender is actually the person they claim to be.

Nothing could be easier than to send a recipient a mail purporting to come from another sender. As long as the recipient has to rely on a simple plausibility check to authenticate the sender, a small collection of data is enough to send a bogus mail from the boss. And who wants to anger the boss by querying an “order from above”?

Clear authentication of messages is as important as protection against tampering, particularly in electronic communication within companies. Both are achieved by a digital signature: a hash value of the document's contents is computed and signed with the sender's private key, and the recipient recomputes the hash and verifies the signature with the sender's public key. If the message has been altered or was not signed by the claimed sender, verification fails, so the signature guarantees both the integrity of the mail and the identity of its sender. The sender's private key can be held on a personal authentication device so that it cannot simply be copied. For security-relevant messages and requests, the digital signature should therefore become standard within companies.

Scalable servers – Cloud computing creates margins for manoeuvre

The introduction of a strong authentication infrastructure for all employees and customers naturally requires corresponding capacity in the authentication server. It is therefore important to allow for the fact that, in some areas of the online gaming industry, growth of around 30 percent per annum is expected.

Spiralling user numbers push many systems up against their limits. Here it is necessary to opt for platforms that have already proved their worth in the major companies of the financial industry. The greatest room for manoeuvre for expansion, however, is offered by a cloud solution such as Digipass as a service, which provides authentication globally from hosted systems. The customer does not need to purchase either hardware or software and pays only for the service it actually uses.

Tsunamis and hacker attacks have one thing in common: the question is not whether they will take place, but when and with what severity. Past experience has shown that barriers need to be set up in good time, barriers with enough reserves to cope with severe incidents on a scale not yet seen.

Targeted attacks on companies, especially in the entertainment industry, are already common. Only strong authentication and the digital signature protect against the losses incurred through compensation claims and lost confidence. Hence the need to implement them across the board, before the dams burst.


Jan Valcke is VASCO’s President & Chief Operating Officer and has held this position since 2002. Jan has been an officer of the company since 1996. From 1992 to 1996, he was VP of Sales and Marketing at Digipass NV/SA, a member of Digiline group. He co-founded Digiline in 1988 and was a member of the Board of Directors. He received a degree in Science from St. Amands College in Kortrijk, Belgium.