Posts

It’s Not a Game Anymore!

What if Transferwise (or pick any other bank or financial institution of your choosing) announced that 170M of their user accounts have been stolen? Would you still trust them with your hard earned money? Makes you think twice, doesn’t it…

But if I tell you that a company with turnover five times bigger than Transferwise witnessed the security breach of this enormous just last year and yes, a lot of people still trust them with their dollars, euros, yen’s, how would you feel?

I’m talking about Zynga’s security breach last September, when 173 million usernames and passwords were stolen. While the company and general public may want to downplay it — it’s just a game after all — the consequences for the gamers may be dire. Lots of gamers use the same credentials in multiple games and platforms. While they may not have a lot in stake in Farmville, they may have accounts worth tens or hundreds of dollars in Fortnite.

Since the era of free-to-play games and in-game transactions, the value of personal gamer accounts have increased significantly.

Game developers employ a multitude of different strategies to monetize the so-called free games and store the value in user accounts.

For example, Overwatch has a progression bar system for loot boxes, which means users anticipate the next drop. Each loot box contains something called “weapon skin.” The game then allows you to sell your weapon skin for the in-game currency. The in-game currency gives you access to the more premium loot boxes (Superior and Enhanced Battlepacks) which have a higher chance of containing premium weapon skins. You’re taught to keep trying to get the premium loot boxes, eventually making you take out your credit card.

Another popular title Candy Crush makes people buy extra moves. Once you run out of moves, you’ve technically lost, but there’s a popup that tells you that you can use one Lollypop to get three extra turns.

There are plenty of other examples based on the mystery boxes, wait-time-reducers, skill boosters etc. In short there’s a whole economy going on in the games. And to facilitate that economy, a lot of in-game currencies have been developed.

Here are just a few examples of in-game currencies based on RUSI’s research.

Gamers are working hard to earn the in-game currency whether to advance in the game, or actually monetize the rewards in player exchanges.

The gaming accounts may store more value than the average teenager bank account. And yet, we wave off the issue of gaming security as a child’s play.

Luckily, more and more game developers are now turning their heads and improving the security. Most common approach is to introduce two-factor authentication (2FA) mechanisms for enhanced account protection, either using Authy, Google Authenticator or custom-developed one-time access code generators.

While improving the security, the typical 2FA has its own downside, something that the game developers may fear even more than security breaches. It’s called friction. Users do not want complicated authentication mechanisms, they hate those 6-digits one-time codes they have to manually type into the login screens. The drop-off rates of the potential gamers may be a more serious problem for the game developers than the potential exposure of the account stealing.

When we at Agrello started to look at the gaming industry, it was immediately clear to us that we need to develop a solution somewhere in between — maintain the benefits of 2FA while trying to reduce the friction as much as possible.

Our technology is based on the cryptographic protection of a person’s digital identity that enables private-public key pair based digital signatures to authorise the transactions or issue digital signatures. In order to decrypt your private key stored in your mobile phone, you need to know the personal PIN-code. Once a private key is decrypted, it can be used to prove the identity and authorise the transaction. It is a widely known concept that is the basis of E-Estonia’s national digital identity.

For the gaming industry we take it one step further in usability. While you still can use personal PIN-codes, we also offer the user an option to authenticate herself using either fingerprint reading, or face recognition, if the device supports that. So — to sign in, all you need to do is open the .ID app and read the fingerprint or let the phone scan your face. No more 6-digit codes to type in.

To sum up, one-way or another, the gamers deserve better security. Some, if not most, have more value in their gaming accounts than in their bank accounts. It’s not a game anymore, it’s a serious business, real money.

Btw, check out our Game.ID site and participate in the survey.

Jarmo Tuisk
Head of Business and Product Development