Biometrics to the rescue

As I was browsing the web today – at light speed and without being able to pay attention to anything, as usual – a little blurb caught my eye.

Talking about gold farming, it said something a bit scary. Not scary in itself, perhaps, but scary in how we should have seen it coming earlier. Mentioning the new ‘trends’ in RMT and gold farming, the blurb said that some professional gold farmers were turning to hacking and mass raiding of accounts instead of the dirty daily business of collecting gold the hard way. Some farmers were finding this faster and more ‘efficient’. My thinking is that if it really is faster and more efficient, it’s only a matter of (short) time until the rest of the farmers catch on.

How to combat this? Biometrics.

The thought of having to identify oneself to play a game seems preposterous enough at first, but that’s what we’ve been doing ever since we started logging into our online games. So it’s not the act. What is it then?

A login and a password is a good system, and it worked well for a long time. In fact, it still works well for the vast majority of players. The problem comes when RMT enters the picture (something that was, by and large, unheard of a few years ago) and gold farmers become more and more proactive. Before RMT, the thought of hacking any game account seemed ludicrous. Ridiculous. What was the point? Very little, in fact. Other than a prank, a revenge attack or some other narrow and minuscule reason, it made no sense. Game accounts had no value. It was just players playing a game. Silly.

But RMT changed that. Now, after RMT, game accounts are not silly and they have value. How much value? As the old adage goes, as much as people are willing to pay for them. Or, in this case, as much as hackers are willing to invest in breaking into them and stripping them of game valuables.

Because, think whatever you want about RMT and gold farmers, but if one thing is certain, it is that these people are not stupid. Money – real money, not chocolate game money – is their bottom line 24/7. It’s a business. And if they are, in fact, turning to hacking and raiding to acquire the game gold they resell, it means that it makes financial sense for them to do it. Otherwise they would not do it, period.

This means that if game accounts are valuable to them, they should be valuable to the players as well. ‘Protect your game assets’ sounds so terribly silly. But then again, most of us come from a time when that sentence really was silly. Nowadays, it’s not as silly. Question time: Would you play a game, or be happy with a game, that let anyone access your account? Quite possibly not. Your account is yours. In that case, we should really go to whatever lengths are necessary to protect that account.

Logins and passwords work, and work well, for the vast majority of people. It’s a simple, elegant solution that most people immediately understand. But if these reports of proactive RMTers are to be believed, and if this raiding of accounts continues, it remains to be seen how effective logins and passwords ultimately are. They worked, undoubtedly, in the times when game accounts were not a target. When they were not under attack. So, what if accounts have become a target? If logins and passwords are phished or trojaned ten or twenty times as often, would they still hold as a solution? My hunch is no. Especially considering the thought and care your average gamer puts into selecting a complicated password and keeping it safe.

So, enter biometrics. It’s one solution among many (security professionals, feel free to chime in, please). How to apply biometrics to all this? It needs to be cheap, it needs to be simple and it needs to have a backup plan for when it doesn’t work.

Cheap – Because we’re talking about games here, not six-figure IT security solutions. Sure, you probably wouldn’t pay $100 or so for a fingerprint reader dongle to log into your game. But what if the game maker were to strike a deal with the dongle maker and bundle the dongle with the game? And if all you paid was an extra $2-$5 on your monthly sub? How’s that for a deal? Would you go for it then?

Simple – Because simplicity is good and we’re not trying to break into Fort Knox here, just to log into a game. And because gamers are dumb (there I said it).

Backup – Because gamers will most probably end up treating this thing with the same care as a controller. And we know how that always ends up. Once it breaks, there needs to be a vanilla login/password system in place, because hell hath no fury like a gamer who can’t log in. The catch is that the fallback path has to be protected at least as well as the biometric one, or an attacker simply ignores the dongle and goes through the fallback.

Looking around for less than a minute I found this little thing. It’s probably not exactly what we’re discussing here, but it does fit the parameters of cheap and simple. It’s $60. If Verant could bundle a stick of RAM with your cereal box for EQ years ago, others can bundle something like this and charge a little extra on your monthly sub. I’m sure there are other systems, better suited to the task at hand and possibly even cheaper.

Now the obligatory final disclaimer: If people took care to select, rotate and protect their passwords, account raiding wouldn’t be as viable. If people took care to avoid downloading trojans, many, many passwords wouldn’t be stolen. There is no IT security solution that can replace common sense and gray matter between the ears.

Gamers and ITSec peeps, feel free to chime in.


3 Responses to “Biometrics to the rescue”

  1. Cameron Sorden April 20, 2007 at 9:09 am

    Convenience is king for most consumers. Rotating passwords is far too much of a hassle, since you need to do it for ALL your services (and none of them should be the same, ideally). So yeah, we do need a new solution to the problem as more people (and thus, more scammers) start to clue in that virtual assets DO have real value.

    Would biometrics really be more secure though? I feel like it’s just a password in digital form that you can’t change. Sure, it’s more complicated to steal and spoof than a conventional password, but once you’ve got the data for someone’s thumb-print, well, they’re pretty much SOL, right? You can’t get a new pattern burned on. That’s why I’m skeptical of widespread use of biometrics.

    Hi, by the way! I found my way here by following your comment on Kill Ten Rats. You’re on my blog roll now. 🙂

  2. Julian April 20, 2007 at 9:24 am

    And hi to you right back. Grab a chair, get some coffee, stick around.

    Regarding passwords and thumbprints, yeah it’s all 1’s and 0’s in the end. If you can steal one, you can steal the other. I suppose a possible solution would be to start encrypting both. I imagine even a simple 128-bit key (which is about the standard, or below the standard nowadays as I understand it) would be more trouble than the farmers would like to put up with.

    That’s probably a good middle point between passwords in the wild and biometrics: encrypted passwords. It won’t solve the problem of them being stolen, but at least most farmers couldn’t use them. I doubt they’re gonna set up to crunch and crack the encryption on the passwords they collect. Although you never know.

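The exchange above is about what a game’s login server should hold so that a stolen copy of its account table is not a usable credential. The way that is normally done is not reversible encryption (which leaves a key on the server for the thief to take as well) but a one-way, salted, deliberately slow hash: the server stores a verifier, re-derives it from whatever the player types, and compares. The following is an added example in Python, not code from the original post or from any game company; the work factor and the sample passwords are assumed values chosen for illustration.

```python
"""Stored password verifiers for game-account logins.

Added example, not code from the original post. Shows what a login server
keeps instead of the password itself, why a stolen account table is not a
usable credential, and what password rotation looks like server-side.
"""
import hashlib
import hmac
import os
from typing import Dict

# Work factor for PBKDF2-HMAC-SHA256. Assumed value, not from the page; the
# point is that every guess costs the attacker real CPU time, so raise it as
# hardware gets faster. Tests pass a smaller value to stay quick.
ITERATIONS = 200_000
KEY_LEN = 32


def make_verifier(password: str, iterations: int = ITERATIONS) -> Dict[str, object]:
    """Build the record the server stores: a fresh random salt, the work
    factor, and the derived key. The password itself is never written down."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_LEN
    )
    return {"salt": salt, "iterations": iterations, "hash": dk}


def check_password(record: Dict[str, object], candidate: str) -> bool:
    """Re-derive the key from the candidate and compare in constant time,
    so response timing leaks nothing about how many bytes matched."""
    dk = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode("utf-8"),
        record["salt"],
        record["iterations"],
        dklen=len(record["hash"]),
    )
    return hmac.compare_digest(dk, record["hash"])


def stolen_record_is_usable_as_password(record: Dict[str, object]) -> bool:
    """A farmer who dumps the account table gets salt + hash. Presenting the
    hash itself at the login prompt is just another wrong password."""
    return check_password(record, record["hash"].hex())


def rotate_password(record: Dict[str, object], old: str, new: str) -> Dict[str, object]:
    """Rotation means a brand-new salt and hash. Fails closed if the caller
    cannot prove knowledge of the current password."""
    if not check_password(record, old):
        raise ValueError("current password does not verify")
    return make_verifier(new, record["iterations"])


if __name__ == "__main__":
    # Constructed walk-through with made-up passwords.
    rec = make_verifier("hunter2", iterations=50_000)
    print("login with right password:", check_password(rec, "hunter2"))
    print("login with wrong password:", check_password(rec, "Hunter2"))
    print("stolen hash works as password:", stolen_record_is_usable_as_password(rec))
    rec = rotate_password(rec, "hunter2", "correct horse battery")
    print("old password after rotation:", check_password(rec, "hunter2"))
```

Two things worth noticing. First, two players with the same password get different stored records because each gets its own salt, so a farmer cannot crack one hash and reuse it across the table. Second, rotation is cheap here precisely because a password is replaceable; a fingerprint template stored the same way would be just as hard to reverse, but once leaked there is no `rotate_password` for a thumb, which is exactly the objection raised in the first comment.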
  3. Mopy June 19, 2008 at 4:48 am

    Somehow I missed the point. Probably lost in translation 🙂 Anyway … nice blog to visit.

    cheers, Mopy.

