Once upon a time, video gaming was strictly an offline, console-based affair. Even PC-based titles were relegated to the safe confines of the player's local desktop machine. The arrival of affordable and ubiquitous high-speed internet transformed gaming into a highly interactive online activity; these days, the online component is an integral part of gameplay. But are gaming vendors doing enough to protect users against today's cyber threats?
Millions of eager gaming fans will again be clearing the shelves of local retail outlets this holiday season, as well as making purchases directly from gaming vendors' online stores. Unfortunately, they will also be unwittingly exposed to a myriad of cyber risks. The industry has already proved to be a lucrative stomping ground for cyber attackers: as you may recall, Sony PlayStation Network's (PSN) massive 2011 data breach resulted in a 23-day outage and 77 million accounts exposed. PSN was hacked again earlier this month, this time locking UK-based users out of their accounts and drawing large sums of money from associated bank accounts.
With 2016 revenues at an all-time high in a global market worth $99.6 billion, gaming vendors are flying high—but has this unprecedented growth been tempered with ongoing security improvements? From account signups to online credit card purchases, gaming activities are now irrevocably intertwined with the assumption of cyber risk. Let's take a look at how the leading video game enterprises fare when it comes to security fitness and resilience.
Gaming Vendor Roundup
The following companies run the gamut from popular PC gaming studios to the world's leading console vendors. All of their websites handle sensitive customer data via digital storefronts, online account creation/management portals, or a combination thereof.
Electronic Arts needs little introduction—the Redwood City-based video game publisher has dominated the industry for well over three decades. Its CSTAR score of 751 is good but nonetheless short of the ideal when it comes to website perimeter security: the lack of HTTP strict transport security, HttpOnly/secure cookies, DMARC, and DNSSEC leaves it vulnerable to cyber attackers.
Past titles like Half-Life, Counter-Strike, and Left 4 Dead have made Valve a household name amongst gamers. Furthermore, the company's Steam digital distribution platform offers thousands of games to over 65 million players worldwide. Despite this impressive user base, Steam's online storefront scores a mediocre 523 CSTAR rating for a number of security shortcomings: missing sitewide SSL, disabled DNSSEC, and lack of secure cookies, among others.
Formerly known as Blizzard Entertainment, Activision Blizzard is the publisher of wildly popular titles like Warcraft, Diablo, and StarCraft. Blizzard and its holding company Vivendi Games merged with Activision in 2009; unfortunately, it didn't inherit the parent company's security posture (Activision scores a decent 789 CSTAR rating). Activision Blizzard's low 513 CSTAR score is a result of various website perimeter security flaws like lack of sitewide SSL, server information leakage, and missing DNSSEC/DMARC, to name a few.
Despite various consumer hardware flops (Zune media player, anyone?), Microsoft's foray into the gaming world has been a lucrative one. The Xbox One console is second only to Sony's PS4 and its Xbox Live online multiplayer gaming service was recently dubbed the fastest, most reliable gaming network by analytics firm IHS Markit. Unfortunately, it scores a poor CSTAR rating of 428 due to various shortcomings such as lack of sitewide SSL, missing DMARC/DNSSEC, non-secure cookies, and other security flaws.
From the original NES to the DS and Wii, Nintendo's run of hits over the years is nothing short of legendary. However, its record for cyber security fitness is another story: despite falling victim to a data breach and a series of brute-force attacks back in 2013, the century-old video gaming behemoth has yet to bolster its security posture. Flaws such as lack of sitewide SSL, HTTP strict transport security, secure cookies, and DMARC/DNSSEC contribute to its low 475 CSTAR score.
Double Fine Productions is credited with introducing crowdfunding to the game development arena—its Broken Age point-and-click adventure game remains one of the largest Kickstarter-funded projects to date. Other popular titles created by the San Francisco-based game studio include the critically acclaimed Psychonauts, Brütal Legend, and Amnesia Fortnight. Its abysmal 304 CSTAR score represents a number of critical website perimeter security issues: lack of sitewide SSL, server information leakage, missing DMARC/DNSSEC, and open file sharing/mail ports.
Bethesda is credited with developing the first physics-based sports simulation engine used in early titles like Gridiron! and John Madden Football. The Elder Scrolls, Fallout and Dishonored series are considered groundbreaking titles in the gaming world. The company's website earns a good 789 CSTAR score despite security flaws like the absence of HTTP strict transport security, server information leakage, and lack of DMARC/DNSSEC.
Sony's PS4 may be the leading video game console by market share, but claiming this pole position puts it constantly in cyber attackers' crosshairs. Its 2011 data breach remains one of the biggest security compromises in history, and certainly the largest ever to befall a video game company. A small handful of security flaws like lack of HTTP strict transport security and disabled DMARC/DNSSEC result in a less-than-perfect CSTAR score of 836.
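Several of the perimeter checks cited throughout this roundup (HTTP strict transport security, secure/HttpOnly cookies, server information leakage, DMARC) can be evaluated from a site's response headers and its DMARC TXT record. The sketch below is an added example, not UpGuard's CSTAR scoring method; the function names, finding labels, and sample data are constructed for illustration, "information leakage" is assumed to mean a version number in the Server or X-Powered-By header, and DNSSEC is left out because it needs a live DNS query.

```python
import re

def audit_headers(headers):
    """Return findings for one HTTPS response given as (name, value) pairs."""
    lower = [(k.lower(), v) for k, v in headers]
    findings = []
    # HSTS counts only if a positive max-age is present.
    max_age = 0
    for k, v in lower:
        if k == "strict-transport-security":
            for part in v.split(";"):
                name, _, val = part.strip().partition("=")
                if name.lower() == "max-age" and val.strip('"').isdigit():
                    max_age = int(val.strip('"'))
    if max_age <= 0:
        findings.append("hsts-missing")
    for k, v in lower:
        if k == "set-cookie":
            name = v.split("=", 1)[0].strip()
            attrs = {p.strip().split("=")[0].lower() for p in v.split(";")[1:]}
            findings += [f"cookie-{name}-no-{f}"
                         for f in ("secure", "httponly") if f not in attrs]
        elif k in ("server", "x-powered-by") and re.search(r"\d", v):
            findings.append(f"version-leak-{k}")  # assumed meaning of "leakage"
    return findings

def audit_dmarc(txt_records):
    """Return findings for the TXT strings published at _dmarc.<domain>."""
    for rec in txt_records:
        tags = {k.strip().lower(): v.strip()
                for k, v in (t.split("=", 1) for t in rec.split(";") if "=" in t)}
        if tags.get("v") == "DMARC1":
            # p=none only monitors; quarantine and reject actually enforce.
            enforcing = tags.get("p", "").lower() in ("quarantine", "reject")
            return [] if enforcing else ["dmarc-not-enforcing"]
    return ["dmarc-missing"]

# Constructed sample data, not captured from any vendor named on this page.
WEAK = [("Server", "Apache/2.4.10 (Debian)"),
        ("Set-Cookie", "session=abc123; Path=/"),
        ("Set-Cookie", "prefs=dark; Path=/; Secure")]
HARDENED = [("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
            ("Server", "nginx"),
            ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax")]

if __name__ == "__main__":
    print(audit_headers(WEAK), audit_headers(HARDENED))
    print(audit_dmarc(["v=DMARC1; p=none; rua=mailto:reports@example.com"]))
```

The cookie check flags every cookie; session and authentication cookies are the ones where a missing Secure or HttpOnly flag matters most.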
Cyber attackers have a natural affinity for gaming vendors due to the volume and nature of exploitable data available: personal and player status information, credit card records, resellable game credits, and more. And because today's gaming systems cost a pretty penny, consumers with the means to indulge themselves make for high-value targets. Clearly, video game companies need to ratchet up security measures so as not to subject their customers to undue cyber risk. Find out for yourself how other game vendors stack up using UpGuard's CSTAR risk grader web application and Chrome extension for instantly validating a website's security posture.