Here’s a glaring example of how recreational online gaming of any sort can lead to unintentional expense and headache.

On May 27, Angela Moscaritolo at SC Magazine wrote an article about Symantec having discovered a database server hosting the stolen credentials of 44 million accounts belonging to at least 18 gaming websites.    You can see the article on the ERE RSS feed or at http://www.scmagazineus.com/44-million-stolen-gaming-credentials-discovered/article/171128/e.

Online gamers own virtual assets within their games.  These assets can be bought and sold for real dollars, up to thousands of dollars.  An individual who steals and uses a gamer’s identity will gain access to the gamer’s assets which they can then use, sell and vandalize.

In any instance, where a gaming siter has access to their gaming membership’s credit card and banking information, the potential for identity theft and credit theft is escalated if a gamer’s credentials are already stolen.

Online gamblers face similar risks as online gamers whose credentials are stolen, with the added grief of facing a foreign jurisdiction when attempting to claim for losses against the gaming site.  This is because most gaming sites, for reasons of US law, reside outside of the jurisdiction of the USA.

The same problem is faced by members of online transaction sites, where the members’ authentication credentials are stored by the transaction site.  If a member’s user name and password are stolen, the member faces exactly the same potential risks as the online gamer, and is exacerbated if the member’s credit information is also electronically stored with the site.

While credit companies are implementing multi-factor authentication in order to mitigate potential fraudulent transactions, electronically stored credit card information is still a potential security and theft vulnerability.    In these critical situations, my preference is to err on the side of conservatism; if anyone has access to electronic information, than potentially anybody has electronic access to that same information.

So the question is “What should gamers and transaction site members do to protect their electronic identities?”

The answers are pedantic but effective:

• Regularly change passwords.  Chances are that a stolen old password will be used by a theft and, of course, will be useless.
• Use groups of passwords, prioritized by importance, for different uses.  The best advice, of course, is to use a different password for every single use, including logon to your home and work computers, online banking, transaction sites, etc.  This is not practical for most folks, so a tradeoff is to have a few different passwords but never use the same password for both critical and less critical applications.
• Consider storing (new!) passwords in an encrypted file or an electronic vault.  Various programs and utilities are available for assisting with this process.  The immediate two benefits are that people do not store their passwords in an unencrypted state and that the stress of remembering all the passwords and their use immediately disappears.
• Store the password for your  “password vault” in a secure, non-electronic format or encrypt it with your own personal encryption system.  For instance –  add a suffix and prefix that are meaningful only to you and which are not composed of any personal information.
• Do not log onto any system over Wi-Fi or cellular network without the logon sequence being encrypted.  Otherwise the logon credentials are easy prey for “man in the middle” attacks.
• Do not share passwords with anyone.  Ever.

Have a secure week.

Ron Lepofsky, CISSP,  B. A. SC. (Mech Engineering)

Tags: Games Online, Gaming Websites, Identity Theft, Internet Security, IT Security

This entry was posted on Wednesday, June 2nd, 2010 at 4:58 pm and is filed under Security Postings. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.