This article looks at several security issues affecting online games and virtual worlds.
As online gaming becomes a billion-dollar industry and game companies make their revenue from subscription charges, new problems emerge which need to be taken very seriously. Online games containing graphical glitches, sound defects and poor performance will not be very popular. However, an online game with security flaws and mass-cheating will simply fail.
Several security issues related to online gaming are shared with other network applications; however, online gaming has a unique set of problems that need to be dealt with. The aim of creating a secure game is not only to ensure customers' credit card numbers are protected, but to ensure that all players receive a fair and entertaining experience. Otherwise, they won't play.
The rest of this article looks at some of the security-related issues in online gaming. Note that not all of the issues will apply to all types of games.
This has traditionally been the most important aspect of security in computer games. There are many different technologies that provide copy protection, but nearly all of them can be overcome. However, piracy is not so relevant to online games, as the game companies make money from subscriptions. Money can be made from selling boxed versions of online games by giving added-value content such as manuals, maps, and the box itself.
Hacking the Client
Many online games store game logic and player data on the server, and store graphics and sound on the client. This makes it difficult for hackers to cheat by altering statistics such as health or ammunition; however, it gives them full ability to change the graphics in a game. For many gamers, the ability to make modifications (known as mods) to games is almost as important as playing the game itself. However, imagine if one player modifies the game so that he can see through walls, and plays against somebody who can't. You can guess who will win. A simple solution to this problem is to ensure that all players are using the same modifications.
There are many programs available that let users examine, modify, send or block packets that are being transmitted to and from their computer. This causes several problems for online games, such as players blocking packets that may have a negative effect on them, or replaying packets that shoot an enemy player even though they have no ammunition left. Such situations can be avoided by keeping important variables on the server, and by encrypting packets. Even encrypted packets can be replayed, though, so a sequence number system should be used so that the server can verify the packets.
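The sequence-number check described above, as an added example that is not part of the original article. It authenticates packets with an HMAC rather than encrypting them, and the packet layout, the `Session` class and the `SHOOT` command are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # length of an HMAC-SHA256 tag

def seal(key: bytes, seq: int, payload: bytes) -> bytes:
    """Client side: 64-bit sequence number + payload, then a MAC over both."""
    body = struct.pack(">Q", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Session:
    """Server-side state for one player (hypothetical structure)."""

    def __init__(self, key: bytes, ammo: int):
        self.key = key
        self.last_seq = 0   # highest sequence number accepted so far
        self.ammo = ammo    # authoritative value, never read from the client

    def receive(self, packet: bytes) -> str:
        if len(packet) < 8 + TAG_LEN:
            return "rejected: malformed"
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad mac"      # modified or forged packet
        seq = struct.unpack(">Q", body[:8])[0]
        if seq <= self.last_seq:            # strict ordering; a real UDP game
            return "rejected: replay"       # would use a sliding window
        self.last_seq = seq
        if body[8:] == b"SHOOT":
            if self.ammo == 0:
                return "rejected: no ammo"  # server state decides, not the client
            self.ammo -= 1
            return "accepted: shot fired"
        return "accepted: ignored"

def demo():
    key = b"constructed-demo-key"           # constructed sample key
    session = Session(key, ammo=1)
    shot = seal(key, 1, b"SHOOT")
    tampered = shot[:8] + b"SHOOX" + shot[13:]
    return [
        session.receive(shot),                    # genuine packet
        session.receive(shot),                    # same bytes sent again
        session.receive(seal(key, 2, b"SHOOT")),  # fresh packet, empty magazine
        session.receive(tampered),                # payload altered in transit
    ]
```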
Area of Interest Management (AoIM) should also be used to minimize the data that the client has to receive. If a tree falls in a forest and no one is around to hear it fall, does it make a sound? In a virtual world using AoIM algorithms, the answer is no. AoIM algorithms limit network traffic in a virtual world to only what is necessary for each player. In a large virtual world, there could be thousands of players, with millions of variables that are constantly changing. If the client were to be kept updated with all variables, it could easily use up more bandwidth than available, causing network congestion and increasing latency. Put very simply, AoIM solves this problem by dividing the world into different geographical zones, and then only sending data regarding the zone that is directly related to each player.
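A grid-based version of the zone filtering described above, as an added example that is not part of the original article. The zone size, the function names and the choice to include the zones adjacent to the player's own (so that players near a zone edge still see their neighbours) are assumptions.

```python
from collections import defaultdict

ZONE_SIZE = 100  # world units per square zone (assumed value)

def zone_of(pos):
    """Grid coordinates of the zone containing a world position."""
    x, y = pos
    return (int(x // ZONE_SIZE), int(y // ZONE_SIZE))

def build_index(positions):
    """Map each zone to the set of entity ids currently inside it."""
    index = defaultdict(set)
    for entity, pos in positions.items():
        index[zone_of(pos)].add(entity)
    return index

def visible_to(player, positions, index, radius=1):
    """Entities in the player's zone and in zones within `radius` of it."""
    zx, zy = zone_of(positions[player])
    seen = set()
    for dx in range(-radius, radius + 1):
        for dy in range(-radius, radius + 1):
            seen |= index.get((zx + dx, zy + dy), set())
    seen.discard(player)
    return seen

def updates_for(player, changes, positions, index):
    """Reduce one tick's state changes to what this client is sent.

    Anything outside the player's area of interest never leaves the
    server, so a modified client has nothing extra to display.
    """
    allowed = visible_to(player, positions, index)
    return {e: state for e, state in changes.items() if e in allowed}

# Constructed sample world: two players close together, one far away
# standing next to a tree.
POSITIONS = {
    "alice": (50, 50),
    "bob": (120, 60),
    "carol": (950, 950),
    "tree": (960, 940),
}
CHANGES = {"tree": "fell", "bob": "moved"}

def demo():
    index = build_index(POSITIONS)
    return {p: updates_for(p, CHANGES, POSITIONS, index)
            for p in ("alice", "carol")}
```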
Players in virtual worlds can have a lot of freedom to do as they please. This could include running around causing sexual and racial abuse. Such abuse reduces and spoils the fun and can damage the popularity of the game. There are two ways around this problem. The first is to allow other players to report such abuse. This requires adequate logging facilities so that any allegations can be proved and the offending player can be dealt with accordingly. The second, which limits the damage in the first place, is to give players the option of censorship. This relies on intelligent game software detecting offensive behavior and hiding it from players who wish to be protected. Another form of social abuse could be using a game for commercial or advertising purposes, or tricking people into giving out credit card numbers etc. This can again be prevented by reporting such abuse, and by educating users.
Since a password is the key to accessing account information and the player's character, it is important that the same password protection techniques are used as in other sensitive applications. These can include encryption when transmitting sensitive data, and educating players not to use obvious passwords or inadvertently give them out. In some situations, server authentication may also be necessary to ensure hackers have not set up bogus servers that can be used to collect a user's password.
Denial of Service
Such attacks can be used to reduce the responsiveness of other players. This is hard to avoid when using a peer-to-peer topology; however, in client-server based games, simply not distributing other players' IP addresses will avoid this problem. Attacks on game servers are also possible. This is unlikely to give any specific player an advantage, but it is likely to make the game unplayable for everybody. Using server software that drops non-game packets and technology such as XenoService will help to reduce the effects of such attacks.
This could be either accidental or deliberate. System administrators responsible for the virtual world are probably enthusiastic players in the game itself. But can they be trusted not to abuse their god-like position? Or perhaps a system administrator decides to make a few changes to the game world without fully considering possible implications. Therefore powers should be restricted where possible, monitoring is necessary, and procedures must be set in place and followed.
Due to the complexity and nature of virtual worlds, it is essential to keep several versions of backups from different time periods. For example, if a serious bug is found after many players have taken advantage of it, this could cause a major imbalance in the economics of the world. It is often better to restore the game from a time before the bug was taken advantage of than to let play carry on as is, even if it means losing several days' worth of play. Most players would prefer this to having to start again from scratch.
By logging access to game servers, recording important events (e.g. player advancement), and keeping track of key quantities such as the number of rare items in the game, game administrators can identify or verify where cheating is taking place.
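One way to track a key quantity from event logs, as an added example that is not part of the original article. The log format, event names and item name are constructed for illustration; the check flags events the ledger cannot explain and compares the items in circulation with what the server actually created.

```python
from collections import Counter

# Constructed sample log: "<tick> <event> <item> <player> [<receiver>]"
SAMPLE_LOG = """\
100 DROP dragon_sword alice
140 TRADE dragon_sword alice bob
150 TRADE dragon_sword alice carol
200 DROP dragon_sword dave
210 DESTROY dragon_sword dave
"""

def audit(log: str):
    """Replay item events and flag any that the ledger cannot explain."""
    held = Counter()   # (player, item) -> number held according to the log
    alerts = []
    for line in log.splitlines():
        tick, event, item, player, *rest = line.split()
        if event == "DROP":                # server created one item
            held[(player, item)] += 1
            continue
        # TRADE and DESTROY both give up an item the player must hold
        if held[(player, item)] == 0:
            alerts.append((int(tick), player, f"{event} of {item} not held"))
        else:
            held[(player, item)] -= 1
        if event == "TRADE":
            held[(rest[0], item)] += 1     # the receiver gains it either way
    return alerts, held

def in_circulation(held, item):
    """Total number of `item` held across all players."""
    return sum(n for (_, it), n in held.items() if it == item)

def expected_supply(log: str, item: str) -> int:
    """Items the server created minus items it destroyed."""
    events = [line.split() for line in log.splitlines()]
    return sum((e[1] == "DROP") - (e[1] == "DESTROY")
               for e in events if e[2] == item)
```

On the sample log, two swords are in circulation although the server's own events account for only one, and the alert points at the trade at tick 150.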
A player may disconnect from a game seconds before being killed, perhaps then reconnecting with another character and finishing off the battle. Two can play at that game, but then nobody dies, the game becomes boring, and good players stop playing. This can be solved by game design, for example by making a character go into an auto-pilot mode for a period of time after disconnection.
Games should include a comprehensive list of terms and conditions that will allow termination of players who break the rules. However, it is essential that mistakes are not made, as one wrongly banned customer could cause an uproar. Also, it could be difficult to stop banned users from signing up again, especially on free systems that do not require credit card numbers.
It is probably impossible to make a perfectly secure online game; however, it is certainly possible and desirable to reduce and limit misuse, allowing customers a good experience in a virtual world. Good design and programming, increased user awareness, ongoing maintenance and supervision will help to achieve this.