Cybersecurity for Game Developers: Top Tips to Stay Safe
Sarah Impey
Content Creator at GameAnalytics
There’s a common misconception that cybercriminals only target big business. But small businesses are actually three times more likely to be a target than larger companies. From the hacker’s perspective, it’s easy pickings. Small businesses have less security and fewer safeguards in place to protect themselves.
But protecting yourself isn’t necessarily hard. Not if you’re aware of the techniques hackers use. So, with data breaches becoming increasingly common in the news, we thought we’d give a little advice about how to protect yourself.
How do hackers attack game developers?
It’s not just your game that hackers might target. They could target your business and infrastructure, too. That’s why it’s important to think about how your game, backend systems, and internal tools all link together – especially if you’re making a multiplayer game.
For example, if you’re a small developer, you might decide to host your multiplayer matches on your own servers. But if those are the same servers where you store your player database, filled with usernames and passwords, you’re making it easy to find that data.
Social engineering is the biggest threat
Research from CS Hub found that social engineering is the number one business threat. This is just a fancy way of saying that the easiest way to hack someone is to trick the people themselves – your players or your employees. In other words, if you want to break into a vault, it’s far easier to get the manager to open the door for you than to drill your way in.
Hackers will go to extreme lengths to trick you. It might be as simple as an email that looks like it’s from one of your tools. Or it might be complicated. For example, they might look at your CEO’s Facebook page, hack their daughter’s account, and send a message from her asking for information that could help them guess a password.
Eventually, they could end up being able to send emails directly from the CEO’s personal account. Would you question an email from your boss telling you to send them an access code? Probably not. But you should.
Exploiting your game
Hackers can either look at your game code directly, try to inject code, or just generate random inputs until they strike lucky. This is usually fine in a single-player game, where spawning in an item doesn’t matter. But in a multiplayer game, where there might be real-world value to those items, it can be a serious problem.
Admin commands are particularly juicy for hackers. If you’re running an MMO, those admins might have tools to block players, reset passwords, or see people’s real names. Having those commands could help them trick a player or even blackmail them.
Targeting your infrastructure
A Distributed Denial of Service (DDoS) attack is where a hacker sends thousands – if not millions – of requests at your servers in the hope of overloading them and making them crash.
At the very least, it can be irritating. Your game falls down and you lose revenue. But hackers might also use it to blackmail you by holding your game hostage.
They could target your file storage, your databases, your employees’ laptops, your emails – everything around your game.
Protecting your game from hackers
Most security experts tout one rule: Zero trust. Approach everything with scepticism. Do that, and you’re far less likely to succumb to trickery.
Teach staff and players about social engineering
Education is key. If people know the techniques hackers might use, they often think twice before giving away valuable information. They question whether that email is legitimate or whether they should really be giving that code they were texted to the person on the other end of the phone.
Obviously, it’s far easier to teach your staff. But you want to educate players, too. If you have an in-game chat function, remind players that you’ll never ask them for their password. Or to never tell anybody the two-factor authentication code you just sent.
Check through another medium
Now that your people are familiar with the types of attack, they will hopefully avoid giving out sensitive information. But what if your CEO really does need that access code?
Simple. Check using another communication tool. Give them a ring or set up a video call. That way, you’ve got proof it’s actually them asking for the information.
Make sure every layer of encryption is strong
It’s all well and good to have super strong encryption on your player database. But it’s all for nothing if someone’s email password is just “password123”. There’s a reason “the weakest link” is a common phrase.
Keep everything up to date
As tempting as it is to hit “remind me later” whenever you get a popup for an update, just update it. Whether it’s your operating system, your game engine, or some third-party plug-in you’re using. Make sure everything is up to date.
Test your game for exploits
Try breaking your own game. Think like a hacker and see if you can summon items, use admin commands or launch services. Generate random inputs and try to inject code into every text box you have.
You can even offer rewards to players if they find bugs. Sure, most of those might not have any serious ramifications. But some might.
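One way to automate that kind of self-testing, as an added example that is not from the original article: a small fuzz harness that throws random and mutated chat commands at a server-side command handler while logged in as an ordinary player, and reports any input that gets an admin command executed. The command names, the handle_command function and the player record are all hypothetical.

```python
import random
import string

ADMIN_COMMANDS = {"ban", "resetpw", "give"}   # hypothetical admin-only commands
PLAYER_COMMANDS = {"say", "emote"}            # hypothetical commands open to everyone

def handle_command(player, raw):
    """Server-side handler. The role comes from the server's own session
    record for the player, never from anything inside the message."""
    if not isinstance(raw, str) or len(raw) > 256 or not raw.startswith("/"):
        return ("rejected", None)
    parts = raw[1:].split()
    if not parts:
        return ("rejected", None)
    cmd = parts[0].lower()                    # normalise case before any check
    if cmd in ADMIN_COMMANDS:
        if player.get("role") != "admin":
            return ("denied", cmd)
        return ("ok", cmd)
    if cmd in PLAYER_COMMANDS:
        return ("ok", cmd)
    return ("rejected", None)

def fuzz(rounds=5000, seed=1):
    """Run random and mutated inputs as a normal player. Returns every input
    that executed an admin command; an unhandled exception also fails the run."""
    rng = random.Random(seed)                 # fixed seed so failures reproduce
    player = {"name": "tester", "role": "player"}
    # Constructed seed inputs: valid commands plus near-miss variants.
    seeds = ["/give sword 99", "/ban someone", "/resetpw someone", "/say hi",
             "/GIVE gold", "/ give x", "//give x", "/give\x00 x", "/say /give x"]
    failures = []
    for _ in range(rounds):
        if rng.random() < 0.5:                # fully random printable string
            raw = "".join(rng.choice(string.printable)
                          for _ in range(rng.randint(0, 40)))
        else:                                 # mutate a realistic command
            chars = list(rng.choice(seeds))
            for _ in range(rng.randint(0, 3)):
                chars.insert(rng.randint(0, len(chars)), rng.choice(string.printable))
            raw = "".join(chars)
        status, cmd = handle_command(player, raw)
        if status == "ok" and cmd in ADMIN_COMMANDS:
            failures.append(raw)
    return failures

if __name__ == "__main__":
    print("inputs that bypassed the admin check:", fuzz())
```

Run it in your test suite on every build; a non-empty list means a player-level account reached an admin command.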
Hide sensitive code from the client-side image
Put blockers in place to stop hackers from directly seeing the code that’s requesting information. And make sure the data itself is encrypted. For example, if you need to call on a player database to get their name, don’t call it directly from the player’s image. Otherwise, the hacker could find out what service you’re calling and even get the IP address of the database.
Instead, call the server-side image and get it to do the heavy lifting. It can then encrypt the specific data and send it back to the player. Even if they break the encryption, they don’t get access to the database itself.
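The pattern described above, as an added example that is not from the original article: the client only ever talks to a server-side function, which checks the session, validates the request, queries the database with a bound parameter, and returns just the one field the client needs. The table layout, session store and function name are assumptions, and transport encryption (TLS) is assumed to be handled by the server's network layer.

```python
import sqlite3

# Constructed in-memory database standing in for the real player database.
# In production its address and credentials exist only on the server.
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE players "
           "(id INTEGER PRIMARY KEY, name TEXT, email TEXT, pw_hash TEXT)")
db.executemany("INSERT INTO players VALUES (?, ?, ?, ?)", [
    (1, "Ayla", "ayla@example.com", "constructed-hash-a"),
    (2, "Borin", "borin@example.com", "constructed-hash-b"),
])

# Hypothetical session store: token -> player id, held server-side only.
SESSIONS = {"tok-ayla": 1}

def get_display_name(session_token, requested_id):
    """The only thing the game client can call. It never sees the database
    address, the query, or any column other than the display name."""
    if SESSIONS.get(session_token) is None:
        return {"error": "not authenticated"}
    # Reject anything that is not a plain integer before it gets near SQL.
    if not isinstance(requested_id, int) or isinstance(requested_id, bool):
        return {"error": "bad request"}
    # Bound parameter: the id is passed as data, never spliced into the query.
    row = db.execute("SELECT name FROM players WHERE id = ?",
                     (requested_id,)).fetchone()
    if row is None:
        return {"error": "not found"}
    # Return the minimum: no email, no password hash, no internal fields.
    return {"id": requested_id, "name": row[0]}

if __name__ == "__main__":
    print(get_display_name("tok-ayla", 2))            # normal lookup
    print(get_display_name("tok-ayla", "2 OR 1=1"))   # malformed id is refused
    print(get_display_name("stolen-or-fake", 2))      # no valid session
```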
Keep your data safe with DataSuite
If you’re collecting and storing analytics data from lots of different sources, you probably want a data warehouse. With DataSuite, we host and keep all that data secure on our servers. And we never share it with any third parties, so you have total control over it. Read more about DataSuite and see if it’ll work for you.