When reports surfaced on 14 November 2016 that the leader of a group of hackers who made several millions off Electronic Arts (EA) had gone on trial, it brought to our consciousness how vital security is even for gaming companies and other online businesses.
According to the FBI, the hackers led by Anthony Clark conspired to commit wire fraud by mining FIFA coins from EA’s servers and then selling the coins to online black market dealers in Europe and China. The hackers are estimated to have made anywhere between $15milion and $18million from this system which started back in 2013 and lasted until September 2015.
If you’re wondering what FIFA coins are, they are the in-game currency of EA’s popular FIFA football game. The coins are either gained by playing football matches or by buying them with real-life currency. However, FIFA coins can be bought from several black market dealers, especially in Europe and China. And it is this opportunity that Clark and his group exploited undetected for about two years.
A Trail of Security Breaches for Major Companies
Clark and his codefendants Ricky Miler, Eaton Zveare and Nicholas Castelluci formed a hacking group named Rane Developments. Rane Developments is directly linked with infamous hacker group Xbox Underground charged in 2014 for stealing software from several big players in the gaming industry including Microsoft and Valve.
According to one of the members of Xbox Underground, Austin Alcala, he had worked with Rane Developments to obtain Xbox development kits and reverse-engineered a reproduced copy of FIFA 14 which ultimately allowed them to develop a tool for mining FIFA coins.
Server Anomalies Undetected
The hackers mined FIFA coins by sending false game signals to EA’s servers to spoof matches and then generate FIFA coins at a quick rate. While this can (but shouldn’t) go undetected for a short period, spoofing matches over the course of two years highlights embarrassing security loopholes for EA.
It is not clear how the scheme was exposed although reports suggest investigations started after the FBI seized property and cash in the name of Anthony Clark. Would the scheme have come to light if the FBI didn’t take interest in Clark’s suspicious newfound wealth?
For a game where the digital coins are an integral part of the gaming experience and the company’s commercial operations, you would expect that there would be adequate security. FIFA is already well-known to be attractive to third-party vendors (read black market dealers), and EA should have measures to guard against loopholes such as spoofing which serve the dirty players. Such a scheme going undetected for so long speaks poorly of the company’s security.
Server Security Remains Paramount
Every year, a large number of both large and small businesses experience security breaches or security breach attempts. No matter how secure a system is there is almost always a point of failure especially if insiders are involved. But, having a security breach go unnoticed for so long presents a whole new challenge to gaming industries and businesses at large.
Experts and novices alike have asked questions of EA such as:
- Is there no way to identify normal game playing patterns from spoofed ones?
- How did such rapid generation of coins worth about $18 or more in total go unnoticed for so long?
- Was the attack on a single server location or distributed?
Major gaming companies use Content Delivery Networks to enhance gaming experience for users worldwide. CDNs multiple points of failure and this article on Tech Target suggests what may have happened with EA’s servers.
EA had another publicized security issue in 2015 when hackers tricked the company into releasing EA origin accounts of targeted users to an email address owned by the hackers. Other gaming companies and online businesses at large can learn from this.
According to security expert Mike at cloud and CDN service provider Free Parking, “internet security is more than a set of precautions and protocols. It’s an attitude and culture history has shown even big players take for granted”. The company’s services ranging from domain names, accessible at www.freeparking.co.nz/domain-names-nz to webhosting are designed with security in mind.
Hackers will always attack secure systems either for financial gain or just for the sake of the challenge. For gaming companies and other online businesses, however, the risk is more serious and the damage is often more than just financial losses.
Here’s hoping that EA and other gaming companies do more to make gaming a secure and authentic experience for us.
- Can EA please do away with the micro transactions?