It’s all fun and games until someone gets hacked.
This week marks the end of one console generation and the beginning of a brand new adventure. The Playstation 4 and Xbox One were both released to consumers in November of 2013. In the years since, both consoles have given gamers plenty of reasons to celebrate. A slew of award-winning exclusive games on PS4 and the launch of several consumer-friendly initiatives from Microsoft, like Xbox Game Pass, pleased both sides of the console wars.
But now the year is 2020, and gamers are ready for something new. The Xbox Series X began launching for consumers starting on November 10th, and the Playstation 5 is gearing up for its first phase of launch on November 12th. This undoubtedly is an exciting time for the booming industry.
But how safe are these new consoles going to be? Gaming consoles are no stranger to massive and expensive security breaches. This problem is compounded further by the fact that consoles in today’s modern age are expected to be “all in one” media systems that store tons of personally identifiable information (PII), including login credentials, billing information, and more.
In this blog post, we’ll be covering the many common ways that hackers infiltrate game consoles and networks and how you can defend against these types of attacks.
While learning the history of cybersecurity in gaming through our previous blog is important for us to learn for the future, detailing common ways that hackers breach gaming consoles TODAY will prove to be just as — if not more – important.
With this being said, here are five of the most common ways that nefarious attackers use to infiltrate consoles like the Playstation 5 and Xbox Series X:
Distributed Denial of Service, or DDos attacks are used frequently by hackers to overwhelm and then take down a website, web service, or network by flooding a server with massive amounts of data and traffic. This makes the server “fall over,” crippling the service.
These attacks are very common with gaming consoles, as attackers frequently target online services like the PlayStation Network, Xbox Live, Nintendo Switch Online, Steam, and much more. For example, 2011’s massive attack on the Playstation Network was in large part due to DDoS attacks.
While DDos attacks are an annoyance to gamers and companies alike, they rarely lead to massive data or monetary loss, doing more damage to a company’s reputation.
Spoofed websites, a popular type of malware attack, are extremely common in the gaming industry. These attacks, which can be carried out on legitimate websites from reputable businesses or through faked websites, can be devastating to gamers.
You have seen examples of spoofed websites obtaining thousands of login credentials with big companies like Netflix, but gamers are equally in danger. For example, the video game streaming platform Twitch was hit with a spoofed website attack back in 2015. This attack exposed thousands of individuals’ information to the attackers.
Spoofed websites are one of the most effective tactics that attackers use to obtain personally identifiable information like names, addresses, and even banking information.
It is no secret that attackers are constantly on the lookout for login information, regardless of the sector. This is just as frequent of a target in the gaming industry, and there are many real-world examples of data leaks from Sony, Microsoft, Apple, and more.
Additionally, since gaming — much like the cybersecurity industry — is a highly technical industry, attackers know specific behaviors and social engineering tactics that help them infiltrate accounts on consoles.
Sure, most breaches on personal accounts are done by simple guessing and trial-and-error, but attackers also make use of brute force and keylogging techniques.
Brute force — A hacking technique of cracking an account password by using a large library of saved passwords.
Keylogging — Hacking software that tracks and records the keys struck on a keyboard to obtain passwords.
While not typically associated with attacks in the gaming industry. However, gaming ransomware attacks exist, especially with smaller hackers. For example, hackers can gain access to your gaming console or account and inject them with ransomware, preventing the gamer from playing their favorite games.
The attackers then demand a payment from the individual in order for them to have their game files decrypted and returned safely. This is especially common in the PC and Mac gaming space, as injecting ransomware into a secure console like a Playstation is a challenge.
In addition to ransomware, scareware is also used to pry money from gamers. Scareware is an attack designed to mimic the look and feel of a legitimate organization in order to scare individuals into paying to “unlock access” they usually already have in the first place. For example, many scareware campaigns exist for the computer gaming platform Steam. Steam is a free-to-use service, but many campaigns are carried out to dupe victims into paying attackers.
Attackers often breach gamers and gaming organizations by using phishing or social engineering. For example, a hacker may obtain personally identifiable information like your name or account ID and send a spear phishing email to you posing as a reputable company. If the email is convincing enough it can be almost indistinguishable from the real thing, which leads to many compromised accounts.
In today’s world, much of your general information is public knowledge. This is great news for attackers, as they use this information to build campaigns designed to trick you into believing someone from Sony or Microsoft is trying to contact you.
This is one of the most common (and effective) tactics to breach a gamer’s account and steal valuable information.
Mistakes happen, and that’s why it’s so important to have defenses to serve as your Player 2. Now that you know this tactic and the many others that attackers use to open an attack vector, it’s time to learn valuable steps to take in order to maximize your defenses against attackers:
1. Create complex passwords and protect them
Good passwords are a surefire way to protect your front lines. A “good” password is largely subjective, but usually includes both uppercase and lowercase letters, numbers, and special characters. Additionally, using easily obtainable information (like your cute puppy’s name) as a password is a big no no. Make sure to protect these passwords, and never reuse passwords on multiple high-value websites.
2. Don’t click that link!
A message coming from PlayStation, Xbox, or Nintendo may seem harmless enough. However, it’s important to vet the email’s validity before you click on anything in the email. If there is ANY chance the email is a fraud, simply delete it. It is better to reach out to the company individually than risk a breach into your valuable account.
3. Enable multi-factor authentication
The use of multi-factor authentication is a lifesaver for many individuals with high-value accounts. Enabling multi-factor authentication with a 3rd party email address or phone number ensures that even if an attack breaches your front lines, you can be there to intercept them before they can do any real damage. All the large gaming companies (including Sony, Microsoft, and Nintendo) have multi-factor authentication functionality with their accounts.
4. Keep your software up to date
While vulnerabilities that exist in your hardware or software are rarely your responsibility, it IS your responsibility to ensure all of your devices are up to date. Software updates, on top of giving you cool new features, exist to patch vulnerabilities and bugs. When you get a notification that there’s an update available for your gaming console, be sure to update right away.
The honest truth is that we can’t defend against all attacks. And we can’t protect every single account on the Internet. But, if secured correctly, your defenses can be the difference between a protected account and a breach that will cost you time, money, or both.