Since becoming popular in the mid-1990s and early 2000s, online gaming websites have experienced steady yet significant gains in users and monetary value. In fact, according to Newzoo’s 2014 Global Games Market Report, the international games market is expected to surpass the $100 billion mark by 2017, bringing in an estimated $102.9 billion. This projected growth represents a compound annual growth rate (CAGR) of 8.1%, fueled by substantial growth in both the Asian market and mobile games. The market for smartphones and tablets is expected to rise from $17.6 billion in 2013 to $35.4 billion in 2017, accounting for about one-third of the overall gaming market.
As the saying goes, however, “with great power comes great responsibility.” As online gaming sites continue to try to capitalize on this booming market by innovating and pursuing new global opportunities, they must also remember that the threat of increasingly complex attacks grows as well. Therefore, it’s essential for them to take website security seriously, as site attacks and downtime can damage brand reputation and inhibit them from capitalizing on the virtual gold mine that is today’s web. Here are five essential security considerations for webmasters that are attempting to protect their online gaming site from potential threats.
Become PCI DSS Compliant
The PCI Data Security Standard (PCI DSS) “provides an actionable framework for developing a robust payment card data security process—including prevention, detection and appropriate reaction to security incidents.” This set of standards has been upheld by the credit- and debit-card industry and helps guide online merchants that process or transmit cardholder data. Those looking to achieve PCI compliance should follow these three steps:
- Assess: Identify all technology and process vulnerabilities that pose risks to cardholder data.
- Remediate: Fix vulnerabilities, including technical flaws in software code as well as unsecure processing procedures of cardholder data.
- Report: Website owners should submit regular reports to the acquiring bank and global payment brands with which they do business (merchants and processors must submit a quarterly scan report to remain certified).
Complying with the PCI Data Security Standard is more than a helpful tip, especially for the online gaming industry. There are two ways to achieve compliance: either go through the steps for your data center and website or work with a PCI-certified content-delivery network. Compliance can bring significant benefits. For example, when online gamers see that a site is in compliance, they will be much more likely to trust it with their information and become a repeat customer.
Use SSL Certificates
When usernames, passwords, credit-card numbers and other critical information is sent across the web, it passes from one computer to another to reach the end server. SSL certificates can be thought of as electronic ID cards issued to servers by trusted third parties to verify the identity of the server. They also encrypt the data so only the intended recipient can understand the information being transmitted. Web browsers typically offer visual cues to users (see the lock symbol in the URL line of the image below) to ensure they know when they are on a site with a secured connection.
Shawn Hess, software-development manager for VoIP Supply, said in a CIO article, “SSL certificates are a must for transactions. To validate our credit cards we use a payment gateway that uses live address verification services right on our checkout. This prevents fraudulent purchases by comparing the address entered online to the address they have on file with their credit card company.” Much like having a PCI-certified site, using SSL certificates and SSL encryption will increase trust levels among your users, allowing them to make worry-free transactions.
Employ a Strict User Enrollment and Authentication Process
Similar to entering a brick-and-mortar casino, online gaming sites should have measures in place for user verification and authentication. One of the quickest ways to verify users is by matching their IP address’s geolocation to the provided billing address. Although these locations may vary, it’s a nice check to have in place. Sites should also identify (and keep out) known fraudsters and monitor app stores for fraudulent apps that may be posing as a gaming site to gather sensitive information.
Once registered, the user then must be able to access the system (login). Gaming sites should have password-strength requirements in place and should also consider frequent password-change mandates (but ensure that the user experience and site engagement is not taking a big hit when applying these mandates). Beyond secure password standards, many gaming sites use geofencing to set geographical limits on locations from which users can login (this approach may or may not be appropriate depending on the mobile usage frequency of the game or site). Lastly, online-gaming webmasters should consider using two-factor authentication (SMS, Google and so on), which is much like presenting your ID alongside your credit card when making a physical purchase at store.
Have DDoS Protection in Place
DDoS attacks can bring online gaming businesses to a halt, making protection against them a critical security measure. These sudden increases in (unwanted) traffic can lead to lost revenue and a damaged reputation. In fact, it’s been reported that ecommerce sites lose $200,000 to $500,000 per hour of site downtime (typical DDoS attacks last between two and six hours).
Gaming-site owners should consider working with a DNS solution provider in the fight against DDoS attacks. By having a network of points-of-presence in place, sites that use a DNS methodology are able to absorb massive amounts of attack traffic for customers located anywhere. The malicious traffic is then filtered and quarantined while the legitimate traffic is allowed to flow to the intended customer websites.
Monitor for “Bad Traffic” and Suspicious Activity
Another critical step when minimizing fraud on gaming websites is to monitor traffic patterns and understand visitor behaviors. One way to do so is by looking at the network layer in an effort to separate good traffic from bad traffic. Gaming-site managers should consider building user behavioral profiles to track what is “typical” behavior so they can then detect and investigate irregular activity. For example, site owners could be notified if a user typically places $5 bets on the site but their bets have suddenly spiked to $5,000. Security-incident monitoring systems (SIMs) and other logging/monitoring tools are available to give site owners a broad view of user behaviors and abnormalities. Once malicious traffic is discovered, a content-delivery partner can reroute this traffic to “sponge” servers and keep the valid traffic flowing.
As the methods of cyber-attacks continue to become more innovative, online-gaming site security must become more versatile and advanced to prevent and/or absorb attacks of all forms. Cyber-attacks are damaging to a website’s performance and reputation if not properly protected against. Although this list of recommendations is by no means the complete guide to online-gaming website security, it provides critical factors to consider.
About the Author
Sharon Bell is the Director of Marketing for CDNetworks, a global CDN provider that assists industries such as online gaming, media and entertainment, ecommerce, and travel with delighting their online users through website speed and security.