Account takeover and fraud: An opportunity to build trust with gamers

With the expectation of continued growth in the microtransaction market over the next few years,¹ it is possible to anticipate an influx of threat actors targeting gamers. ATO attacks introduce fraud risk by creating an opportunity for an unauthorized party to initiate payments or inappropriately transfer virtual currencies and/or goods from a compromised user account. Unauthorized in-game reward redemptions and other promotion fraud could also stem from compromised user credentials. These redemptions appear to come from an authorized party, yet the fraud results in potentially large financial losses for customers.

Through credential stuffing techniques, cybercriminals leverage compromised credentials and bots to breach individual user accounts across social media, email, and financial institutions. These techniques are predicated on the cybercriminals’ hope that people reuse passwords. Many large gaming platforms offer different degrees of security controls to their customers. Gamers, specifically children, may not have the experience or technical literacy to understand the importance of security controls offered to mitigate such threats. Beyond the immediate financial impact of stolen virtual goods, successful ATO attacks could undermine a gamer’s trust in the gaming organization that should have protected their account.

A siloed approach to addressing interconnected gaming cyber and fraud risks is becoming unsustainable. Many risks associated with fraud involve:

• Verifying and authenticating your customer;
• Monitoring and detecting transaction and behavioral anomalies; and
• Responding to a threat and mitigating (real-time) risk.
  

Each of these activities, whether taken in response to cyber or fraud attacks, is supported by common frameworks, processes, and tools. Therefore, bringing these capabilities together with data and analytics can significantly improve visibility while providing much deeper insight to improve detection capabilities. In many instances, it also enables prevention efforts.

To combat fraud occurring through ATO, some questions to consider include:

• How do you maintain consumer trust through the use of security tools?
• How are you addressing cyber-based fraud risks?
• How does your multi-factor authentication (MFA) strategy align with your evolving business and technological landscape?
• How are you detecting anomalous network traffic?
• How are you automating response actions to mitigate threats to your end customer?

In our experience, the capabilities most implemented in Customer Identity & Access Management (CIAM) programs and capabilities include:

How Deloitte can help

• Managed Extended Detection and Response (MXDR) by Deloitte is a security service that is cloud-native, composable, integrated, and modular, delivered as Software as a Service (SaaS). The MXDR Identity Prevention, Detection & Response (IPDR) module provides near real-time identity threat protection coupled with proactive management and optimization of identity configuration and policies.
• Digital Identity+ from Deloitte combines flexible architecture and design patterns with an integrated platform plus tangible outcomes delivered by managed services—designed to provide economies of scale and predictable cost of optimization and expansion. Organizations get the outcomes, packaged services, and technologies without the cost, risk, and complexity of deploying tools on their own. Integrated services include Identity & Access Management; Consumer Identity; Data Privacy & Consent; and Dashboards & Analytics.
• Digital Fraud Prevention by Deloitte offers a suite of services in the Digital Fraud Prevention space via fraud program modernization (establishing and/or maturing fraud programs); capability maturity and technology mapping (mapping identity verification, transaction authentication, transaction monitoring capabilities to tools); end-to-end anti-fraud platform implementations; and response remediation and resolution services.

Game on: Cybersecurity for customer trust

Historically, gaming organizations have larger growth opportunities relative to leaders from other industries (e.g., financial services, commercial aviation) from a cyber perspective. With gaming organizations’ expanding attack surface and using advanced technologies to enable innovative triple-A titles, live service gaming ecosystems, and niche mobile games alike, a strong cyber strategy is needed to address the risks introduced by these capabilities. The data² shows the specific organizational actions to protect consumer data have a positive impact on their trust, and critical cyber failures such as ATO attacks promptly erode trust. Showing competence and intent regarding the protection of data and IP alike could help first movers within the sector influence engagement, loyalty, and purchasing behavior among gamers. This can be achieved at the intersection of fraud, identity, and detection and response teams and capabilities by sharing risk indicators to predict emerging threats.

Endnotes

¹ Akamai, “Gaming respawned: Cyberattacks on players and gaming companies rise again,” State of the Internet 8, no. 2 (August 2022).
² Michael Bondar et al., “Quantifying customer trust,” Deloitte Insights, 2022.