Ted McKendall

The theft of personal information is a very real threat in today’s digital world, particularly due to it often resulting in financial loss. According to a recent RSA survey, consumers are more concerned about losing control of their financial data than of any other personal information. More than half worry about the security of online banking, while almost two thirds of online shoppers have abandoned a purchase because of security fears.  

 

The recent discovery of a vulnerability in a distribution platform for video games suggests that the digital economy has opened up lucrative new opportunities for criminals looking for valuable personal information. 

 

Researchers recently uncovered a critical vulnerability in the EA Origins platform which, if exploited, would have allowed criminals to access the user accounts of more than 300 million gamers. Had it not been discovered, attackers would have used phishing messages to distribute the URL of an inactive subdomain – confident that as the link was to an EA domain, unsuspecting players would click on it without thinking twice. Then, as they logged in, malicious code injected into the subdomain would obtain single sign-on (SSO) authorisation tokens for every visitor, which in turn would grant the attackers access to their accounts without the need to steal login credentials.  

 

Although the intention here was to trick users into logging onto the platform via a fake landing page, the technique used to obtain the SSO tokens themselves was not unlike that seen in recent Magecart attacks, where malicious JavaScript code was injected into the checkout and payment pages of online merchants including British Airways, Ticketmaster, and AeroGrow 

 

Both sides of the transaction 

Criminals are naturally opportunistic. It’s safe to assume that gaming platforms such as EA Origins contain a wealth of user data, both financial and personal, that would prove highly valuable if sold on the black market. By combining two tried and trusted techniques in this way – one for distribution, the other for harvesting – bad actors add to their arsenal an efficient and effective ways of capturing that data.  

 

The level of consumer concern over data security is already high and attempts like this to steal personal credentials are likely to do nothing but raise it furtherWhile increasingly cautious users may load up their machines with the latest security software, there’s only so much they can do to protect themselves from suitably determined criminals.  

 

It’s the responsibility of businesses, whether banks, e-commerce retailers or gaming companies – to ensure that any information input on their site is secure; guaranteeing that it won’t (or can’t) fall into the wrong hands. Fundamentally, this requires them to acknowledge that every transaction has two sides. Rather than concentrating on just one or the other, businesses should instead focus on both the user side and the web server side at the same time if they are to prevent attacks from succeeding.  

 

Trusted Knight’s Protector Air offers that preventative measure. A cloud-based solution, invisible to the end-user, it’s injected seamlessly into every transaction request, thwarting any attempts to steal personal information.  

 

Click here to learn more about how Trusted Knight can protect your customers’ information. 

blog-post-logo