When Microtransactions Go Real Wrong

Data breach pwns Fortnite players.

Fortnite, the misspelled craze that has taken the nation, is a simple game. Your character is dropped onto a map with a bunch of other players, you all try to kill each other, sometimes you build steps, last crudely drawn toon wins. Its simplicity is one of the things that makes it so popular: I once finished second in a game by basically hiding in a basement the whole time, until the winner found me and destroyed me with a rocket launcher as I ineffectually tried to stab him with my pick ax.

The game is also free… ish. Like many modern massively multiplayer online games, Fortnite is “free to play.” Instead, the game makes money through a series of microtransactions. In Fortnite’s case, it’s mainly character customization options that you have to pay for with real money.

To me, microtransactions are the worst thing that’s happened to video gaming in my lifetime (also the sexism and racism). I’m willing to buy the game. If it’s good, I’m willing to pay a monthly subscription fee to support new updates to the game. I’m willing to pay a fair price for my entertainment, but what I’m not willing to do is to pay two dollars so my doll can have a better hairdo, or $8.99 so my spaceship can be orange. [Ed Note: I once paid $5.99 so my spaceship in Elite Dangerous could be orange and I’ve hated myself ever since.]

But, I’m old, and the younger generations have voted with their wallets. They want the game to be free, and decide for themselves what extras they want to spend real money on. My belief that you should “get what you pay for” is dying and antiquated. I’m just a bitter man who wants kids to keep their mats off of my lawn.

Just don’t expect me to feel sorry when the hackers exploit the open security risk of microtransactions and steal people’s money. From Variety:

Researchers outlined the process in which an attacker could have potentially gained access to a user’s account through vulnerabilities discovered in ‘Fortnite’s’ user login process. Due to three vulnerability flaws found in Epic Games’ web infrastructure, researchers were able to demonstrate the token-based authentication process used in conjunction with Single Sign-On (SSO) systems such as Facebook, Google, and Xbox to steal the user’s access credentials and take over their account.

To fall victim to this attack, a player needed only to click on a crafted phishing link — one typically designed to look like it was coming from an Epic Games domain. Once clicked, the user’s Fortnite authentication token could be captured by the attacker without the user entering any login credentials.

If exploited, the vulnerability would have given an attacker full access to a user’s account and their personal information as well as enabling them to purchase virtual in-game currency using the victim’s payment card details, according to Check Point. The vulnerability would also allow an attacker to listen to in-game chatter if they joined a match with the hacked account.

In Fortnite terms, you’d say that Epic forgot to put a roof on their structure, which allowed hackers to one-shot players’ accounts from an elevated position.

It’s one of the key flaws in the microtransaction regime. If every game requires your credit card information, then your credit card information is at the mercy of every game publisher’s individual security system. PlayStation and Xbox and Steam are centralized locations where you kind of have to put in your info in order to buy the game in the first place. That’s bad enough. But if you are doing microtransactions, you aren’t even getting the benefit of the security system of a corporate behemoth. Instead, you’re taking one-off risks with game publishers more concerned with trying to sell you a pair of virtual sunglasses than protecting your data.

It’s a particular problem for a game like Fortnite which is marketed to teens, many of whom have never read Isaac Asimov and don’t respect the fact that technology will one day destroy us all.

For the most part, law enforcement goes after the hackers and lets the market take care of companies who don’t do enough to protect private information. But if this keeps happening, eventually people will start suing game publishers out of business. Epic is the last best line of defense for the private information of kids; eventually parents will come for them.


Elie Mystal is the Executive Editor of Above the Law and the Legal Editor for More Perfect. He can be reached @ElieNYC on Twitter, or at elie@abovethelaw.com. He will resist.