Security Trends to Address Now, on Our Way to the Metaverse
The metaverse is kind of a big deal. It’s even hit the point where major news outlets are writing about it.
But what is it? Why should a CSO care about it?
The metaverse is essentially the next iteration of the internet. While the mainstream press might say that no one knows what it will look like, that’s only partially true. There are plenty of people who know what pieces of it will look like, since they’re building them now. Besides, there are plenty of others with a fairly solid vision for what it has to look like to function.
To get a sense of it, think about the show ‘Alter Ego’, a talent competition (also known as ‘The Voice’) allowing people, who feel encumbered by their physical appearance, to sing ‘behind’ their avatar. It is pretty cool, giving us a glimpse into what the metaverse will feel like. As Wired’s Kevin Kelly wrote in a story about it back in 2019: “when [the metaverse] is complete, our physical reality will merge with the digital universe.”
Matthew Ball is a venture capitalist, who has written an extensive primer and framework for the metaverse. I’ll quote him here:
“The Metaverse is an expansive network of persistent, real-time rendered 3D worlds and simulations that support continuity of identity, objects, history, payments, and entitlements, and can be experienced synchronously by an effectively unlimited number of users, each with an individual sense of presence.”
I’ve broken down this definition and assembled some of the challenges we can expect the metaverse to deliver for CSOs and their teams.
| Definition | Challenges |
| --- | --- |
| The Metaverse is an expansive network | authentication, access policies, malware, encryption and secure traffic, DNS security, web app attacks |
| of persistent, | uptime, DDoS attacks, flash crowds |
| real-time | security vs. performance trade-offs, API security, stream protection, anti-piracy |
| rendered 3D worlds and simulations | fraud, physical/access security, hardware/IoT security, content integrity |
| that support continuity of identity, | secure registration, credential provisioning, authorization |
| objects, | encryption, PII, fraud prevention, intellectual property rights |
| history, | PII, encryption |
| payments, | PII, encryption, fraud prevention, PCI compliance, tokenization, payment risk |
| and entitlements, | encryption, PII, fraud prevention, intellectual property rights, payment security |
| and can be experienced synchronously by an effectively unlimited number of users, each with an individual sense of presence.” | flash crowds, MFA, security at scale |
Gaming security offers insight to the metaverse
To prepare for the metaverse, and everything that comes between then and now, we recommend that all CSOs, regardless of the industry, become familiar with the audience and security challenges of the gaming industry.
Gaming is already providing and influencing a significant portion of the metaverse’s foundational technology. Beyond technology, its business models are likewise being adapted and leveraged across industries. Video, music, sports, fitness, medicine, and industrial training industries (among others) are already borrowing from gaming, making it a useful microcosm of what is to come in the metaverse.
The gaming industry tends to concern itself with four major buckets of security problems:
1. Account takeover
2. Intellectual property theft (data exfiltration)
3. Cheating
4. Uptime threats (DDoS, etc.)
Here, we’ll focus on account takeover, as it provides a useful illustration of security trends to watch between now and the metaverse. At Akamai, we have strong visibility into the problems in the gaming space. I’ve authored a piece on how and why criminals attack the gaming industry and my colleagues at Akamai have authored two recent ‘State of the Internet’ reports on gaming security: You Can’t Solo Security and Gaming in a Pandemic. Each of these examines several aspects of what it takes to keep systems online and running despite the relentless efforts of attackers. You Can’t Solo Security also features results of a survey of hard-core players, which Akamai undertook in partnership with the international gaming conference organization DreamHack (now ESL Gaming) to better understand how players feel about the security of their games and how much personal responsibility they believe is warranted when it comes to securing their own gaming accounts. Key findings include:
- Criminals are in it for the money (obvi!), and the value often isn’t in PII — it’s in the account itself. This point will matter in the metaverse as well. Ten years ago, the primary value of any account was in credit card numbers, and any information that could help a criminal get into a bank account. Now the accounts themselves have value in the form of a player’s time and in-game items. Accounts that have put in time playing and racked up gear can allow purchasers of stolen accounts to play at a high level without putting in the effort. In-game goods can also be sold in third-party markets for real cash. This form of virtual value is already being reflected in the investment community with people buying up NFTs. As the world, and your business, move toward operating in the metaverse, securing accounts and access will continue to be a top priority.
- Criminals are highly focused on industries such as gaming, where the user community has disposable income and frequently makes transactions. Gaming is under constant assault. In the past year, we’ve seen web attacks grow by 340 percent and credential attacks increase by 224 percent. These credential stuffing campaigns are often successful. We learned from our DreamHack/ESL survey of 1,253 hard-core gamers (81 percent play games every day) that 52 percent have had at least one of their accounts hacked, and 70 percent have come across hacked accounts being sold online. Consider the state of gaming accounts here to be a bellwether for the treatment of future metaverse accounts across a variety of industries and services.
- Customers want help from you. Our survey with DreamHack/ESL also revealed that 76 percent of respondents felt that gaming companies were responsible for account security. However, it was a multiple-choice question: 67 percent of those same respondents indicated that they, the players, should be responsible as well. As every company moves to do business in the metaverse, partnership with your users and employees around account security will become a larger part of the customer experience and the brand relationship, expanding security’s role in the enterprise.
As we move into the metaverse, your organization’s attack surface will grow by orders of magnitude. To keep that ‘other world’ turning, security strategies will need to better align across industries, and competitors and their security vendors may all need to partner to keep users’ account information secure. In the meantime, security leaders who deeply examine the current state of their account security practices and consider new ways to partner with and train their users will be best prepared to manage the other complexities yet to come.