AHQ Archive Oct 2023: Interview with Elise Murphy, Sr. Director of Game Security & Anti-Cheat
Hey everyone!
Welcome to the final days of Answers HQ Cybersecurity Awareness Month!
Please join us for an interview with Elise Murphy, the Senior Director of Game Security & Anti-Cheat at Electronic Arts. We will discuss Elise's team role and, of course, focus on online safety and awareness.
Q: What are the main tasks and responsibilities of you and your team?
A: I lead EA Security’s Secure Product Engineering & Anti-Cheat Response (SPEAR) team. We are responsible for ensuring that EA’s games, platforms and services are safe and secure throughout their entire lifecycle, from the ideation phase until they are sunset or deprecated. EA has a large game portfolio, and there are many dozens of services and platforms that power them, so our remit and the scope of work we do is quite large. In a nutshell, we support 3 key areas:
- Game Security
  - We conduct security design reviews, threat models, & penetration tests of our games & services.
  - We operate a Coordinated Vulnerability Disclosure program, ensuring that security researchers all over the world can confidentially submit potential security issues for us to address.
  - We build powerful, yet simple, security tools that allow EA developers to find and fix security issues in real-time.
- Anti-Cheat
  - We build and operate custom anti-cheat technology to keep our games fair and free of cheaters and bots.
  - We try to find all possible ways that someone could cheat in our games, we monitor for working cheats, and work with the game teams to prevent them.
- Security Product & Program Management
  - We play a pivotal role in ensuring that the entire EA Security team is successful and that we meet the needs of our partners and customers by overseeing the development, launch, and ongoing success of security products and services.
Q: Can you provide an explanation of the role of EA anticheat in games for those who may not be familiar with it?
A: EA anticheat is a suite of in-house developed anti-cheat technologies that protect both our games and our players. EA anticheat prevents reverse engineering of and tampering in our games, making it more difficult to create or utilize cheats. It also has robust detection capabilities that allow us to flag when cheating behavior is happening and take action accordingly. If interested, you can read more about EA anticheat in our deep dive article.
Q: How can players actively contribute to maintaining a secure gaming environment? Do you have any tips or best practices to share?
A: We ask that all players respect and understand EA’s Positive Play Charter by:
- Understanding and playing within the rules of the game.
- Understanding that fair competition is in everyone’s best interest.
And not:
- Using exploits, cheats, undocumented features, design errors, bugs, or problems to get a leg up on others.
- Disturbing the peace or making it harder for someone else to play the game.
- Promoting or being involved in in-game currency buying / selling / farming.
- Offering to sell, buy, trade, or transfer your EA Account.
As with many security-related issues - if you see something, say something! Let us know if you believe there is a systemic cheating issue in one of our titles!
Q: What are some common signs or red flags that players should be aware of to spot scams, phishing attempts, and malware?
A: In email, always check the sender’s email address (not just their name) and be wary of clicking on links or attachments that you don’t recognize or were unsolicited.
Never provide personal information, passwords, or payment details to anyone over the internet, no matter how insistent the requestor is. Beware of urgency and grammatical errors; oftentimes fraudsters will prey on our human urge to respond quickly when pressured.
Don’t download “cracked” or free versions of paid games – often these cracked versions contain malware that allows bad actors to use your computer for crimes or other bad things without your awareness or leak your personal data.
Watch out for unusual activity within your own account and if you see something you don’t recognize, change your password and report it right away!
Q: Are there any specific security features or tools that players can use to improve their online gaming security?
A: Protect your accounts from theft or takeover by ensuring you have two-factor authentication (2FA/TFA/MFA) enabled. This requires a second form of authentication, such as a code sent to your phone or a time-bound value from an authenticator app, in addition to your password.
Ensure you don’t re-use passwords across multiple sites, especially when the same email address is linked. Use a password manager to generate and store strong passwords so that you don’t have to remember them.
Check to see if your computer is capable of “Secure Boot” and enable it, if possible. Secure Boot is a security feature developed by Microsoft to prevent malicious programs from running on your computer. If you make a mistake and download malware, which can happen to anyone, Secure Boot can help prevent the program from being able to run.
If you’re a parent, consider adding parental controls to help prevent children from accessing inappropriate content or interacting with strangers online.
Q: Are there any initiatives or collaborative efforts in place to involve gamers in creating a safer gaming environment?
A: Yes - sign up to become an EA Playtester! Our game teams want to hear your feedback, not only on story, game mechanics, and performance, but also in other aspects of the game such as accessibility, inclusivity, and safety. Playtesting gives you a voice in the development process so that we can create the best experiences for all our players.
EA also participates in many partnerships with non-profit organizations and collaborations with others in the industry to make our games safer, more inclusive, and more accessible for our gaming community. As someone who’s encountered toxicity in games before, I don’t always feel up to participating via audio. So, one of my personal favorite innovations in this space is Apex Legends’ ping system.
Q: Can you give an overview of the current cybersecurity threats in the gaming community? What are the most common risks that gamers should be aware of?
A: Security in the gaming industry is really interesting because not only are we subject to the same attacks that are common against all software companies (ransomware, supply chain, phishing, etc.), but game companies also attract a niche set of attackers with a variety of motivations like cheat development.
Distributed denial-of-service attacks aren’t new, but they do happen regularly and they have a huge impact. By taking online gameplay servers offline, attackers can not only ruin the ability for others to play but can cause financial loss for game companies.
As more and more games look to leverage user-generated content or experiences, and that content is picked up by other players, ensuring it is free from toxicity and malware is vital to protecting not only our games and our brands, but also our players’ machines.
Account takeover, where a fraudster steals a player’s account, is important to protect against in games. Particularly accounts with a high value of in-game currency / items or accounts that have obtained a high level in competitive play are compelling targets. We also see specific players with a higher public profile (streamers, competitive gamers, etc.) targeted.
And then there’s cheating. Cheaters and hackers can exploit vulnerabilities in game code or logic to gain an unfair advantage over other players. Cheat development can actually be a pretty lucrative business! Many cheats sell using a subscription model and can sell for over USD $150 / month to use!
Q: What important message would you like to share with our gaming community regarding cybersecurity awareness?
A: Security is everyone’s responsibility and it only takes one mistake to be compromised. Stay vigilant and don’t take security for granted! If something looks suspicious, say something and verify it’s legit through another medium (e.g. text or phone call) before you take any action.
Q: What's your favorite game, and what do you like about it?
A: My all-time favorite game is The Legend of Zelda: The Wind Waker. It was the first game in the Zelda franchise I played and I had an absolute blast getting on my boat to explore new islands and using the Wind Waker to change where and how I moved around the sea. It ignited my love for the franchise and inspired me to play most of the other Zelda games (I’m still working on Tears of the Kingdom now).
As far as EA games go, Battlefield has a special place in my heart. In college, my husband, brother and I would spend countless hours in the evenings and on weekends squadding up and playing Conquest or Capture the Flag in Battlefield Bad Company 2 and Battlefield 3. We’d set up multiple TVs and consoles in the same room when we were together and when we were all in different places we’d play online, which provided us a fun way to stay connected and spend time together. Those are some of my favorite memories from that time in my life.
Q: Where's a good place to start for someone interested in learning more about a career in cybersecurity?
A: There are so many different career paths in security; I’d start with exploring what types of roles and focus areas are out there. There are also so many different resources out there; understand what your learning style is and search out resources that play to your strengths. There is a vast variety of podcasts, videos, books, trainings, and certifications that all teach the same information in different ways.
Some of my personal favorites:
- The Darknet Diaries Podcast provides compelling stories around the background of security issues and attackers and the real-world impact the attackers have had.
- Visit the Villages at your local BSides Conference or DEFCON. The Villages provide a fun, interactive way to learn about various aspects of security like AppSec, Bio Hacking, IoT, or Social Engineering just to name a few.
- Attend a free SANS workshop and learn directly from industry experts.
- Dive deeper by checking out interactive training courses provided by online training providers like Udemy or Coursera.
- Keep up to date on industry trends and attacks in the wild with newsletters like tl;dr sec or KrebsOnSecurity.