I was about to hop on the Caltrain to San Francisco when I got the call. Over the metal on metal screech of the locomotive pulling into the station I could only make out the last few words, "to verify a few recent transactions". After boarding the train, I stood in the vestibule whispering for 20 minutes. It was my bank. Someone had gotten access to my debit card information and was making purchases in a country I'd never visited.
Prepping for the embarrassing chat with my wife about how I let money get stolen from our bank account, I had to come up with a way to downplay the fact that it was all because of a video game. Back in 2008 I had registered for a game service using the only card whose number I memorized. I figured the card info was a formality, and that I would rarely make any purchases with it. And besides, it's not like I was using my debit card at a gas station in a strange town, or on a shady website. This was a REALLY BIG company. Surely, my debit card info would be under lock and key.
Alas, the company experienced a catastrophic data breach. Whatever they had done to prepare for a cyber attack hadn't been enough.
It took about 3 months to get the issue resolved with the bank and get the funds restored. I had to randomize my usernames and passwords across every online account (which is good practice anyway), and I studied my credit card and bank statements for years. It's not really over yet; not in my mind.
This moment scarred me. I NEVER use my bank info on any website. When I get the message telling me my card is about to expire, I'd rather let the account lapse than reach for a convenient card. This embarrassing and scary experience left a lasting impact on me and a profit affecting impact on the companies I do business with. I'm slower to trust, which means I'm less likely to buy.
A recent player study we fielded with EEDAR revealed that 86% of respondents are likely to avoid playing a new game if they heard it had suffered account hacks. 60% of game companies report having been targeted by cyber attacks within the past 6 months.
In our industry we WANT players sharing info with us. We NEED them to be inclined to spend more money with us, and we expect it to be as frictionless as possible. Unfortunately, they don't trust us, and for good reason. Some of the industry leaders I talk to say their plan is to hope they don't get attacked.
I suppose, in a way, that was my plan back in 2008 when I shared my bank info. I can say, from firsthand experience, it's not the best plan.
See most posts from about game security.