Recent Fortnite Hack Heightens the Need for Multifactor Authentication

            Fortnite, the multiplayer shooter-survival game released in 2017 by Epic Games of Cary, North Carolina, recently joined the growing list of applications compromised by attackers. The vulnerability was found in November 2018 and has since been patched. The flaw lay in two of Epic's subdomains: a malicious redirect caused the authentication token of a legitimate user to be delivered to the attackers instead of to Epic. That token was then used to take over the user's account, purchase in-game items with the credit card on file, and listen in on in-game chats while impersonating the legitimate user.

            The malicious redirect was triggered by a well-crafted phishing email that appeared to come from Epic Games. What made it so effective is that the link pointed to a genuine Epic Games subdomain, so it looked legitimate even to a careful reader; the flaw on that subdomain turned the page into a collection point for the authentication token Fortnite issues when a user logs on. Clicking the link was enough: the user never typed a password, yet the captured token let the attackers bypass the normal login entirely and gave them full access to the user's account and personal information.

            The issue is not new; it is the next generation of the phishing attacks that have become commonplace in our online lives. A phishing message is crafted to appear to come from a company or organization the recipient trusts. It usually contains an attachment or a link that entices the recipient to open it. Doing so either harvests the user's logon credentials (or, as in this case, a session token) directly, or sends the user to a look-alike page that asks for credentials or other personal information.

            One has to ask: what can we do to avoid falling victim to a phishing attack? Security is never 100% and attacks keep evolving, but there are steps one can take to be more vigilant:

  • Look the email over for anything suspicious, including typos or poor grammar; if in doubt, delete the message or contact the business or organization through a channel you already know.
  • Hover over the link in the email to see where it really points, watching for typos (rn for m, 0 for o) and for look-alike domains such as a legitimate name used as a prefix of an unrelated one. Note the limit of this check: in the Fortnite case the link led to a genuine Epic Games subdomain, so hovering alone would not have revealed anything wrong.
  • Do not open attachments or click on links in unsolicited messages or in messages from unknown senders.
  • Be wary of any email demanding urgent attention or action.
  • Always think before you click, and never give out personal information, including passwords, in response to a message.
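
The "hover over the link" check above, and the server-side decision of where a login flow may send a token, both come down to the same question: which host does a URL really name? The following added example (written for this article, not code from Epic Games) shows three ways of answering it on constructed sample links: the substring check a hurried reader effectively does, a proper host comparison that catches look-alike and user@host tricks, and the exact allowlist a token-issuing endpoint should use, which rejects even a sibling subdomain of the real site. The domain names, the hypothetical forgotten subdomain and the redirect allowlist are all made up for illustration.

```python
from typing import Dict, Optional
from urllib.parse import urlsplit

# Constructed sample links (not from the article or from Epic). Each is a
# destination a phishing email, or an attacker-supplied redirect, might carry.
EXPECTED_HOST = "epicgames.com"
SAMPLE_LINKS = {
    "genuine":     "https://www.epicgames.com/account",
    "lookalike":   "https://www.epicgames.com.login-verify.example/account",
    "userinfo":    "https://www.epicgames.com@login-verify.example/account",
    "typo":        "https://www.epicgarnes.com/account",          # rn, not m
    "plain_http":  "http://www.epicgames.com/account",
    "sibling_sub": "https://old-stats.epicgames.com/?next=1",     # hypothetical forgotten subdomain
}

# Hypothetical allowlist a login server would hold: the exact URIs its own
# application registered to receive tokens, nothing broader.
REGISTERED_REDIRECTS = {
    "https://www.epicgames.com/account",
    "https://www.epicgames.com/login/callback",
}


def substring_check(url: str) -> bool:
    """What a hurried reader (and some weak validators) effectively do."""
    return EXPECTED_HOST in url


def link_host(url: str) -> Optional[str]:
    """Host the browser will actually connect to, or None if not plain https."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return None
    return parts.hostname  # drops any user@ prefix and :port, lowercases


def same_site(url: str, expected: str = EXPECTED_HOST) -> bool:
    """The 'hover over the link' test done properly: exact host or a true subdomain."""
    host = link_host(url)
    return host is not None and (host == expected or host.endswith("." + expected))


def redirect_allowed(url: str) -> bool:
    """Server-side check for a token redirect: exact scheme+host+path allowlist.
    Sibling subdomains are rejected even though the same owner controls them."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return False
    canonical = "https://" + parts.hostname + (parts.path or "/")
    return canonical in REGISTERED_REDIRECTS


def assess(url: str) -> Dict[str, bool]:
    return {
        "substring": substring_check(url),
        "same_site": same_site(url),
        "redirect_ok": redirect_allowed(url),
    }


def assess_all() -> Dict[str, Dict[str, bool]]:
    return {name: assess(url) for name, url in SAMPLE_LINKS.items()}


if __name__ == "__main__":
    for name, result in assess_all().items():
        print(f"{name:12s} {result}")
```

The instructive row is "sibling_sub": it passes the substring check and even the careful host check, because it genuinely belongs to the expected domain, yet the exact allowlist refuses to send a token there. That is the server-side control that a user cannot apply from the email client.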

The single most valuable step an individual user can take, for Fortnite and for every other account, is to enable two-factor or multi-factor authentication (MFA) wherever it is offered. MFA confirms that a user is who they claim to be by requiring two or more factors drawn from different categories:

  1. Something the user knows (password, PIN);
  2. Something the user has (hardware token, smartphone authenticator app);
  3. Something the user is (retina scan, fingerprint).

With multi-factor authentication enabled on Fortnite or any other site, the user supplies two of the factors above and is then allowed into the site or game. An attacker who has only phished the password cannot log in without the second factor, and most security experts agree that every account that offers MFA should have it turned on. One caveat belongs here, because it matters for attacks of the Fortnite kind: the factors are checked at login. The token a service issues after a successful login is a bearer credential, and anyone who captures it is accepted as the user until it expires or is revoked, with no second factor asked for. Whether MFA would have blocked a particular token-theft attack therefore depends on where in the flow the token was stolen; protection against that class of flaw has to come from the service itself, through strict validation of redirect targets, short-lived tokens and revocation on suspicious activity. Finally, a password manager creates and stores passwords that are hard to guess and, because it fills credentials only on the exact site they were saved for, will refuse to fill them into a look-alike phishing page. Password managers such as LastPass therefore also help to limit credential-phishing attacks in the future.

About Dr. Mathias Plass

Dr. Matt Plass is an Assistant Professor in Management Information Systems. His areas of interest include cyber and information security education, security awareness, critical infrastructure protection and the growing world of IoT. He earned his DSc in Cybersecurity from Capitol Technology University in 2015 and is a Certified Information Systems Security Professional (CISSP), a Certified Ethical Hacker (C|EH), a Certified Penetration Tester (CPT) and a Network+ professional.
