
Pixel Locked - Staying Secure as a PC Gamer

Are you a PC gamer? Do you take appropriate measures to keep your game accounts safe? Chances are, unless you’re a security nerd like myself, you might not be threat modeling with your gaming accounts. It’s extremely important, especially as your accounts’ libraries grow and you interact more with the different platforms’ communities (if they have one), which gradually raises the real-world value of your accounts. In this post, I will offer some tips that any user can implement to better protect your valuable PC gaming libraries!

General tips

  • The obvious answer is “use a strong, unique password”, and this is true. Make sure you generate a unique password or passphrase with a password manager, and do not share that password between your gaming accounts. Make sure each account has a fully unique and randomized password.

  • Make use of multi-factor authentication wherever possible.

  • As a rule: if a platform offers a security feature, it’s best to use it. None of the major PC games stores offer a true passkey solution yet, but if they happen to, consider using passkeys if you’re able.

  • Avoid keeping your credit card or payment accounts linked to your accounts when you’re not planning to make a transaction. It’s less convenient to keep them unlinked but it also reduces the risk of your payment info being exposed in a breach, as well as making it less likely that a hijacker could cause you a financial or credit headache.

  • Unless you absolutely need to (such as on key reseller platforms), avoid keeping your game accounts linked to external accounts (such as a Google account). Though a hijacking on one account won’t inherently lead to a hijacking on a linked account, giving a potential attacker knowledge of your other accounts can be problematic, especially if you don’t have unique passwords for every account.

Securing Steam

Steam is the world’s largest PC games platform and one of the largest gaming platforms on the planet. Moreover, it’s also a full-featured social network, even though many users don’t realize that. It has countless forums, personal messaging, community-made groups with Discord-like group chats, along with community creation feeds, extensive profile pages and an activity feed that functions like a more traditional social networking feed. As such, I’ve found that many people underestimate the threats that you might face as a user.

Display names

Steam offers the option to use display names. I’d advise you to use this feature. If you’re first creating an account, make your username something harder for someone to guess through your online presence, then use the display name system to show up as whatever you want.

Note

If you have an existing account, this won’t be as easy or useful unless you have a small friends list consisting only of people you trust.

Keeping your username difficult to guess while using the display name system to show something more personal makes it much more challenging for someone to even attempt to log into your account.

Important

You need to clear your username history on your profile to do this properly. Visit your Steam profile, click on the downward arrow next to your name on the profile, and select “Clear previous aliases”.

Steam Guard

Steam has a fantastic mobile app that includes “Steam Guard”, their own two-factor authentication system. This not only makes your account more secure, but it also gives you an option for a very quick and easy login process.

What’s more is that this process appears to be phishing resistant, much like passkeys are. You scan the QR code on their site with the Steam mobile app, and it easily allows you to authenticate that way. To my knowledge, this method will not work on a phishing site due to the fact that the QR code is regularly cycling and authenticates with your account directly, but please don’t quote me on that: you should still take every precaution to avoid getting caught up in a phishing scheme.

Either way, enabling Steam Guard and using the mobile app to log in will make your account significantly more difficult to breach.

Use Steam through its official client and app only

This one is a bit more optional but the most surefire way to ensure you stay on official Valve pages when using Steam is to only access Steam’s features through the official client or their mobile app. In the client, Steam will always warn you if you click on a link that takes you outside of their network, and this is a helpful feature to ensure you don’t accidentally end up on a convincing phishing page.

The reason I say this is optional is that accessing the Steam site through your browser is already secure thanks to TLS; using the client simply guarantees you won’t leave the Steam network without being warned about it.

Keep in mind, the same warning doesn’t apply to the mobile app but it’s a better experience than browsing the site through a mobile browser anyway.

Enhancing Epic Games Store

Epic Games Store is the second-largest PC games store right now. While it is often maligned by Steam users due to its minimal feature set, many people do enjoy using Epic Games Store due to its lower royalty fee for developers and their regular game giveaways. Despite its popularity, Epic Games Store doesn’t have quite as many threats from within, but it’s still best to use every security feature you can use.

Authentication options

On Epic, you actually have three authentication methods: SMS, email or app-based authentication. You can use all of these, none of these, or a combination of them.

SMS authentication

Ideally, you’ll want to avoid SMS authentication entirely, as SMS is not secure. There are multiple, well-documented threats. SMS is unencrypted, meaning anyone listening in on your local cell network can see everything that’s sent. Additionally, SIM swap attacks can allow an attacker to retrieve your SMS authentication code and easily log in to your account.

App-based authentication

App-based authentication is the strongest option. For this, you would use your preferred TOTP authentication app (I recommend Aegis Authenticator) and set it up for your account.

Important

Always remember to back up the secret phrase, backup codes and your app’s database!

If you’ve never used TOTP-based two-factor authentication, Josh from All Things Secured has a great video on the subject.

Email authentication

You can also consider email authentication if you really don’t want to use an app, but keep in mind, this is also less secure. I advise you to only use email authentication if you don’t have another option or if you use an encrypted email provider like Proton Mail. If you keep your email secure and it’s also an encrypted provider, this option is viable.

The reason why it’s not as good of an option as app-based authentication is that most email providers are not encrypted at rest, meaning that employees of the company can theoretically read anything in your inbox. This, as well as the fact that most email authentication codes expire more slowly, makes it an inherently less secure form of authentication unless you fully secure your account and use an encrypted provider.

I, personally, have my email authentication enabled as a backup and only on a dedicated encrypted Proton Mail address that I keep very secure. App-based authentication is always the go-to, with the email authentication left as a backup.

Only buy within the game client

Similar to browsing Steam’s site only within its client, if you buy games on Epic, it’s advisable to stick to the client for that. Epic lacks most of Steam’s social media features, so phishing through the community itself isn’t quite as big of a concern, but that doesn’t mean malicious and convincing phishing replicas don’t exist. Using the game client to buy your games instead of using the website in your browser will, again, guarantee you’re buying from the correct store.

Note

On Linux, the Epic client isn’t available, but you can access the store through Heroic Games Launcher, which is an open source game client for the GOG, Epic and Amazon game stores.

Guarding GOG

GOG.com isn’t as large as Steam or Epic, but it is still quite a large platform. They stand out for two reasons: they keep old games alive through their Preservation Program and they offer all games DRM-free; even the game client is completely optional. Unlike Epic, and similar to Steam, GOG offers community features that border on a social network: community forums, profile pages and a lightweight activity feed.

Two-factor authentication

GOG offers two authentication options: app-based and email authentication. Unlike Epic, you can only use one of these options at a time. As with Epic, I recommend using app-based authentication if you’re able to, for the same reasons I mentioned before.

Sessions

GOG offers you the ability to de-authenticate all of your login sessions. This is a useful feature if you suspect you’ve been phished, or if you change devices a lot. You’ll also want to do this if you end up needing to share a device with someone else.

Check your privacy options

I’ve used GOG for many years and have only run into one or two scammers within its community. However, if you want to defend against the possibility, double-check your privacy options within your account.

There’s an option that’s labeled Allow chat messages from. Set that to “friends only” unless you plan to take part in community giveaways.

You can also control who can see your profile page, your library, list of friends and reviews. This is up to you, but the less you have public, the more challenging it will be for an attacker to socially engineer you. Additionally, there’s a feature to disable your profile entirely. Use this if you don’t plan to make much use of community features on GOG.

GOG recently added the ability to attach a phone number to your account for SMS-based notifications but I would recommend against this for many reasons, both security- and privacy-related.

Client options

As mentioned prior, GOG’s game client, GOG Galaxy, is completely optional. It’s a useful resource for managing your games on your system but it’s not required for anything other than some online multiplayer features in specific games. There’s also the aforementioned Heroic Games Launcher for Linux, as GOG Galaxy is not available on Linux yet (it’s being developed).

Because of this, the whole “stay in the client” suggestion isn’t really a major help here.

Avoid piracy

Because GOG is a DRM-free platform, access to pirated content is significantly easier. Not only is this a major security risk, for obvious reasons, but it also actively harms the DRM-free cause and makes publishers just want to crack down harder with DRM schemes and tools. Piracy of a DRM-free platform harms literally everyone and puts you, and your account, at risk. It’s just not worth it.

Other stores

As far as I can tell, most other games stores fit within the same security rules that governed the above suggestions, with two exceptions.

Amazon games

Amazon accounts offer passkey support, in addition to the more 'traditional' security methods. I would advise you to consider enabling a passkey for your Amazon account. This will allow you easier login access to your Amazon account while keeping you more secure in the process. This will inevitably give your Amazon game library better security as well, though I know it’s not nearly as popular of a games library as other options.

Humble

Humble offers two-factor authentication but, for whatever reason, it implies it only supports Google Authenticator. This is false. You can use any sort of standard TOTP authentication app to enable two-factor authentication on your Humble account.

Final thoughts

PC gaming is amazing due to the level of freedom and choice it offers, but with that, you also have many more avenues for an attacker to approach from. In most cases, attacks will follow common phishing patterns, which is why you absolutely must educate yourself on common phishing tactics, and how to detect and avoid them. At the same time, if you make use of a platform’s security features, you’re significantly lessening the possibility of your account being stolen.