Is it feasible to apply biometric authentication to online gaming

2014
StudentID:1096594
5/23/2014
Is it feasible to apply Biometric
Authentication to online gaming?

IS IT FEASIBLE TO APPLY BIOMETRIC AUTHENTICATION TO ONLINE GAMING?
May 23,
2014
2
Abstract ..................................................................................................................................7
Is it feasible to apply Biometric Authentication to online gaming? ..........................................8
1. Introduction ....................................................................................................................8
................................................................................................................................................8
2. Literature Review............................................................................................................9
2.1. General Threats to Cloud/Online Gaming Services .................................................9
2.1.1. Addressing cloud computing security issues – Zissis, D and Lekkas, D............9
2.2. Threats to Online Gamers......................................................................................10
2.2.1. Online Gaming Crime and Security Issues – Cases and Countermeasures
from Taiwan - Chen Y-C, Chen P, Song R, and Korba L .................................................10
2.2.2. Security in Online Gaming - van Summeren, R..............................................11
2.3. Biometric Types and Reviews................................................................................11
2.3.1. Biometrics and User Authentication - Zimmerman M...................................11
2.3.2. Biometric Authentication: System Security and User Privacy – Jain A K, and
Nandakumar K...............................................................................................................12
2.3.3. Biometric Recognition: Security and Privacy Concerns – Prabhakar S,
Pankanti S, and Jain A K. ...............................................................................................13
2.3.4. Biometric Authentication: A Review – Bhattacharyya D, Ranjan R, Farkhod A
A, and Choi M................................................................................................................14
2.3.5. Biometric Scanning Technologies: Finger, Facial and Retinal Scanning –
Spinella E.......................................................................................................................14
2.4. Privacy Concerns....................................................................................................16
2.4.1. A Formal Study of the Privacy Concerns in Biometric-based Remote
Authentication Schemes- Tang Q, Bringer J, Chabanne and Pointcheval D.................16
2.5. Products .................................................................................................................16
2.5.1. Palm Vein Pattern Authentication Technology..............................................16

May 23,
2014
3
3. Research Question........................................................................................................17
3.1. Aims and Objectives ..............................................................................................17
3.1.1. Aims................................................................................................................17
3.1.2. Objectives.......................................................................................................18
4. Methodology and Design..............................................................................................18
4.1. Waterfall Technique ..............................................................................................18
4.2. Research Methods .................................................................................................18
4.3. Ethical Issues..........................................................................................................19
5. Planning.........................................................................................................................19
5.1. Gantt Chart ............................................................................................................19
5.2. Waterfall Diagram..................................................................................................20
5.3. Basic Activity Planner.............................................................................................20
5.4. Personal Target Sheet............................................................................................20
5.5. Risk Register...........................................................................................................20
5.6. Student-Supervisor Agreement.............................................................................20
6. What are the threats in online gaming.........................................................................21
6.1. Hijacking Accounts.................................................................................................21
6.1.1. Brute Force Attacks ........................................................................................22
6.1.2. Malicious Software.........................................................................................22
6.1.3. Social Engineering ..........................................................................................23
7. Biometric Authentication..............................................................................................24
7.1. What is Biometrics?...............................................................................................24
7.1.1. False Acceptance Rate and False Rejection Rate...........................................25
7.1.2. Crossover Error Rate (CER).............................................................................26

May 23,
2014
4
7.1.3. Other factors to consider ...............................................................................27
7.2. Experiment.............................................................................................................28
7.3. Why use Biometric Authentication Methods ........................................................28
7.4. Benefits and Drawbacks of Biometric Authentication ..........................................29
7.4.1. Advantages of Biometric Authentication.......................................................29
7.4.2. Disadvantages of Biometric Authentication ..................................................29
7.5. Example of biometric authentication....................................................................31
7.6. Weaknesses with biometrics.................................................................................32
8. Types of Biometric Authentication methods ................................................................33
8.1. Fingerprinting ........................................................................................................33
8.2. Facial Recognition..................................................................................................36
8.3. Retina Scanning .....................................................................................................38
8.4. Iris Pattern Recognition .........................................................................................40
8.5. Palm Vein Recognition...........................................................................................42
9. Analysis of Results from Survey ....................................................................................45
10. Is the storage of Biometric Data to Intrusive? ..........................................................46
10.1. Overview ............................................................................................................46
10.2. Privacy Concerns ................................................................................................46
11. Recommendations ....................................................................................................48
11.1. Fingerprinting.....................................................................................................48
11.2. Facial Recognition..............................................................................................48
11.3. Retina Scanning..................................................................................................48
11.4. Iris Scanning .......................................................................................................49
11.5. Palm Vein Recognition.......................................................................................49

May 23,
2014
5
11.6. Final Recommendations.....................................................................................49
11.6.1. Current Recommendations ........................................................................49
11.6.2. Future Recommendations ..........................................................................50
12. Conclusion.................................................................................................................50
13. Evaluation..................................................................................................................52
14. References.................................................................................................................53
15. Bibliography...............................................................................................................58
16. Appendices................................................................................................................59
16.1. Appendix A – Ethical Monitoring Form..............................................................59
16.2. Appendix B – Gantt Chart ..................................................................................60
16.2.1. Original Gantt Chart....................................................................................61
16.2.2. Updated Gantt Chart ..................................................................................61
16.3. Appendix C – Waterfall Diagram........................................................................62
16.4. Appendix D – Basic Activity Planner ..................................................................62
16.5. Appendix E – Work Log ......................................................................................63
16.6. Appendix F - Risk Register..................................................................................64
..........................................................................................................................................64
16.7. Appendix G - Meeting Log..................................................................................65
16.8. Appendix H – Deceptive Download Screen .......................................................66
16.9. Appendix I – Biometric Technologies (Present and Future) ..............................67
16.10. Appendix J – Best Practices................................................................................68
16.11. Appendix K – Detailed Analysis of Survey Questions ........................................69
16.11.1. Have you heard of biometrics?...................................................................69
16.11.2. Which types of biometric authentication have you heard of and how
secure do you think they are? ......................................................................................70

May 23,
2014
6
16.11.3. Which of the above types do you consider most secure? .........................72
16.11.4. Did you know that biometric authentication methods are found in most
smartphones? ...............................................................................................................73
16.11.5. If you play MMORPG (Massively Multiplayer Online Role Playing Games),
how secure do you think your data is?.........................................................................74
16.11.6. Do you think applying biometric authentication to online gaming is a good
idea? 75
16.11.7. Do you think biometrics authentication is too intrusive? ..........................76
16.11.8. Do you believe that biometric data needs to be regulated? .....................77
16.11.9. A small palm vein scanner can be used to login to supporting programs.
Would you like to see gaming companies support this method? ................................78
16.11.10. If you have any ideas in ways which you believe that biometric
authentication can be applied to online gaming, please leave any comments. ..........79

May 23,
2014
7
Abstract
Since the introduction of high speed internet, online gaming has grown considerably, most
notably in the last decade or so. Therefore personal data found on the internet increases
significantly. This poses the question of how secure is this data. This paper therefore intends
to look at the threats and offer biometric solutions to online gamers and gaming companies.
The paper will take in to account cost and effectiveness of each proposed solution as well as
look at the future of data security, specifically in the online gaming market. From the results
gathered in this paper it becomes clear that users are concerned with the security of their
data. The main data was gathered from external resources such as journals and a custom
survey. Both gamers and non-gamers were chosen to complete the survey as it gives a
clearer overview of whether people know of biometrics and whether they consider them to
be useful. This paper looks at how biometric authentication works to help gain a clearer
understanding of the technology and ways in which it can be applied. It also details the
weaknesses associated with biometric data, most notably the way in which it is stored and
whether in can be seen as a breach of privacy. This paper also considers how biometric
authentication may not be relevant now for online gaming, but with the increasing reliance
on smartphones, it is an area that should be seriously looked at for the future.

May 23,
2014
8
Is it feasible to apply Biometric Authentication to online
gaming?
1. Introduction
Online gaming is an ever growing market. Many people sign up to new online games on a
daily basis, therefore the amount of personal data on the internet increases. Figure 1 below
shows the global population vs. gamers
Figure 1. Global population vs. gamers (newzoo, 2013, online)
The above chart however, covers the complete online gaming market not just massively
multiplayer online role playing games. This is therefore indicative of the amount of personal
data stored across the world on many different servers. With this level of data, security is
paramount to the users. Considering the high volumes of personal data, biometric
authentication offers enhanced security for all users of all types of online games.
This report aims to offer a range of biometric security options for protecting user data
specifically protecting user account from illegal access. It will detail what biometrics are,

May 23,
2014
9
how biometrics work, a critical analysis of biometric authentication methods; including
benefit and drawbacks, as well as the feasibility of applying this to the mainstream online
gaming market. It will also include some of the more ethical issues associated with biometric
authentication and whether the field may need regulating in the future. A survey has also
been sent out primarily to a variety of different gamer groups, but also to researchers in the
field. Once completed, the data will then be analysed, which links in with the feasibility and
possibility of adding some sort of biometric authentication methods to online gaming.
2. Literature Review
This section will look at some of the literature suitable for this project. The papers will be
split in to sub-sections as outlined below
2.1. General Threats to Cloud/Online Gaming Services
2.1.1. Addressing cloud computing security issues – Zissis, D and Lekkas, D
Although this project is not specifically aimed at the cloud, this paper was deemed relevant
to the final project as it gives a good overview of general threats. When playing a Massively
Multiplayer game all user details are stored in a big data centre, exactly the same as a cloud.
This paper looks at security threats to the cloud, all of which can easily be applied to the
gaming market.
Zissis D, and Lekkas D, states that "Cloud computing in its quintessence, has the capability to
address a number of identified deficiencies of traditional architectures due to its unique
characteristics, but the adoption of this innovative architecture may introduce a number of
additional uncategorized threats"
There are many threats to security out there to data. Many requirements as set out in this
paper are perfectly relevant to online gaming. All users online will want their data kept
confidential, this means that only authorised users are able to access the data. Massively
Multiplayer gaming is ever growing, therefore the threat of data being compromised

May 23,
2014
10
increases with every new user or server. Other issues include data deletion, a breach of
privacy and impersonation.
All of these issues could easily be addressed with some sort of biometric authentication, but
as always the cost of biometrics is an issue. Other solutions include certificate-based
authorisation and creation of security domains.
2.2. Threats to Online Gamers
This section will look at two papers that detail some of the threats to online gaming as well
as detail some crime statistics relating to online games.
2.2.1. Online Gaming Crime and Security Issues – Cases and
Countermeasures from Taiwan - Chen Y-C, Chen P, Song R, and
Korba L
This paper offers data on a variety of different criminal activities found in the virtual world
from the like of simple password stealing to actually thieving people's money. The current
security systems in use by gaming companies are very weak and can easily be hacked. This
paper also offers a selection of preventative measures to help ensure user security including
the use of biometric authentication devices. Other offerings consist of digital certificates,
smart cards, and passwords transmitted through a mobile phone.
Over the last ten years or so, technology has advanced at an incredible rate, and with the
introduction of global broadband online gaming has become more accessible to the masses
including the likes of hackers. These threats come in many forms; every user has an ID and
password, which with some basic key logger software can gather this information. “User
authentication for online gaming has mostly adopted the static password mechanism since
it provided simplicity, ease and convenience.” (NRC.CNRC, 2004, online).
Other threats include in game cheating, ID theft and stealing bank details. This paper details
some crime statistics from Taiwan. The figures for this show that 3553 cases were reported
and 3983 criminals were prosecuted. Unbelievably over 1300 of which were related to the

May 23,
2014
11
online gaming scene. All these figures were taken from the National Police Administration of
Taiwan.
2.2.2. Security in Online Gaming - van Summeren, R.
This paper details a wide variety of threats found in online gaming and is highly relevant to
the final project. It defines the difference between cheating and attacking which are often
found under the same category. They are in fact two very different threats.
The focus of this paper was primarily on the types of cheating and attacking methods
available to hackers. However this project will only look at the attacking side of security
threats. There are many forms of attacking, such as brute force attacks and social
engineering.
The brute force attacks are the least used as stated in the paper as users are making more
and more complex passwords to prevent this, but some users still use the very basic
passwords such as ‘password’. This method is often very slow and tedious.
According to this paper the biggest threat is social engineering where illegitimate players
will try to gain people information in a variety of ways such as external emails stating their
account has been hacked and they need to confirm their details.
This paper does however offer some more simple solutions such as strong passwords,
regular updates and educating players about the dangers of these individuals.
2.3. Biometric Types and Reviews
2.3.1. Biometrics and User Authentication - Zimmerman M
This paper looks at a variety of different areas within biometrics. It details how important
data is to our everyday lives. “One of our highest priorities in the world of information
security is confirmation that a person accessing sensitive, confidential, or classified
information is authorized to do so.” (SANS Institute, 2002, online).

May 23,
2014
12
Other key area in this paper help to explain the primary types of authentication; finger
prints scans, retina or iris scans, voice recognition and facial recognition. The previously
mentioned methods are the most plausible therefore use of this paper will play a key role in
determining which, if any methods are suitable for the online gaming market.
Although biometric authentication does seem a good idea for additional security, there are
concerns relating to the actual use and storage of biometric data. This paper also looks a
privacy issues relating to the storage and use of biometric data, and offers the idea that the
“purpose of
authenticating an individual user, the system does not try to determine the user's identity –
only to confirm it.” (SANS Institute, 2002, online). Other areas this paper look at is the
efficiency of the biometric authentication process.
2.3.2. Biometric Authentication: System Security and User Privacy – Jain A
K, and Nandakumar K.
This paper looks at some of the key areas in respect of biometric authentication. It looks at
how these systems work, the vulnerabilities and types of attack, it goes in to detail about
the biometric template security and the pros and cons using these kind of systems.
Thispaperwill prove veryuseful forthisproject.One of the areastobe includedwasacritical
analysisof biometrics. Asthispaperdetailsthe advantagesanddisadvantagesof authentication
methods,itwill prove useful whenitcomestothe critical analysis.This papershowsthatany
biometricsystemsisnotinfallible.“Whilebiometricsystemsaren’tfoolproof,the research
communityhasmade significantstridestoidentifyvulnerabilitiesanddevelopmeasurestocounter
them.”(IdentitySciences,2012, online).The primaryweaknessesare thingssuchasdenial of service
attacks and anyproblemswithacceptance rates.Otherweaknessesare thatof employeescausing
the systemstomalfunctionaswell assome of the usual attacks such as manin the middle.
As withanysystemthere are advantagesanddisadvantages,butaheadof these wouldbe the
concernof privacy,as usersmaybe concernedwhatisactuallyhappeningtotheirpersonal dataonce

May 23,
2014
13
it hasbeenstoredonthe biometricdatabase andthisbegsthe questionwhetherbiometric
authenticationshouldbe regulated.
2.3.3. Biometric Recognition: Security and Privacy Concerns – Prabhakar
S, Pankanti S, and Jain A K.
This paper will be very useful to this project as it covers many of the aims. It looks at how
the biometric authentication systems work and distinguishes between verification and
identification, these are two very similar methods but are essentially the same, so are often
referred to as jut simple recognition. “A biometric system is essentially a pattern-recognition
system that recognizes a person based on a feature vector derived from a specific
physiological or behavioral characteristic that the person possesses.” (Biometrics, 2003,
online)
This paper looks at the security associated with biometric authentication systems. This
includes areas such as systemerrors. It flags up how most of the authentication systems are
affected by environmental factors. For example taking two impressions of a person’s same
finger, the impressions are highly unlikely to match exactly due to various environmental
factors, therefore any system is going to have to allow for some leeway to allow the correct
person their access.
This paper also looks areas where biometric authentication systems have been applies such
as commercial application such as network logins and government applications such as ID
cards. It also explains the difference between the commercial systems and the government
systems and how both systems can withstand malicious attacks.
This paper also looks at the privacy concerns again relating to the storage of personal data
and how secure the databases actually are. It details what they can and cannot be used for.

May 23,
2014
14
2.3.4. Biometric Authentication: A Review – Bhattacharyya D, Ranjan R,
Farkhod A A, and Choi M.
This paper is relevant to my final project as it details the different types of biometric
authentication methods currently available and how they work. Bhattacharyya, D et al. state
that "Advances in the field of Information Technology also make Information Security an
inseparable part of it. In order to deal with security, Authentication plays an important
role.” This paper also looks at how biometrics has improved over the years with the intent
to look to the future of the field.
In recent years the biometric authentication has become more popular as a way to boost
security and provide personal information. With many forms of fraud on the rise, biometrics
could easily pave the way for a more secure world.
In the present day this field has seen massive funding boosts, however now it is beginning to
raise privacy concerns with people. It can be seen as perhaps too intrusive. The main
investment seems to be in the facial recognition field presently, however other areas are
not being ignored. This again raises privacy concerns, and now countries are looking, if
needs be, to regulate this field.
Many types of biometrics have been tested according to this paper using a variety of
different areas such as equal error rate. The primary fields tested were face, finger print,
hand geometry, iris, key strokes and voice.
2.3.5. Biometric Scanning Technologies: Finger, Facial and Retinal
Scanning – Spinella E
This relevancy of this paper to the final project is high. This paper looks at three of the four
authentication types that could be deemed suitable for online gaming. The three areas in
which this paper looks at are: finger, facial and retinal scanning.

May 23,
2014
15
Fingerprinting technology is the “oldest of the biometric sciences and utilizes distinctive
features of the fingerprint to identify or verify the identity of individuals” (SANS Institute,
2003, online). The paper looks in detail at the five stages to recognising a finger scan. It
evidences the popularity of finger print scanning, but also covers strengths and weaknesses
associated with it.
Facial recognition is also a well-tested method of authentication. It again explains the stages
for a successful facialscan, but highlights the concerns also. The main concerns will be the
accuracy and how easily environmental factors can affect a successful scan. The paper also
highlights that this method can be used at a less intrusive distance, as most of the time
people being scanned to not realize this. The paper also explains what features the scanner
requires to make a match.
Retinal scanning is a much newer method of authentication. It is also one of the most
accurate methods. Again this paper looks at how the systemworks explaining that a retinal
scan is “based on the blood vessel pattern in the retinal of the eye” (SANS Institute, 2003,
online). The paper looks at both benefits and drawbacks. However, overall this paper
recommends that retinal scanning is one of the best methods available for accuracy albeit
the difficulty and costs related to this method.

May 23,
2014
16
2.4. Privacy Concerns
2.4.1. A Formal Study of the Privacy Concerns in Biometric-based Remote
Authentication Schemes- Tang Q, Bringer J, Chabanne and
Pointcheval D.
This paper is suitable for the one of the last sections of this project. Privacy is a growing
concern within the biometric field. Biometrics has been introduced to offer more secure
methods of storing personal data. However the storage of biometric data is based on a trust
relationship with the provider. This paper presents ideas of how privacy can be kept using a
complex array of algorithms at each stage of authentication from enrolment to
authorisation. This intends to offer a new security model which covers many of the
concerns users have such as identity theft.
Although this paper may not be quoted directly in this project, it will offer an insight
towards the range of privacy concerns user may or may not have. It also offers a general
authentication method which will fill the properties found within their specific security
mode.
2.5. Products
2.5.1. Palm Vein Pattern Authentication Technology
This paper is relevant to the final project as it details about a specific products available,
however it only details palmvein reader products, not the well-known products such as a
fingerprint scanner. "This technology is highly secure because it uses information contained
within the body and is also highly accurate because the pattern of veins in the palm is
complex and unique to each individual" (Fujitsu, 2006, online)
This method of authentication works by comparing the pattern of a person's palm and the
information stored on a database. As the pattern is stored within the body it makes it
impossible to forge therefore ensuring very high levels of data security. The palm can be

May 23,
2014
17
used as it offers the most complex patterning available; the pattern would then be matched
by comparing either an infra-red photograph or by using reflection photography.
Fujitsu performed an experiment using 70,000 individuals for various different age groups
and the test proved that this technology has a very low false acceptance rate (less than
0.00008%) and a low false rejection rate (0.01%)
There is a wide choice of products using palm vein technology including the likes of ATMs,
an access control unit and a PalmSecure login unit. The login unit can also be built in to
existing technology so for example it could be added to the computing labs at Colchester
Institute to verify user login details.
3. ResearchQuestion
As previously mentioned online gaming is an ever growing market, therefore this posed the
question how secure is the actual login systems and whether biometrics is a reasonable
solution to helping secure user data, hence the question for this report was chosen as “Is it
feasible to apply biometric authentication to online gaming?”.
3.1. Aims and Objectives
3.1.1. Aims
 To discover the dangers posed to online gamers
 To discover what biometrics and biometric authentication methods actually are
 To find out if biometric authentication can be applied to gaming
 To get the opinion of those who play online
 To see if it is feasible and necessary to apply biometrics authentication to online
gaming
 To see if it is too intrusive

May 23,
2014
18
3.1.2. Objectives
 Explain how biometric authentication works
 Explain some of the benefits and drawbacks to the most feasible methods
 Determine which type of biometric authentication method is best suited for the
industry
 To analyse the accuracy of the favoured authentication methods
4. Methodology and Design
My project consists of no practical work as I feel this is not going to help me reach my goals,
therefore I need to investigate the most suitable methodologies for my research. There are
a variety of different methodologies that can be used; they include things such as Scrum,
Waterfall and Agile techniques. Another option could be the use of the V-model.
4.1. Waterfall Technique
The most suitable option would be the waterfall technique. “In a waterfall model, each
phase must be completed fully before the next phase can begin." (ISTBQ Exam Certification,
2012, online). The waterfall model will hold some key advantages for me. As it is required
that each stage is to be completed before the next one can begin, this should help force the
issue. An example would be that when the questionnaire is created and people are asked to
fill it out, it will need to be to a set timescale, essentially completed at least two weeks prior
to the deadline for analysis. This method is by far the most suitable for this project.
4.2. Research Methods
There are two primary methods of research methodologies qualitative and quantitative
research. Both methods provide different approaches to research. Qualitative research "is
more focused on how people feel, what they think and why they make certain
choices."(Business & IP Centre, no date, online). Quantitative research is "a more logical
and data-led approach which provides a measure of what people think from a statistical and
numerical point of view." (Business & IP Centre, no date, online). For my project I intend to
use quantitative research. The data will be obtained by the use of questionnaires. From

May 23,
2014
19
those questionnaires I would like to get a good overview of how users feel about potentially
having this in place of a user ID and password.
As I am unable to do the testing between different login systems myself, during the research
process I will need to ensure that all discovered results have had the same criteria applied to
them. The criteria I wish to apply specifically to biometric authentication will be type of
biometric recognition (e.g. fingerprint and facial), accuracy, and cost. I feel that these are
the most important areas in answering my research question.
4.3. Ethical Issues
As this project is focused on research rather than testing, it raises no ethical issues.
Although I have chosen to present a questionnaire, there is no need for any personal details
to be added, it is completely anonymous I have completed an ethical monitoring form which
confirms that no personal data will be gathered and retained.1
5. Planning
This phase requires the creation of important charts to give direction to the project. The
minimum a project like this requires is a Gantt chart. The next section will detail supporting
planning documents
5.1. Gantt Chart
The Gantt chart is an essential tool to any project as it details deadlines for each stage of
any project. It will also help improve my time management. I used a tool called Smartsheet
to help me create a complete and accurate Gantt Chart2. There were some significant
changes to the timings as originally set out, this did not affect my overall report but the
most notable change was the increased time that the questionnaire was kept available.
1 See Appendix A
2 See Appendix B for the original and updated version of the gantt chart

May 23,
2014
20
5.2. Waterfall Diagram
Although my project is a research project, and doesn't fit exactly within any project
management technique, I have therefore decided to manipulate a simple waterfall diagram
to suit some of the targets that are mandatory for the next to start3.
5.3. Basic Activity Planner
I have chosen to represent some of the key activities in a flow chart type diagram. This
shows the intended direction I wish to take. It is based on the waterfall diagram and I have
included more detail in the activity planner. The milestone tasks are in the larger circles.4
5.4. Personal Target Sheet
I have created a personal target sheet with end dates for certain tasks, I feel this will help
me as I plan to select the check box to indicate that have completed that task. There will
also be included a weekly work log5
5.5. Risk Register
A risk register is made to provide "project managers with a list of risks identified, stated
clearly and assessed as to their importance to meeting project objectives". (Hulett &
Associates, no date, online). I have compiled a risk register stating the areas of my project at
risk.6
5.6. Student-Supervisor Agreement
I would hope to have at least bi-weekly meetings with my supervisor if not weekly. During
the Easter break and inter-semester gap weeks it is likely that all communications will be
handled through emails. I have chosen Wednesdays to meet with my supervisor.7
3 See Appendix C
4 See Appendix D
5 See Appendix E
6 See Appendix F
7 See Appendix G

May 23,
2014
21
6. What are the threats in online gaming
Online gaming poses many security threats, these can be split in to two categories, cheating
and attacking. These are two very different, but similar methods used by unscrupulous
users. “The main difference between these 2 categories is cheats being used in-game, and
attacks being used at the game, or at the game’s players.” (Security in online gaming, 2011,
online). The intention of this report is to look at the security threats at the login level rather
than the in game level; this would be classed as attack rather than cheat.
The reasons for attacking would be primarily to:
 Steal a player’s game account.
 Steal personal data for malicious reasons such as ID theft.
 Disrupting or compromising a game server.
6.1. Hijacking Accounts
All user accounts are generally protecting merely by a password, most of the time these are
weak passwords that are very easy to remember. Should a player’s account be hacked, then
the hacker will have access to their personal data. This can include anything from name and
address to bank account and credit cards. All of these can potentially cause harm to the
effected player. The personal data such as name and date of birth can easily be used for
identity theft and the hacker can then use these for things such as financial gain such as
taking out a bank loan or forging official documents such as passports. The outcome of this
could be very serious for the victim, they could easily have their credit history damaged, or
even more serious their name could be used by illegal immigrants to gain passports, and
country benefits.
There are many different methods available for hackers to gather the information they
want.

May 23,
2014
22
6.1.1. Brute Force Attacks
Brute force attacks are the most basic forms of attack. This method is basically
“A password and cryptography attack that does not attempt to decrypt any information, but
continue to try a list of different passwords, words, or letters.” (Computer Hope, 2014,
online). The most basic brute-force attack software will likely have an imbedded dictionary
of the most commonly used passwords such as ‘password’. The more advanced attack will
attempt to enter every key combination in the hope of finding the decryption passwords.
However this can take a very long time. The success of this attack is based on, the password
strength, the computer power, the knowledge of the target and the strength of the
encryption. This method is not the most commonly used one mainly due to the length of
time required to conduct an attack and that most companies offer protection for this by
only allowing false credentials to be entered three or four time.
This method can be easily prevented by the use of a biometric login as passwords may not
need to be used, or if they are a two stage login process can be applied, biometric checks
and password checks. This attack can only access the password and not the saved biometric
data.
6.1.2. Malicious Software
Malicious software or malware is a major risk in the security of online gaming. “When a
game’s popularity increases, the amount of game-related websites and fan sites grows
accordingly.” (Security in online gaming, 2011, online). As the level of legitimate websites
increase so do the fake websites. Both experienced and non-experienced computer users
can be caught off guard by one of these illegitimate websites. It is a very simple process for
websites to fill a browser full of toolbars. These toolbars can often be problematic to
remove and may contain some sort of malicious code or programs such as Trojan horses or
key loggers. An example of a toolbar that is incredibly difficult to remove is the Babylon
toolbar; this toolbar cleverly changes the user’s homepage and search engine preferences. A
more common method of putting unwanted software on a user’s computer is the use of full

May 23,
2014
23
screen popups or small hidden download links also known as deceptive download links8.
Biometric authentication will be unable to help prevent this. Malware is solely the
responsibility of the player being careful when not logged in to the game.
6.1.3. Social Engineering
This is by far the most common methods for attackers to gain user data. This is executed by
the attacker ‘persuading’ the innocent user to hand over their ID and password by making
them think that they have gained a rare item or something has happened to them.
There are many methods used by these attackers to gain this information. For example a
player could be informed that he has won a rare or exclusive item. The user will then be
directed to a website which looks exactly the official website and requested to enter their
user data, the only way to tell the difference would be the URL. Another example would be
an email sent to the user stating that their details have been compromised and they need to
click the link in the email to reset their password. There are many ways to distinguish
between legitimate and illegitimate messages, often these illegitimate messages are full
grammatical and spelling errors and the URL will often have some form of extension on the
end.
8 See Appendix H for an example of deceptive download links

May 23,
2014
24
7. Biometric Authentication
Biometric Authentication has been around for years, its routes can be traced back as far as
the 14th century where “Joao de Barros recorded the first known example of fingerprinting,
which is a form of biometrics, in China” (Bhattacharyya D et al., 2009, online)
7.1. What is Biometrics?
Biometrics basically means life measure from the Ancient Greek of bios meaning life and
metrikos meaning measure. The meaning is not entirely true and generally would be
connected with the use of distinctive physiological characteristics of a single person.
Prabhakar, S et al. states that “A biometric system is essentially a pattern-recognition system
that recognises a person based on a feature vector derived from a specific physiological or
behavioral characteristic that the person possesses.”
The concept of biometric authentication really is a simple one. Biometric authentication
systems work with a two stage process, enrolment and authentication. “In the enrollment
subsystem the biometric data are captured from a subject and checked for their quality.”
(gtti, 2007, online). Once that process has been completed the key biometric features are
then stored in a database. This then leads to the verification (authentication) stage.
Verification is more likely to be used for secure logins. Verification works by a user scanning
in a fingerprint for example, the data is then forwarded to the storage database and
matched. If the data is correct then the user will be authorised to proceed, if a match is not
found, then the user will be unable to progress. This method could be used to replace the
standard UserID and Password login, but the technology would require very high accuracy.
“Different metrics can be used to rate the performance of a biometric factor, solution or
application. The most common performance metrics are the False Acceptance Rate FAR and
the False Rejection Rate FRR” (Biometric-Solutions, 2013, online). The image shown in
figure 2 details how a standard generic biometric system works

May 23,
2014
25
Figure 2. A generic biometric system (Wayman et al. 2005)
7.1.1. False Acceptance Rate and False Rejection Rate
False acceptance rate (FAR) is when a biometric authentication systemauthorises an
intruder or non-authorised person. This can also be known as the False Match Rate (FMR) as
detailed further on in this paper.
False rejection rate (FRR) is when a biometric authentication systemrefuses access to an
authorised person, due to failing to match the biometric input with the data stored on the
system. FRR can be affected (mainly increasing) by many external factors, such as lighting
conditions or dirt on a fingerprint scanner.

May 23,
2014
26
7.1.2. Crossover Error Rate (CER)
The CER is the singular most important measurement in testing the accuracy of any
biometric authentication system “This is also called the equal error rate and is the point,
generally stated as a percentage, at which the false rejection rate and the false acceptance
rate are equal. This has become the most important measure of biometric system
accuracy.”(Krause and Tipton, 2004). The crossover error rate (CER) is also known as the
equal error rate (EER)
As EER is the most important measure of biometric accuracy, systems have the capability to
adjust sensitivity. For example FAR are highly likely to be an undesirable therefore a system
can be set to require practically perfect matches of both the enrolment data and input data.
Alternatively, should the FRR need to be reduced then the systemcan be adjusted to only
accept imprecise matches to enrolment and input data. Therefore adjusting the system
either way will negatively affect the other. Figure 3 gives a graphical representation of
where the false acceptance rate and false rejection rate meet giving the crossover error rate
(equal error rate).

May 23,
2014
27
Figure 3. A graphical representation of FAR and FRR errors, indicating CER (biometric-
solutions, 2013 online)
7.1.3. Other factors to consider
As well as the likes of FRR, FAR and EER, there are other factors essential to a biometric
authentication system, this include things such as failure to enrol rate (FER) and the speed
and throughput rate.
Failure to enrol is the level of users that haven’t enrolled successfully, usually measured in a
percentage, this is primarily caused by a lack of instruction and these rates are likely
affected by environmental factors as well.
Speed and throughput are key characteristics of any biometric system. It is generally related
to how fast the system can process the data received, match it up with the information on
the database, and decide whether to accept or reject the user. “Generally accepted
standards include a systemspeed of 5 seconds from startup through decision annunciation.”
Krause and Tipton, (2004). Although the speed of today’s systems are considerably quicker

May 23,
2014
28
than they were 15 years ago, the can still be seen as somewhat cumbersome, which
unfortunately has prompted the removal of biometric systems. Although as the level of
research in to biometrics has increased considerably, it will not be long until the systems are
extremely fast and cause little or no delays.
7.2. Experiment
Currently the rates of false matches are very low. Figure 4 shows the effectiveness of some
of the existing biometric authentication techniques available now referencing the EER, FAR
and the FRR
Figure 4. A table detailing biometric authentication methods accuracy (Bhattacharyya D et
al., 2009, online)
7.3. Why use Biometric Authentication Methods
Biometric authentication methods offer a much more secure way of accessing your personal
accounts. All gaming companies offer a simple UserID and Password security system; this
however is the easiest and simplest method to enforce both for the user and the gaming
company. More often than not gaming companies have now added and additional security
layer which involves a pin number to access the user’s inventory and characters. Still, this
only offers a small additional layer of protection.
Biometric authentication could quite easily do away with the previous mentioned methods
as the user can use something such as a palm vein scan or retina scan to log in. As is well

May 23,
2014
29
known every person has unique characteristics and the veins within a human retina and
palm will be individual to the person and cannot be forged. However, the use of biometric
data does have its drawbacks such as all the data will be stored collectively on a database
which may be compromised by and external or internal source. There are a few potential
solutions to this but that will be covered later on in the paper.
7.4. Benefits and Drawbacks of Biometric Authentication
Biometric authentication is far more secure than a physical token, such as a password as
previously mentioned. However, for all its advantages, biometric authentication comes with
disadvantages.
7.4.1. Advantages of Biometric Authentication
Biometric authentication has many advantages but “the main benefit of using a biometric
authentication factor instead of a physical token is that biometrics can't easily be lost,
stolen, hacked, duplicated, or shared.” (eSecurityPlanet, 2012, online).
Biometric authentication systems are also resilient to social engineering as the user is
always required to be present for access to any data that has been saved on the gaming
servers. Another advantage is that the game company can track any user that may have
cheated during their online gaming time. It would be extremely difficult to deny this as the
player would have had to log on using some form of physical technique such as facial
recognition. Different types of biometric authentication methods offer different advantages
such as contact with a surface; this paper will look at that in the next section.
7.4.2. Disadvantages of Biometric Authentication
Although biometric authentication offers far greater security for a user, it does have its
drawbacks. “The main drawback of any biometric systemis that it can never be 100 percent
accurate.” (eSecurityPlanet, 2012, online).
The accuracy of any authentication system is measured by two key indicators: false non
match rate (FNMR) and false match rate (FMR). The first indicator, false non match rate,

May 23,
2014
30
measures the regularity of a matching biometric not being authenticated when it should.
Whereas the second indicator, false match rate, measures how frequently an incorrect
match is made. A company called Griaule Biometrics has run some experiments on this and
has the results below show that FNMR and FMR happen, although this is based on a score
value of 0.4. “The biometric community uses to define two cumulative distribution functions
for error analysis.
For every score value i on range (0.0 , 1.0) the following functions are created:
FMR(i) (False Matching Rate) : The FMR value for score i is the number of imposter
comparisons with score higher that i divided by the total number of imposter comparison.
FNMR(i) (False non matching Rate): The FNMR value for score i is the number of genuine
comparisons with score lower than I divided by the total number of genuine comparison
Figure 5. Cummulative score functions FMR e FNMR. For the score value 0.4 the FMR and
FNMR are respectively 0.0034 e 0.0239” (Understanding Biometrics, 2008, online)

May 23,
2014
31
The results gathered by Griaule, are relevant to the disadvantages of biometric
authentication. These clearly show that biometric authentication is by no means 100%
secure and backs up the statement from eSecurityPlanet. However albeit these false
matching and false non matching rates, biometric authentication is more secure than a
standard security measure currently in place for gamers.
A further issue with biometric authentication is the basic knowledge of any user be it gamer
or otherwise, should the user be unable to successfully enrol then they would have no
access to their data, this could cause a headache for anyone affected by this, therefore
gaming companies would be required to send out basic instructions to all users, ideally
through email, this unfortunately will increase costs which could lead to an increase in game
price, or the in game shop that uses micropayments.
7.5. Example of biometric authentication
A good example of where biometric authentication is used is at the UK border patrol. The
biometric passports primarily use two main forms of identification which are facial
recognition and iris recognition. Although this is not directly related to UK border patrol, the
table in figure 4 gives a good overview of how successful biometric authentication methods
may be. Facial recognition is used by the UK border patrol and has one of the highest FRR at
10%, but its saving grace is that it also has one of the lowest FAR at 1%. The high level of FRR
could easily be caused by many factors such as atmospheric conditions, and a change in
personal appearance.
Also the use of iris recognition has proven to be one of the most secure authentication
methods as both its FRR and FAR are below 1% at 0.94% and 0.99%.

May 23,
2014
32
7.6. Weaknesses with biometrics
Biometrics is a superb way to enhance data security; however, it is by no means infallible.
There are some major concerns associated with biometrics, primarily with the storage opf
such data.
The first concern would be related to privacy. The technology is deemed individuating and
can easily communicate with any database technology. If weaknesses are exploited within
any database, it would make any violations easier and far more devastating to the victim. A
solution to this would be ensure that defences are fully integrated to any system, as it
would be considerably more challenging to apply extra defences to an existing system
A second concern is the initial quality of the ID, gained through enrolment and registration;
this is a critical stage for any biometric system to work effectively. “Biometric systems are
only as good as the initial identification, which in any foreseeable system will be based on
exactly the document-based methods of identification upon which biometrics are supposed
to be an improvement” (Electronic Frontier Foundation, 2003, online).
A third concern is that these systems do not offer and clear immediate data for potential
threats, although this is not essential in the world of online gaming, it is otherwise a concern
elsewhere such as in government. Once the biometric data has been acquired, only then can
the authorities consider applying warning flags to a person provided there has been enough
suspicion around their daily routine.
A fourth concern is “Biometric systems are useless without a well-considered threat model”
(Electronic Frontier Foundation, 2003, online). This again is not particularly important to
online gaming, certainly not yet at least, but a solid threat model could help determine
cheaters or hackers in the online gaming world. However, this does require the sharing of
data among companies, which in effect breaches privacy. The only solution to this is to seek
user permission to share data.

May 23,
2014
33
A fifth concern is the security associated with the database in which user biometric data is
stored. The security of the database is paramount for any data storage especially
biometrics. To ensure that the data is kept safe, the company must have an extremely
strong security policy to help both external and internal hackers. The database itself will
need to have the most robust security available. Unlike user ID and password, if biometric
data is lost or stolen then it is gone completely and cannot be recovered. “Any biometric
system must be built to the highest levels of data security, including transmission that
prevents interception, storage that prevents theft, and system-wide architecture to prevent
both intrusion and compromise by corrupt or deceitful agents within the organization.”
(Electronic Frontier Foundation, 2003, online).
8. Types ofBiometric Authenticationmethods
Biometric authentication is available in a variety of different forms. The most commonly
known ones are fingerprint scanning and retina scanning. There are however many other
methods available to users. The most widely used techniques are fingerprinting and facial
recognition; however these methods are by no means the most accurate. Other
technologies9 such as iris scanning and hand geometry have lower FAR’s, FRR’s and EER’s
than fingerprinting or facial recognition. However this report will only consider the methods
that could be deemed relevant to the final outcome of applying biometric authentication to
online gaming.
8.1. Fingerprinting
Fingerprinting has been around for centuries, as mentioned earlier the origins of using a
fingerprint as a form of identification can be traced back to 14th century China. Nowadays it
is most commonly used by law enforcement agencies such as the police or MIT. A
fingerprint is unique to every individual and consists of regular ridges and valleys. “These
ridges are characterized by several landmark points, known as minutiae, which are mostly in
the form of ridge endings and ridge bifurcations.” (Second Generation Biometrics, 2010
9 A largelistof technologies can be found in Appendix I

May 23,
2014
34
online). An image of a fingerprint including the information a verifier would consider can be
seen in figure 6.
Figure 6. A fingerprint with the key points identified
As with any biometric authentication method the finger print has to be ‘captured’ and
stored. This can be achieved in more ways than one. The traditional method of capturing
this data is through visual representation using an optical fingerprint scanner as can be seen
in figure 7. Other options to capture the fingerprint data include methods involving the use
of semiconductor generated electric fields to form an image of the fingerprint.

May 23,
2014
35
Figure 7. A Topaz IDGem Backlit HID USB, RoHS Compliant, Optical Fingerprint Sensor.
Fingerprint recognition can be found in some smartphones such as the Apple iPhone and
high specification laptops, mainly business laptops. The general accuracy on these more
basic versions of a fingerprint recognition sensor will not yield the same level of accuracy as
equipment used in law enforcement or in the Topaz IDGem mentioned previously in this
report.
Fingerprint verification works in the same way that any other form of biometric
authentication the data is taken from the enrollee and stored on a database. The sensor
captures the image and is that image is then interpreted and the key features10 are
extracted via algorithms to a data file which is then stored on a database. When a user tries
to log in to any systemsecured by their fingerprint, the systemuses pattern matching
algorithms to attempt a match of the users fingerprint and the stored copy. However drawn
out this process may be modern technology allows for all this to happen in seconds.
As with any authentication method fingerprinting does come with benefits and drawbacks.
The benefits associated with the use of fingerprint technology consist of high levels of
10 See figure 7 for the key features of a fingerprint

May 23,
2014
36
accuracy. The accuracy of fingerprint recognition is very high with only a 2% FRR, FAR and
EER11. This level of accuracy surpasses many other methods excluding the much newer and
experimental techniques. It is also by far one of the easiest methods integrate into existing
systems and requires only small storage space but this is only for the lower resolution
fingerprints. This allows for more data to be stored using less space and power whilst in turn
reducing overall costs of the technology. Fingerprinting is also highly developed and is
widely accepted by everyone as a secure login method.
However there are disadvantages to this technology such as “for some people it is very
intrusive, because is still related to criminal identification.” (biometrics, 2006, online). A
further problem with fingerprinting technology is that the FRR and FAR may go up should a
person’s finger be dry, greasy or dirty. A serious problem is that a devious criminal actually
lifting the fingerprint from the scanner and using it maliciously. If a criminal was able to get
a good enough copy of the fingerprint they could then produce a mold of it and using to
gain access illegally to confidential data. This can unfortunately be achieved by something as
simple as Sellotape, although this method would be considered an extremely rare event.
Another factor is that fingerprinting cannot be used on children as the size of their
fingerprints will grow as they grow up.
8.2. Facial Recognition
There are many ways for biometric scanners to recognise a person’s face. The existing
technology captures facial data in much the same way that a fingerprint scanner does. As
with any biometric authentication technique it has a basic four stage process from capture
to verification. Facial recognition is deemed one of the least intrusive and natural methods
of authentication. Most people will initially recognise a person by their face and then
followed by their voice.
11 Data gathered from the table in figure 4

May 23,
2014
37
Although facial recognition is deemed the most natural authentication method, it does have
a lot of constraints tied to it such as the distance a person has to stand away from the
scanner, the level of light and the quality of the scanner.
There are four readily available techniques, “The main facial recognition methods are:
feature analysis, neural network, eigenfaces, automatic face processing.” (findBIOMETRICS,
2014, online).
Feature analysis is the most commonly used form of authentication. Feature analysis will
look for three key areas of the face, these areas are the least likely to change over time
 The upper sections of the eye sockets
 The area surrounding the cheekbone
 The sides of the mouth
The picture in figure 8 demonstrates how a facial recognition systems detects and verifies a
person using the key features in the aforementioned list
Figure 8. The key areas that a facial recognition systems analyses
A more advanced method of facial recognition is eigenface, this works in a similar way to
feature analysis, but rather than scanning for three key areas, it will divide the primary
image in to light and dark areas. Vacca, 2007 states that “Both the initial facial image and
the facial image in question are also captured in two-dimensional form. Then, the two
images are compared according to the points of the two eigenface images”. A very similar
option is also available known as eigenfeature. This method works similarly, but it will pick
out certain features and then calculate the distances between them.

May 23,
2014
38
Newer methods, such as facial thermography and three-dimensional facial recognition are
undergoing extensive research.
Although facial thermography has been around for many years it has recently gained
interest. This method works by scanning a face at the infra-red level.
8.3. Retina Scanning
Retina scanning works by capturing and analysing the patterns of the blood vessels found on
the nerve at the back of the eyeball. “The principle behind the technology is that the blood
vessels at the retina provide a unique pattern, which may be used as a tamper-proof
personal identifier” (SANS Institute, 2003, online).
Original retina scanning was devised in 1976 by a US company called EyeDentify, Inc. The
technology used was incredibly complicated and expensive it was never widely used. The
equipment also had the drawback that it made subjects feel uncomfortable, this was mainly
down to the extreme light required to get a clear picture of the vessels at the back of the
eye.
Following this, a new more advanced technology was developed in 1981, this utilised the
use of infra-red technology to create a clearer picture of the vessels, and allowed for
increased accuracy. Infra-red energy was chosen as it quickly absorbed by the blood vessels
found in the retina. Retina-scan technology is most commonly found amongst high-security
installations such as military or government.
Retina scanning is often referred to as the ultimate biometric as it is one of the most
accurate methods available, the downside of this is that it can be heavily affected by certain
factors. Some of the factors include lack of user cooperation, the correct eye distance is not
maintained, a dirty lens on the scanning equipment, light factors, very much like the facial
recognition systems and unavoidable issues such as pupil size.

May 23,
2014
39
For a successful retina scan the user must stand incredibly still during the whole process,
specifically the acquisition phase as any movement will negatively impact the alignment of
the lens in the retinal scanning device. Another difficulty to overcome is maintaining the
correct eye distance between the user and the scanning lens, for an accurate scan, the user
is required to focus their eyes extremely close to the lens. The other aforementioned
problems are generally unavoidable excluded the dirty lens which is a general maintenance
issue.
Having looked at the issues behind errors, this paper will now discuss some of the general
advantages and disadvantages of retinal scanning. Advantages include the blood vessels on
the retina are very unlikely to change unless the user contracts ailments such as cataracts of
glaucoma. The retinal database can store thousands of retinal scans as each scan is
extremely small about 96 bytes, this helps reduce already very high costs required for
implementation. A retinal scan can compare the blood vessels found in the retina at up to
400 data points allowing for extreme accuracy and this method is relatively resistant to
environmental factors that other methods are not.
There are quite a few disadvantages to this technology. The most prominent issue would be
the cost to buy and implement this method is still extremely high. Other disadvantages
include, users often feeling uneasy having their eye scanned at close range, the perception
that this method damages the eye and that a person with glasses must remove them before
using the technology, The scanner is unable to scan the vessels if the user is wearing glasses
as the infra-red scanning beam may well be deflected off the glasses.

May 23,
2014
40
8.4. Iris Pattern Recognition
Iris pattern recognition is generally considered to be the most accurate of all the existing
technologies available. Iris recognition is also one of the easiest methods to use from the
initial capturing stage to the final authentication stage. Iris pattern recognition is completed
in three stages unlike most other methods which require a four stage process. The first
stage involves capturing the image, generally completed by someone standing in front of a
camera. The camera then takes the picture using either or both infra-red and visible light.
The second stage converts the data in to what is known as an Iriscode. “In this step, the
digital image is filtered, by an algorithm, to map segments of the iris into hundreds of
vectors, also known as phasors” Vacca (2007). The third stage is recognition; the system
searches the database for the correct iriscode and matches it with the user, figure 9 gives an
example of how iris recognition works.
Figure 9. The basic methodology behind how iris recognition works (BBC, 2009, online)
This method of authentications is far easier to enrol in comparison with retinal scanning,
although it does require the user to stand perfectly still, it is only momentarily, whereas
retina scanning could take upwards of a minute. This method however does also lose
validity if the user is wearing glasses, primarily to the glare that is reflected back to the
scanner.

May 23,
2014
41
Iris recognition is a highly developed technology therefore backing up its high accuracy level.
Although other methods do have some advantage over iris scanning technology such as
ease of use with fingerprinting, this method still boasts many advantages. Iris recognition is
often chosen over other methods such as retina scanning and facial recognition as it is
deemed as stable, unique, flexible, reliable and non-invasive. The characteristics and
reasons for favouring iris scan technology over other methods can be seen below.
Characteristic Reason for choosing
Stable The iris pattern is always unique from the age of 10 months, and
therefore is not subject to change at all through any one’s lifetime
Unique It is virtually impossible for two irises to produce the same iriscode.
Flexible Iris recognition is one of the easiest methods to implement in to
existing systems
Reliable An individual iris pattern cannot be stolen, lost or compromised
Non-Invasive It is non-contact and offers supreme accuracy as far as 10 foot away
from the scanner
Iris recognition is incredibly quick compared to many other methods of authentication. For
example on a 300 MHz CPU, searching for a match occurs at 100,000 irises per second.
However on a more modern CPU such as 2.2 GHz, up to one million iriscodes can be
searched for per second.
As well as the prior mentioned characteristics, iris recognition has many more advantages
such as unmatched search speed12, very high levels of accuracy13 and ease of use. It is also
relatively cheap to implement.
Iris recognition is already widely used today. It is often found at border crossings. Examples
of this can be found at London Heathrow Airport and Amsterdam Schiphol Airport as well as
some other major airports. This method of recognition does not require the person to
present their passport. The person has to pre-register their iris scan, so that it can be
recognised quickly and allow them to pass in to the country14. This is ideal for frequent
12 See previous paragraph to support this
13 Data obtained from the tablein figure 4
14 See Appendix J for a use guide

May 23,
2014
42
flyers, and after a survey was conducted by the airports “1013 frequent business
passengers, all having made on average 6 long flights in the previous year, were surveyed
before flying from Schiphol, Heathrow, Frankfurt, and Singapore airports. It seems that
increased security measures were a common request. The survey found 81% wanted to see
more advanced biometric features installed in airports globally” (Eye Tracking Update, 2010,
online)
8.5. Palm Vein Recognition
Palm vein technology is a very new authentication method; it has only been in use since
2004, but actual vein recognition has been in existence for more than 25 years. In 1984 a
gentleman by the name of Joseph Rice had his identity stolen, which led to the fraudulent
use of his bank account, therefore “he decided to something about it, which led to his first
vein recognition prototype around 1985” Vacca, (2007).
Vein photography can be photographed in two different ways, reflection and transmission.
The research conducted by Fujitsu uses reflection photography, which is the more widely
used method across the board.
Palm vein recognition works by a camera taking an infra-red image of one’s palm. “The
reflection method illuminates the palm using an infrared ray and captures the light given off
by the region after diffusion through the palm.” (Biometric Newsportal, no date, online).
The image is created by deoxidized haemoglobin in the blood vessels absorbing the infra-red
rays, hence reducing the reflection rate and causing the veins to appear as a black pattern,
the pattern is then checked and approved against a preregistered pattern stored in a
database, the process can be seen in Figure 10

May 23,
2014
43
Figure 10. The process of authenticating one using palm vein recognition (Fujitsu, 2004,
online)
The bulk of the research in to this method is being performed by Fujitsu, and they have
successfully produced a variety of different palm vein recognition products from a small and
portable login unit to a permanent wall-fixed unit.
Palm vein technology has many advantages, with few drawbacks. The key advantage with
this method is that it has extremely low FARs and FRRs. Following research conducted by
Fujitsu, based on “data from 140,000 palms (70,000 individuals), Fujitsu has confirmed that
the FAR (false acceptance rate) is 0.00008% and the FRR(false rejection rate) is 0.01%, with
the following condition: a person must hold the palm over the sensor for three scans during
registration, and then only one final scan is permitted to confirm authentication.” (Sarkar, I
et al., 2010, online). The use of palm veins is the fact that they are unique to each individual
person and will not change as they grow. It is also virtually impossible to forge or duplicate,
preventing any form of misuse. Another advantage with this technology is that it is
contactless, hygienic and non-invasive. Palm veins can be read correctly even if the hands
are dirty and will in no way be affected by external factors such as light due mainly to the
use of infrared technology. The cost of the equipment is well priced with products15 starting
from as low as £213.33
15 Figure 11 shows the basic availableproduct

May 23,
2014
44
Figure 11. Fujitsu PalmSecure OEM Sensor STD (PalmSecure, 2014, online)

May 23,
2014
45
9. Analysis of Results from Survey
To help with the completion of this report, a survey tailored towards all age groups was
created. It was then sent out to a selection of people from all age ranges. Personal
information such as name and age was not requested for this survey as it was deemed
irrelevant for the report. The survey itself looks at people’s opinions on biometric
authentication, whether they have heard of, and used them and whether they think it
would be suited for the online gaming market.
All respondents had heard of biometrics and most of the common authentication types.
However the newer methods such as palm vein had not been heard of. Fingerprinting was
the most recognised method and deemed the most secure, however according to the
research this is not true, it can be classed as one of the weakest methods a long with facial
recognition, but these two methods are the easiest to apply to online gaming.
The idea of applying any biometric authentication methods to online gaming was favoured
with a majority of 70%, but this result is bought in to question by some of the comments
found at the end of the survey.
After considering all the responses received, overall there is some considerable concern
over the security of personal data stored by gaming companies. The current security
methods do suffice but would clearly benefit from the use of biometric authentication. The
drawback with biometric data is that can be seen as too personal for private companies to
have access to.
The results show that the idea of biometric authentication is generally supported by the
majority of respondents, but there is a feeling that this industry need strict regulation, this
can be clearly seen in the results as 100% of respondents felt this was a necessity.

May 23,
2014
46
10. Is the storage ofBiometric Data to Intrusive?
10.1. Overview
Biometric data had been around for many years, whether it be fingerprint data or an iris
scan. However, there are a number of ethical and moral concerns in relation to the storage
of biometric data. “The main issues concern the personal privacy, the conflict with one’s
beliefs and values and the collection, protection and use of personal biometric data” (bcs,
2005, online). The civil liberty organisations feel that the storage of biometric data is a
breach of human rights and that it undermines the right of privacy and anonymity. Other
concerns would be that if the data centre storing biometric data is hacked, any personal
data stored there will leave people vulnerable to ID theft. On the flip side the storage and
use of any biometric data can be advantageous, with many issues and threats from all
across the globe having access to this data will make it easier for the law enforcement to
track a potential suspect. However, if a mistake has been made then this can be seen as a
breach of human rights and an invasion of privacy.
10.2. Privacy Concerns
The use of biometric data lends itself to the well-known phrase of a ‘big brother’ state. With
access to this data government agencies can easily monitor anyone anywhere. Although this
may be used simply to ascertain whether a person has a criminal record, it could also be
used to socially label someone.
A more serious concern with biometric data is that it is “personal and might reveal sensitive
information, such as ethnic origin, kinship, gender, or diseases a human being is suffering
from” (IEEE, 2009, online). An example of this would be the suggestion that there is an
association between schizophrenia and a certain fingerprint pattern. Therefore using
biometric data to gather highly personal information can be seen as an invasion of privacy.
To help lower privacy concerns, biometric data can be stored on a smart card. Liu, Y (2008)
states that “Storing the biometric information on a portable token such as a smart card is
often welcomed by data protection advocate, though some security concerns still exists”. As

May 23,
2014
47
the data is not centrally stored it is unlikely to fall prey to the potential weaknesses16. With a
smart card the user will be able to keep their data with them at all times, but unfortunately
the data controller (smart card owner) is likely to have full access to this data as well. This
does raise ethical issues, for example if the user has some very personal information they
wish not to share; the data controller should therefore not have any access to it.
16 See section 6.6 for details on the weaknesses

May 23,
2014
48
11. Recommendations
This section will look at whether the chosen method is suitable for use within the online
gaming industry. There will be detail on all of the chosen methods for review
11.1. Fingerprinting
This method of authentication could be relatively easily implemented in to online gaming, as
it is simple to use and has a relatively low cost compared to methods, however this is only
particularly effective if the user has finished growing, essentially this may be unsuitable for
younger gamers.
11.2. Facial Recognition
Although these methods are tried and tested, they do not offer very good accuracy17, but
could easily be applied and implemented to the gaming market as the user would require
only a webcam and some software provided the resolution is suitable, as many people
already own webcams it is also one of the cheapest methods to implement.
The other available methods including neural network and automatics face processing
would be unsuitable for any gaming company to employ as their databases would need
regular updating whereas the other methods will not require gaming companies to update
their systems as regularly.
11.3. Retina Scanning
This method is not suitable for online gaming due to the cost and difficulty of
implementation. Retinal scanning requires specialist hardware and software which costs
thousands of pounds to buy and would defeat the object of playing online for free or at a
low subscription cost.
17 Data taken from the tablein Figure 4

May 23,
2014
49
11.4. Iris Scanning
However, unfortunately this method of authentication would be deemed unsuitable for
online gaming as specialist equipment is required for this too work. This method would be
completely unfeasible for any online gaming company to deploy, unless they were willing to
offer the service and equipment for free to the end user. With each unit costing upwards of
£5000 the average home user and online gaming company would not be willing to pay that
amount of money.
11.5. Palm Vein Recognition
This method is a relatively new method of authentication. It has only been around publicly
since 2006 when Fujitsu started testing prototypes. This method is by far the most accurate
available offering the smallest of FARs, FRRs and CERs. The testing that Fujitsu performed
clearly details this.
This method of authentication could potentially be suitable for the online gaming market
but only if computer manufacturers or online gaming companies are willing to include one
of these devices with the machine or game. Otherwise it costs over £200 per unit, which is
too expensive for many average gamers. This method is recommended but only if the price
reduces dramatically or it comes as part of a package.
11.6. Final Recommendations
11.6.1. Current Recommendations
The most suitable methods of authentication to be applied to the online gaming market are
likely to be fingerprint technology or facial recognition through a webcam. Both of these
methods offer adequate security, which is still superior to the traditional user ID and
password. However to ensure security it would be worth looking at providing both the
standard user ID and password supported by either of these two biometric authentication
methods.

May 23,
2014
50
11.6.2. Future Recommendations
In the future, it may be worth considering some of the more advanced methods such as
retina scanning or palm vein recognition. Both of these authentication types are far superior
to the current recommendations, but cost twice as much. However, as this type of
technology improves, it is likely that prices will drop. This is evident in other forms of
technology such as a basic CPU (Central Processing Unit) on a home computer.
12. Conclusion
This report looked at many areas relating to the biometric industry, and answering all of the
aims and objective I feel that this report has answered the original question: Is it possible to
apply biometric authentication to online gaming?
The first key aim was to look at the threats out there to online gamers, mainly concerning
attacking a user account. I was able to detail some of the most common attacking methods
from brute-force attacks to malware. All of these pose a threat in their own way. Brute force
is especially effective at password level, considering a lot of gamers may not use complex
passwords. With malware this is generally outside control of the gaming company therefore
biometric authentication cannot prevent any of these types of programs attacking a user
computer. However, the use of biometrics could do away with the threat from brute force
attacks. This lends itself to it being a good idea to apply biometric authentication.
Other key aims included discovering what biometric authentication is, some of the products
available to the public, and the opinions of gamers. During this report I considered a variety
of different options from getting an external device to adding software for something such
as a webcam allowing for facial recognition. This threw up some concerns about accuracy
with the mentioned products, overall it was clear that the most accurate form of
authentication was the use of palm vein scanning and the least accurate was facial
recognition. When comparing the research to the questionnaire, they conflicted. However,
the highest rated methods by respondents were also the easiest methods to apply, which
made me consider whether users are more concerned about security or ease of use.

May 23,
2014
51
Thankfully, one of the methods rated was iris scanning; this could be possible to implement
using existing hardware such as a webcam but would require one of very high quality and
some very expensive software.
Another key aim that was I investigated was relating to privacy concerns with biometrics
and the way they are stored.
It was clear to see that there are some major concerns relating to the privacy of biometrics.
An example of this is “during Super Bowl XXXV, faces of fans were scanned and compared to
mugshots of known criminals using a visual recognition technology.” (SANS, 2002, online).
This could easily be seen as a breach of privacy, as the scanning was done without the
knowledge of the spectators. In respect of privacy overall, I feel that this is a concern to be
deliberated, however, if applied to online gamers, the users will be fully aware that their
biometric data is stored by the gaming company. This therefore prevents ones privacy from
being breached.
As I mentioned in this report, the storage of biometric data on a central database is a major
concern. Liu, Y states that “The storage of the biometric data is perhaps at the centre of
concern for biometric technology”. Overall the biggest threat to biometric data is external
and internal hacking. Should a hacker gain access to any the database and steal user data
they could easily use for personal or financial gain such as illegal immigration and ID theft.
To answer the primary question posed by this report one needs to consider that the most
suitable methods of biometric authentication for online gaming come in the form of either
fingerprinting using a low price device or facial scanning using a webcam. Both these
methods are perfectly suited to the role. However, the current security measures set out by
game companies will suffice for now, but in the future with gadgets such as smartphones
becoming ever more smarter and wireless connectivity becoming ever more the norm, the
real threat to gamers, I feel, comes from these. Using the war-driver approach, hackers can

May 23,
2014
52
drive around residential areas looking for unsecured networks and gather data from packets
being transmitted; this can then be saved and used for malicious purposes at a later time.
13. Evaluation
This project did fall under some limitations. The initial idea was to consider biometric
authentication for online gaming. It would have useful if I was able to actually perform my
own experiments using biometric technology to gather my results. Unfortunately this was
not possible and was limited primarily by cost and access to the necessary equipment. I feel
that an experiment may have yielded better results for my question, but nevertheless the
questionnaire did suffice.
Another problematic area was the responses to my questionnaire, I successfully got a
reasonable amount of them but it would have been better to have received more as this
could have given me a clearer overview of people’s opinions and draw perhaps a wider
range of conclusions for myself.
Recently, biometrics has received an increased interest among the world of computing and
data security. This allowed me to find some fantastic sources for use in my research, most of
which was no older than six years. However, there was some significantly older papers used,
although, after some deliberation I felt that these slightly older papers were suitable for this
report as the data in them was still relevant for today and in some cases backed up by
newer papers.

May 23,
2014
53
14. References
Schutte, W. (2013). Global Games Market Report Infographics. Available online url:
http://www.newzoo.com/infographics/global-games-market-report-infographics/.
[accessed 09/03/2014].
Bhattacharyya, D., Ranjan R., Farkhod A A., & Choi M. (2009). Biometric Authentication: A
Review. International Journal of u- and e- Service, Science and Technology. Vol. 2, No. 3, pp.
13-28
Maiorana, E and Ercole, C. (2007). Secure Biometric Authentication System Architecture
using Error Correcting Codes and Distributed Cryptography. Available online url:
http://www.gtti.it/GTTI07/papers/GTTI07%20Maiorana%20-
%20Secure%20Biometric%20Authentication%20System%20Architecture%20using%20Error
%20Correcting%20Codes%20and%20Distributed%20Cryptogra.pdf. [accessed 16/03/2014]
Rubens, P. (2012). Biometric Authentication: How It Works. Available online url:
http://www.esecurityplanet.com/trends/biometric-authentication-how-it-works.html.
[accessed 23/03/2014.]
Griaule Biometrics. (2008). Understanding Biometrics. Available online url:
http://www.griaulebiometrics.com/en-us/book/understanding-biometrics. [accessed
23/03/2014]
Krause, M and Tipton, H F (2004). Handbook of Information Security Management. 6th ed.
Boca Ranton: CRC Press pp. 64.
Wayman J L, Jain A K, Maltoni, D, Maio, D (2005). Biometric Systems. 14th ed. London:
Springer Lodin. pp. 1-20.

May 23,
2014
54
Jain, A K, Kumar, A. (2010).Biometrics of Next Generation: An Overview. Available online url:
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.389.7907&rep=rep1&type=pdf.
[accessed 28/03/2014].
IDSuperShop. (2014). Fingerprint Capture Devices. Available online url:
http://www.idsupershop.com/Catalog/Fingerprint-Capture-Devices. [accessed 31/03/2014].
PBworks. (2006). Comparison of the advantages and disadvantages of biometric
technologies. Available online url:
http://biometrics.pbworks.com/w/page/14811349/Advantages%20and%20disadvantages%
20of%20technologies#Fingerprint. [accessed 31/03/2014].
findBIOMETRICS. (2014). Facial Recognition. Available online url:
http://findbiometrics.com/solutions/facial-recognition/ [accessed 01/04/2014].
Spinella, E. (2003). Biometric Scanning Technologies: Finger, Facial and Retinal
Scanning. Available online url: http://www.sans.org/reading-
room/whitepapers/authentication/biometric-scanning-technologies-finger-facial-retinal-
scanning-1177. [accessed 06/04/2014].
Vacca, J R. (2007). How Iris Pattern Recognition Works. In: Biometric Technologies and
Verification Systems. Oxford: Butterworth-Heinemann. pp73-84
Vacca, J R. (2007). How Vein Pattern Analysis Recognition Technology Works. In: Biometric
Technologies and Verification Systems. Oxford: Butterworth-Heinemann. pp195-197
Vacca, J R. (2007). How Video Face Recognition Works. In: Biometric Technologies and
Verification Systems. Oxford: Butterworth-Heinemann. pp95-103

May 23,
2014
55
BBC. (2009). Biometric Technology. Available online url:
http://news.bbc.co.uk/1/shared/spl/hi/guides/456900/456993/html/nn3page1.stm.
[accessed 06/04/2014].
Amsterdam Schiphol. (2014). Iris scans at Amsterdam Airport Schiphol. Available:
http://www.schiphol.nl/Travellers/AtSchiphol/Privium/Privium/IrisScans.htm. [accessed
06/04/2014].
Eye Tracking Update. (2010). Passengers Accept Iris Recognition Technology in Major
Airports. Available: http://eyetrackingupdate.com/2010/10/14/passengers-accept-iris-
recognition-technology-major-airports/. [accessed 06/04/2014].
Biometric Newsportal. (no date). Palm vein biometric systems. Available online url:
http://www.biometricnewsportal.com/palm_biometrics.asp. [accessed 07/04/2014].
Sarkar, I, Alisherov, F, Tai-hoon, K, Bhattacharyya, D. (2010). Palm Vein Authentication
System: A Review . International Journal of Control and Automation. Vol. 3, No. 1, pp.27-34
Fujitsu. (2014). Fujitsu Palm Secure. Available: http://idency.com/fujitsu-
palmsecure?gclid=CN6Bj-rwzr0CFZDKtAod-TsAOA. [accessed 07/04/2014].
van Summeren, R. (2011). Security in online gaming . Available online url:
http://www.cs.ru.nl/bachelorscripties/2011/Rens_van_Summeren___0413372___Security_
in_Online_Gaming.pdf. [accessed 27/04/2014].
Computer Hope. (2014). Brute-force attack. Available online url:
http://www.computerhope.com/jargon/b/brutforc.htm. [accessed 27/04/2014].
Kujawa, A. (2012). Pick a Download, Any Download. Available online url:
http://blog.malwarebytes.org/intelligence/2012/10/pick-a-download-any-download/.
[accessed 27/04/2014].

May 23,
2014
56
Zissis,D.& Lekkas,D..(2010). Addressingcloudcomputingsecurityissues. FutureGeneration
ComputerSystems.Vol. 28,No. 3, pp. 583-592.
ISTQB. (2012). What is Waterfall model- advantages, disadvantages and when to use
it?. Available: http://istqbexamcertification.com/what-is-waterfall-model-advantages-
disadvantages-and-when-to-use-it/. [accessed 07/05/2014].
Business & IP Centre. (no date). Qualitative and Quantitative Research. Available online url:
http://www.bl.uk/bipc/resmark/qualquantresearch/qualquantresearch.html [accessed
07/05/2014]
Chen, Y.-C, Chen P., Song R, and Korba L. (2004). Online Gaming Crime and Security Issue -
Cases and Countermeasures from Taiwan. Available online url :
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.83.7767&rep=rep1&type=pdf.
[accessed 08/08/2014].
Zimmerman, M. (2002). Biometric and User Authentication. Available online url:
https://www.sans.org/reading-room/whitepapers/authentication/biometrics-user-
authentication-122. [accessed 08/05/2014].
Jain, A K and Nandakumar, K. (2012). Biometric Authentication: System Security and User
Privacy. Available online url:
http://www.cse.msu.edu/biometrics/Publications/SecureBiometrics/JainNandakumar_Biom
etricAuthenticationSystemSecurityUserPrivacy_IEEEComputer2012.pdf. [accessed
08/05/2014].
Prabhakar, S Pankanti, S and Jain A K,. (2003). Biometric Recognition: Security and Privacy
Concerns. Security & Privacy, IEEE. Vol. 1, No. 2, pp. 33 - 42.

May 23,
2014
57
Bhattacharyya, D., Ranjan R., Farkhod A A., & Choi M.. (2009). Biometric Authentication: A
Review. International Journal of u- and e- Service, Science and Technology. Vol. 2, No. 3, pp.
13-28
Rosistem. (no date). Handwriting/Signature Recogniton. Available online url:
http://www.barcode.ro/tutorials/biometrics/signature.html. [accessed 13/05/2014].
Shaikh, A Dr.. (2005). Ethical Issues in the Use of Biometric Technology. Available online url:
http://bcs.org/upload/pdf/ashaikh.pdf. [accessed 15/05/2014].
Simeons, K, Tulys, P, and Preneel, B. (2009). Privacy Weaknesses in Biometric Sketches.
Available online url:
http://www.cs.washington.edu/research/projects/poirot3/Oakland/sp/PAPERS/2009/oakla
nd2009-22.pdf. [accessed 15/05/2014].
Liu, Y. (2008). Identifying Legal Concerns in the Biometric Context. Journal of International
Commercial Law and Technology. Vol. 3 No. 1, pp. 45-54.
Abernathy, W. (2003). Biometrics: Who's Watching You?. Available online url:
https://www.eff.org/wp/biometrics-whos-watching-you. [accessed 16/05/2014].
Penny, W. (2002). Biometrics: A Double Edged Sword - Security and Privacy. Available online
url: http://www.sans.org/reading-room/whitepapers/authentication/biometrics-double-
edged-sword-security-privacy-137. [accessed 16/05/2014].
Hulett, D. (no date). Risk Register Development. Available online url:
http://www.projectrisk.com/risk_register_development.html. [accessed 17/03/2014].

May 23,
2014
58
15. Bibliography
Krause, M and Tipton, H F (2004). Handbook of Information Security Management. 6th ed.
Boca Ranton: CRC Press
Pfleeger, C, and Pfleeger, S. (2012). Biometric Technologies and Verification Systems.
Boston: Pearson Education Inc.
Vacca, J R. (2007).. In: Biometric Technologies and Verification Systems. Oxford:
Butterworth-Heinemann.
Wayman J L, Jain A K, Maltoni, D, Maio, D (2005). Biometric Systems. 14th ed. London:
Springer Lodin.

May 23,
2014
59
16. Appendices
16.1. Appendix A – Ethical Monitoring Form

May 23,
2014
60
16.2. Appendix B – Gantt Chart
Task Task Name Duration
(days)
Start Date Planned
End Date
Amended
End Date
1 Complete Planning
Document
14 15/01/2014 03/02/2014 03/02/2014
2 Produce a Presentation 3 04/02/2014 06/02/2014 06/02/2014
3 Present Idea 1 07/02/2014 07/02/2014 07/02/2014
4 Gather further Research 11 08/02/2014 21/02/2014 21/02/2014
5 Produce a Questionnaire 2 13/02/2014 14/02/2014 14/02/2014
6 Plan Structure 3 20/02/2014 24/02/2014 24/02/2014
7 Request Questionnaire
Completion
30 13/02/2014 26/03/2014 12/05/2014
8 Complete Draft 41 23/02/2014 18/04/2014 18/05/2014
9 Report Feedback 6 18/04/2014 25/04/2014 20/05/2014
10 Complete Final 21 25/04/2014 23/05/2014 23/05/2014

May 23,
2014
61
16.2.1. Original Gantt Chart
16.2.2. Updated Gantt Chart

May 23,
2014
62
16.3. Appendix C – Waterfall Diagram
16.4. Appendix D – Basic Activity Planner
Choose
an Idea
Planning
Document
Complete
and
Present
Idea
Create
Survey
Send
out
Survey
Further
research
Analyse
Data from
survey
Produce
Draft
Complete
Report

Is it feasible to apply biometric authentication to online gaming

Is it feasible to apply biometric authentication to online gaming

Recommended

Recommended

More Related Content

What's hot

What's hot (18)

Similar to Is it feasible to apply biometric authentication to online gaming

Similar to Is it feasible to apply biometric authentication to online gaming (20)

Is it feasible to apply biometric authentication to online gaming