‘Call of Duty: Warzone’ Cheaters Are Getting Owned by 2FA

Activision is forcing Warzone gamers to use their cellphone number to log in, and using it as a way to permaban cheaters.
May 14, 2020, 7:43pm
Call of Duty Warzone
Image: Activision

If you've been getting owned in Call of Duty: Warzone a lot before you even hit the ground and thought it would be more fun to play if you could use cheats to see other players through walls, you're not alone.

Last month, the developers of the hugely popular game banned more than 70,000 cheaters and promised to combat the game's cheating problem.

“We are watching. We have zero tolerance for cheaters,” tweeted the official account of Infinity Ward, the game's developer.

This week, Infinity Ward rolled out a new, basic security feature which appears to have had the added bonus of locking out many cheaters: two-factor authentication. Infinity Ward announced that new Warzone players on PC will have to use SMS to login to the free version of the game, “as another step to provide an additional layer of security for players.”

Infinity Ward and Activision did not immediately respond to a request for comment, but cheaters are currently complaining about the effect this simple move has had on them.

Do you develop cheats for games or reverse engineer anti-cheat software? Or do you work on anti-cheat software? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, OTR chat at lorenzofb@jabber.ccc.de, or email lorenzofb@vice.com

Two-factor authentication is a common and very effective security feature to stop hackers from taking over your email or Facebook accounts. Two-factor, also known as two-step, multi-factor, or 2FA, is a mechanism where a user has to provide another code or number (or even physical token) to login, after providing a password.

But, in this case, it also works as an anti-cheat feature, as it allows Infinity Ward to tie a cellphone number to known cheaters.

In the vast majority of cases, game developers can actually effectively and quickly detect players who are cheating with a combination of automated and manual reporting tools. If a Warzone player is suddenly killing dozens of opponents in a match, shooting them from across the map, and generally behaving like he can see through walls, they'll get detected and banned fairly quickly.

The problem, especially with a free game like Warzone, is that players then just go on to create another, fresh account, and rejoin the game to cheat again. At that point, developers and cheaters enter a cat-and-mouse game where developers try to permanently ban users by identifying them by their IP address or unique hardware IDs, which cheaters try to circumvent by using virtual private networks or hardware ID spoofing methods.

In this case, two-factor authentication functions as just another method to identify a cheater. Since cheaters need to provide a phone number to play Warzone for free now, and since they can't reuse the same phone number to create infinite accounts, many cheaters are locked out once their number is tied to a banned account. At least for now, the new measure seems to be quite effective.

In fact, cheaters are already up in arms about this new feature.

“So, i've been banned on modern warfare multiple times and I've been making multiple accounts to the point where it now requires me for each account i make, to add a phone number and verify it and obviously online disposable numbers aren't helping out, and detaching my actual number and attaching it to multiple accounts doesn't work either. Anyway to bypass this?,” wrote a user of a well known forum for people who develop and share video game cheats.

“As soon as you hit play, they ask you your phone number and you can't do nothing about it,” wrote another user.

Another one responded: “if you have enough mobile numbers for new accounts.”

“The cheats work but you will never be able to play the game again,” a gamer wrote in a post that was shared in a subreddit dedicated to the game on Wednesday. “Now I can never play Warzone again because the account that had my phone number on it is shadowbanned! And you HAVE to have a valid phone number to play the game!”

Bill Demirkapi, a security researcher with experience reverse-engineering and hacking games, is skeptical that this new solution is going to stop cheating entirely. Cheaters who are motivated enough, and who are willing to spend money, can bypass two-factor.

"Even if Infinity Ward was blocking voice over ip (VOIP) phone numbers, there are several online services that allow you to purchase a real number for quite cheap,” Demirkapi said in an email. “Spammers use services like this to get past a variety of online registration that requires a phone number and I am confident that cheaters can use these same services to get past Infinity Ward's phone verification.”

Of course, just like anything else in the world of cybersecurity, cheating and anti-cheating solutions are a constant cat and mouse game. But it seems Infinity Ward may have put Warzone cheaters in the gulag for a while.

Subscribe to our new cybersecurity podcast, CYBER.

This article originally appeared on VICE US.

Advertisement