Security experts are advising gamers to implement two-factor authentication for their Nintendo accounts in response to a recent string of fraudulent attacks. The scam takes advantage of the fact that people can link their PayPal account to their Nintendo account to make purchases on the Nintendo Switch. The feature gives players a more convenient way to purchase online games, or to complete in-game microtransactions in a game like Fortnite.

That last detail is what makes a Nintendo account so appealing to potential fraudsters. A hacker who gains access to an account can use the linked PayPal account to purchase large amounts of an in-game currency like Fortnite’s V-bucks. Those V-bucks can be resold to other players in exchange for real-world cash.

The scam has been going on for months, though the number of victims seems to have increased in the past few weeks, most likely because people are spending more time online (and more time gaming) during the COVID-19 pandemic. It’s also worth noting that many of the victims were using a unique password for their Nintendo account, which means that a simple password change may not be enough to keep people safe.

While the ultimate source of the breach is not yet clear, it could be related to Nintendo’s older Network ID account system, which was used on previous consoles and handheld devices. Those Network ID accounts can be linked to a more modern Nintendo account, so the new account would still be vulnerable if the older Network ID password has been compromised.

That’s why Nintendo is urging gamers to adopt two-factor authentication. The company has not addressed the attacks directly, but 2FA is still a security best practice that provides a second line of defense against a hacker who does manage to get their hands on a valid password.  

At the very least, the Nintendo incident highlights the limitations of password-based security, and gives greater urgency to the calls for stronger authentication protocols.

Source: BBC