Unshakeable Salt

I’m sure that the back story to this blog post will resonate with a few readers. The youngest and his mate are playing Fortnite Battle Royale online, a game they technically aren’t old enough for. Thats okay though, as I’ve deemed it okay ‘just this once’. He’s out of sight and I suddenly hear “Yeah, my authorisation code is A-E-P-5-5-P-B”. My brain goes into overdrive as I wonder what on earth he has just given out. Was it safe for him to disclose that, who has he just given it to?

I’ve been through online safety with him a few times already. He’s also been present at (ISC)² Safe and Secure online presentations that I’ve given to local schools and clubs. It doesn’t mean though that he hasn’t just done something silly.

He received a nifty headset as a present last Christmas, which he now cherishes as it means he can chat with his fellow gamers for the first time. It also introduces a few new risks though, as it means he’s now more likely to receive verbal abuse when playing online. Of course, there are some good practices to follow there and I’m including them further down in this article.

But for now, let’s just reflect on how I started this article. Is it okay to let a child play a game that they technically aren’t old enough for? What is okay, who gives the ratings and what do they apply to ?

Ratings reflect gameplay

The problem comes is that my young player is only 9. Fortnite Battle Royale is rated as an ‘12’ by PEGI, the European rating system and ‘T’ for Teen by ERSB, for our cousins across the pond.

These rating systems are important about the content of the game as provided by the developer. There is a debate about which system is better and personally, I do believe PEGI is superior. In addition to an advised age rating they also provide a brief description of why a game should be limited to younger players.

“PEGI 12: Titles rated 12+ have been assessed to be suitable for gamers above the age of 12. May contain graphic violence towards fantasy characters, non-graphic violence towards humans or animals, explicit sexual descriptions or images (nude people in a sexual context, although not necessarily explicit in content), and mild swearing.” — Pan European Gaming Information

On Fortnite underneath the 12 symbol there is the ‘’Violence Content Descriptor’. The game contains non-graphic violence, but what is this level of violence? As someone who was born in the sixties my Saturday afternoons involved watching Tom & Jerry cartoons on TV. This is a favourite defence for most video games as it was probably the most violent of the bunch. But don’t forget that ‘Popeye’ usually just involved beating someone to a pulp and ‘Road Runner’ killed a dozen coyotes per episode. If you want to roll out the Content Descriptor for discrimination, then ‘Speedy Gonzales’ and ‘Foghorn Leghorn’ provided racial stereotyping beyond what is now considered acceptable.

Establishing that the graphics onscreen do not depict reality is key to the rating system. If it is a fantasy world containing caricatures, then we can move onto the next problem; that the rating is only for offline content as provided by the publisher.

Most of game modes are now online. Content comes from other sources which sometimes can’t be trusted. The other players are not being operated by a smart Artificial Intelligence but are real people. This is where the rating systems fail dramatically.

Ratings don’t reflect security

I provide the (ISC)² Safe and Secure online courses to youth groups in Leeds and usually break from the presentation to elaborate the dangers within the gaming environment.

Handing over a 12+ rated game to your 13-year-old to play in their bedroom doesn’t mean it is safe and secure. Your teenage (or younger) player is submerged in a gaming environment of all age groups that is comprised of a cross section of global society. They are playing everyone and ‘anyone’. There is no filter to get access these environments.

Thanks to a lazy British media, most parents think that the biggest risk is from child grooming and exploitation. The reality is that theft, fraud and online bullying are far more common and Fortnite is no exception to this. Where micro-transactions are required to achieve in-game objectives there is always going to be abuse. The spending of virtual currency within games makes younger players more vulnerable. If the gaming platform of your choice is linked to real money, then run the risk of financial loss too.

Technically aren’t old enough , but easy to resolve.

The first step is a discussion with your young player.

Let them know what is acceptable and what the dangers are when playing online. It is important that children understand what social engineering is and that people aren’t always who they say they are, especially online.

Institute a time limit for game playing, make sure online gaming only takes place when you can monitor it.  From first hand experience I know that 8 year olds are capable of getting up, turning on the xbox silently and playing the 5.30am-7am slot. Use the gaming consoles security settings to control access times to young players.

Have a process through which your child can link to friends. Ensure they know who a gamer tag actually is before they are allowed on friends list. Then use the gaming platforms options to restrict messaging /chats between friends.

When they are playing with a headset, make sure the volume remains on the TV/Monitor too. Make sure you can hear both sides of the conversation whilst they are playing.  You don’t have to watch every minute of game play, but if you can over hear them at all times it easy to pickup when they are not following safety advice.

Personal data

Now this is the hardest bit – make sure they NEVER (even to friends) give out personal, private or secure information over a gaming network.  The talking bit is easy to do,  but ensuring they know what is personal information is difficult. 

A good way to help do this is to coach your kids to keep online chat conversations relevant to the game. Let them know that chat is fine,  but make sure it stays contextual to the game. There’s should’t be any games out there where they need to tell their team mates real information.


Ensure that they know that they should never have to provide payment details for buying things online. XBox Live / PlayStation network allows the for linking of a payment card to your Adult account.  Young players must use a Kids account that is directly linked to your adult account. Whenever the child wants to make a payment you get the option to approve or reject the purchase before any transaction takes place.  This is very useful security feature and it is strongly recommended that you use it.

You can also set budget limits for each player too. If your young player has a set amount of Pocket-money (allowance) you can set that to be spent without the need to ask every time.

For even more security, use a pre-pay debit card (such as Revolut) for gaming purchases can help limit financial loss.


Online gaming isn’t dangerous as the media make out, but you do need to take precautions before allowing children or vulnerable people to play online.

The above is just a start of many Best Practices for safety and security for online gaming. I go through a longer list and give technical examples during my  (ISC)² Safe and Secure presentations. These are given for free across Leeds and usually advertised via the @UnshakeableSalt twitter feed. If there isn’t one coming up,  feel free to drop us a line and we might be able to arrange one for your group, club or association.

Director of Unshakeable Salt, an Information security specialist who first started contracting in 1997.

Next Post