EA's Origin service leaves gamers exposed (The 3:59, Ep. 578)
The Daily Charge
Transcript
Welcome to the 3:59.
I'm Roger Cheng.
I'm Alfred Ng.
Electronic Arts faced a vulnerability to its Origin gaming servers that exposed 300 million gamers. Alfred, what happened here?
Yeah.
So this was research from two security companies called cyber and Check Point.
They had found a security vulnerability where they were able to take over an EA subdomain.
Websites, so they basically took over a URL that ended in ea.com.
Okay.
And they were able to basically create a website with that URL that stole security access tokens.
So you know when you go on a website, and it lets you log in with Facebook, and log in with Google, and stuff like that?
So you can do that for Origin, and instead of typing in your password, it sends a security token to EA instead.
So it's all done behind the scenes, and it's just like a snippet of code there that serves as your password and login instead.
So it's sent to this fake EA website.
But the thing was that it got sent to the security researchers instead of EA themselves, cuz they had taken over the page.
Okay.
So once that happens, they can take that security access token and then use that to basically log into anyone's accounts.
Scary stuff.
So, I mean, in terms of what happened, they wouldn't actually lose their account information, or?
No, because this was basically a vulnerability that security researchers discovered, and not malicious hackers or any criminals or anything like that.
So, they found it around February and they informed EA about it, which had fixed it within three weeks or so.
And do they know if anyone else had taken advantage of this exploit?
Yeah, there's no evidence that anyone had used this exploit, because the website that was taken over, that was taken over by [CROSSTALK].
Got it.
Okay,
All right, next up: Verizon's Visible service, which is its stealth prepaid offering that kind of runs off of an app.
It's all based on the app. It just removed the speed cap from its $40 a month service. It previously used to limit your plan to 5 megabits per second, which is not fast.
Very fast.
Super not fast at all.
But that cap is gone.
It's a limited offer, they just say it's a limited time, we don't know when it'll actually expire.
But if you do sign up now, or if you are a Visible service member, take advantage of this cap.
Once the offer is gone, you'll still get that you'll still enjoy us or the limit for the cap free speeds.
We don't know when the offer expires.
Now Visible, despite its name, is pretty much invisible. Like, Verizon barely acknowledges that it exists.
It kind of runs off of this kinda quiet guerrilla marketing campaign and you really can only do it through an app so basically means older folks are just not gonna wanna sign up this
Is there a reason why they keep it so secretive?
It's partly by design, probably. Verizon doesn't wanna, I think, make it known.
Would they lose money if more people knew about it?
I mean, the fear obviously some of its older customers on expensive $100 plans jump to this $40 plan.
That 5 megabit per second cap was always sort of the, that was sort of the hook or the catch-
Yeah, [UNKNOWN] senior citizen [UNKNOWN] I don't think that you-
Right, which is not in their [UNKNOWN] they say, they're really trying to target
really ideally customers from T-Mobile and Sprint, like younger customers who have kind of flocked over to.
Yeah.
Those other services.
Aren't those like unlimited like, isn't that the whole point why they fly?
Yes.
Yeah.
Well, the idea here though, that's I think that's why they remove this limit, basically to say, hey, come on over.
We've got the nice.
We've got the nice Verizon network,
Yeah.
But we don't have the limits.
So, all right.
Lastly, we may finally get some consistency when it comes to security for Internet of Things devices. The FIDO Alliance has stepped up. What are they doing?
Yeah, so the FIDO Alliance is a group that essentially set the standard for online authentication.
When you can sign into your accounts using a security key or biometrics, or anything like that, that's because of the FIDO Alliance.
Okay.
They set the standard for that.
It was two-factor authentication from Google, and Yubico, the security key company.
Yep.
So now they're setting their scope on Internet of Things security, which has no standard at all.
There's no laws regulating it.
Basically like you don't know if the smart light bulb you get is safer than some smart decal that you got and they're notoriously bad on their cyber security.
Like when you go to the store and you buy like a smart sneakers.
It's not like Energy Star where there's a label on it that you had like this meets this standard right.
And that's like a big concern for a lot of people.
All right.
So I mean, with this, are we going to start seeing like a FIDO Alliance approved seal?
That's kind of,
[CROSSTALK] Products.
That's the goal that they're looking for.
They want to have that, so that when you go buy something, you know that it meets at least a certain standard of security.
But the group is just starting now and it might be a little bit before like that comes out.
All right.
For more of these stories, check us out on CNET.
I'm Roger Cheng.
I'm Alfred Ng.
Thanks for listening.
[MUSIC]