Origin, Hacks and Putting the blame on us.

As many today find that their Origin accounts have been hacked quite dramatically, attention once more falls down onto the ideals of online security, and how these companies would like us, the users, to take responsibility for it, even sneaking it into their Terms of Service. And this… this is very bad.

 

Hacking is nothing especially new nowadays.

From Xbox Live to PSN and beyond, it doesn’t seem to matter how much money is spent on the latest security measures and it doesn’t seem to matter how securely a password is maintained, hacking is a modern problem that perhaps we should all be taking far more seriously than we do. Not that I believe all hackers are inherently bad – or out for personal gain, because much like people every single one has their own motives and their own tale to tell. As much as I wag my finger at hackers and tell them they are naughty, there are different levels of naughty. Some do it for the ‘lulz’ as it were, more to show off or deface. Others do it to effectively expose and/or undermine a company’s security measures and then yes, there are those who do it for the financial or monetary gain of getting access to your account credits or financial details. The latter of course is something that we should be concerned about the most; effectively, people trying to commit fraud with your details.

Which is why the recent Origin hack was so spectacular in its methodology; because simply changing passwords and locking a person from their Origin account simply isn’t enough. For EA use the person’s birth date to verify an account holder, as an added security measure – and the hackers have managed, somehow, to change the dates tied to a person’s account, thereby ensuring that they cannot re-verify their ownership of an account, and therefore can’t make sure their credit/debit card details are safe, secure or removed. Unlike similar services, there is no secondary or alternative security measure, meaning that those whose accounts have been compromised simply have no means of accessing the content they have paid for. It’s a very sophisticated operation; one that admittedly exposes the weak security that EA have tied to Origin – a service that is far from popular, even now. In the public consciousness, Origin has never really taken off; it has been forced upon people in games like Battlefield 3, Mass Effect 3 and The Old Republic, and there is a deep-seated resentment already there. This current episode will do little to affirm confidence in EA or the Origin service.

But others are noting that EA would like to hide behind their own terms of service, which appear to put the onus of responsibility (I am fully aware that they mean the same thing thanks, but it is the correct terminology for the statement I am making!) on the user. Especially when the user is pointing out that obviously there has been hacking when the birthdates have been changed. How can they be held responsible for something like that? It’s not just EA; most companies will try to shift the bulk of the blame to the customer in these difficult times, as the admission of guilt and responsibility is somehow no longer in the interests of a company. We are told to ensure our passwords are secure, contain one number and one capitalised letter and in some cases, one non-alphanumeric symbol like ‘%’ or ‘$’. Not to share our accounts. Not to let others who use the computer have access to the account. And so on. It’s supposedly OUR job to keep our accounts safe.

Except, it isn’t, is it? Not all the time. We have one thing to do, and the majority of us do it… well… rather well.

For as much as it is our responsibility to ensure our passwords are unique and kept safe, it’s becoming clear that this simply isn’t always enough. Let us be clear here; secondary authentication like mobile number authenticators and CAPTCHA are a good means to ensure that the person at the user end is indeed a human being but there are many other ways into accounts, and not everyone will kick down the front door. Others will look for a window or a back door or some other means to get into the very things they desire. As much as companies want us to be responsible, we can only take care in keeping our front door keys safe. If someone breaks in through the back and then also proceeds to change the locks, we as customers can’t really do anything on our end. We’ve done what we were supposed to do; the security and upkeep of that security is the job of the proprietor of the service, and in this case that would be EA.

It can be hard to really cover all bases; all security is fallible as human beings are fallible. The recent surprise break-in at the Tower of London is one very good real-world demonstration of how a determined and reckless individual with no regard for their or other people’s safety and well-being will do what they want, when they want and in a way that eventually gets a successful outcome. But in these rare cases when the service itself is compromised, Customer Service and company policy rhetoric simply isn’t good enough. People need to feel safe and secure; if something doesn’t look safe and secure, then they won’t use it and herein lies the real nub of EA’s woes in this situation – Origin is already damaged goods. This only serves to further instil into the gaming world that Origin is simply a cheap, nasty DRM device that EA have no real intention of improving with any real gusto. The slow state of development within Origin compared with the leaps and bounds coming through Steam and other rival services is tangible; regardless of the intentions and some good additions, it’s so little and so slow. Slow doesn’t work in this instance. EA need to take it seriously, and get to grips with it very quickly or find themselves saddled with a compromised service that will shed users at an alarming rate, because they either can’t actually use the service or they have decided it isn’t worth the risks involved.

But what if you are affected and worried? Here are some words of advice:

  • It’s not your fault. Do not accept responsibility for their actions – this is clearly a problem on their end.
  • Be firm but polite. No swearing. Try, “But network security is your job, not mine. I know my password was safe and secure.”
  • If you are concerned about your financial details, contact your bank and let them know of the situation. In the vast majority of cases, banks will send you a new credit or debit card free of charge when there are extraneous circumstances beyond your control. It will also ensure the old details can no longer be used to bleed your bank balance.
  • If you are concerned about problems on your computer, run a virus check, and if possible run a Malware check as well. There are good tools out there, the free version of Malwarebytes has been a popular choice for many years now, and is more than enough for most home users.
  • Always mouse over links in an e-mail before clicking it. Check that URL. If it isn’t legit, send it to your spam box and/or trash it!
  • And obviously, try to use a separate password for each account. If you have a dodgy memory, store it as a text file on a small flash drive or keep a small diary where you can write them down. Never store them on your computer – computers break down, Windows sometimes needs reformatting. You do NOT want to lose these passwords!

Remember that when it comes to security, all you can do is make sure your password is as secure as it can be. Always go for a maximum strength password where possible. Some tips I picked up over the years:

  • Pick a short phrase. A Dog Called Barney, for example.
  • Remove spaces. “ADogCalledBarney”
  • Whilst more capitals can be good, don’t overuse them. “AdogcalledBarney” is fine.
  • Add a number. “AdogcalledBarney6”
  • Where allowed, replace a letter with a non-alphanumeric symbol. “@dogcalledBarney6”
  • If you need to change the password, don’t reuse the same phrase. Some tools are programmed to assume all you do is change one or two letters. Make sure you note down the new password.

If you do this, then you are doing all you can to ensure that you are keeping your account as safe as you can. The rest, as they say, is completely out of our hands. The ultimate responsibility for the safety and security of a service is not ours; it is the provider’s. And any suggestion we are responsible should never be accepted.

If they can’t keep their service safe and secure, then simply don’t use it. Harsh as that sounds… use your head. And take your custom elsewhere.

Nothing hurts them like hitting their bottom line in the goolies…
