Recently, it has been revealed that several EA Sports accounts were compromised by hackers via phishing techniques. The threat actors exploited EA’s live chat, targeting high-profile players for account takeover. The attackers utilised social engineering methods, exploiting errors within the customer experience team and using these to bypass two-factor authentication.
As a result, EA has released their strategy on how to prevent similar issues going forward and better secure player accounts. The steps are outlined below:
- All EA Advisors and individuals who assist with service of EA Accounts are receiving individualised re-training and additional team training, with a specific emphasis on account security practices and the phishing techniques used in this particular instance.
- We are implementing additional steps to the account ownership verification process, such as mandatory managerial approval for all email change requests.
- Our customer experience software will be updated to better identify suspicious activity, flag at-risk accounts, and further limit the potential for human error in the account update process.
Commenting on the news, Ciaran Byrne, head of security operations at Edgescan, stated:
“EA seems to be taking a good approach here, although one would ask why it has taken until now to implement these new security measures. It is no secret that gaming accounts have been targets of hackers for as long as there’s been online gaming, and EA have been around even longer than that. The new measures are welcomed but could always be improved further.
There will always be a trade-off between usability and security. The trick is to have the security mindset ingrained in users and staff from the beginning rather than introducing it under pressure from users. There will always be a risk of users raising concerns over the measures slowing down their experience, but they will likely continue to play the game and get used to the additional layer of security if they ever feel the need to change account settings. In the long run, users should be happy their accounts and data are secure.
All in all, good job EA for identifying and correcting a security risk rather than burying their head in the sand.”