Who thought it was a good idea to e-mail activation codes?

[doveman]

I just bought FC3 and got an e-mail containing my activation code. As everyone knows, e-mail is not secure and is easily sniffed by any rogue node in the chain, so sending activation codes or passwords using it is a basic security no-no.

 

I hope you read this and stop doing this ED.

[cichlidfan]

I just bought FC3 and got an e-mail containing my activation code. As everyone knows, e-mail is not secure and is easily sniffed by any rogue node in the chain, so sending activation codes or passwords using it is a basic security no-no.

 

I hope you read this and stop doing this ED.

 

How do you want them delivered to you?

[doveman]

How do you want them delivered to you?

 

I don't. They're displayed in my DCS account on the website, both when I buy them and any other time I need to check them (although I store them in my Lastpass as well just in case).

[tsumikae]

I just bought FC3 and got an e-mail containing my activation code. As everyone knows, e-mail is not secure and is easily sniffed by any rogue node in the chain, so sending activation codes or passwords using it is a basic security no-no.

 

I hope you read this and stop doing this ED.

 

If you really feel that uncomfortable about emails, video games activation codes should be the least of your problems :D

[doveman]

If you really feel that uncomfortable about emails, video games activation codes should be the least of your problems :D

 

Not at all. I don't send any sensitive or financial information or codes/serial numbers for products I've purchased by e-mail and I don't recall any other company sending such information to me by e-mail.

[cichlidfan]

Not at all. I don't send any sensitive or financial information or codes/serial numbers for products I've purchased by e-mail and I don't recall any other company sending such information to me by e-mail.

 

I can think of plenty of software companies that send keys by email. Microsoft being the largest that comes quickly to mind.

[doveman]

I can think of plenty of software companies that send keys by email. Microsoft being the largest that comes quickly to mind.

 

Not to me they haven't and if they did, I'd point out that it was pretty stupid to them as well. Most companies don't send passwords via e-mail as they realise that's not a good idea, so it's bizarre if they're sending out product codes that way.

[cichlidfan]

Adobe, Ubisoft, The Flight Sim Store, FS Pilot Shop,...

 

Here is an example MS email.

 

EDIT: Now that I have given it some thought. I can not think of a single instance where, given the following circumstances...

 

1) Software was bought online

2) Delivery was digital download

3) A key was required to activate the software

 

..., I did not receive a key in an email.

 

Now in most, if not all of these cases, I can also visit the appropriate website and view/retrieve the key but that doesn't change the fact that the key was sent in an 'open' email. I don't have a single receipt with a link labeled 'Go Here for Activation Code'.

 

Passwords are a different story altogether.

Edited June 9, 2014 by cichlidfan

[doveman]

Adobe, Ubisoft, The Flight Sim Store, FS Pilot Shop,...

 

Here is an example MS email.

 

EDIT: Now that I have given it some thought. I can not think of a single instance where, given the following circumstances...

 

1) Software was bought online

2) Delivery was digital download

3) A key was required to activate the software

 

..., I did not receive a key in an email.

 

Now in most, if not all of these cases, I can also visit the appropriate website and view/retrieve the key but that doesn't change the fact that the key was sent in an 'open' email. I don't have a single receipt with a link labeled 'Go Here for Activation Code'.

 

Passwords are a different story altogether.

 

None of which changes the fact that it's a bad idea. Pointing out that the other kids are doing something stupid as justification for doing it yourself isn't much of a defence ;)

 

I'd rather someone got my password to some forum or other than nicked my product code and sold it, forcing me to have to buy the product again. Even on the odd occasion where I've had a password sent via e-mail, it's been made very clear that I should change it immediately via the website. I can't change a product code in the same way, so it just shouldn't ever be sent insecurely.

[cichlidfan]

None of which changes the fact that it's a bad idea. Pointing out that the other kids are doing something stupid as justification for doing it yourself isn't much of a defence ;)

 

A bad idea perhaps, but considering that even AV companies like McAfee and Kapersky do it, I doubt your concerns are going to create any change in the way companies operate.

 

EDIT: I was also trying to point out that it seems to be the norm not an aberration, like some kids jumping off of a cliff.

Edited June 9, 2014 by cichlidfan

[Winfield_Gold]

Buy anything from Humble Bundle or Bundle stars and you receive both origin and steam keys via e-mail. You actually need to supply an e-mail address to receive the keys

 

EDIT: also another company I use is cjs-cdkeys.com who also require an e-mail address in which to receive the keys

 

This is just 3 out of many that I use regularly.

Edited June 9, 2014 by Winfield_Gold

[cichlidfan]

GoGamer, Digital River, Stardock,...

 

The list goes on and on.

[Winfield_Gold]

GoGamer, Digital River, Stardock,...

 

The list goes on and on.

 

I concur sir,

 

so to answer the question to the OP, I thought it was a good idea to e-mail activation codes. Best idea I have had all day. I'm an ideas man, full of good ideas

[doveman]

A bad idea perhaps, but considering that even AV companies like McAfee and Kapersky do it, I doubt your concerns are going to create any change in the way companies operate.

 

EDIT: I was also trying to point out that it seems to be the norm not an aberration, like some kids jumping off of a cliff.

 

Well if companies are going to ignore a quite obvious security risk and refuse to start acting sensibly and help me protect my purchases, I'll take my money elsewhere and then maybe they'll care. I'll likely only buy modules on Steam, rather than from ED directly, in future, as Steam don't seem to think it necessary to send my product codes via e-mail (for those games I have bought from them anyway but I presume it'll be the same for DCS modules). I've always bought my modules direct from ED to date, to make sure they get as much money as possible but if ED doesn't respect me enough as a customer to help me protect my purchases, then **** them.

[cichlidfan]

Well if companies are going to ignore a quite obvious security risk and refuse to start acting sensibly and help me protect my purchases, I'll take my money elsewhere and then maybe they'll care. ...

 

Good luck with that. ;)

 

EDIT: Consider that if the problem actually existed to any significant degree, the companies whose IP was being subverted would be the first ones to worry about it (i.e. Autodesk who sells 4 digit price tag software in this manner). One could argue that re sellers (i.e. GoGamer) might not care but the OEM software companies would certainly sit up and take notice.

Edited June 9, 2014 by cichlidfan

[doveman]

Good luck with that. ;)

 

EDIT: Consider that if the problem actually existed to any significant degree, the companies whose IP was being subverted would be the first ones to worry about it (i.e. Autodesk who sells 4 digit price tag software in this manner). One could argue that re sellers (i.e. GoGamer) might not care but the OEM software companies would certainly sit up and take notice.

 

You don't ignore a security risk just because no one's exploited it yet. Just cross your fingers and hope that one day a load of customers don't contact you saying that someone has nicked their product codes. Not a good plan. Is ED going to accept their word for it and supply them with a new product code (and finally stop sending them by e-mail) if that happens, or treat them all like liars and thieves and require them to somehow prove that their code was stolen (which is obviously impossible).

 

Even if the problem doesn't currently exist to a significant enough degree for ED to care about, it will be very significant to me if I get my product code stolen thanks to their refusal to recognise and fix the problem.

[doveman]

Let's wait until the first issue cause by emailing activation keys before we denounce it as a security risk.

 

Has anyone had a problem with someone stealing their activation key?

 

When it happens, we can all worry together, until then I think it's safe. :)

 

Some folk probably never check their activation keys at the DCS site so I believe emailing them is an important step in making DCS easy to access.

 

That's totally the wrong way to approach security. You don't wait until all your stuff has been nicked before locking the door :doh: Once you've identified a security risk, you fix it before someone nasty notices it and takes advantage of it.

 

The activation key comes up as soon as you buy a module via the website and an e-mail could go out with a link to the website and instructions to login to check activation keys if necessary, so e-mailing the actual product keys is quite unnecesssary and foolish. Considering how complicated DCS aircraft are, I think users will be able to cope with logging in to a website to get their keys ;)

[AlphaOneSix]

While I think it would be more secure to not send the key in an e-mail, I also think that the security threat is being FAR overstated. Nothing is lost when you have a key stolen, unless you count the time it takes to receive a new key when you are out of activations. ED has been quite good about replacing keys up to this point, I don't see a reason to expect that to change.

[Gerg]

If someone could sniff SSL traffic to steal the keys from an email, they would be able to break SSL on Steam or on a website too and read it off a webpage you would need to copy/paste it from anyways.

Edited June 9, 2014 by Gerg

[Sabre-TLA]

Why not just encrypt the emails?

 

Here is one solution.

[EtherealN]

Why not just encrypt the emails?

 

Here is one solution.

 

Great idea, it'll be a good step towards ensuring that we get even more support questions about "where are my serial numbers" and "what is this". :)

 

Remember: the majority of computer game customers, including simulators, are not computer nerds like you and me. Most of them are happy they can turn the computer on and run a game or three, and we really cannot except them to figure their way around encryption programs.

 

That said, I do agree with the OP, actually mailing the serial numbers might not be necessary.

[cichlidfan]

That said, I do agree with the OP, actually mailing the serial numbers might not be necessary.

 

If the OP had actually said that it 'might not be necessary', I would have agreed with him, too. :)

[SkateZilla]

Odd,

Everything from AMD Gaming Evolved Codes, to Codes won through contests etc, were always emailed to me for the last 10 years..

 

shrug...

[Home Fries]

The difference between an ED module and a single-use DLC code (which are also, by the way, sent via email) is that the module serial number is tied to your account. While that means that you can check it using your account, that also means that even if somebody else gets your code through illegal means, the only thing they will be able to do is burn one of your activations. They won't be able to get online (that's tied to your account), and any activations can be identified on your account and traced back to the IP at activation. Besides, ED can always add activations to your account as required.

 

Bottom line: it may not be Ft. Knox secure, but it's as secure as it needs to be without sacrificing convenience.

[SkateZilla]

I still get codes through Facebook and Twitter Direct Messages for Steam Games.. from Vendors....

 

nothing can be more insecure than that.