Blockbuster, consoles, games, Gaming & Culture, IT Security, redbox, rentals

Mourning the end of the video game rental era

Amateur photograph of a Redbox rental station.

Enlarge / This image, like game rentals as a whole, is now a relic of a bygone era.

On Monday, Redbox confirmed to The Verge that it was “permanently transitioning out of the games business.” That means Redbox would remove the option to rent physical game discs from its thousands of self-serve kiosks (Redbox game sales will still be available through the end of the year).

For many in the United States, Redbox kiosks had been the only convenient way to rent games ever since rental mega-chain Blockbuster went belly up over the course of a decade (along with most of its smaller brick-and-mortar competition). GameFly still offers a rent-by-mail service, but that service’s monthly subscriptions and long postal wait times mean those loans are not much like just going down the street and paying a few bucks to sample a game for a few days.

Redbox’s decision to exit the game-rental market, just as the 2010s come to a close, marks a poetic and somewhat anticlimactic end to a practice that has been in a steep decline for well over a decade now. Like using a slide rule or blowing into a Nintendo cartridge, renting physical games is a practice we’ll harbor nostalgia for even though it’s not necessary anymore (assuming you have good-enough Internet access, that is).

A brief history of video game rentals

Video game rentals can trace their lineage back to the late ’80s, when stores that loaned out a flood of new VHS movies started adding NES software to their shelves as well. But while a movie studio could control when a theatrical release would hit the home video-rental market, video games could appear on rental-store shelves the very same day they were available for sale.

In David Sheff’s seminal history book Game Over, Nintendo of America’s then-chairman Howard Lincoln called this state of affairs “nothing less than commercial rape” for the video game industry.

I can spend thousands of hours and millions of dollars creating a game. I expect, therefore, to be compensated every time the thing sells. All of a sudden, out of the blue, comes a system that distributes my game to thousands of people and I get no royalty. The video-rental companies exploit the thing—renting it out over and over again, hundreds and even thousands of times—and I get nothing. The guy who developed the game and Nintendo get screwed. What does the guy who’s renting the cartridge contribute? What does he pay in terms of a royalty for the commercial exploitation of copyrighted work? Zip.

While a Japanese copyright law allowed Nintendo to prohibit the rental of its games in that country, the first-sale doctrine allowed such rentals to flourish in the United States. In 1990, the Computer Software Rental Amendments Act cemented the right to rent out console video games while also barring the rental of computer software (which is more easily copied).

Lincoln pushed for a compromise bill that barred console game rentals for a year after their release, but it died in legislative committee. Nintendo also tried to sue Blockbuster for copyright infringement over its use of photocopied game manuals in game rental boxes, but the case was settled out of court, and Blockbuster just started writing its own instructional copy for games instead.

Blockbuster's game-rental business got so big that exclusive versions of games like <em>Donkey Kong Country</em> were produced just for in-store rentals and competitions.

Enlarge / Blockbuster’s game-rental business got so big that exclusive versions of games like Donkey Kong Country were produced just for in-store rentals and competitions.
2-Step Verification, 2fa, Breach, bug, Cybercrime, games, gaming, humble bundle, IT Security, phish, Phishing, Security, Social Engineering, spear phishing, two-factor authentication, video games

Humble Bundle alerts customers to subscription reveal bug

You’ll want to check your mailbox if you have a Humble Bundle account, as they’re notifying some customers of a bug used to gather subscriber information.

bug notice

Click to enlarge

The mail reads as follows:

Hello,

Last week, we discovered someone using a bug in our code to access limited non-personal information about Humble Bundle accounts. The bug did not expose email addresses, but the person exploited it by testing a list of email addresses to see if they matched a Humble Bundle account. Your email address was one of the matches.

Now, this is the part of a breach/bug mail where you tend to say “Oh no, not again” and take a deep breath. Then you see how much of your personal information winged its way to the attacker.

Oh no, not again

For once, your name, address, and even your login details are apparently in safe hands. Either this bug didn’t expose as much as the attacker was hoping for, or they were just in it for the niche content collection.

The email continues:

Sensitive information such as your name, billing address, password, and payment information was NOT exposed. The only information they could have accessed is your Humble Monthly subscription status. More specifically, they might know if your subscription is active, inactive, or paused; when your plan expires; and if you’ve received any referral bonuses.

I should explain at this point. You can buy standalone PC games on the Humble store, or whatever book, game, or other collection happen to be on offer this week. Alternatively, you can sign up to the monthly subscription. With this, you pay and then every month you’re given a random selection of video game titles. They may be good, bad, or indifferent. You might already own a few, in which case you may be able to gift them to others. If you have  no interest in the upfront preview titles, you can temporarily pause your subscription for a month.

This is the data that the bug exploiter has obtained, which is definitely an odd and specific thing to try and grab.

Security advice from Humble Bundle

Let’s go back to the email at this point:

Even though the information revealed is very limited, we take customer trust very seriously and wanted to promptly disclose this to you. We want to make sure you are able to protect yourself should someone use the information gathered to pose as Humble Bundle.

As a reminder, here are some tips to keep your account private and safe:

  • Don’t share your password, personal details, or payment information with anyone. We will NEVER ask for information like that.
  • Be careful of emails with links to unfamiliar sites. If you receive a suspicious email related to Humble Bundle, please contact us via our support website so that we can investigate further and warn others.
  • Enable Two-factor authentication (2FA) so that even if someone gets your password, they won’t be able to access your account. You can enable2FA by following these instructions.

We sincerely apologize for this mistake. We will work even harder to ensure your privacy and safety in the future.

Good advice, but what’s the threat?

One could guess that the big risk here, then, is the potential for spear phishing. They could exploit this by sending mails to subscribers that their subscription is about to time out, or claim problems with stored card details. Throw in a splash of colour text regarding your subscription “currently being paused,” and it’s all going to look convincing.

Phishing is a major danger online, and we should do everything we can to thwart it. While the information exposed here isn’t as bad as it tends to be, it can still cause major headaches. Be on the lookout for dubious Humble mails, especially if they mention subscriptions. It’ll help to keep your bundle of joy from becoming a bundle of misery.

The post Humble Bundle alerts customers to subscription reveal bug appeared first on Malwarebytes Labs.