Major Security Threat - Authenticator useless

exovangam
01.29.2012 , 05:07 AM | #61
Yes, the auth did prevent him from changing any account info, but I could not log into my account because my email and pw were changed via Origin, and an EA rep on tech support confirmed that changing my Origin info would change my SWTOR info. And BioWare did not lock my account; I called them and had to ask them to lock it.

I am relatively tech savvy. I don't go to gold websites or respond to phishing emails, let alone even open them. I've had Kaspersky AV for several years now and keep it updated daily, and did several full scans over the last few days, and nothing.

As others have pointed out, my point isn't that I got hacked, it's that there's a workaround to change the username and pw on an account. Granted they cannot access any other info, they can still lock you out.

Kelvian
01.29.2012 , 05:09 AM | #62
Authenticator codes do expire, depending on the level of security the key provider offers. RSA normal is 15s, and if you don't enter that code within 15s then you have to request a whole new code because the OLD code is invalid and you get a message telling you so.

If this wasn't the case then there are a lot of companies with road warrior users that access sensitive company information that are at risk, that would be a serious issue.

Mikkeos
01.29.2012 , 05:10 AM | #63
Quote: Originally Posted by Heliotic
You can't actually do this. That's flat out FUD.

Yes you can.
Create a code.
Have a typo, or just plain out leave the field for the authenticator code empty.
Use the code again (before it times out on the device).

It does not lock the code as basically all other authenticator systems with a one-time passcode do. I think you got about 5 minutes to try over and over again with the one generated code.
Q: So, is there anything at all in the game that mitigates falling damage?
A: elevators

Pastorfrog
01.29.2012 , 05:12 AM | #64
Quote: Originally Posted by Mikkeos
Yes you can.
Create a code.
Have a typo, or just plain out leave the field for the authenticator code empty.
Use the code again (before it times out on the device).

It does not lock the code as basically all other authenticator systems with a one-time passcode do. I think you got about 5 minutes to try over and over again with the one generated code.

5 minutes? Source?

15-30 seconds is standard for this sort of device.
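
Added example, not written by any poster in this thread and not BioWare or EA code: the two properties argued over in posts #63 and #64, a short validity window and a code that is spent after its first successful use, shown in a time-based one-time-code verifier. The 30-second step, the one-step drift allowance, the secret, the timestamp and the `Verifier` class are assumptions made for the illustration.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per code (assumed; RFC 6238 default)
DRIFT = 1    # accept +/- 1 step of clock skew (assumed)


def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for one time-step counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Verifier:
    """Hypothetical server-side check: short window, single use."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_used = -1   # highest counter already accepted

    def check(self, code: str, now: float) -> str:
        current = int(now) // STEP
        for counter in range(current - DRIFT, current + DRIFT + 1):
            if hmac.compare_digest(totp(self.secret, counter), code):
                if counter <= self.last_used:
                    return "replayed"      # already spent, or older than a spent one
                self.last_used = counter   # burn it on first success
                return "ok"
        return "invalid"                   # wrong, empty, or expired


def demo():
    secret = b"constructed-demo-secret"    # constructed sample, not a real key
    v = Verifier(secret)
    t0 = 1_327_813_800                     # constructed timestamp
    code = totp(secret, t0 // STEP)
    return [
        v.check("", t0),            # empty field: rejected, code not burned
        v.check(code, t0 + 5),      # first real use
        v.check(code, t0 + 10),     # same code again
        v.check(code, t0 + 300),    # five minutes later
    ]


if __name__ == "__main__":
    print(demo())
```

A failed attempt (typo or empty field) does not spend the code, so a legitimate user can retry; what the verifier refuses is a second success with the same code and any use outside the drift window.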

marshalleck
01.29.2012 , 05:12 AM | #65
Quote: Originally Posted by Heliotic
It doesn't bypass the authenticator, you still need it to login to the client. I'm not blaming the user, and I agree it's a stupid decision but the authenticator -worked as designed-.

What are you failing to understand here? Changing account info on the Origin site makes changes to the SWTOR account without checking the authenticator. That's bypassing authentication. Linking the two systems such that access to an unprotected account can alter the details of a protected account *is* a significant security flaw.
Classless character progression // Deep crafting & harvesting // Fully customizable spells & skills // Living world with seasons, weather, dynamic day/night & wildlife ecology // >

Rethan
01.29.2012 , 05:13 AM | #66
The thing is, if your account is not known, they can't go hacking it. Password also is not easy to generate if it includes special marks, numbers and lower/upper case all mixed, so you rarely need to worry about it.

Only way you lose your account is:
- If, in a rare case, the database gets hacked at the root.

- You give your account name or password somewhere, or get involved with a program/website that spreads keyloggers. In WoW many smaller addons did this. This includes using links given to you by others or in emails, and using your browser through that link. (Rather than use a link given to the SWTOR website, just open a new browser and write the URL yourself.)

- You give your account's email in something that seems a legitimate questionnaire or anything related to said game. These results are not always used properly, nor protected well, and may get into the wrong hands. Getting email or accounts is the first step for hackers to get into your accounts - it's why I tend to use a different email for official use and things such as these games.

Mikkeos
01.29.2012 , 05:16 AM | #67
The code countdown on my iPhone takes way longer than the 1 minute autolock for the phone itself. Even if it is 'only' 3 minutes, that is a lot of time for attackers.

I have been working with RSA systems a couple of times.
The usual 15 seconds are plenty of time for 6 and 8 digit codes.
Q: So, is there anything at all in the game that mitigates falling damage?
A: elevators

GHeissi
01.29.2012 , 05:18 AM | #68
On Android it is exactly 1 minute.

MrTijger
01.29.2012 , 05:22 AM | #69
Quote: Originally Posted by marshalleck
Awesome. Linked accounts bypassing the authenticator is a major security flaw, and yet the Bioware Defense Force kneejerk reaction is to blame the user.

Stay classy guys

You're being silly, the authenticator was never bypassed.

Baghiel
01.29.2012 , 05:22 AM | #70
They are also talking about the actual authenticator I believe, not the iPhone and Android ones.
Inside everyone there is light, and there is darkness. It is the duality of human nature, inherent in us all. What will it take to bring your darkness to the fore?