
They're talking about the 'titlekey' system that the eShop uses. The overview of the process is:

1) You attempt to purchase a game on the eShop

1a) Nintendo servers verify you have funds

1b) Nintendo charges your account credit equal to the amount of the game

2) Once payment is received, the eShop application installs the selected game's 'titlekey' to your 3DS system. These titlekeys are unique per game, not per console -- herein lies the biggest part of the problem. These titlekeys are used as decryption keys for the game contents hosted on Nintendo's CDN (which doesn't need authentication!).

3) If the eShop app senses you have the game's titlekey installed, it will let you download it to your system.

So, once people figured out how to dump the titlekey databases from their systems, and how to import titlekeys into their other systems, they were able to essentially get free games directly off the eShop, using Nintendo's servers!

And then a few weeks after that, a homebrew app called freeShop came by that automated the process -- it has a GUI that lets you browse the games in the eShop, pull and install the titlekey from an online database, and grab/decrypt/install the game straight from Nintendo's servers.

Because Nintendo doesn't tie purchases to your Nintendo Network ID, but rather to the hardware itself, they left themselves wide open to this.

(It should be noted that the Wii U eShop uses a very similar system that has been similarly exploited recently.)
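The comment above attributes the problem to per-game keys, a CDN that needs no authentication, and purchases that are not tied to an account. As an added example (not part of the original thread and not Nintendo's code), this sketch shows a server-side download ticket bound to both an account and a title; the secret, account names, title IDs and function names are all constructed for illustration.

```python
import hashlib
import hmac
import json
import time

# Hypothetical server-side signing secret; it never leaves the servers.
SERVER_SECRET = b"constructed-demo-secret"
# Constructed purchase records: (account, title) pairs held by the storefront.
PURCHASES = {("alice", "TITLE-0001")}


def _mac(account_id, title_id, expires):
    # JSON list encoding keeps the field boundaries unambiguous.
    msg = json.dumps([account_id, title_id, expires]).encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_ticket(account_id, title_id, purchases, ttl=300, now=None):
    """Storefront: issue a short-lived ticket only for a recorded purchase."""
    if (account_id, title_id) not in purchases:
        return None
    expires = int(now if now is not None else time.time()) + ttl
    return {"account": account_id, "title": title_id,
            "expires": expires, "mac": _mac(account_id, title_id, expires)}


def cdn_authorize(ticket, requested_title, session_account, now=None):
    """CDN: serve content only if the ticket is authentic, unexpired, and
    matches both the authenticated account and the requested title."""
    if ticket is None:
        return False
    now = int(now if now is not None else time.time())
    expected = _mac(ticket["account"], ticket["title"], ticket["expires"])
    return (hmac.compare_digest(expected, ticket["mac"])
            and ticket["expires"] > now
            and ticket["account"] == session_account
            and ticket["title"] == requested_title)


if __name__ == "__main__":
    t = issue_ticket("alice", "TITLE-0001", PURCHASES)
    print("owner download allowed:", cdn_authorize(t, "TITLE-0001", "alice"))
    print("same ticket, other account:", cdn_authorize(t, "TITLE-0001", "bob"))
```

Because the authorization decision is made on the server for each download, a key or ticket copied to another account or device does not by itself unlock the content.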



Okay, wow, that's a huge hole in their system. Is there any indication that Nintendo is aware of this and is trying to patch it? Or has it been patched already?


Well, it's locking millions of customers out from the eShop until they do a software update vs. letting a few thousand pirates slip.



