Maybe it was a short name or word...
You know who has rock-solid account security customer service? Square Enix.
I tried to get access to my old FFXI account for around the 5th time over a couple of years recently. This time I got so close I could taste it, and the guy on the phone seemed like he was playing charades: I was close, maybe I made up something with a word or two being real (I was super paranoid about putting real info on the internet, and still am). I kept trying to give up, but the guy kept motivating me to think about it and try again. He moved on to just needing the phone number, along with the other attempts I may have missed or wasn't accurate enough on concerning the full address. I even ended up making a call to my mother asking if she remembered the number at that time. I just didn't care about messing around in FFXI for that one week badly enough. I was probably on the phone with him for 30 minutes; I was getting annoyed. Maybe he wanted me trying to remember things so he could take a break, hah.
People constantly say in these kinds of threads "well, Sony should do better!" but when you logically think through the problem, it's a nightmare.
The scenario is this: person A owns the account. It gets hacked by someone guessing the password, social hacking, whatever. Now the obvious answer is, A should just call Sony and get the account back!
But how? Whatever they do to get the account back, IS A BACKDOOR FOR HACKERS TO TAKE OVER ACCOUNTS. If it's not rigorous enough security-wise, I can just say I'm a victim of a hacker and attack a legit account pretending to be the victim. Banks and brokerages have procedures where you have to go in to a branch somewhere and prove your identity with a driver's license, etc. Should Sony set up branches everywhere? It'll just turn into another attack vector where someone figures out how to dupe IDs and info to pretend to be you.
Obviously things like a security team that can quickly trace back the hack steps and do some basic stuff like restore the original email address are good, but even that is not perfect, because a lot of these accounts use the same password in Gmail as PSN, Nintendo, eBay, Facebook, Xbox, etc., so once you break into one system you break into everything.
Our digital "world" has raced ahead so fast, and ahead of security, that it's become a huge problem. Pre-1900s you didn't have much identity theft because there wasn't much you could do with a name. Now you can borrow millions and own vast amounts of digital property with nothing tied to them other than account names, passwords, and some secondary authorization (2FA), and it's all different everywhere. We are sort of coalescing around your mobile phone === YOU, but that's going to turn into a million new problems soon enough, as people clone phones and stuff just by walking next to you.
That is the important question, isn't it?
Maybe you can't link due to forum rules, but where is that information available? I see that haveibeenpwned.com has Sony listed, but my email isn't listed as a part of that hack. EDIT: Ah, they "only" have 37,103 accounts under that, and that includes the SonyPictures.com hack as well.
Database compromises (since Almighty's account is pre-2011 hack, that info is still out there)
Triangulate your data (say, if you've mentioned your PSN name somewhere that exposes your real name; they can easily go from there)
Protecting against it? Well, be careful where you reveal your account names, and be aware of how much personal info you reveal in general.
My understanding is Sony made some internal changes the last time I ran a story about PSN security, so I hope that happens here, too. My one request is to remove the ability to disable two-factor over customer service.
What happened if you tried to set the system as primary from the console itself? What would have happened if someone else had enough information about you; couldn't they also do this over the phone? That's kind of the problem with social engineering: it can be hard to know if it's the actual person owning the account or not, and what proof should be enough and what the customer support should be able to do. In 99.99% of the cases, they're likely legit cases, so they try to be helpful towards the consumer, but it sucks when it's someone trying to hack the account.
My account has also been compromised once, or at least my console was disabled as primary and I couldn't activate downloads from a distance. Basically, their customer support couldn't do anything but say you have to wait half a year and disable all devices, change your pw and activate. You get punished, basically. I had proof it was me, more than any stupid fuck who compromised my account would have. I've enabled 2FA since; it's also weird that Sony doesn't really push this feature up front. Now we see 2FA isn't all that hot with Sony either.
Maybe it was a short name or word...
There was a reset of inactive Gamertags on Xbox a few years ago. I had luck and grabbed a four-letter one, the name of a game character.
Since then people send me messages offering to buy it from me, or they threaten to boot me offline, to get my account banned, etc., because I never respond to these messages. Yesterday I got a message from a burner account saying that he's going to report me. I don't know for what, because I never played with this person according to the recent players list. I know it's a burner account because it only has around 1000 Gamerscore and a few f2p games on it. People also try to get my personal information by asking specific questions.
I get a lot of random party invites, probably because they want my IP.
It's annoying as hell but it goes further.
There are clubs on Xbox; they can be compared to the communities on PSN. People openly trade accounts in these clubs for money. Some of them are probably stolen, because the offers include comments like "has 100.000 gamerscore, has x amount of games, has x amount of followers etc."
Microsoft don't care. It's against the terms of service to trade/sell Xbox accounts, but Microsoft never do anything about it.
I imagine it's the same for PSN.
In the scenario in Patrick's article it would be incredibly easy for Sony to identify who the hacker is, and who the actual account owner is.
The hacker is the person who is asking to deactivate the 2FA over the phone. If Justin put it in place as soon as it was offered in 2016, and it was only deactivated for the first time in 2018, whoever did that at Sony displayed a staggering lack of common sense.
This is 100% on Sony.