Ploid 6.0

Member
Oct 25, 2017
12,440
You know who has a rock solid account secure customer service? Square Enix.

I tried to get access to my old FFXI account for around the 5th time over a couple years recently. This time I got so close I could taste it, and the guy on the phone seemed like he was playing charades, I was close, maybe I made up something with a word or two being real (I was super paranoid about putting real info on the internet, still am). I kept trying to give up but the guy kept motivating me to think about it and try again. He moved on to just needing the phone number along with the other attempts I may have missed or wasn't accurate enough on concerning the full address. I even ended up making a call to my mother asking if she remembered the number at that time. I just didn't care about messing around in FFXI for that one week bad enough. I was probably on the phone with him for 30 minutes, I was getting annoyed, maybe he wanted me on trying to remember things so he could take a break hah.
 

J_ToSaveTheDay

Avenger
Oct 25, 2017
18,879
USA
Whew... Article made me heed all those "your account was attempted access unsuccessfully" emails I had tied with my Epic Games account, which didn't have any sensitive info associated with it but I went ahead and made sure I still had ownership (I did) and enabled 2FA as a bonus. I don't even play Fortnite anymore but I guess someone was trying to hijack it to try and sell on this hacked account market...
 

wild_fire

Member
Oct 27, 2017
1,029
Wow, great article from Patrick. I've got 2FA on a bunch of accounts, but this is a kick in the pants to get it set up on as many accounts as I can.
 

TheZynster

Member
Oct 26, 2017
13,287
Wait wait wait

Sony lets you disable 2FA over the phone with literally no proof?

What the honest fuck SONY!!!!
 

Deleted member 48201

User requested account closure
Banned
Sep 29, 2018
1,469
Companies should give you the option to secure your account with a key such as a Yubico key or a Google Titan key WITHOUT an option to remove it if you don't have the key. This would solve a lot of these problems.

Maybe even give you the option to require the key to be plugged in to your console to boot games. This would discourage stealing accounts.
 

Cth

The Fallen
Oct 29, 2017
1,809
Great read, thanks for posting!

Managed to find the board mentioned in the article.. kinda curious to see what's on there but admittedly paranoid that registering or search terms will somehow be exploited.

I've got 2FA on my account, but I've been getting a lot of notifications lately on the phone.
 

WarrenD

Banned
Oct 30, 2017
133
Weird article. I'd wager someone inside Sony if I'm honest. There's too many weird things happening like the flagging and the 2fa being turned off. Definitely some missing info.

Also account for 13 years? I swear psn launched with the ps3 which was what? March 2006?
 

Windrunner

Sly
Member
Oct 25, 2017
6,517
Weird article. I'd wager someone inside Sony if I'm honest. There's too many weird things happening like the flagging and the 2fa being turned off. Definitely some missing info.

Also account for 13 years? I swear psn launched with the ps3 which was what? March 2006?

November 2006. So yeah, 13 year old PSN accounts aren't a thing.
 

BGA

Member
Oct 26, 2017
1,575
Wow, I don't know what I'll do if Sony did this to me. It's the reason why I'm buying digital games on sale and not full price compared to physical. How are Steam and Microsoft regarding this issue?
 

InfiniteCats

Member
Oct 25, 2017
123
Great read Patrick. Glad someone is holding Sony's feet to the fire on this, because their customer support system sounds absolutely ripe for abuse. It's wild that they don't have protocol for locking accounts down, and verifying identity with real life paperwork. The fact that someone is removing 2fa from an account should be an enormous red flag.

I remember back when I played WoW, well over a decade ago at this point, account hacking was a big business. Many people I knew had their accounts hacked and emptied multiple times, I learned my lesson after the first time. The process for getting it back involved creating tickets, waiting days, and submitting paperwork for my payment cards and personal identity. An enormous hassle at the time, and possibly overkill, but there has to be some sort of documentation requirements when someone wants 2fa wiped, otherwise why would anyone want to trust Sony with hundreds or even thousands of dollars worth of digital goods.
 

Gashprex

Member
Oct 25, 2017
1,031
It's absurd - if I can correct my stolen identity and credit report where somebody took out thousands of dollars in my name through a process (lengthy) which included affidavits, copies of drivers license and police report, there is no good reason why this couldn't be cleared up without some effort.
 

cmdrshepard

The Fallen
Oct 30, 2017
1,557
This is scary stuff. I have lost access to my psn and blizzard account before and I can tell you one was much easier to get back than another. Blizzard CS was awesome and got me the account back in less than 20 minutes once I was able to provide real world ID. PSN even though little was changed took almost 2 hours on the phone to get back and at times my heart was in my hand as it felt like they were umming about giving me access. Sony really needs to invest in better CS and you think that would have been a no brainer considering the PSN hack that happened in PS3 era.

Both of these occurred years ago and both of these accounts now have a lot more value (not just in terms of games/$ but also saves etc...) and I would dread having to go through anything close to losing any of my accounts like people on this and the old forum or in this story went through.
 

Klotera

Member
Oct 27, 2017
1,554
I've been leaning more toward going all-digital recently, as I try to minimize clutter, but this really gives me pause. Not saying I'm suddenly giving that up purely based on this, but it's definitely a consideration.
 

Edward

▲ Legend ▲
Avenger
Oct 30, 2017
5,136
If my username was "MechaMothra," I'd pay $700 to get a new one too. :P
Imagine having a name based on the Kenshin anime before realizing the creator is a scumbag? I'd pay good money to change my name.

Also, horror stories like this are why I will never buy digital on consoles.
 

take_marsh

Member
Oct 27, 2017
7,291
That's a cool story (only because he got his account back and Sony did something, despite likely being due to pressure), but Sony appears to really have either the shittiest security, shittiest policies, the shittiest support team, or some combination of the three.
 

Wolfgunblood

Member
Dec 1, 2017
2,748
The Land
Sony scares me. I would feel like the biggest asshole if my account got stolen knowing full well how shockingly bad their security and cs is, and yet I still buy digital. I have no such worries with Microsoft.
 

thediamondage

Member
Oct 25, 2017
11,322
People constantly say in these kind of threads "well, Sony should do better!" but when you logically think through the problem, it's a nightmare.

The scenario is this: person A owns the account. It gets hacked by someone guessing the password, social hacking, whatever. Now the obvious answer is, A should just call Sony and get the account back!

But how? Whatever they do to get the account back, IS A BACKDOOR FOR HACKERS TO TAKE OVER ACCOUNTS. If it's not rigorous enough security wise, I can just say I'm a victim of a hacker and attack a legit account pretending to be the victim. Banks and brokerages have procedures where you have to go in to a branch somewhere and prove your identity with drivers license, etc. Should Sony set up branches everywhere? It'll just turn into another attack vector where someone figures out how to dupe IDs and info to pretend to be you.

Obviously things like a security team that can quickly trace back the hack steps and do some basic stuff like restore original email address is good, but even that is not perfect because a lot of these accounts use the same password in gmail as PSN, Nintendo, eBay, Facebook, Xbox, etc so once you break into one system you break into everything.

Our digital "world" has raced ahead so fast and ahead of security that it's become a huge problem. Pre 1900s you didn't have much identity theft because there wasn't much you could do with a name. Now you can borrow millions, own vast amounts of digital property with nothing tied to them other than account names, passwords, and some secondary authorization (2FA) and it's all different everywhere. We are sort of coalescing around your mobile phone === YOU but that's going to turn into a million new problems soon enough, as people clone phones and stuff just by walking next to you.
 

Braaier

Banned
Oct 29, 2017
13,237
This is crazy. Would a similar thing happen with Xbox or switch? Or is Sony just this incompetent?
 

monketron

Member
Oct 27, 2017
2,877
Blizzard customer service once gave my account over to some Polish dude (I'm from the UK and have only ever logged in from the UK).

When I asked the CS agent over the phone - in disbelief - why they just gave my password, which also had 2FA set, to some guy with an IP showing as Poland when the account is clearly UK based, they informed me he had emailed them a scan of a drivers licence with my name on it. The idea that some random guy had found my real name and gone to the trouble of making a fake drivers licence with it, just to get access to virtual items, was pretty disturbing, but not as much as how easily Blizzard just gave over my 10 year old Blizzard account.

Thankfully they gave access back and reimbursed all the items/gold he had taken. What a ball ache though. I now have SMS protect also on the account, but it's not much good if the Blizzard reps can so easily be fooled. I also told them to add a note to my account making it nigh on impossible for someone to do this again, although it's going to screw me over if I actually do need to reset a password myself. It's worth the risk.

So it's not just Sony who have this sort of issue. Any system with a human element is open to getting socially engineered. Better training needed I guess.
 

Malverde

One Winged Slayer
Avenger
I had my account hacked and every time I called the rep said "we'll look into it and send you an email." The hacker had deactivated my account and made their account the primary one (but luckily did not change my password). I told Sony I needed them to deactivate all the consoles so that I could reestablish mine as the primary because I have family who play in my home and thus they rely on my account being the primary to play digitally purchased games. After two weeks of calling one of the service reps said it was my fault and I was probably game sharing with strangers. That was pretty much my "fuck this" moment and so I opened a claim with the Better Business Bureau and two weeks later that was finally what got them to fix it.

WHY THE FUCK DID IT TAKE A MONTH TO FIX THIS BULLSHIT?!?!? After this I have heavily cooled it on buying stuff for the Playstation. The story in the OP isn't the least bit surprising. Sony deserves to be dragged for being such an utterly incompetent piece of shit company when it comes to security.
 

NCR Ranger

Member
Oct 25, 2017
5,873
People constantly say in these kind of threads "well, Sony should do better!" but when you logically think through the problem, it's a nightmare.

The scenario is this: person A owns the account. It gets hacked by someone guessing the password, social hacking, whatever. Now the obvious answer is, A should just call Sony and get the account back!

But how? Whatever they do to get the account back, IS A BACKDOOR FOR HACKERS TO TAKE OVER ACCOUNTS. If it's not rigorous enough security wise, I can just say I'm a victim of a hacker and attack a legit account pretending to be the victim. Banks and brokerages have procedures where you have to go in to a branch somewhere and prove your identity with drivers license, etc. Should Sony set up branches everywhere? It'll just turn into another attack vector where someone figures out how to dupe IDs and info to pretend to be you.

Obviously things like a security team that can quickly trace back the hack steps and do some basic stuff like restore original email address is good, but even that is not perfect because a lot of these accounts use the same password in gmail as PSN, Nintendo, eBay, Facebook, Xbox, etc so once you break into one system you break into everything.

Our digital "world" has raced ahead so fast and ahead of security that it's become a huge problem. Pre 1900s you didn't have much identity theft because there wasn't much you could do with a name. Now you can borrow millions, own vast amounts of digital property with nothing tied to them other than account names, passwords, and some secondary authorization (2FA) and it's all different everywhere. We are sort of coalescing around your mobile phone === YOU but that's going to turn into a million new problems soon enough, as people clone phones and stuff just by walking next to you.

My solution to my particular incident would be to just allow the customer to opt into putting their account on lock, or whatever you want to call it, meaning no reps or anyone at Sony can change it. If I was able to do that this would have been all avoided. The risk is that if you forget your stuff you are screwed as well, but in my case that would have been well worth it.
 

Garlic

Member
Oct 28, 2017
1,687
Sony really needs to get their shit together. Too many horror stories about dealing with PSN's customer service.

I know at least half a dozen people who've either had their account stolen or been temporarily locked out of their account by an attempted theft. It's crazy how little importance Sony seems to put on security.
 

Slime

Member
Oct 25, 2017
2,971
Hope this blows up more. Sony deserves to be thoroughly embarrassed for how negligent they are with their security, especially after the 2011 hack. Unforgivable.
 

JoeyJungle

Member
Oct 27, 2017
560
idk why, but the tug of war with accounts is fascinating/horrifying to me. Didn't Patrick just do one a few months ago about a Steam account, where a dude's estranged father was stealing his Steam account to play Skyrim for thousands of hours? God I can't stand thinking about losing my PSN/Steam accounts, I've dumped so much money into games for them.

I actually had a case a few weeks back where my Apple ID was randomly flagged as making fraudulent purchases (I have a debit card tied to it so don't even have an option for a chargeback, no idea what flagged it for them). I emailed back the notification, response was "Something like thanks for replying! Your account's been permanently locked." I called and spoke with the Apple people until I ran out of minutes on my phone, but they kept telling me they weren't able to do anything (they said the account was so locked that the option to unlock it in the tool that they used was greyed out) and I'd need to make a new AppleID. When I asked what would happen to all the apps I purchased, the person said I'd need to email my receipts to the developers and they'd need to give me a code to redeem as an app purchase (wtf!), and the same thing for any in-app purchases (wtf! I didn't even bother asking about gacha purchases).

Luckily I pleaded over email to the dude who locked down my account, and they were like "Whoops, my bad!" and my account's been fine since. I don't think anyone was trying to steal the account, I think a random anti-fraud audit just automatically flagged my account for some reason and almost made me permanently use it.
 

Water

The Retro Archivist
Member
Oct 30, 2017
813
Great read. Sad to see he had to go thru so much because Sony doesn't have their processes straight. Glad he got his account back in the end.
 

DanSensei

Member
Nov 15, 2017
1,213
How do the accounts get hacked? I have a strong password, but no 2fa (though judging by the stories on here today 2fa on psn is useless at best and helpful to hackers at worst.) Are there any other steps I should take?
 

Ardiloso

Banned
Oct 27, 2017
2,368
Brazil
I fear for the people who buy anything digital on PSN. Looks like only a matter of time to lose all their investment and it's all Sony's fault.
 

Musubi

Unshakable Resolve - Prophet of Truth
Member
Oct 25, 2017
23,643
There is absolutely no excuse for allowing people to just disable two factor authentication over the phone without concrete proof of identity. That's unacceptable and needs to change asap

Seriously. You should have to mail/fax in physical proof or something.
 

Mass Effect

One Winged Slayer
Member
Oct 31, 2017
16,820
How do the accounts get hacked? I have a strong password, but no 2fa (though judging by the stories on here today 2fa on psn is useless at best and helpful to hackers at worst.) Are there any other steps I should take?

Social engineering. In this case, passwords mean nothing. They convince Sony they're you and have them reset all your info.
 

8byte

Attempted to circumvent ban with alt-account
Banned
Oct 28, 2017
9,880
Kansas
Don't just reply in this thread. Copy the article, tweet it out / share it, and tag PlayStation in it. Sony needs to be taken to task for this in a BIG way.
 

Drek

Member
Oct 27, 2017
2,231
How do the accounts get hacked? I have a strong password, but no 2fa (though judging by the stories on here today 2fa on psn is useless at best and helpful to hackers at worst.) Are there any other steps I should take?
No, you are still better with 2fa. This is a social engineering process to get around 2fa while without it a more brute force password crack or just compromised email and username is all it takes.

Use 2fa, just don't assume it's enough.

Personally I scrub all systems from my account and reset my password about every 6 months just to ensure that the only devices on there are mine.

Sony needs to start from scratch with PS5 and do the work to connect a legacy account, giving a far greater eye to security and account control.
 

Mass Effect

One Winged Slayer
Member
Oct 31, 2017
16,820
How do they do that? Any way to protect against it?

Database compromises (since Almighty's account is pre-2011 hack, that info is still out there)
triangulate your data (say if you've mentioned your PSN name from somewhere that exposes your real name. they can easily go from there)

protecting against it? well, be careful where you reveal your account names, be aware about how much personal info you reveal in general.
 

BlackLagoon

Member
Oct 25, 2017
2,767
Seriously. You should have to mail/fax in physical proof or something.
I mean, for starters they should just try to contact the account holder using the existing details to verify that there even is a problem. An SMS to the phone used for authentication and a couple of days for the owner to respond would have stopped the vast majority of attempts.
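
The hold-and-notify check suggested in the post above, combined with the opt-in account lock proposed earlier in the thread, sketched as an added example (not part of any post, and not Sony's or any vendor's actual process). The class names, the two-day hold and the phone numbers are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

HOLD = timedelta(days=2)  # assumed value for "a couple of days"

@dataclass
class Account:
    name: str
    phone: str                    # number already enrolled for 2FA
    two_factor: bool = True
    support_locked: bool = False  # owner opted out of rep-made changes

@dataclass
class Request:
    account: Account
    opened: datetime
    state: str = "pending"        # pending | vetoed | applied | denied

@dataclass
class SupportDesk:
    outbox: list = field(default_factory=list)  # stands in for an SMS gateway

    def request_2fa_removal(self, account, now):
        """A caller asks a rep to turn off 2FA; nothing changes yet."""
        req = Request(account, now)
        if account.support_locked:
            req.state = "denied"
            return req
        # Notify the existing factor, never contact details given by the caller.
        deadline = now + HOLD
        self.outbox.append((account.phone,
            f"2FA removal requested for {account.name}. "
            f"Reply STOP before {deadline:%Y-%m-%d %H:%M} to cancel."))
        return req

    def owner_veto(self, req):
        """Owner replied from the enrolled phone: cancel for good."""
        if req.state == "pending":
            req.state = "vetoed"
        return req.state

    def finalize(self, req, now):
        """Apply the change only after the hold has passed with no veto."""
        if req.state == "pending" and now >= req.opened + HOLD:
            req.account.two_factor = False
            req.state = "applied"
        return req.state

def demo():
    """Constructed scenarios: impersonated owner, silent owner, locked account."""
    desk, t0 = SupportDesk(), datetime(2019, 1, 1, 12, 0)
    victim = Account("victim_account", "+15550100")
    r1 = desk.request_2fa_removal(victim, t0)
    desk.owner_veto(r1)
    a = (desk.finalize(r1, t0 + HOLD), victim.two_factor)
    silent = Account("lost_phone_account", "+15550101")
    r2 = desk.request_2fa_removal(silent, t0)
    early = desk.finalize(r2, t0 + timedelta(hours=1))
    b = (early, desk.finalize(r2, t0 + HOLD), silent.two_factor)
    locked = Account("opted_in_account", "+15550102", support_locked=True)
    c = (desk.request_2fa_removal(locked, t0).state, locked.two_factor, len(desk.outbox))
    return a, b, c
```

The second scenario shows the trade-off raised in the thread: an owner who never answers still loses 2FA once the hold expires, so the delay narrows the window for impersonation without closing it.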