PSN Account Social Engineered Theft

I put this in the Journalism thread but it deserves top billing IMO.

It’s excellent reporting by Patrick Klepek. I think everyone should know this sort of thing is happening if you don’t already. Two-factor authentication only protects you if the reps at the other end of the phone don’t turn it off!

Man, I really miss Patrick K. from when he was on Giant Bomb.

Anyway, I’ve read a terrifying number of accounts from people losing their PSN access on various sites, and Sony always seems quick to throw their hands up and give up entirely once the wrong people have access. It’s nonsense and they need to do better.

Stuff like this is why I’m very leery of buying digital games; almost all the games I own on my consoles are physical discs, though there are exceptions.

Yes. They absolutely need to do better. That should never have escalated like it did in the article.

I agree also about digital games. @Mike_Cathcart gives me shit all the time about buying discs (and carts), but outside of fire, flood, or zombie uprising, I’ll probably still have all my games years from now and those who go all digital have a larger non-zero chance of not.

Great article!

So why did this guy go to so much trouble to steal that specific account? Was it tagged a journalist account to get free games, or did it have a lot of rare trophies, or something? Seems like a ton of effort.

The account name was somehow desirable. Probably either very short, the name of some popular game/movie character, or some particularly macho English language word.

Ahh, that makes sense. Saw a bunch of short twitter handles being stolen for the same reason.

Basically the thief just kept calling until he found a CS rep that would remove the 2-factor for him. There’s not a whole heck of a lot you can do about that.

Well, we can’t, but Sony sure can!

Yep, and articles like this are the only way they will.

Yeah, that’s why I bumped this one to a thread. I think more people need to pay attention. This sort of thing is exactly why we’re jumping through extra security hoops, but if they’ll let it be defeated by people who can flip switches on their end then it’s damn near useless!

Let’s not forget disc rot. I’ve lost a few older PC games to that, though I think they’ve gotten better about it with later gen stuff.

Several years from now, if Sony’s usual rate for fixing problems with their network is any indication!

The problem is it’s social engineering, so you need to write a policy and convince people, very poorly paid, completely unskilled people, mind you, that they need to adhere to it. Even when someone is crying and/or really seems trustworthy on the phone. That’s really tough.

Simply remove the option to remove 2FA from the low-level CSR’s arsenal, and require significantly more information from the customer by the better-paid, higher-level agents. It shouldn’t even be possible to remove 2FA without requiring significantly more info than one of these thieves is going to have, anyway.

A good social engineer can get a single tidbit of info per call, and then calls back multiple times. It’s really tough to protect from that. But yeah, process and controls are all you can do right now.

EA uses a cognitive chatbot for account authorization for that very reason; it removes the human element.

You also don’t have to pay the bot.

Customer service systems in a call center are often configured to restrict access to certain user information to certain support tiers, so that, for example, low-level CSRs can’t see a customer’s SSN, but someone working in a department that legitimately needs that info (collections, perhaps) can verify it. Sony probably shouldn’t be using things like SSNs, but they could easily verify using other details a low-level CSR shouldn’t need access to and that a rando on the Internet shouldn’t be able to get, like street address or DoB. Maybe they could even change their account systems so that users can’t view or change that stuff through PSN even after logging into their account, so if someone calls into customer service trying to change that info on an account they’ve already gained access to, they won’t be able to verify it unless they’ve compromised a lot of other stuff that’s more important than a PSN account already. Maybe you use IP location on top of that and require a call into a non-human verification service when someone tries to log on from a different city or country than the previous X successful logins.

Sony’s a big company, so I’m not particularly swayed by any argument that they can’t figure something out to secure their user accounts when it’s been made public that they’re horribly insecure and their own CSRs are partly to blame.

You can get humans to give that stuff up. It doesn’t matter how large the company is, nobody has cracked that nut.

Account ID changing coming soon
https://blog.us.playstation.com/2018/10/10/psn-online-id-change-feature-entering-playstation-preview-program-soon/

Yeah, my point is that you make that info unavailable to anyone except the higher-up support tiers, where employees are being paid specifically not to give out that info, where calls are actively monitored to ensure no one gets past their initial verification without giving all the necessary details, and, critically, where you have multiple separate layers of verification before the concept of changing a password or removing 2FA is even an option. (To make things harder, don’t design a verification system that lets CSRs see the info they’re verifying against; it’s not hard to make a system where you plug in the info given and it gives you a yes or no to be allowed to go forward, without actually telling an employee what the correct answer is supposed to be. Unless someone is very lucky with a birthday guess or knows it from another source, they’re not going to get in before the account gets flagged to block attempts to bypass 2FA.)
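The two posts above sketch a concrete design: support tiers that gate who may touch 2FA at all, a verification service that answers only yes/no so the agent never sees the stored DoB or address, and a failure counter that flags the account so repeated guesses across calls stop working. The block below is an added illustration of that design written for this thread; it is not Sony’s, EA’s or any real call center’s code. The tier names, the three-failure threshold, the two-factor requirement and the server key are all assumptions chosen for the demo, and the account data is constructed.

```python
"""Blind, tiered customer verification with attempt flagging.

Illustrative example written for this thread, not any vendor's system.
Each verification field is stored only as an HMAC under a server-side
key, the agent gets back nothing but True/False, and repeated failures
flag the account so that 2FA removal is refused no matter who calls.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

SERVER_KEY = b"constructed-demo-key-not-a-real-secret"  # assumption: held only by the verification service
MAX_FAILURES = 3          # assumption: failed guesses before the account is flagged
REQUIRED_FACTORS = 2      # assumption: distinct fields that must verify before 2FA may be touched

# Assumed tier model: tier 1 can run verifications but can never remove 2FA.
TIER_PERMISSIONS = {
    "tier1": {"verify"},
    "tier2": {"verify", "remove_2fa"},
}


def _canon(value: str) -> str:
    """Normalise what the caller read out so spacing/case differences are not counted as failures."""
    return " ".join(value.strip().lower().split())


def _tag(field_name: str, value: str) -> bytes:
    """Keyed hash of one field; the field name is mixed in so a value cannot be replayed for another field."""
    msg = f"{field_name}\x00{_canon(value)}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()


@dataclass
class Account:
    online_id: str
    verification_tags: dict                            # field -> HMAC tag; no plaintext PII kept here
    failed_attempts: int = 0                           # persists across calls on purpose
    flagged: bool = False
    verified_fields: set = field(default_factory=set)  # fields proven during the current call only


def enroll(online_id: str, fields: dict) -> Account:
    """Build an account record from plaintext collected at signup, keeping only the tags."""
    return Account(online_id, {k: _tag(k, v) for k, v in fields.items()})


def verify_claim(account: Account, agent_tier: str, field_name: str, claimed: str) -> bool:
    """The agent types in what the caller said; the service answers only True or False."""
    if "verify" not in TIER_PERMISSIONS.get(agent_tier, set()):
        raise PermissionError(f"{agent_tier} may not verify")
    if account.flagged:
        return False  # a flagged account answers no to everything, even correct answers
    expected = account.verification_tags.get(field_name)
    ok = expected is not None and hmac.compare_digest(expected, _tag(field_name, claimed))
    if ok:
        account.verified_fields.add(field_name)
    else:
        account.failed_attempts += 1
        if account.failed_attempts >= MAX_FAILURES:
            account.flagged = True  # calling back later does not reset this
    return ok


def request_2fa_removal(account: Account, agent_tier: str) -> str:
    """Only a permitted tier with enough verified factors on this call gets 'removed'."""
    if "remove_2fa" not in TIER_PERMISSIONS.get(agent_tier, set()):
        return "denied: tier not permitted"
    if account.flagged:
        return "denied: account flagged"
    if len(account.verified_fields) < REQUIRED_FACTORS:
        return f"denied: {len(account.verified_fields)}/{REQUIRED_FACTORS} factors verified"
    return "removed"


def end_call(account: Account) -> None:
    """Verified factors do not carry over, so the next call starts from zero."""
    account.verified_fields.clear()


if __name__ == "__main__":
    acct = enroll("demo_id", {"dob": "1990-04-12", "street": "12 Example St"})  # constructed sample data
    print(verify_claim(acct, "tier1", "dob", "1990-04-12"))   # True
    print(request_2fa_removal(acct, "tier1"))                  # denied: tier not permitted
    print(verify_claim(acct, "tier2", "street", "12 example st"))  # True
    print(request_2fa_removal(acct, "tier2"))                  # removed
```

Note that the failure counter lives on the account rather than on the call, which is what defeats the "one tidbit per call, then call back" pattern mentioned earlier in the thread; the verified-fields set, by contrast, is wiped at the end of every call so a partial success cannot be banked.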

Oh sure. Yes, the info should simply not be available, in exactly the way you describe. Of course tons of info is available about most people on the internet, and this guy was clearly spear-phished.