
Why I Bid $700 for a Stolen PSN Account - jsnell
https://waypoint.vice.com/en_us/article/43ebpd/the-long-weird-story-explaining-why-i-bid-dollar700-for-a-stolen-psn-account
======
StavrosK
In my previous job, which was security-related, we had to deal with people
forgetting their 2FA credentials (and many, _many_ people forgot their
credentials, even staff members). The way we did it was thus:

If you had enabled 2FA, it could be disabled/reset by calling support and
adequately proving you were the owner of the account. This had to be this way,
because, as I said, everyone forgot their 2FA credentials ("my phone fell in
the sea and the backup codes were on it").

We also had another checkbox that said "Never, under any circumstances, reset
my account. I have stored my backup codes somewhere secure that is not my
phone. I understand that, if I lose access, I lose the account."

If the user checked that, then the password/2FA reset system for the admins
got disabled for their account. If they lost their 2FA, nobody short of DBAs
could reset their account (and DBAs knew not to).

Additionally, we had a screen where you could print a long, random, one-use
key that would reset your account. It would come with a nice QR code so you
could physically print it on a piece of paper and store it somewhere, and scan
it if you ever forgot your 2FA/password, and it would let you access your
account.

I should probably write an article about this...
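
The three recovery paths StavrosK describes (a support reset that requires proof of identity, an opt-out that disables admin resets entirely, and a long random one-use recovery key the user prints) can be sketched as a small model. This is an added example written for this page, not code from the commenter's former employer; the account fields, function names and in-memory storage are assumptions, and rendering the printed key as a QR code is left to any QR library.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    username: str
    totp_enabled: bool = True
    # The "never, under any circumstances, reset my account" opt-out (assumed field name).
    no_reset: bool = False
    # SHA-256 of the outstanding one-use recovery key; None when none is outstanding.
    recovery_key_digest: Optional[bytes] = None


class ResetForbidden(Exception):
    """Raised when a support reset is attempted on an opted-out account."""


def _digest(key: str) -> bytes:
    return hashlib.sha256(key.encode("utf-8")).digest()


def issue_recovery_key(account: Account) -> str:
    """Generate a long random one-use key and store only its digest.

    The plaintext is returned exactly once so it can be printed (for
    instance as a QR code) and then forgotten by the server.
    """
    key = secrets.token_urlsafe(32)  # 256 bits of entropy, 43 URL-safe characters
    account.recovery_key_digest = _digest(key)
    return key


def redeem_recovery_key(account: Account, presented: str) -> bool:
    """Disable 2FA if `presented` matches the outstanding key.

    The digest is cleared on success, so the key cannot be replayed.
    A constant-time comparison avoids leaking how many bytes matched.
    """
    stored = account.recovery_key_digest
    if stored is None:
        return False
    if not hmac.compare_digest(stored, _digest(presented)):
        return False
    account.recovery_key_digest = None  # consumed: one use only
    account.totp_enabled = False
    return True


def support_reset(account: Account, identity_verified: bool) -> bool:
    """The phone-support path: refused outright for opted-out accounts."""
    if account.no_reset:
        raise ResetForbidden(f"{account.username} opted out of support resets")
    if not identity_verified:
        return False
    account.totp_enabled = False
    account.recovery_key_digest = None  # an old printed key must not survive a reset
    return True


if __name__ == "__main__":
    alice = Account("alice")
    printed_key = issue_recovery_key(alice)
    print("print this and store it on paper:", printed_key)
    print("first redemption:", redeem_recovery_key(alice, printed_key))
    print("replay attempt:", redeem_recovery_key(alice, printed_key))
```

Storing only the digest means a database read does not yield a usable key, and clearing it on every successful path (redemption or support reset) is what makes the key genuinely one-use.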

~~~
giancarlostoro
Yeah I hate when sites force one approach or the other; having the option to
permanently lock yourself out seems best. If I don't want to be permanently
locked out, let me fall back to an SMS text.

~~~
ClassyJacket
SMS is an absolutely unacceptable system to require for authentication. I just
went overseas and got locked out of half the apps on my phone. Some of them
permanently. Tinder now bans your account for life if you ever change phone
numbers.

I suppose if it's just one option then it's okay.

~~~
sho
> Tinder now bans your account for life if you ever change phone numbers

Huh? I've got at least 5 different SIM cards for various countries and I've
never noticed any issue with Tinder. I didn't even know it used your phone
number for anything.

For SMS auth it's usually no big deal to put back in your old SIM if it needs
to send a 2FA code; even the most brutal roaming charges won't come to more
than a dollar or so for a single SMS.

~~~
jsjohnst
> even the most brutal roaming charges won't come to more than a dollar or so
> for a single SMS

Receiving SMS is generally free (or goes against your monthly bucket) while
roaming.

I’m actually not aware of any cell carriers (and I have SIM cards from over a
dozen providers each in different countries) that charge for receiving
anymore, but leaving a little wiggle room in my statement above just in case
there’s an odd ball out there.

~~~
kbutler
Cruise ships:
[https://www.cruisecritic.com/articles.cfm?ID=1752](https://www.cruisecritic.com/articles.cfm?ID=1752)

It's possible to send and receive text messages at sea, as long as you have a
signal through your ship's roaming network (just make sure you turn off data
roaming in your settings). Texting costs a lot less than a voice call --
usually in line with standard, international "pay as you go" rates: Most major
carriers charge $0.50 to send a message ($0.25 for a picture or video
message); AT&T also charges $1.30 for an outgoing picture or video message.
For messages received, Verizon charges $0.05/text ($0.25 for a picture or
video message), and Sprint charges $0.05, while T-Mobile and AT&T deduct
incoming messages from your monthly allotment.

------
gmjoe
Online accounts (even free ones) increasingly seem like they should be viewed
as property, that stealing an account like this should be considered theft,
and that a company administering accounts (Sony in this case) should be held
to a standard of due process.

I wonder if this is something there's been _any_ pressure on legislation for,
and I also wonder if it's something tech companies would fight against.

~~~
WorldMaker
I think digital asset law is a hugely under-explored issue. I think one of the
biggest fights that currently is hugely emblematic of the overall problem and
going to surprise a lot of people in the near-ish future: inheritance. Can you
inherit your parents accounts if they pass? Could you play their PSN games and
watch their Movies Anywhere movies?

Right now there's no protection for that. None of the major digital services
directly support transferal of licenses and most of them directly forbid it in
their terms of services.

GDPR got some pressure from some of the EU members to explore the issue and
GDPR itself wound up punting the ball back to individual countries for now
rather than wade into digital asset protections/inheritance.

~~~
ryandrake
This should not be a surprise to anyone who has been paying attention. Tech
companies have conducted a sustained campaign to water down the notion of
ownership to the point where it is meaningless and it’s impossible to truly
own a digital good. You don’t own “your” software, you license it and that
license can be revoked. You don’t own “your” Netflix account, your access to
it is at Netflix’s pleasure. Most of you don’t even own “your” Email address,
you are one account suspension away from losing it. Even self-hosters are
dependent on the mercy of their domain name registrar ultimately.

I don’t know what the solution is. The free market obviously has no incentive
to fix this. Users won’t vote with their wallet until they get burned and then
it’s too late.

~~~
xvector
This is part of why I bought my own NAS. All my movies and TV are downloaded
to the NAS before I view them. Once Lidarr has support for Spotify imports
I’ll be hosting all of my own music too.

I can stream all this content too - the experience is not much different from
Netflix or Spotify and the content is usually much higher quality (lossless
audio and higher bitrate video). The experience is more private too - no
analytics on what you watch, no one harvesting you for ads.

I feel so much more secure truly “owning” my content than having it bound to
some service that can disappear at any time, along with the content on it. I’ve
lost countless songs and videos due to Netflix or a music service’s contract
ending.

For data resilience and redundancy, just perform encrypted backups to your
cloud service of choice.

~~~
namanyayg
I am trying to set up my own such NAS, currently using Plex to manage movies &
TV and for streaming on my PS4. Haven't figured out a solution for music and
just use Spotify. Any software you can advise to help me create a better
setup?

~~~
xvector
Movies: I use Radarr. Radarr searches public movie databases for movies, and
then talks to another piece of software I use called Jackett to actually
initiate the download. Jackett searches for and obtains torrents from your
favorite (completely legal of course) trackers.

The end UI is super simple. Search for a movie. Click Add. The software takes
care of the rest. It automatically downloads the movie and replaces it with a
higher quality version when one is available.

TV: Switch out Radarr for Sonarr above.

Music: Still working on this, but set up an MPD server on the NAS and listen
using an MPD client on mobile. A good client seems to be Rigelian for iOS.

All super easy to set up. All the software is dockerized (check the
linuxserver docker repo for most of this) and secure to access - set up a VPN
server on your NAS and use a client like Tunnelblick on Mac or OpenVPN on iOS
to access it.

So now I can have lunch with my coworkers, and if we're talking about a movie
that sounds interesting, I open up Radarr on my phone (it has a nice mobile
web interface), search and click download. It'll be ready for viewing in all
its Blu-Ray HDR10 7.1 surround-sound glory by the time I get home.

Some Docker images you might find useful:

1. [https://hub.docker.com/r/linuxserver/sonarr/](https://hub.docker.com/r/linuxserver/sonarr/)

2. [https://hub.docker.com/r/linuxserver/radarr/](https://hub.docker.com/r/linuxserver/radarr/)

3. [https://hub.docker.com/r/linuxserver/jackett/](https://hub.docker.com/r/linuxserver/jackett/)

4. [https://hub.docker.com/r/haugene/transmission-openvpn/](https://hub.docker.com/r/haugene/transmission-openvpn/)

------
Rotdhizon
As someone with intimate knowledge of console account buying and selling, I
can elaborate some.

The main site used for buying stolen/jacked accounts is called ogusers. The
screenshots in that article are of ogusers, I recognize the layout.

Most of the people who buy and sell accounts do it for profit and fame.
Something among teens these days really drives them to want to be internet
famous. Having a 1, 2, or 3 character account name garners attention to these
people. 1 letter xbox accounts go for 10-20k. 1 letter social media accounts
(twitter and IG mostly) go for anywhere from 10k upwards to 75k. A good amount
of the 1 letter accounts on these platforms are bought or stolen, very few
original creators own the accounts.

The problem is that people aren't content with getting an account by being the
creator of the name. They want accounts by any means necessary. Some of these
people do this for a living, they've devised their own secret techniques for
gaming the system to get account information so they can game password resets
and account retrievals. I know for PSN there is a tightly guarded way to pull
the email account and name information from any account. For the most sought
after accounts, attackers play the customer support reps like a fiddle. Say
the right words and they will happily hand over sensitive information.

Even if you buy an account, there's no telling if you get to keep it.
Microsoft has been really trying to crack down on this, and has banned
hundreds of original accounts over this. I'm not sure how PSN handles it. IG has
been trying to crack down as well. It is a sad state of affairs. Owning an
original account isn't about creating it anymore, it's about how much you will
spend to buy that name or who you know that can jack the account.
Unfortunately, all these platforms are not set up to handle theft, fraud, and
selling. If you lose an account, it is next to impossible in most cases to get
it back.

In some cases you can get the account back by providing sensitive account info
that only the original owner would know. However, the modern process of
'locking down' a stolen account includes flooding it with fake information to
push back the original information past the point of being able to be used.

~~~
TheRealDunkirk
> 1 letter xbox accounts go for 10-20k. 1 letter social media accounts
> (twitter and IG mostly) go for anywhere from 10k upwards to 75k.

> Even if you buy an account, there's no telling if you get to keep it.

What sort of person 1) has the discretionary funds to buy an account like
this, 2) wants one of these accounts so badly that they will pay that kind of
money for it, and 3) is so stupid as to believe that it won't be ganked back
by a different hacker, or even the same one again?

In other words, WHO IS FUELING THIS ABSURDITY?! There has to be a demand side
of this equation, and, from my chair, it looks like people who have WAY more
money than sense. I know there's a lot of them in the world, but, still.

I've seen several headlines recently that Sony has the console crown right
now, but it seems like it wouldn't take much fear mongering by Microsoft in
the right places to use this as a scare tactic against PS to try to push
people back to XB. I mean, sure, this particular user "won," but you can't
expect Vice to do a story about everyone who gets screwed.

~~~
moftz
Twitter and Instagram I can understand, there are a lot of people on those
services that make a lot of money promoting brands and products. Having an
interesting name on there can increase your marketability. Like "@tom" or
"@lisa", you look cooler (rather than "@realmattdamon1977") and seem like
you've been on here for quite awhile so therefore people should listen to you.
I guess it might be a bit hard to show that you bought an account versus stole
an account if the original owner tries to reverse the email address change.
Maybe someone could build an account escrow site where ownership is
transferred to a third party until the sale is complete.

------
tjbrennan
I recently lost access to my two factor authenticator. I had saved most but
not all of my recovery codes. I was surprised that a couple of websites I
didn't have recovery codes for allowed me to disable 2FA after login but
before authentication. It saved me from having to contact support, but it
seemed to defeat the purpose of 2FA.
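
The flaw tjbrennan hit, a 2FA-disable control reachable from a session that has passed the password check but not yet the second factor, comes down to how "logged in" is defined. The added example below is written for this page and is not code from any of the sites mentioned; the session states, user fields and function names are assumptions. It shows the weak check next to the corrected one.

```python
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class AuthState(Enum):
    ANONYMOUS = 0
    PASSWORD_OK = 1          # password accepted, second factor still pending
    FULLY_AUTHENTICATED = 2  # password and second factor both accepted


@dataclass
class User:
    username: str
    password: str            # plaintext only to keep the example short
    totp_enabled: bool = True


@dataclass
class Session:
    username: Optional[str] = None
    state: AuthState = AuthState.ANONYMOUS


def login_password(session: Session, user: User, password: str) -> AuthState:
    """First step. Binds the session to the user but does NOT finish login
    when 2FA is enabled; the session is left in PASSWORD_OK."""
    if not hmac.compare_digest(password.encode(), user.password.encode()):
        return session.state
    session.username = user.username
    session.state = (AuthState.PASSWORD_OK if user.totp_enabled
                     else AuthState.FULLY_AUTHENTICATED)
    return session.state


def login_second_factor(session: Session, code_valid: bool) -> AuthState:
    """Second step. Only a PASSWORD_OK session can be promoted."""
    if session.state is AuthState.PASSWORD_OK and code_valid:
        session.state = AuthState.FULLY_AUTHENTICATED
    return session.state


def disable_2fa_vulnerable(session: Session, user: User) -> bool:
    """The bug the comment describes: "logged in" is taken to mean any
    session bound to a username, which includes the half-finished one."""
    if session.username != user.username:
        raise PermissionError("not logged in")
    user.totp_enabled = False
    return True


def disable_2fa_hardened(session: Session, user: User) -> bool:
    """Security-settings endpoints require the fully authenticated state."""
    if (session.username != user.username
            or session.state is not AuthState.FULLY_AUTHENTICATED):
        raise PermissionError("second factor required")
    user.totp_enabled = False
    return True


if __name__ == "__main__":
    user = User("alice", "hunter2")
    session = Session()
    login_password(session, user, "hunter2")
    print("state after password only:", session.state.name)
    try:
        disable_2fa_hardened(session, user)
    except PermissionError as exc:
        print("hardened endpoint refused:", exc)
```

The general rule: anything that weakens or changes an authentication factor (disabling 2FA, changing the recovery email or phone number, adding a device) should require the fully authenticated state, and ideally a fresh re-authentication, rather than mere possession of a session cookie.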

~~~
em-bee
how did you lose your 2FA device?

this is what scares me the most about using 2FA.

github for example says if 2FA is lost there is no way to recover.

i have lost a phone number before... and although github also supports other
2FA devices, such as a rotating key app which can be on multiple devices, you
have to set up all devices at once. so i can put it on my laptop and my phone,
but not my home and my work computer unless i carry one to the other place.
phone and laptop is not enough. if i use my bag, both are gone. and i'd have
to reset all devices if i ever want to add a new one. at that point i am more
afraid to lose access through stupidity than through theft.

no thanks.

greetings, eMBee.

~~~
plorntus
Last I checked GitHub actually lets you turn off 2fa if you can use an
associated SSH key to sign a message?

Not entirely certain but support staff definitely turned it off for me once I
lost my phone number.

~~~
em-bee
oh, that's a relief. good to know. thanks.

------
hkmurakami
Reminds me of the time my friend lost his single character Twitter account due
to Godaddy social engineering. [https://medium.com/@N/how-i-lost-my-50-000-twitter-username-...](https://medium.com/@N/how-i-lost-my-50-000-twitter-username-24eb09e026dd)

~~~
rand_r
Looks like he got the @n handle back! Do you know what happened?

~~~
hkmurakami
Iirc he contacted friends at TWTR.

------
mxfh
The obvious solution would be to transfer the account to a different username,
that has no attraction for the scammers, but even that is still virtually
impossible.

If you ever thought Microsoft is an incoherent mess, Sony is even more so,
just without any clue when it comes to modern software, UX or security
concepts. The PSN experience is pretty much the state of ten years ago with
security features tacked on to fix the hacks, but little more.

~~~
jonny_eh
PSN notoriously doesn't support changing usernames, at all. It's been their #1
most requested feature for over a decade.

~~~
Aissen
It's coming [https://blog.us.playstation.com/2018/10/10/psn-online-id-cha...](https://blog.us.playstation.com/2018/10/10/psn-online-id-change-feature-entering-playstation-preview-program-soon/)

_Edit_: it might also be a great way to "hide" an account once it's been
acquired. Just pay $5 to rename it once you've removed all the friends.

~~~
jonny_eh
> please note not all games and applications for PS4, PS3 and PS Vita systems
> are guaranteed to support the online ID change, and users may occasionally
> encounter issues or errors in certain games.

I can't say I'm not surprised. What a mess.

------
wtracy
I find it strange what services attract hacking attempts.

If anyone has attempted to break into my bank accounts or my Google account, I
never noticed. (My Gmail account is used for TFA for most of my other
accounts, so I would expect it to be a target.)

You know what accounts I have had attacked? There have been dozens and dozens
of attempts to access my Steam account by someone who figured out my password,
but didn't have access to my email to receive a confirmation code. (Mostly,
but not always, from Chinese IP addresses.) Someone else successfully
compromised my OkCupid account and apparently used it to advertise escort
services. Apparently someone else got into my Snapchat account and sent spam
to all my contacts.

Go figure.

~~~
bspammer
It may be that hacking those kind of services is very unlikely to cause any
sort of legal response. As soon as you start going after bank accounts, you
risk the government kicking down your door.

------
Kaveren
Great article. This problem goes far beyond PSN though. The sheer amount of
account recovery processes companies offer that are poorly designed is
astounding.

In particular, SMS has been a notoriously strong attack vector for _years_,
and companies played catch-up very slowly. Maybe it's still offered because
phones in the developing world don't have much space for Google Authenticator
or something, but that's a stretch.

~~~
inopinatus
Speaking as a company that deals with frequent account resets I’ll add that
account holders routinely confuse the issue with poorly/inaccurately specified
identities, duplicate accounts, and obsolete contact details.

We do our best to apply strict and fair rules, but some cases still get
evaluated on a balance of merits and history.

I can also safely say that customers who struggle to enter their date of birth
consistently see 2FA schemes as an insurmountable barrier.

These are 1% issues but the volume grows linearly with user base, unlike other
support issues which we can automate away or use the ecosystem to assist. I
haven’t yet found a way to deal with these cases that scales any better, and I
just know it’s going to be a marginal cost issue later.

(I don’t think any of this applies to the case in this article, no sympathy
for Sony’s dismal support)

------
danso
A surprisingly convoluted story, but not so much the fault of the author as the
lack of transparency by Sony. Most stories of account compromise have an
obvious cause, such as SIM cloning. This story makes it sound like Sony’s
system has many possible attack vectors via social engineering. And given
Sony’s history of catastrophic breaches, it’s really hard to imagine the fault
is on the user here.

------
dahdum
Could he sue Sony in small claims court for the value of all the games he had
in his account? Seems like they are unlikely to show up.

~~~
wtracy
I'm curious too. There may be a binding arbitration clause in the EULA that
allows them to overturn any decision made by the court.

~~~
albertgoeswoof
That wouldn’t be enforceable, the user won’t have even read it.

------
askmike
> it took far too long for Sony to add two-factor authentication to PSN,
> despite the service’s massive hack in 2011. Microsoft added two-factor to
> Xbox Live in 2013. It didn’t hit PSN until 2016, five years after the
> personal details of 77 million users were potentially exposed to hackers.

Enabling 2FA isn't going to stop hackers from accessing user data if the hackers
hack Sony (what happened before). I fail to see the connection between 2FA and
Sony being breached.

~~~
Illniyar
Once there is a massive hack, usernames, emails and passwords that were used
before become compromised. That means that 2FA becomes more vital - as it not
only provides a new factor for authentication, it provides the only one that
isn't compromised.

~~~
askmike
That's a good point, though after a hack they would ask everyone to reset
their password anyway - but these people are probably using the same
e-mail/password on other services.

------
RIMR
Just an FYI: The enterprise MSP password management service "Passportal"
allows you to disable MFA over the phone with zero authentication.

------
hiei
Beyond a library of games and maybe credit card details, are there other
incentives to sellers/buyers for stealing these accounts?

~~~
bballlova99
I'm assuming the PSN name was something short or of value. Something like
"Justin" would get a lot of bidders.

~~~
AntiRush
Yeah, in this case it was "Almighty".

~~~
echelon
How do you know? That detail was redacted in the story. Is there other
coverage of this?

~~~
AntiRush
I searched for the title of the forum thread and found the post.

------
ojosilva
Why does switching an account to Japanese make it harder for the owner to get
it back?

~~~
azernik
My guess? It moves the responsibility for the account to a different
bureaucracy (international vs. domestic).

~~~
tyingq
I found the forum that the article was talking about, and the how-to article.
Using the Google cache, since they've altered the forum to make you register
to see content:

[https://webcache.googleusercontent.com/search?q=cache:nVHhLB...](https://webcache.googleusercontent.com/search?q=cache:nVHhLB6UJykJ:https://ogusers.com/Thread-How-To-Secure-a-PSN+&cd=1&hl=en&ct=clnk&gl=us)

Sounds like the suggestion is to first change the email from the original
owner's to yours. Then, sign up the original owner's email as a Japanese
account.

------
tobyhinloopen
This is why I buy disks

~~~
wtracy
I know that the Xbox 360 doesn't allow offline play. I wouldn't be surprised
if inserting the disc automatically and permanently ties some unique serial
number to your account.

~~~
__david__
Do you mean the Xbox One? I know my 360 was disconnected from the internet for
a long time and I played games on it just fine.

~~~
wtracy
Duh, brain on. Yes, the Xbox One.

------
mschuster91
I wonder whether it would make sense to force companies by law to provide
proper support, given how much actual money (I know quite a number of people
with four-digit-worth Steam accounts) is bound in such accounts, or how
central these accounts can be for our modern lives (imagine all the identities
tied to your gmail or fb or twitter accounts - and permanently losing them due
to trolls "reporting" your accounts).

As for bypassing 2FA: there is, at least in Germany, a way for any online
company to have the real identity of the user proven. It's called "PostIdent"
and works by having you go with your ID card to a post office where it is
checked. It's acceptable enough even for the strict regulatory frameworks for
banks.

So the process could work like "okay, you are John Doe, and you want to re-
establish control over your account with the ID 123456 by changing the primary
email to john.doe@provider.com? Print out this voucher, pass PostIdent and we
will modify your account".

------
nstart
Off topic, but hot dang. That was some excellent story telling. Didn't feel
the urge to skim a single word.

~~~
mikewhy
Patrick's writing is sublime.

------
Illniyar
Lots of comments here detail how many people lose their phones and never kept
recovery codes or lost some of their recovery codes. 2FA sms don't have that
problem. If you lose your phone, you can usually get a sim card with the same
phone number again. I think people who insist that 2FA sms is insecure because
the telecom networks can be hacked/intercepted are ignoring the convenience of
it for the vast majority of people especially considering the effort and skill
required to hack the telecom network compared to just socially engineering a
company.

~~~
venantius
Given the diligence with which the attacker worked on Sony via social
engineering to gain access to the account, what on earth makes you think the
same technique wouldn't work just as well for a telecom company? You don't
need to "hack" the network, just the customer service rep. Just say you lost
your phone :)

~~~
Illniyar
The telecom company has identifying information about you that hackers are
unlikely to be able to fake - such as a home address to where they send your
new sim card, or physical locations where it's much harder to work these kinds
of social engineering.

The telecom company also has more regulation and the stakes are higher for
letting someone basically steal your number - it usually means they have a
much stricter protocol to giving someone a new sim card - they'll require a
physical presence, they can actually call your phone to verify you aren't a
fake, they'll require confirmation of card ownership or an ID for
states/countries that have them.

~~~
venantius
I am going to refer to this thread, which shows exactly how easy it is and how
difficult it is to defend yourself against:
[https://news.ycombinator.com/item?id=18194701](https://news.ycombinator.com/item?id=18194701)

~~~
Illniyar
From the thread: "T-Mobile has put in place some protections to prevent
unauthorized transfers of your account to new SIM cards, I just had to deal
with them last night - actually. Swapping SIM cards for a line must either be
done in-store where your photo ID can be verified, or over the phone but only
after confirmation of a OTP sent to account managers via SMS. I know T-Mobile
actually had some issues with this in the past, so even though I miss the
convenience of going to t-mobile.com/sim to swap a card out I feel it's a much
better solution security-wise."

Obviously it differs from provider to provider and time, but it'll start
moving towards better security. 2FA has only recently gotten popular.

------
Izmaki
I got about half way through when I realised I had read the same piece of
information twice already. A shame, because I lost interest somewhere around
that point.

Too bad for Justin. I hope he gets it resolved.

~~~
haser_au
[Spoiler] He got his account back, and a specific phone number he can call if
he has problems again.

~~~
SmellyGeekBoy
Shame everyone doesn't get this benefit. It's strange how being covered on all
of the big gaming news sites suddenly makes "technically impossible" things
(like reinstating access to an account) possible again.

------
_mrmnmly
The first question I had while reading this - can't Sony check the
localization or something like console ID that the account is logging into? I
can't believe stealing these accounts is so un-revertable! :|

------
mdni007
There is no hacker. Justin's been doing it to himself. He has dissociative
identity disorder

------
s73v3r_
"When Justin finally heard back from Sony, they didn’t apologize and promise
to protect the account. Instead, they said it—an account Justin has had for
more than 13 years, with a history of trophies and purchases—was gone. There
was nothing he could do, no process to appeal, no way to get any of his games
back."

That, should be considered completely unacceptable, especially from a company
that has had huge data breaches in the past. Sony should be bending over
backwards to make this guy whole, not giving up.

~~~
rm_-rf_slash
I’m surprised he didn’t sue.

ONE WEIRD TRICK - dirtbag companies HATE this - my mom (former lawyer) taught
me that the way to get any company dragging its heels or otherwise being scummy
about giving you what you paid for is to basically state what you want,
followed by “...and if I do not get the product/service that I paid your
company for, my next call will be to the State Attorneys General of the state
of (where we’re from) and the state where you are incorporated, and we will be
filing a claim of fraudulent business practices.”

9 times out of 10 that’ll be enough to get the gears moving. Legal compliance
is almost always more expensive than fighting a customer on an issue, so they
tend to give in rather quickly.

~~~
rustcharm
This is not good advice. Once you threaten to sue, most Big Companies will
stop talking to you via customer support channels and make you do everything
in writing to their legal department.

Don't do this.

~~~
NeedMoreTea
I know little of the US legal landscape, or if there's a small claim system.
I've threatened legal response here in the UK, usually after months of failing
to get resolution without, as last step in the chain. So I've issued a small
claim against those companies (UK has a cheap option when the claim is small,
somewhere under £5 - £10k. Basically fill form, give fixed low fee, wait).
Those have had a 100% success rate.

> Once you threaten to sue, most Big Companies will stop talking to you

That would be fine. When I have threatened to sue someone and got no response,
I will do the small claim as next step. One threat, one opportunity to
resolve. More talking would enable more delays. No more communication from me
aside from in writing from the court.

Generally gets a panicked phone response at speed and offering full
settlement. I've had several expansive apology letters. A couple ignored the
summons and waited for the default judgement before it got settled. Those were
big, very well known companies, which _could_ be pure coincidence. Most have
asked "why did you sue?". Waiting for months to get that promised refund,
whilst only getting excuses or lies, maybe? :)

~~~
daveFNbuck
You said you don't threaten a legal response until after months of failing to
get resolution. I'm pretty sure that's what's being suggested here too. Don't
open with the legal threats, as they can shut down what may have been a much
faster and easier customer service resolution.

~~~
NeedMoreTea
By GP sure, but the comment I'm responding to is an unequivocal "this is a bad
idea". My take is apply common sense and don't make idle threats on the 2nd
email or you just look silly, likewise when you get to the stage of few other
choices make the threat just once. Then get on with it. :)

------
brian_herman__
So he did it only to write an article about it?

~~~
daveFNbuck
He did it as part of the effort that resulted in Justin getting his account
back.

