Why I Bid $700 for a Stolen PSN Account (vice.com)
276 points by jsnell 5 months ago | 188 comments

In my previous job, which was security-related, we had to deal with people forgetting their 2FA credentials (and many, many people forgot their credentials, even staff members). The way we did it was thus:

If you had enabled 2FA, it could be disabled/reset by calling support and adequately proving you were the owner of the account. This had to be this way, because, as I said, everyone forgot their 2FA credentials ("my phone fell in the sea and the backup codes were on it").

We also had another checkbox that said "Never, under any circumstances, reset my account. I have stored my backup codes somewhere secure that is not my phone. I understand that, if I lose access, I lose the account."

If the user checked that, then the password/2FA reset system for the admins got disabled for their account. If they lost their 2FA, nobody short of DBAs could reset their account (and DBAs knew not to).

Additionally, we had a screen where you could print a long, random, one-use key that would reset your account. It would come with a nice QR code so you could physically print it on a piece of paper and store it somewhere, and scan it if you ever forgot your 2FA/password, and it would let you access your account.

I should probably write an article about this...
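The recovery policy the commenter describes has three moving parts: a support-assisted 2FA reset gated on identity checks, an opt-out checkbox that removes that path altogether, and a long random one-use key the user prints (as a QR code) and redeems later. The sketch below is an added example, not the commenter's code or their former employer's system; the `Account` fields, function names and audit strings are all assumptions made here. It stores only a hash of the recovery key so a database leak does not yield usable keys, invalidates the key before granting access so it cannot be replayed, and refuses support resets outright on opted-out accounts.

```python
"""Hypothetical account-recovery policy (added example, not the commenter's code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Account:
    username: str
    totp_enabled: bool = True
    no_admin_reset: bool = False            # the "never, under any circumstances, reset my account" box
    recovery_key_hash: Optional[bytes] = None   # SHA-256 of the printed one-use key, never the key itself
    audit: List[str] = field(default_factory=list)


def _digest(key: str) -> bytes:
    # A 256-bit random key cannot be brute-forced like a password, so a plain
    # SHA-256 (rather than a slow password KDF) is sufficient here.
    return hashlib.sha256(key.encode()).digest()


def issue_recovery_key(acct: Account) -> str:
    """Mint a fresh one-use key; persist only its hash; return the clear key once, for printing."""
    key = secrets.token_urlsafe(32)         # 256 bits of entropy, URL-safe, small enough for a QR code
    acct.recovery_key_hash = _digest(key)
    acct.audit.append("recovery key issued")
    return key


def redeem_recovery_key(acct: Account, presented: str) -> bool:
    """Clear 2FA if the presented key matches the stored hash. Success consumes the key."""
    if acct.recovery_key_hash is None:
        acct.audit.append("recovery attempt: no key on file")
        return False
    # Constant-time comparison; a wrong guess does not burn the key (a real
    # system rate-limits these attempts instead).
    if not hmac.compare_digest(_digest(presented), acct.recovery_key_hash):
        acct.audit.append("recovery attempt: key mismatch")
        return False
    acct.recovery_key_hash = None           # one-use: invalidate before granting anything
    acct.totp_enabled = False
    acct.audit.append("recovery key redeemed; 2FA cleared")
    return True


def support_reset_2fa(acct: Account, identity_verified: bool) -> bool:
    """The help-desk path. Refused outright when the user opted out of admin resets."""
    if acct.no_admin_reset:
        acct.audit.append("support reset refused: account opted out")
        return False
    if not identity_verified:
        acct.audit.append("support reset refused: identity not verified")
        return False
    acct.totp_enabled = False
    acct.audit.append("support reset: 2FA cleared")
    return True


if __name__ == "__main__":
    alice = Account("alice", no_admin_reset=True)
    printed = issue_recovery_key(alice)     # constructed sample: this is what would go on the paper
    print("support path allowed:", support_reset_2fa(alice, identity_verified=True))
    print("printed key works once:", redeem_recovery_key(alice, printed), redeem_recovery_key(alice, printed))
    print("\n".join(alice.audit))
```

The audit list stands in for whatever log the real system would write; the point is that every refusal, including the opt-out refusal, leaves a record, so a social-engineering attempt against support shows up as a trail of refused resets rather than a silent change.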

Yeah, I hate when sites force one approach or the other. Having the option to permanently lock yourself out seems the best; if I don't want to be permanently locked out, let me fall back to an SMS text.

SMS is an absolutely unacceptable system to require for authentication. I just went overseas and got locked out of half the apps on my phone. Some of them permanently. Tinder now bans your account for life if you ever change phone numbers.

I suppose if it's just one option then it's okay.

> Tinder now bans your account for life if you ever change phone numbers

Huh? I've got at least 5 different SIM cards for various countries and I've never noticed any issue with Tinder. I didn't even know it used your phone number for anything.

For SMS auth it's usually no big deal to put back in your old SIM if it needs to send a 2FA code; even the most brutal roaming charges won't come to more than a dollar or so for a single SMS.

> even the most brutal roaming charges won't come to more than a dollar or so for a single SMS

Receiving SMS is generally free (or goes against your monthly bucket) while roaming.

I’m actually not aware of any cell carriers (and I have SIM cards from over a dozen providers each in different countries) that charge for receiving anymore, but leaving a little wiggle room in my statement above just in case there’s an odd ball out there.

Cruise ships: https://www.cruisecritic.com/articles.cfm?ID=1752

It's possible to send and receive text messages at sea, as long as you have a signal through your ship's roaming network (just make sure you turn off data roaming in your settings). Texting costs a lot less than a voice call -- usually in line with standard, international "pay as you go" rates: Most major carriers charge $0.50 to send a message ($0.25 for a picture or video message); AT&T also charges $1.30 for an outgoing picture or video message. For messages received, Verizon charges $0.05/text ($0.25 for a picture or video message), and Sprint charges $0.05, while T-Mobile and AT&T deduct incoming messages from your monthly allotment.

I think if you aren't willing to fully lock yourself out if you lose your backup code, it should be a fallback that you can get a text; otherwise rely on a 2-factor app. Key would be that nobody in support should have any access to change your 2-factor number or disable 2-factor. Now if you lock down your account to just your backup code, no SMS, no take-backsies.

SMS is insecure and not a secure form of 2FA, never mind a secure password reset option.

Online accounts (even free ones) increasingly seem like they should be viewed as property, that stealing an account like this should be considered theft, and that a company administering accounts (Sony in this case) should be held to a standard of due process.

I wonder if this is something there's been any pressure on legislation for, and I also wonder if it's something tech companies would fight against.

I think digital asset law is a hugely under-explored issue. I think one of the biggest fights that currently is hugely emblematic of the overall problem and going to surprise a lot of people in the near-ish future: inheritance. Can you inherit your parents' accounts if they pass? Could you play their PSN games and watch their Movies Anywhere movies?

Right now there's no protection for that. None of the major digital services directly support transferal of licenses and most of them directly forbid it in their terms of services.

GDPR got some pressure from some of the EU members to explore the issue and GDPR itself wound up punting the ball back to individual countries for now rather than wade into digital asset protections/inheritance.

This should not be a surprise to anyone who has been paying attention. Tech companies have conducted a sustained campaign to water down the notion of ownership to the point where it is meaningless and it’s impossible to truly own a digital good. You don’t own “your” software, you license it and that license can be revoked. You don’t own “your” Netflix account, your access to it is at Netflix’s pleasure. Most of you don’t even own “your” Email address, you are one account suspension away from losing it. Even self-hosters are dependent on the mercy of their domain name registrar ultimately.

I don’t know what the solution is. The free market obviously has no incentive to fix this. Users won’t vote with their wallet until they get burned and then it’s too late.

This is part of why I bought my own NAS. All my movies and TV are downloaded to the NAS before I view them. Once Lidarr has support for Spotify imports I’ll be hosting all of my own music too.

I can stream all this content too - the experience is not much different from Netflix or Spotify and the content is usually much higher quality (lossless audio and higher bitrate video). The experience is more private too - no analytics on what you watch, no one harvesting you for ads.

I feel so much more secure truly “owning” my content than having it bound to some service that can disappear at any time, along with the content on it. I’ve lost countless songs and videos due to Netflix or a music service’s contract ending.

For data resilience and redundancy, just perform encrypted backups to your cloud service of choice.

> All my movies and TV are downloaded to the NAS before I view them

> I feel so much more secure truly “owning” my content

Do you actually purchase the content? If so, where do you buy it from? Is it even possible to purchase DRM-free content from major studios online?

For music, I can purchase music DRM-free from the iTunes Store or Bandcamp and actually own it, which is awesome.

I just rip my Blu-Rays and stream them through Plex.

Considering nearly all commercial Blu-rays are protected with AACS (which you have to bypass to rip), what you're doing violates the DMCA. Also, there's a growing amount of content from streaming services (Netflix/Prime originals) that's not available on Blu-ray and is not trivial to rip.

However, many regions allow format shifting, which can overrule that particular part of the DMCA. Though the rules are, again, regional.

Who cares if it violates the DMCA? And honestly it is simply easier to just pirate the content vs ripping it; there are literally no consequences. And yes, it is trivial to rip from streaming services.

Be kind, rip and share where possible. The DMCA only applies in the US. The 2600 campaign against the DMCA feels like it was yesterday.

Netflix lets you download a lot of content. Great for when you aren't connected.

Even in the US, the DMCA is irrelevant to individuals for the most part. You can outright throw the notices in the garbage without consequence. I've been doing that since it was passed. Some were legitimate violations, some were not. Either way the company wasted printing and postage.

Hell you can ignore DHS letters in some cases.

Rip, yes, but share? Really?

Disclaimer: not a lawyer.

In some countries there are exceptions to copyright for non-software that allow making copies for use of friends.

Which countries are those?

E.g. Poland

Reference: https://euipo.europa.eu/ohimportal/en/web/observatory/faqs-o...

I think this reference is partly inaccurate; I was under the impression that the legality of the original copy doesn't matter (and Polish Wikipedia seems to agree: https://pl.wikipedia.org/wiki/Dozwolony_u%C5%BCytek_prywatny...)

Sharing is a form of advertising. If you want to promote a company or product there is no better way than sharing.

I remember seeing a video where a company exec said that they want to sell their product but they also wanted everyone to be using their pirated copy vs another company's application.

Most people won't pirate because it involves work. The people who do sometimes are the trend setters who can encourage others to buy.

DMCA only applies in the US, making copies of items you own for personal use is legal in the UK for example.

No it isn't.

And even when it was, you weren't allowed to break encryption to do so.

Indeed, in some cases even importing (i.e. downloading from a foreign server) software to do so is a criminal offence in the UK and carries a potential prison sentence.

I am trying to set up my own such NAS, currently using Plex to manage movies & TV and for streaming on my PS4. Haven't figured out a solution for music and just use Spotify. Any software you can advise to help me create a better setup?

Movies: I use Radarr. Radarr searches public movie databases for movies, and then talks to another piece of software I use called Jackett to actually initiate the download. Jackett searches for and obtains torrents from your favorite (completely legal of course) trackers.

The end UI is super simple. Search for a movie. Click Add. The software takes care of the rest. It automatically downloads the movie and replaces it with a higher quality version when one is available.

TV: Switch out Radarr for Sonarr above.

Music: Still working on this, but set up an MPD server on the NAS and listen using an MPD client on mobile. A good client seems to be Rigelian for iOS.

All super easy to set up. All the software is dockerized (check the linuxserver docker repo for most of this) and secure to access - set up a VPN server on your NAS and use a client like Tunnelblick on Mac or OpenVPN on iOS to access it.

So now I can have lunch with my coworkers, and if we're talking about a movie that sounds interesting, I open up Radarr on my phone (it has a nice mobile web interface), search and click download. It'll be ready for viewing in all its Blu-Ray HDR10 7.1 surround-sound glory by the time I get home.

Some Docker images you might find useful:

1. https://hub.docker.com/r/linuxserver/sonarr/

2. https://hub.docker.com/r/linuxserver/radarr/

3. https://hub.docker.com/r/linuxserver/jackett/

4. https://hub.docker.com/r/haugene/transmission-openvpn/

I'm surprised at all the recommendations for Plex here considering its subscription model. It's a good product but I recently switched to Kodi and it offers all of the functionality I need and then some. It doesn't seem to randomly lose access to my NAS like Plex did either.

I've been using Airsonic for music and podcasts, hosted on a headless Linux server. Supports caching, gapless playback, and more. DSub is a pretty solid client for Android, with the Play Store version supporting Android Auto and casting to Chromecast. Everything's FOSS, too.

I use a computer running FreeNAS with a shared NFS mount for the audio and video content. You can use SMB (Windows shares) too. I use a low-powered set-top box and a Mac Mini both running Kodi as clients. Works great.

Why rent with Spotify? Amazon still has DRM-free MP3 sales (don't pay for a Music Subscription, buy albums), and Bandcamp, CD Baby, and Magnatune are even better places to shop.

There are other open-source projects with no mothership.

Just a minor thing, but I’m pretty certain Plex are performing all sorts of analysis on your usage.

> I don’t know what the solution is.

Decentralize all the things.

If that's true then there's no need for legislation because the service contracts cover it. Law is only needed if the contracts are ambiguous.

Only if the public likes the way that service contracts are working.

> None of the major digital services directly support transferal of licenses and most of them directly forbid it in their terms of services.

Considering the amount of money that people sink into digital services, I’m surprised this hasn’t already been through the courts in the case of divorces.

Anecdotally I've seen a lot of divorcees still using their ex's old Netflix account or similar. It probably hasn't made it yet to the list of things on the radar of Divorce Attorneys for the simple practical matter that it's currently easy enough to (continue to) share passwords, but yes I'm very surprised we've not yet seen a huge court battle over digital assets in a divorce or inheritance drama yet.

It'd be lovely to see a return of the first sale doctrine, as well. We gave up the right to own a movie when we went to streaming. I want to be able to sell my stuff again. More importantly, I want Netflix to be able to offer streaming of everything they have the DVDs for.

> I want Netflix to be able to offer streaming of everything they have the DVDs for.

That is why it will never happen.

Could you explain?

The people who own streaming rights would go from having something that is worth money to something that is completely worthless.

Netflix is one of those companies so even they wouldn’t fight for it.

Netflix has a right to rent physical discs, but streaming is different than lending. I would love for movies to have compulsory licensing like music does though.

> Netflix has a right to rent physical discs, but streaming is different than lending.

I’m curious about this. I mean it’s different in terms of implementation and law, but conceptually it’s pretty similar.

Side-note thought experiment: in places where it is legal to “pirate” content you own, could Netflix get around this by renting a DVD to you (but holding it in escrow for you at their location) then providing you streaming access to that DVD?

Streaming in my mind is more like asking your friend to come over to watch a movie, than lending them the movie to watch themselves.

Exhibition rights are significantly different than private viewing rights.

At the end of the day, the results are roughly the same, one more person has seen the film. But there's a lot of subtlety in how that happens.

You can't own the stream, but you can still buy the DVD, and first sale still applies there.

Isn’t it currently akin to a library membership? Or at least that’s how I would put it if I was a service owner.

You also won’t get IRL memberships transferred by inheritance, so the debate will be short if it goes this way.

I think this line of argument works for something like a Netflix or Spotify account where you have a monthly fee for unlimited access. The problem OP is referencing is when you buy a specific movie or album on iTunes or Prime for instance. That doesn't seem so clear cut because while the license says one thing the consumer expects that they now 'own' the item forever.

Yes, iTunes or Prime pages still show a 'buy' button which is confusing.

I think people understand it better nowadays though, as they get burned more and more with services that don't work on a specific device, or the service shuts down. Or more probably they cancel the monthly payment and all the stuff they 'owned' can't be watched anymore.

Or Steam.

All the games I have there should be inheritable. Also, I'd love to be able to put ones I don't play on sale. But that's obviously not going to happen.

One reason this issue isn't explored much is that it doesn't have much in the way of practical implications. You don't need permission from Movies Anywhere to inherit your parents' Movies Anywhere account -- as long as you learn the password, you can just use the account without bothering to notify Movies Anywhere of anything.

Right, but this isn't protected anywhere. It's a fragile practicality. If you inherit that shared password do you inherit the right to recover it if you lose it again? Movies Anywhere is locked to a certain number of devices, do you have the right to unlock/remove old devices of the original account holder?

At one point I debated trying to build a system to help escrow digital asset things like passwords in Trust for the purposes of wills/digital estate planning/inheritance, but quickly realized the first major flaw of that is that as soon as you try to systematize it you immediately get into a fight over how much it violates various terms of service agreements forbidding account and password sharing entirely.

You're right, but I would still bet that the sheer ease of working around the issue stunts the development of formal legal approaches to it.

Which isn't necessarily a bad thing. I'd rather have established practice dictate the law than the other way around.

Until they find out and kill your account.

Find out how?

Through ubiquitous tracking.

In an ideal world, but in reality companies have been pushing more and more for the opposite, where accounts and services are just being "borrowed" by us for a fee.

The T&C go into great detail to make sure we understand we have no rights to the account/service/product, and that they still own it at all times and can revoke it from us.

Most companies still don't even comprehend that an account to a service can be an important part of someone's life. Google locks people out forever over some automated perceived issue, as though it's nothing special and not even worth a cursory glance. Meanwhile that email account could be the central point of that user's entire life.

Game accounts can have a serious amount of money, time, love, and effort invested in them. I've been using the same PSN account since the service first launched. I have hundreds of digital games, DLCs, movies, etc. My entire life is also run from my email, tied to everything from paying my rent and bills to managing my kids' school through their online services. For the former, I don't play online games on purpose, because I know of the risk of pissing off the wrong kid, and for the latter, I don't use a free email service and control the domain so I can redirect it. Still not perfect though.

We need to take this stuff more seriously.

This is why I advocate both 1. Not tying anything important to you to access to an online account that you don’t host yourself, and 2. Not spending money on digital goods that require further permission from a company to use.

People look at me like I’m wearing tin foil, yet these things keep happening where someone’s account gets suspended or they lose access to $1000 of “purchased” digital goods, and they act all surprised that this could happen!

If it’s not on your computer it’s not yours. And even if it is on your computer, but you need to activate it, it’s still not yours. Don’t complain when your access suddenly gets revoked—you should know better by now.

But it terrifies me that you say it like it's nothing and like this digital "purchasing" thing is something new (I am not disagreeing, on the contrary.)

I have avoided and have never bought anything digital for those reasons, but it really is depressing that these things have not been solved by now.

It should be terrifying! You’re handing your hard earned money to a company in exchange for access to something narrowly defined in a 100 page Terms of Service document, written by company lawyers, giving them tons of escape clauses, with no input from you. You’re smart to avoid the trap, but unless other people do also, in large numbers, nothing will change.

I agree. When Verizon sold off large portions of their FIOS network to Frontier, they took away several movies I had purchased. No refund, no apologies, they just took them away and refused to do anything. It wasn't enough money to motivate me enough to do more than call and complain 3 or 4 times. So they won. I did switch to another provider, but that meant I lost the rest of the movies. Sigh.

In general this is what class action suits are for. If a bunch of plaintiffs each suffer small losses they can join together to sue a defendant, whereas it wouldn't have been practical for any single plaintiff to sue individually.

In this particular case Verizon may well have put some weasel words in the contract you agreed to that allowed them to take away what you paid for.

And this is why I don't think those clauses should be valid. There's no way to negotiate with Verizon over that; it's take it or leave it. Either you accept that they can take things away without recourse, or you don't get anything.

Should? They are in all but legalistic terms. I had my Rockstar account stolen years ago shortly after their auth db was leaked, Rockstar support was of no help and I lost access to all my Rockstar games -- some of which are tied to third-party services (Steam) that don't permit repurchase (or otherwise generating a new serial code) and won't refund my current copy.

Piracy is the only way I can play my legally-purchased copy of GTA V or Max Payne III. (Most of their older titles did not have mandatory Rockstar DRM like the new ones, so they are OK)

How is an account not property?

Well, it's likely a license. Therefore you have civil legislation and contract law that you will never be able to use protecting you.

I agree that they should be viewed as property.

What I don't get in this scenario is how can Sony deny a bought game for this person? I mean he has the receipts and he can prove that he had paid for those games. How can they deny that product to him? I understand why they would have the rights to his account, but what about the games, which are actual products? Digital or not, they should provide them to him.

They use the "trick" that all game platforms use, that they only sell you a license that is attached to your account, and if you check the TOS you will find that it is stipulated that you will lose access to the games if you lose access to the account.

I say "trick" because when you purchase a game on those platforms, it clearly says "buy" or "purchase", it does not say "license", so it relies on fine-print in a long legal document of dubious legal value to redefine what you actually purchase.

I doubt they really care at the end of the day. My Instagram username is three letters and I (used to) get 4-5 reset emails a day prior to turning on 2FA. I also frequently get asked if I want to sell the name. I'm just worried someone will get in and take it.

If you use SMS for 2FA there are numerous vulnerabilities. The Google Authenticator app is safer, unless Instagram itself has some sort of vulnerability.

Hacking an online account may or may not be property, but I wager that it is a federal crime under the Computer Fraud and Abuse Act (CFAA).

As someone with intimate knowledge of console account buying and selling, I can elaborate some.

The main site used for buying stolen/jacked accounts is called ogusers. The screenshots in that article are of ogusers, I recognize the layout.

Most of the people who buy and sell accounts do it for profit and fame. Something among teens these days really drives them to want to be internet famous. Having a 1, 2, or 3 character account name garners attention to these people. 1 letter xbox accounts go for 10-20k. 1 letter social media accounts (twitter and IG mostly) go for anywhere from 10k upwards to 75k. A good amount of the 1 letter accounts on these platforms are bought or stolen, very few original creators own the accounts.

The problem is that people aren't content with getting an account by being the creator of the name. They want accounts by any means necessary. Some of these people do this for a living, they've devised their own secret techniques for gaming the system to get account information so they can game password resets and account retrievals. I know for PSN there is a tightly guarded way to pull the email account and name information from any account. For the most sought after accounts, attackers play the customer support reps like a fiddle. Say the right words and they will happily hand over sensitive information.

Even if you buy an account, there's no telling if you get to keep it. Microsoft has been really trying to crack down on this, and has banned hundreds of original accounts over this. I'm not sure how PSN handles it. IG has been trying to crack down as well. It is a sad state of affairs. Owning an original account isn't about creating it anymore, it's about how much you will spend to buy that name or who you know that can jack the account. Unfortunately, all these platforms are not set up to handle theft, fraud, and selling. If you lose an account, it is next to impossible in most cases to get it back.

In some cases you can get the account back by providing sensitive account info that only the original owner would know. However, the modern process of 'locking down' a stolen account includes flooding it with fake information to push back the original information past the point of being able to be used.

> 1 letter xbox accounts go for 10-20k. 1 letter social media accounts (twitter and IG mostly) go for anywhere from 10k upwards to 75k.

> Even if you buy an account, there's no telling if you get to keep it.

What sort of person 1) has the discretionary funds to buy an account like this, 2) wants one of these accounts so badly that they will pay that kind of money for it, and 3) is so stupid as to believe that it won't be ganked back by a different hacker, or even the same one again?

In other words, WHO IS FUELING THIS ABSURDITY?! There has to be a demand side of this equation, and, from my chair, it looks like people who have WAY more money than sense. I know there's a lot of them in the world, but, still.

I've seen several headlines recently that Sony has the console crown right now, but it seems like it wouldn't take much fear mongering by Microsoft in the right places to use this as a scare tactic against PS to try to push people back to XB. I mean, sure, this particular user "won," but you can't expect Vice to do a story about everyone who gets screwed.

Twitter and Instagram I can understand, there are a lot of people on those services that make a lot of money promoting brands and products. Having an interesting name on there can increase your marketability. Like "@tom" or "@lisa", you look cooler (rather than "@realmattdamon1977") and seem like you've been on here for quite awhile so therefore people should listen to you. I guess it might be a bit hard to show that you bought an account versus stole an account if the original owner tries to reverse the email address change. Maybe someone could build an account escrow site where ownership is transferred to a third party until the sale is complete.

It's not a "teens these days" thing though, short ICQ numbers were constantly hacked and resold fifteen years ago.

I have an 8 digit ICQ number. It's probably the only number apart from my SSN that I can still remember.

> Microsoft has been really trying to crack down on this, and has banned hundreds of original accounts over this.

Just require 7+ characters and at least one number in the username and suddenly you lose 99% of "lucrative" names.

This is a problem with usernames being the display names on the platform. For example, my friend's Xbox Live name is in the format XX## from before Microsoft upped the minimum character count. He was grandfathered in. He's fairly attached to his name and forcing him to go to one of the remaining unique usernames doesn't seem fair when he's been paying for the service for over a decade. In that time, thousands of "good" usernames have been taken and all that seems to be left is John33191299991102. Asking them to switch names they've already locked in is a very difficult balancing act between this problem and pissing off their longest standing customers.

Steam's approach of unique username and your choice of display name makes the most sense to me. If I want to be Bob, I can be. If I want to choose something rather unique, I can. However, this opens up a whole new set of problems with impersonation. I don't think this is a problem on Xbox with the buddy system and no trade economy though.

Blizzard's way of doing names makes tons of sense and doesn't rely on an incredibly awful search to find people. You can name your account whatever you want, but they automatically give you a unique number (when paired with your name) so people can easily add you to their friends list. So you can sign up with the name "Bob" and they will give you "Bob#1234" for people to find you.

This way you don't have any worry about people having short usernames being special or unique. The issue is that this kind of username scheme works for gamers (that aren't trying to be standout/unique necessarily and just want their username), but I don't believe would be accepted by social media influencers whose usernames are their brand names.

Discord does the same thing with the discriminator, and if you're a Discord Nitro subscriber you get the ability to manually change it to whatever combo you like (as long as someone with the same username doesn't have that number).
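The name-plus-number scheme discussed in the two comments above (Battle.net's "Bob#1234", Discord's discriminator with the paid "pick your own number" perk) is easy to show as a small registry. The code below is an added example written for this page, not Blizzard's or Discord's implementation: the four-digit 0001..9999 range, case-insensitive name matching, random rather than sequential assignment, and the `NameRegistry` API are all assumptions. Random assignment is deliberate: if low numbers were handed out first, "#0001" would become the new scarce vanity tag that the scheme is meant to eliminate.

```python
"""Hypothetical display-name + discriminator registry (added example, not a vendor's code)."""
import secrets
from typing import Dict, Optional, Set

DISCRIMINATOR_RANGE = range(1, 10000)   # assumed: 0001..9999, Discord-style four-digit tags


class NameRegistry:
    """Tracks which discriminators are already issued for each display name."""

    def __init__(self) -> None:
        self._taken: Dict[str, Set[int]] = {}

    @staticmethod
    def _key(name: str) -> str:
        # Names are compared case-insensitively so "Bob" and "bob" share one pool
        # and cannot be used to impersonate each other with the same number.
        return name.casefold()

    def register(self, name: str) -> str:
        """Hand out a random unused discriminator for this name and return the full tag."""
        taken = self._taken.setdefault(self._key(name), set())
        if len(taken) >= len(DISCRIMINATOR_RANGE):
            raise ValueError(f"all discriminators for {name!r} are in use")
        while True:
            candidate = secrets.choice(DISCRIMINATOR_RANGE)
            if candidate not in taken:
                taken.add(candidate)
                return f"{name}#{candidate:04d}"

    def change_discriminator(self, tag: str, wanted: int) -> Optional[str]:
        """The 'choose your own number' perk: allowed only if nobody with this name holds it."""
        name, sep, current = tag.rpartition("#")
        if not sep:
            return None
        taken = self._taken.get(self._key(name), set())
        if wanted not in DISCRIMINATOR_RANGE or wanted in taken or int(current) not in taken:
            return None
        taken.discard(int(current))
        taken.add(wanted)
        return f"{name}#{wanted:04d}"

    def is_taken(self, name: str, discriminator: int) -> bool:
        return discriminator in self._taken.get(self._key(name), set())


if __name__ == "__main__":
    reg = NameRegistry()
    first, second = reg.register("Bob"), reg.register("bob")   # constructed sample names
    print(first, second, reg.change_discriminator(first, 1234))
```

With uniqueness carried by the (name, number) pair, a one-letter name is no longer a scarce asset, which removes the resale value that the thread identifies as the motive for account theft; the trade-off the next comment raises, that a brand-name handle on social media wants the name alone to be unique, is exactly what this registry does not give you.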

This is an even better solution. I've never had a Battle.net account so was previously unfamiliar with this. I agree though, this is a good way to give people the display name they want which is the crux of my problem with making unique username the same as the display name.

Reminds me of this blog post [0] about a guy who lost his Twitter @N.

[0] https://medium.com/@N/how-i-lost-my-50-000-twitter-username-...

I recently lost access to my two factor authenticator. I had saved most but not all of my recovery codes. I was surprised that a couple of websites I didn't have recovery codes for allowed me to disable 2FA after login but before authentication. It saved me from having to contact support, but it seemed to defeat the purpose of 2FA.

This happened to me as well with Uber. They use SMS 2FA and didn't provide any backups. I left my phone in an Uber and I couldn't log into my account to notify the driver because 2FA was in place. I also couldn't contact Uber about the issue because they try as hard as possible not to provide customer service mechanisms for people to leverage.

At the end of the day I had to use another friend's Uber account to contact Uber and explain the situation. They disabled 2FA and let me back into my account. I suppose Uber could validate the GPS position of the driver and my phone and use that to validate my story, but I doubt they went through all that trouble :(

This was not my recent experience with Uber's 2FA at all.

I had purchased a new phone, but lost cellular service and couldn't authenticate into Uber. I found contact info and they asked me to verify my recent ride history (including fares, times, and destinations) before disabling 2FA for me.

This happened to me about a year ago.

> I suppose Uber could validate the GPS position of the driver and my phone and use that to validate my story, but I doubt they went through all that trouble :(

For that, I assume they would need to have tools built for that specific purpose, with security/audit in place. I doubt any support guy could just randomly query for GPS data for drivers/users.

> I doubt any support guy could just randomly query for GPS data for drivers/users.

There was a very widely publicised case a few years back when their support people were doing just this to stalk celebrities and exes. How quickly the world moves on, I guess.

how did you lose your 2FA device?

this is what scares me the most about using 2FA.

github for example says if 2FA is lost there is no way to recover.

i have lost a phone number before... and although github also supports other 2FA devices, such as a rotating key app which can be on multiple devices, you have to set up all devices at once. so i can put it on my laptop and my phone, but not my home and my work computer unless i carry one to the other place. phone and laptop is not enough. if i lose my bag, both are gone. and i'd have to reset all devices if i ever want to add a new one. at that point i am more afraid to lose access through stupidity than through theft.

no thanks.

greetings, eMBee.

> this is what scares me the most about using 2FA.

My solution for TOTP/HOTP 2FA (aka "Google Authenticator"-2FA) is quite simple:

I print out the QR codes used to activate the 2FA, and keep them in a safe. That way I can always re-activate the 2FA on a new device, and it's still just as secure (because, if an attacker can break into my home and break open the safe, they could just as well take my phone with them)

Last I checked GitHub actually lets you turn off 2fa if you can use an associated SSH key to sign a message?

Not entirely certain but support staff definitely turned it off for me once I lost my phone number.

oh, that's a relief. good to know. thanks.

A very valid concern - I was in a serious vehicle accident this year and it took weeks for all of my keys and possessions to make it back to me. Luckily I didn't need 2FA for my email or insurance.

That's what the backup codes 2FA provides are for, no?

I've lost those in the same theft as I lost my 2fa device for github. Not going to store them outside of my password manager for github again.

So why do I use 2fa for github? Because organizations require it.

There are still benefits of 2fa even if codes are stored in your password manager. It protects against most keyloggers. It probably makes phishing a little less likely (because most websites cache 2fa, so you'll be a little more suspicious when asked for it by a phishing site). It protects people who use weak or reused passwords. Sometimes it causes support staff to be more careful with regard to social engineering.

When adding 2fa I add it to authy on my phone and to my pebble (which has significantly better battery life than my phone).

Authy allows backups though I've never tested this.

I also keep recovery codes for critical services in case all else fails (just don't forget to NOT put that behind 2FA cos circular dependency)

For what it’s worth, when I switched phones my Authy app went out of sync. It was a work account so I just had my boss reset my 2fa, but if there isn’t a way to re-sync you may be out of luck.

2FA is usually to protect you against your password being stolen. If that's the only threat model, then it's fine to allow 2FA to be disabled without a new 2FA code, as long as it's from a device that has entered a 2FA code at some point in the past.

There are other potential threat models though that would require a re-entry of the 2FA code to be safe, such as cookie theft, or temporary computer compromise. Both of these though seem less likely attacks.

> It saved me from having to contact support

This is not an insignificant consideration. Companies track support calls (call volume - and their reported reason - is monitored closely) as a matter of business. I have heard of companies going back on enabling two/multi-factor auth once realizing support volume goes up. (Which is silly, because of course it goes up compared to not if you didn't allow it before.)

Reminds me of the time my friend lost his single character Twitter account due to Godaddy social engineering. https://medium.com/@N/how-i-lost-my-50-000-twitter-username-...

Wow. That sounds like something he could sue PayPal for. $50,000...

Looks like he got the @n handle back! Do you know what happened?

Iirc he contacted friends at TWTR.

The obvious solution would be to transfer the account to a different username, that has no attraction for the scammers, but even that is still virtually impossible.

If you ever thought Microsoft is an incoherent mess, Sony is even more so, just without any clue when it comes to modern software, UX or security concepts. The PSN experience is pretty much the state of ten years ago with security features tacked on to fix the hacks, but little more.

PSN notoriously doesn't support changing usernames, at all. It's been their #1 most requested feature for over a decade.

Rumors are that they've asked game devs to prepare for name changes, so it should be possible in the nearish future!


It's coming https://blog.us.playstation.com/2018/10/10/psn-online-id-cha...

Edit: it might also be a great way to "hide" an account once it's been acquired. Just pay $5 to rename it once you've removed all the friends.

> please note not all games and applications for PS4, PS3 and PS Vita systems are guaranteed to support the online ID change, and users may occasionally encounter issues or errors in certain games.

I can't say I'm not surprised. What a mess.

I've tried to buy PSN Plus about 3 or 4 times in the last 2-3 years. Every single time the web interface threw some kind of error at some point during the checkout process. Sony is such a giant mess, but there is no alternative because there are so many PS exclusives.

Have to say, every time it worked flawlessly from the console itself.

Can't speak for the mess of Microsoft, but regarding features Sony was ahead of Microsoft for several years. But the last 1 to 2 years it feels like Microsoft is actually ahead. Things like making X360 games backwards compatible is a huge plus for me. If only all of my friends would think like that and move to the Xbox as well :/

Yeah, but that's just giving into them. If I've had my username for a long time, and I like my username, why should I have to be the one to change?

I find it strange what services attract hacking attempts.

If anyone has attempted to break into my bank accounts or my Google account, I never noticed. (My Gmail account is used for TFA for most of my other accounts, so I would expect it to be a target.)

You know what accounts I have had attacked? There have been dozens and dozens of attempts to access my Steam account by someone who figured out my password, but didn't have access to my email to receive a confirmation code. (Mostly, but not always, from Chinese IP addresses.) Someone else successfully compromised my OkCupid account and apparently used it to advertise escort services. Apparently someone else got into my Snapchat account and sent spam to all my contacts.

Go figure.

It may be that hacking those kinds of services is very unlikely to cause any sort of legal response. As soon as you start going after bank accounts, you risk the government kicking down your door.

Someone tries to take over my Google account at least once a quarter. They haven't succeeded yet, but woof - it would really, really suck if they did.

Great article. This problem goes far beyond PSN though. The sheer amount of account recovery processes companies offer that are poorly designed is astounding.

In particular, SMS has been a notoriously strong attack vector for _years_, and companies played catch-up very slowly. Maybe it's still offered because phones in the developing world don't have much space for Google Authenticator or something, but that's a stretch.

Speaking as a company that deals with frequent account resets I’ll add that account holders routinely confuse the issue with poorly/inaccurately specified identities, duplicate accounts, and obsolete contact details.

We do our best to apply strict and fair rules, but some cases still get evaluated on a balance of merits and history.

I can also safely say that customers who struggle to enter their date of birth consistently see 2FA schemes as an insurmountable barrier.

These are 1% issues but the volume grows linearly with user base, unlike other support issues which we can automate away or use the ecosystem to assist. I haven’t yet found a way to deal with these cases that scales any better, and I just know it’s going to be a marginal cost issue later.

(I don’t think any of this applies to the case in this article, no sympathy for Sony’s dismal support)

A surprisingly convoluted story, but not so much the fault of the author as the lack of transparency by Sony. Most stories of account compromise have an obvious cause, such as SIM cloning. This story makes it sound like Sony’s system has many possible attack vectors via social engineering. And given Sony’s history of catastrophic breaches, it’s really hard to imagine the fault is on the user here.

Could he sue Sony in small claims court for the value of all the games he had in his account? Seems like they are unlikely to show up.

He got his account back, with a few purchases from the attacker.

I'm curious too. There may be a binding arbitration clause in the EULA that allows them to overturn any decision made by the court.

That wouldn’t be enforceable, the user won’t have even read it.

> it took far too long for Sony to add two-factor authentication to PSN, despite the service’s massive hack in 2011. Microsoft added two-factor to Xbox Live in 2013. It didn’t hit PSN until 2016, five years after the personal details of 77 million users were potentially exposed to hackers.

Enabling 2FA isn't going to stop hackers from accessing user data if the hackers hack Sony (what happened before). I fail to see the connection between 2FA and Sony being breached.

It's rather simplistic to think there's only one level of access inside Sony. At least in, or especially because of, the hacking of PSN, any sane company isn't going to give the account reps the same access as even random engineers, who, at a company the size of Sony, should get sanitized databases to develop against.

Once there is a massive hack, usernames, emails and passwords that were used before become compromised. That means that 2FA becomes more vital - as it not only provides a new factor for authentication, it provides the only one that isn't compromised.

That's a good point, though after a hack they would ask everyone to reset their password anyway - but these people are probably using the same e-mail/password on other services.

Just an FYI: The enterprise MSP password management service "Passportal" allows you to disable MFA over the phone with zero authentication.

Beyond a library of games and maybe credit card details, are there other incentives to sellers/buyers for stealing these accounts?

It's mostly about the library. Many long-term Playstation users have large libraries of expensive games tied to it, so people buy stolen accounts so they can play all the games on them without buying all the games themselves.

Game-hackers also buy the accounts so they can get around being banned from online games, but considering the price mentioned this sounds more like a big game library account.

I'm assuming the PSN name was something short or of value. Something like "Justin" would get a lot of bidders.

Yeah, in this case it was "Almighty".

How do you know? That detail was redacted in the story. Is there other coverage of this?

I searched for the title of the forum thread and found the post.

Why does switching an account to Japanese make it harder for the owner to get it back?

My guess? It moves the responsibility for the account to a different bureaucracy (international vs. domestic).

I found the forum that the article was talking about, and the how-to article. Using the Google cache, since they've altered the forum to make you register to see content:


Sounds like the suggestion is to first change the email from the original owner's to yours. Then, sign up the original owner's email as a Japanese account.

I had similar happen with my XBox Live account seven years ago: the attacker bought $125 in Microsoft Points using the associated credit card and then immediately transferred the account to Russia under a new email address.

At the time, Microsoft's customer service told me it was impossible for them to return accounts that had been moved internationally. They claimed that they literally didn't have the technical ability to do so, but that they'd file a ticket with engineering.

I figured the account was gone.

To my great surprise, three months later I got CC'd on an email from an engineer closing the ticket, followed by an email from Microsoft customer support with temporary account credentials to reclaim the username. And... that was that. No further follow-up, just "we fixed the system, and now we can transfer your account back to you."

This is why I buy disks

A lot of games are download only, not to mention DLC (Downloadable Content, aka expansions).

If you have enough patience you can usually just wait for an edition to come out with all the dlc bundled. (if the game is suitably popular)

Buying discs is fine, but you still need a license/key. That license then often needs to be activated online or tied to an account and... no benefit to having discs at all.

Console game discs do not require a license key, the disc itself is the key. Apart from not having to fear losing your account and thus the game, you also get the added benefit of being able to sell or trade the game.

Not to be that guy, but it's disc when you're referring to optical media [1]. Unless you're trying to say that you're fed up with an awful digital ecosystem and you just buy physical disks like Frisbees and vinyl ;)

[1] https://en.wikipedia.org/wiki/Spelling_of_disc

Do they come with a time machine?

I know that the Xbox 360 doesn't allow offline play. I wouldn't be surprised if inserting the disc automatically and permanently ties some unique serial number to your account.

Do you mean the Xbox One? I know my 360 was disconnected from the internet for a long time and I played games on it just fine.

Duh, brain on. Yes, the Xbox One.

None of that is true. There's a healthy market in second-hand discs for all of these console platforms.

I wonder whether it would make sense to force companies by law to provide proper support, given how much actual money (I know quite a number of people with four-digit-worth Steam accounts) is bound in such accounts, or how central these accounts can be for our modern lives (imagine all the identities tied to your gmail or fb or twitter accounts - and permanently losing them due to trolls "reporting" your accounts).

As for bypassing 2FA: there is, at least in Germany, a way for any online company to have the real identity of the user proven. It's called "PostIdent" and works by having you go with your ID card to a post office where it is checked. It's acceptable enough even for the strict regulatory frameworks for banks.

So the process could work like "okay, you are John Doe, and you want to re-establish control over your account with the ID 123456 by changing the primary email to john.doe@provider.com? Print out this voucher, pass PostIdent and we will modify your account".

Off topic, but hot dang. That was some excellent story telling. Didn't feel the urge to skim a single word.

Patrick's writing is sublime.

Lots of comments here detail how many people lose their phones and never kept recovery codes or lost some of their recovery codes. 2FA sms don't have that problem. If you lose your phone, you can usually get a sim card with the same phone number again. I think people who insist that 2FA sms is insecure because the telecom networks can be hacked/intercepted are ignoring the convenience of it for the vast majority of people especially considering the effort and skill required to hack the telecom network compared to just socially engineering a company.

Given the diligence with which the attacker worked on Sony via social engineering to gain access to the account, what on earth makes you think the same technique wouldn't work just as well for a telecom company? You don't need to "hack" the network, just the customer service rep. Just say you lost your phone :)

The telecom company has identifying information about you that hackers are unlikely to be able to fake - such as a home address to where they send your new sim card, or physical locations where it's much harder to work these kinds of social engineering.

The telecom company also has more regulation and the stakes are higher for letting someone basically steal your number - it usually means they have a much stricter protocol for giving someone a new sim card - they'll require a physical presence, they can actually call your phone to verify you aren't a fake, they'll require confirmation of card ownership or an ID for states/countries that have them.

I am going to refer to this thread, which shows exactly how easy it is and how difficult it is to defend yourself against: https://news.ycombinator.com/item?id=18194701

From the thread: "T-Mobile has put in place some protections to prevent unauthorized transfers of your account to new SIM cards, I just had to deal with them last night - actually. Swapping SIM cards for a line must either be done in-store where your photo ID can be verified, or over the phone but only after confirmation of a OTP sent to account managers via SMS. I know T-Mobile actually had some issues with this in the past, so even though I miss the convenience of going to t-mobile.com/sim to swap a card out I feel it's a much better solution security-wise."

Obviously it differs from provider to provider and time, but it'll start moving towards better security. 2FA has only recently gotten popular

I got about half way through when I realised I had read the same piece of information twice already. A shame, because I lost interest somewhere around that point.

Too bad for Justin. I hope he gets it resolved.

[Spoiler] He got his account back, and a specific phone number he can call if he has problems again.

Shame everyone doesn't get this benefit. It's strange how being covered on all of the big gaming news sites suddenly makes "technically impossible" things (like reinstating access to an account) possible again.

The first question I had while reading this - can't Sony check the localization or something like console ID that the account is logging into? I can't believe stealing these accounts is so un-revertable! :|

There is no hacker. Justin's been doing it to himself. He has dissociative identity disorder

"When Justin finally heard back from Sony, they didn’t apologize and promise to protect the account. Instead, they said it—an account Justin has had for more than 13 years, with a history of trophies and purchases—was gone. There was nothing he could do, no process to appeal, no way to get any of his games back."

That should be considered completely unacceptable, especially from a company that has had huge data breaches in the past. Sony should be bending over backwards to make this guy whole, not giving up.

I’m surprised he didn’t sue.

ONE WEIRD TRICK - dirtbag companies HATE this - my mom (former lawyer) taught me that the way to get any company dragging its heels or otherwise being scummy about giving you what you paid for is to basically state what you want followed by “...and if I do not get the product/service that I paid your company for, my next call will be to the State Attorneys General of the state of (where we’re from) and the state where you are incorporated, and we will be filing a claim of fraudulent business practices.”

9 times out of 10 that’ll be enough to get the gears moving. Legal compliance is almost always more expensive than fighting a customer on an issue, so they tend to give in rather quickly.

I've also heard of equally worthwhile efforts when contacting a company through the BBB (Better Business Bureau); it has gone as far as getting people's accounts unbanned where the account was meant to stay permanently banned from an MMO. Get legal through the right channels and you will see results. You want to get a hold of the BBB directly, basically; I haven't had the pleasure of doing it but have heard from many that it works.

While this may work, as far as I know, BBB is a private company with no enforcement muscle, providing a service similar to Yelp, but less respected.

Only clueless business owners care about BBB. Not only is BBB a scam itself, but no one cares what they think anyway.

BBB is its own pay to play scam. People who join magically have poor scores removed.

From what I hear, when you compare the French or German legal sphere with US law you'll find that US law offers few remedies to compel a contract partner to perform. Instead they'll offer compensation. That's a problem when you have things (like accounts) whose value no one knows.

The current price of the digital content in your account should at least set a floor on the value. That would probably be enough to compel Sony to return the account.

Back when I worked for an early online service (Dialcom) we had sold a big contract for email - the CEO of the company was pissed off with the performance and wrote a personal letter to the CEO of British Telecom (our parent) at his home address.

At the next main board meeting our Director got handed the letter with the comment "one for you to sort out" - which is why we set up an entire Pr1me 750 for that customer.

I remember working in retail here in the UK and having occasional customers who thought that the mystical incantation "trading standards" would have us trembling in fear and bending over backwards to give them anything they wanted. We just laughed at most of them.

This is not good advice. Once you threaten to sue, most Big Companies will stop talking to you via customer support channels and make you do everything in writing to their legal department.

Don't do this.

I know little of the US legal landscape, or if there's a small claims system. I've threatened legal response here in the UK, usually after months of failing to get resolution without, as the last step in the chain. So I've issued a small claim against those companies (the UK has a cheap option when the claim is small, somewhere under £5 - £10k. Basically fill in a form, pay a fixed low fee, wait). Those have had a 100% success rate.

> Once you threaten to sue, most Big Companies will stop talking to you

That would be fine. When I have threatened to sue someone and got no response, I will do the small claim as next step. One threat, one opportunity to resolve. More talking would enable more delays. No more communication from me aside from in writing from the court.

Generally gets a panicked phone response at speed and offering full settlement. I've had several expansive apology letters. A couple ignored the summons and waited for the default judgement before it got settled. Those were big, very well known companies, which could be pure coincidence. Most have asked "why did you sue?". Waiting for months to get that promised refund, whilst only getting excuses or lies, maybe? :)

You said you don't threaten a legal response until after months of failing to get resolution. I'm pretty sure that's what's being suggested here too. Don't open with the legal threats, as they can shut down what may have been a much faster and easier customer service resolution.

By GP sure, but the comment I'm responding to is an unequivocal "this is a bad idea". My take is apply common sense and don't make idle threats on the 2nd email or you just look silly, likewise when you get to the stage of few other choices make the threat just once. Then get on with it. :)

This is a feature, not a bug. Customer support departments are set up to optimize for cost savings; legal departments are set up to minimize legal risk for their parent companies. The latter is more likely to err in a direction that is favorable to the consumer.

YMMV. I have NEVER seen a company call the bluff. At worst it just means you wait while the request goes to someone’s boss or boss’ boss and they say just give them what they want.

Also I don’t tell the company I’m suing them. They could care less about me. I am however telling them THE STATE will be looking into their practices, which to them is much scarier and expensive than a disgruntled customer.

They've already stopped talking to you once they say they will do nothing to help you.

Their legal department can actually make shit happen, though.

Without incentives, why would Sony do anything for anyone?

Sony's reputation should be incentive enough.

They are a disgusting gutter company who cares naught for their reputation. I haven't knowingly purchased any Sony products (music, movies, games, hardware) since their behavior around 2005.

That was around the infamous rootkit scandal, right?

They also have some very annoying practices for their hardware. I borrowed a Sony digital camera from a relative for a roadtrip and the memory card broke down. To my dismay I realized I can't just put any old memory card in it, I have to put in a Sony one which costs 10x as much for 0 benefit.

Since then I also stopped buying any Sony products. I think they're just too big and too diversified to fail at this point. They don't have to care about their reputation at this point, the money just won't stop coming since they're so pervasive.

Which it apparently was - once they realized a reporter was writing a story on it, they fixed the issue right quick.


So he did it only to write an article about it?

He did it as part of the effort that resulted in Justin getting his account back.

He wrote the article to validate his decisions, he sought validation to ease his bidding convictions, he uneasily bid on a psn account to gain what he’d lost, he lost what he had gained because he swallowed a fly. I don’t know why he swallowed a fly, perhaps he’ll die.
