If you had enabled 2FA, it could be disabled/reset by calling support and adequately proving you were the owner of the account. This had to be this way, because, as I said, everyone forgot their 2FA credentials ("my phone fell in the sea and the backup codes were on it").
We also had another checkbox that said "Never, under any circumstances, reset my account. I have stored my backup codes somewhere secure that is not my phone. I understand that, if I lose access, I lose the account."
If the user checked that, then the password/2FA reset system for the admins got disabled for their account. If they lost their 2FA, nobody short of DBAs could reset their account (and DBAs knew not to).
Additionally, we had a screen where you could print a long, random, one-use key that would reset your account. It would come with a nice QR code so you could physically print it on a piece of paper and store it somewhere, and scan it if you ever forgot your 2FA/password, and it would let you access your account.
I should probably write an article about this...
I suppose if it's just one option then it's okay.
Huh? I've got at least 5 different SIM cards for various countries and I've never noticed any issue with Tinder. I didn't even know it used your phone number for anything.
For SMS auth it's usually no big deal to put back in your old SIM if it needs to send a 2FA code; even the most brutal roaming charges won't come to more than a dollar or so for a single SMS.
Receiving SMS is generally free (or goes against your monthly bucket) while roaming.
I’m actually not aware of any cell carriers (and I have SIM cards from over a dozen providers each in different countries) that charge for receiving anymore, but leaving a little wiggle room in my statement above just in case there’s an oddball out there.
It's possible to send and receive text messages at sea, as long as you have a signal through your ship's roaming network (just make sure you turn off data roaming in your settings). Texting costs a lot less than a voice call -- usually in line with standard, international "pay as you go" rates: Most major carriers charge $0.50 to send a message ($0.25 for a picture or video message); AT&T also charges $1.30 for an outgoing picture or video message. For messages received, Verizon charges $0.05/text ($0.25 for a picture or video message), and Sprint charges $0.05, while T-Mobile and AT&T deduct incoming messages from your monthly allotment.
I wonder if this is something there's been any pressure on legislation for, and I also wonder if it's something tech companies would fight against.
Right now there's no protection for that. None of the major digital services directly support transferal of licenses and most of them directly forbid it in their terms of services.
GDPR got some pressure from some of the EU members to explore the issue and GDPR itself wound up punting the ball back to individual countries for now rather than wade into digital asset protections/inheritance.
I don’t know what the solution is. The free market obviously has no incentive to fix this. Users won’t vote with their wallet until they get burned and then it’s too late.
I can stream all this content too - the experience is not much different from Netflix or Spotify and the content is usually much higher quality (lossless audio and higher bitrate video). The experience is more private too - no analytics on what you watch, no one harvesting you for ads.
I feel so much more secure truly “owning” my content than having it bound to some service that can disappear at any time, along with the content on it. I’ve lost countless songs and videos due to Netflix or a music service’s contract ending.
For data resilience and redundancy, just perform encrypted backups to your cloud service of choice.
> I feel so much more secure truly “owning” my content
Do you actually purchase the content? If so, where do you buy it from? Is it even possible to purchase DRM-free content from major studios online?
For music, I can purchase music DRM-free from the iTunes Store or Bandcamp and actually own it, which is awesome.
Netflix lets you download a lot of content. Great for when you aren't connected.
Hell you can ignore DHS letters in some cases.
In some countries there are exceptions to copyright for non-software that allow making copies for use of friends.
I think this reference is partly inaccurate; I was under the impression that the legality of the original copy doesn't matter (and Polish Wikipedia seems to agree: https://pl.wikipedia.org/wiki/Dozwolony_u%C5%BCytek_prywatny...)
I remember seeing a video where a company exec said that they want to sell their product but they also wanted everyone to be using their pirated copy vs another company's application.
Most people won't pirate because it involves work. The people who do sometimes are the trend setters who can encourage others to buy.
And even when it was, you weren't allowed to break encryption to do so.
Indeed, in some cases even importing (i.e. downloading from a foreign server) software to do so is a criminal offence in the UK and carries a potential prison sentence.
The end UI is super simple. Search for a movie. Click Add. The software takes care of the rest. It automatically downloads the movie and replaces it with a higher quality version when one is available.
TV: Switch out Radarr for Sonarr above.
Music: Still working on this, but set up an MPD server on the NAS and listen using an MPD client on mobile. A good client seems to be Rigelian for iOS.
All super easy to set up. All the software is dockerized (check the linuxserver docker repo for most of this) and secure to access - set up a VPN server on your NAS and use a client like Tunnelblick on Mac or OpenVPN on iOS to access it.
So now I can have lunch with my coworkers, and if we're talking about a movie that sounds interesting, I open up Radarr on my phone (it has a nice mobile web interface), search and click download. It'll be ready for viewing in all its Blu-Ray HDR10 7.1 surround-sound glory by the time I get home.
Some Docker images you might find useful:
Decentralize all the things.
Considering the amount of money that people sink into digital services, I’m surprised this hasn’t already been through the courts in the case of divorces.
That is why it will never happen.
Netflix is one of those companies so even they wouldn’t fight for it.
I’m curious about this. I mean it’s different in terms of implementation and law, but conceptually it’s pretty similar.
Side-note thought experiment: in places where it is legal to “pirate” content you own, could Netflix get around this by renting a DVD to you (but holding it in escrow for you at their location) then providing you streaming access to that DVD?
Exhibition rights are significantly different than private viewing rights.
At the end of the day, the results are roughly the same, one more person has seen the film. But there's a lot of subtlety in how that happens.
You also won’t get IRL memberships transferred by inheritance, so the debate will be short if it goes this way.
I think people understand it better nowadays though, as they get burned more and more with services that don't work on a specific device, or the service shuts down. Or more probably they cancel the monthly payment and all the stuff they 'owned' can't be watched anymore.
All the games I have there should be inheritable. Also, I'd love to be able to put ones I don't play on sale. But that's obviously not going to happen.
At one point I debated trying to build a system to help escrow digital asset things like passwords in Trust for the purposes of wills/digital estate planning/inheritance, but quickly realized the first major flaw of that is that as soon as you try to systematize it you immediately get into a fight over how much it violates various terms of service agreements forbidding account and password sharing entirely.
Which isn't necessarily a bad thing. I'd rather have established practice dictate the law than the other way around.
The T&C go into great detail to make sure we understand we have no rights to the account/service/product, and that they still own it at all times and can revoke it from us.
Most companies still don't even comprehend that an account to a service can be an important part of someone's life. Google locking people out forever over some automated perceived issue, as though it's nothing special and not even worth a cursory glance. Meanwhile that email account could be the central point of that user's entire life.
Game accounts can have a serious amount of money, time, love, and effort invested in them. I've been using the same PSN account since the service first launched. I have hundreds of digital games, DLCs, movies, etc. My entire life is also run from my email, tied to everything from paying my rent and bills to managing my kids' school through their online services. In the former, I don't play online games on purpose, because I know of the risk of pissing off the wrong kid, and for the latter, I don't use a free email service and control the domain so I can redirect it. Still not perfect though.
We need to take this stuff more seriously.
People look at me like I’m wearing tin foil, yet these things keep happening where someone’s account gets suspended or they lose access to $1000 of “purchased” digital goods, and they act all surprised that this could happen!
If it’s not on your computer it’s not yours. And even if it is on your computer, but you need to activate it, it’s still not yours. Don’t complain when your access suddenly gets revoked—you should know better by now.
I have avoided and have never bought anything digital for those reasons, but it really is depressing that these things have not been solved by now.
In this particular case Verizon may well have put some weasel words in the contract you agreed to that allowed them to take away what you paid for.
Piracy is the only way I can play my legally-purchased copy of GTA V or Max Payne III. (Most of their older titles did not have mandatory Rockstar DRM like the new ones, so they are OK)
How is an account not property?
What I don't get in this scenario is how can Sony deny a bought game for this person? I mean he has the receipts and he can prove that he had paid for those games. How can they deny that product to him? I understand why they would have the rights to his account, but what about the games, which are actual products? Digital or not, they should provide them to him.
I say "trick" because when you purchase a game on those platforms, it clearly says "buy" or "purchase", it does not say "license", so it relies on fine-print in a long legal document of dubious legal value to redefine what you actually purchase.
The main site used for buying stolen/jacked accounts is called ogusers. The screenshots in that article are of ogusers, I recognize the layout.
Most of the people who buy and sell accounts do it for profit and fame. Something among teens these days really drives them to want to be internet famous. Having a 1, 2, or 3 character account name garners attention to these people. 1 letter xbox accounts go for 10-20k. 1 letter social media accounts (twitter and IG mostly) go for anywhere from 10k upwards to 75k. A good amount of the 1 letter accounts on these platforms are bought or stolen, very few original creators own the accounts.
The problem is that people aren't content with getting an account by being the creator of the name. They want accounts by any means necessary. Some of these people do this for a living, they've devised their own secret techniques for gaming the system to get account information so they can game password resets and account retrievals. I know for PSN there is a tightly guarded way to pull the email account and name information from any account. For the most sought after accounts, attackers play the customer support reps like a fiddle. Say the right words and they will happily hand over sensitive information.
Even if you buy an account, there's no telling if you get to keep it. Microsoft has been really trying to crack down on this, and has banned hundreds of original accounts over this. I'm not sure how PSN handles it. IG has been trying to crack down as well. It is a sad state of affairs. Owning an original account isn't about creating it anymore, it's about how much you will spend to buy that name or who you know that can jack the account. Unfortunately, all these platforms are not set up to handle theft, fraud, and selling. If you lose an account, it is next to impossible in most cases to get it back.
In some cases you can get the account back by providing sensitive account info that only the original owner would know. However, the modern process of 'locking down' a stolen account includes flooding it with fake information to push back the original information past the point of being able to be used.
> Even if you buy an account, there's no telling if you get to keep it.
What sort of person 1) has the discretionary funds to buy an account like this, 2) wants one of these accounts so badly that they will pay that kind of money for it, and 3) is so stupid as to believe that it won't be ganked back by a different hacker, or even the same one again?
In other words, WHO IS FUELING THIS ABSURDITY?! There has to be a demand side of this equation, and, from my chair, it looks like people who have WAY more money than sense. I know there's a lot of them in the world, but, still.
I've seen several headlines recently that Sony has the console crown right now, but it seems like it wouldn't take much fear mongering by Microsoft in the right places to use this as a scare tactic against PS to try to push people back to XB. I mean, sure, this particular user "won," but you can't expect Vice to do a story about everyone who gets screwed.
Just require 7+ characters and at least one number in the username and suddenly you lose 99% of "lucrative" names.
Steam's approach of unique username and your choice of display name makes the most sense to me. If I want to be Bob, I can be. If I want to choose something rather unique, I can. However, this opens up a whole new set of problems with impersonation. I don't think this is a problem on XBox with the buddy system and no trade economy though.
This way you don't have any worry about people having short usernames being special or unique. The issue is that this kind of username scheme works for gamers (that aren't trying to be standout/unique necessarily and just want their username), but I don't believe would be accepted by social media influencers whose usernames are their brand names.
At the end of the day I had to use another friend's Uber account to contact Uber and explain the situation. They disabled 2FA and let me back into my account. I suppose Uber could validate the GPS position of the driver and my phone and use that to validate my story, but I doubt they went through all that trouble :(
I had purchased a new phone, but lost cellular service and couldn't authenticate into Uber. I found contact info and they asked me to verify my recent ride history (including fares, times, and destinations) before disabling 2FA for me.
For that, I assume they would need to have tools built for that specific purpose, with security/audit in place. I doubt any support guy could just randomly query for GPS data for drivers/users.
There was a very widely publicised case a few years back when their support people were doing just this to stalk celebrities and exes. How quickly the world moves on, I guess.
this is what scares me the most about using 2FA.
github for example says if 2FA is lost there is no way to recover.
i have lost a phone number before... and although github also supports other 2FA devices, such as a rotating key app which can be on multiple devices, you have to set up all devices at once. so i can put it on my laptop and my phone, but not my home and my work computer unless i carry one to the other place. phone and laptop is not enough. if i use my bag, both are gone. and i'd have to reset all devices if i ever want to add a new one.
at that point i am more afraid to lose access through stupidity than through theft.
My solution for TOTP/HOTP 2FA (aka "Google Authenticator"-2FA) is quite simple:
I print out the QR codes used to activate the 2FA, and keep them in a safe. That way I can always re-activate the 2FA on a new device, and it's still just as secure (because, if an attacker can break into my home and break open the safe, they could just as well take my phone with them)
Not entirely certain but support staff definitely turned it off for me once I lost my phone number.
So why do I use 2fa for github? Because organizations require it.
Authy allows backups though I've never tested this.
I also keep recovery codes for critical services in case all else fails (just don't forget to NOT put that behind 2FA cos circular dependency)
There are other potential threat models though that would require a re-enter of the 2FA code to be safe, such as cookie theft, or temporary computer compromise. Both of these though seem less likely of attacks.
This is not an insignificant consideration. Companies track support calls (call volume - and their reported reason, is monitored closely) as a matter of business. I have heard companies going back on enabling two/multi-factor auth, once realizing support volume goes up. (Which is silly, because of course it goes up compared to not if you didn't allow it before.)
If you ever thought Microsoft is an incoherent mess, Sony is even more so, just without any clue when it comes to modern software, UX or security concepts. The PSN experience is pretty much the state of ten years ago with security features tacked on to fix the hacks, but little more.
Edit: it might also be a great way to "hide" an account once it's been acquired. Just pay $5 to rename it once you've removed all the friends.
I can't say I'm not surprised. What a mess.
Have to say, every time it worked flawlessly from the console itself.
Can't speak for the mess of Microsoft, but regarding features Sony was ahead of Microsoft for several years. But the last 1 to 2 years it feels like Microsoft is actually ahead. Things like making X360 games backwards compatible is a huge plus for me. If only all of my friends would think like that and move to the Xbox as well :/
If anyone has attempted to break into my bank accounts or my Google account, I never noticed. (My Gmail account is used for TFA for most of my other accounts, so I would expect it to be a target.)
You know what accounts I have had attacked? There have been dozens and dozens of attempts to access my Steam account by someone who figured out my password, but didn't have access to my email to receive a confirmation code. (Mostly, but not always, from Chinese IP addresses.) Someone else successfully compromised my OkCupid account and apparently used it to advertise escort services. Apparently someone else got into my Snapchat account and sent spam to all my contacts.
In particular, SMS has been a notoriously strong attack vector for _years_, and companies played catch-up very slowly. Maybe it's still offered because phones in the developing world don't have much space for Google Authenticator or something, but that's a stretch.
We do our best to apply strict and fair rules, but some cases still get evaluated on a balance of merits and history.
I can also safely say that customers who struggle to enter their date of birth consistently see 2FA schemes as an insurmountable barrier.
These are 1% issues but the volume grows linearly with user base, unlike other support issues which we can automate away or use the ecosystem to assist. I haven’t yet found a way to deal with these cases that scales any better, and I just know it’s going to be a marginal cost issue later.
(I don’t think any of this applies to the case in this article, no sympathy for Sony’s dismal support)
Enabling 2FA isn't going to stop hackers from accessing user data if the hackers hack Sony (what happened before). I fail to see the connection between 2FA and Sony being breached.
Game-hackers also buy the accounts so they can get around being banned from online games, but considering the price mentioned this sounds more like a big game library account.
Sounds like the suggestion is to first change the email from the original owner's to yours. Then, sign up the original owner's email as a Japanese account.
At the time, Microsoft's customer service told me it was impossible for them to return accounts that had been moved internationally. They claimed that they literally didn't have the technical ability to do so, but that they'd file a ticket with engineering.
I figured the account was gone.
To my great surprise, three months later I got CC'd on an email from an engineer closing the ticket, followed by an email from Microsoft customer support with temporary account credentials to reclaim the username. And... that was that. No further follow-up, just "we fixed the system, and now we can transfer your account back to you."
As for bypassing 2FA: there is, at least in Germany, a way for any online company to have the real identity of the user proven. It's called "PostIdent" and works by having you go with your ID card to a post office where it is checked. It's acceptable enough even for the strict regulatory frameworks for banks.
So the process could work like "okay, you are John Doe, and you want to re-establish control over your account with the ID 123456 by changing the primary email to firstname.lastname@example.org? Print out this voucher, pass PostIdent and we will modify your account".
The telecom companies also have more regulation and the stakes are higher for letting someone basically steal your number. It usually means they have a much stricter protocol for giving someone a new SIM card: they'll require a physical presence, they can actually call your phone to verify you aren't a fake, they'll require confirmation of card ownership or an ID for states/countries that have them.
Obviously it differs from provider to provider and time, but it'll start moving towards better security. 2FA has only recently gotten popular.
Too bad for Justin. I hope he gets it resolved.
That should be considered completely unacceptable, especially from a company that has had huge data breaches in the past. Sony should be bending over backwards to make this guy whole, not giving up.
ONE WEIRD TRICK - dirtbag companies HATE this - my mom (former lawyer) taught me that the way to get any company dragging its heels or otherwise being scummy about giving you what you paid for is to basically state what you want, followed by “...and if I do not get the product/service that I paid your company for, my next call will be to the State Attorneys General of the state of (where we’re from) and the state where you are incorporated, and we will be filing a claim of fraudulent business practices.”
9 times out of 10 that’ll be enough to get the gears moving. Legal compliance is almost always more expensive than fighting a customer on an issue, so they tend to give in rather quickly.
At the next main board meeting our Director got handed the letter with the comment "one for you to sort out" - which is why we set up an entire Pr1me 750 for that customer.
Don't do this.
> Once you threaten to sue, most Big Companies will stop talking to you
That would be fine. When I have threatened to sue someone and got no response, I will do the small claim as next step. One threat, one opportunity to resolve. More talking would enable more delays. No more communication from me aside from in writing from the court.
Generally gets a panicked phone response at speed and offering full settlement. I've had several expansive apology letters. A couple ignored the summons and waited for the default judgement before it got settled. Those were big, very well known companies, which could be pure coincidence. Most have asked "why did you sue?". Waiting for months to get that promised refund, whilst only getting excuses or lies, maybe? :)
Also I don’t tell the company I’m suing them. They could care less about me. I am however telling them THE STATE will be looking into their practices, which to them is much scarier and expensive than a disgruntled customer.
They also have some very annoying practices for their hardware. I borrowed a Sony digital camera from a relative for a roadtrip and the memory card broke down. To my dismay I realized I can't just put any old memory card in it, I have to put in a Sony one which costs 10x as much for 0 benefit.
Since then I also stopped buying any Sony products. I think they're just too big and too diversified to fail at this point. They don't have to care about their reputation at this point, the money just won't stop coming since they're so pervasive.