
How Sony Can Improve PSN Account Security

RexNovis

Banned
Rather than focus on who is or is not to blame for the various compromised PSN accounts, I think it would be better, and far more productive, to create a thread for suggestions on how Sony might improve account security on their platforms. So, here we are.

In today's world of shared logins and constant data breaches, it's clear it's no longer enough to ensure that your individual service is secure; you must also seek to protect people from themselves by providing them with every opportunity to take corrective action after their account may have been compromised. It's clear that a lot more could be done to help keep users' accounts secure. So, in the interest of improving their service, here are a few suggestions I think would be very beneficial to all parties involved:

  1. Send users an email any time someone logs into their account from a new device, with links to immediately reset their password and set up 2FA.

  2. Notify users by email when a new system is activated on their account and provide two links: one to deactivate said system and change their password if they did not add it, and another to set up 2FA on the account.

  3. Allow the creation of a unique PIN for use on all account purchases, both via dedicated hardware and online. Cross-reference the PIN with the existing account password to make sure there are no shared values.

  4. When setting up 2FA, automatically deactivate all existing consoles on the account, provide the user with a one-time-use master key for account access in case they misplace their phone, and prompt the user to activate their main system as primary, with instructions on how to do so.

  5. Allow the registration and use of various third-party 2FA programs to make the service more convenient and promote wider adoption. Alternatively, allow the use of email 2FA, or provide an option to use the PlayStation App as a 2FA service on smartphones.

  6. Provide users who use a password reset link with tips on how to create a secure password, and enforce stricter requirements on their new passwords, demanding at least 15 characters with at least 2 symbols, 2 numbers and 2 upper-case letters.

If they were to implement two or three of these, I'm sure it would help reduce the recent rampant run of compromised accounts.

Please use this thread to submit any suggestions or ideas you have on how account security could be improved going forward. Hopefully, given enough participation, we can get their attention and get some improvements made.
 

antibolo

Banned
Sony's 2FA implementation is the absolute laziest, most half-assed implementation ever. They really did the bare minimum to be able to claim "hey, we have 2FA now".

There's so much that should be improved that I wouldn't be able to figure out where to start.
 
Force all users to have two-factor. Make all passwords 15 characters minimum. No 3-character sequence from a prior password can be used in your current password.
 
I was hacked last night, but I was using a pretty old password on PSN, and with the number of breaches of various sites over the years I feel a good portion of the blame lies with me, given current internet practices. I really should have enabled 2FA (which I have since done) or at least updated my password.

All your suggestions are very good.

Speaking of which, I should look into using a password manager. Any recommendations GAF?
 

Afrocious

Member
I was hacked last night, but I was using a pretty old password on PSN, and with the number of breaches of various sites over the years I feel a good portion of the blame lies with me, given current internet practices. I really should have enabled 2FA (which I have since done) or at least updated my password.

All your suggestions are very good.

Speaking of which, I should look into using a password manager. Any recommendations GAF?

I use LastPass. I paid 20 bucks for the annual Premium subscription and haven't looked back. Premium allows mobile syncing.
 

guybrushfreeman

Unconfirmed Member
They should actively push people to turn on 2FA and work to improve it a bit. It would save them trouble as well. 2FA should drastically limit the hacks due to password reuse. Even Uplay pushes me to turn on 2FA when I sign in.
 

RexNovis

Banned
This will never stop as long as people keep making and reusing insecure passwords.

This is very true, but Sony could certainly be doing more to give users more opportunities to stop account fraud, mitigate damage and recover compromised accounts; hence this thread.
 

Coldsun

Banned
How would this work for people who don't have cellphones?

There's other forms of 2FA. Some systems have an option of using email as the secondary factor for 2FA. Granted it doesn't fit the notion of something you know and something you have, but still.
 

RexNovis

Banned
They should actively push people to turn on 2FA and work to improve it a bit. It would save them trouble as well. 2FA should drastically limit the hacks due to password reuse. Even Uplay pushes me to turn on 2FA when I sign in.

While I agree that they should be pushing 2FA, they should also be improving their implementation to help facilitate wider adoption. There are many people who have no interest whatsoever in tying 2FA to a cell phone number. Luckily there are lots of third-party 2FA apps and plenty of other 2FA options, like email 2FA or even USB key 2FA, that they could look into supporting as well. If they were to allow the user more options they would no doubt see more people adopting it. As it is now, I just don't think it's at an acceptable level to really force it on people, but if they expand it I could see it being something they could require for accounts going forward.
 

Lindsay

Dot Hacked
Have it call a landline and have it speak it to you.
That'd work as long as it's a robot call, lol. What with how notoriously bad Sony's support is said to be.

There's other forms of 2FA. Some systems have an option of using email as the secondary factor for 2FA. Granted it doesn't fit the notion of something you know and something you have, but still.
Ohhh, this would probably be good too.
 

Shai-Tan

Banned
Did LastPass have a big data breach this year, though?

I'll look into it though for sure, thanks.

No, several years ago they said there was suspicious activity on a server, but no evidence anything was done. And your database is only decrypted locally anyway.

Also, there is no need to subscribe to get passwords on mobile anymore.
 
People are still getting hacked with 2FA. I said it a month or two ago that it was a patchwork fix and the Sony zealots came defending. Still, here we are... do not put your CC info up there.
 

malfcn

Member
Require frequent password changes. This way, leaked accounts will become useless quicker.

However, I believe I've heard this tactic ends up with users creating weaker passwords.
 
People are still getting hacked with 2FA. I said it a month or two ago that it was a patchwork fix and the Sony zealots came defending. Still, here we are... do not put your CC info up there.

I am sorry, but until I see actual proof, I call BS. For 7 years my account has never been hacked; I never changed my password (which is unique to my PSN account) and I activated 2FA the moment it became available.
 
No, several years ago they said there was suspicious activity on a server, but no evidence anything was done. And your database is only decrypted locally anyway.

Also, there is no need to subscribe to get passwords on mobile anymore.

Ah, I'm not sure what I was thinking of. That sounds great, thanks for the info.
 

JC Lately

Member
Did LastPass have a big data breach this year, though?

I'll look into it though for sure, thanks.

There was a vulnerability discovered earlier this year in the LastPass add-on for Firefox that could conceivably allow someone to bypass your 2FA if you visited a website with the right kind of malicious code embedded.

It has long since been fixed.
 
Sony's 2FA implementation is the absolute laziest, most half-assed implementation ever. They really did the bare minimum to be able to claim "hey, we have 2FA now".

There's so much that should be improved that I wouldn't be able to figure out where to start.

Really, it would just be improving the 2FA. If I were Sony I would just be staring at the engineers going, "Seriously, you had to roll your own? You couldn't have used the TOTP/Google Authenticator standard like everybody else?"
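For readers who have not seen what "the TOTP/Google Authenticator standard" mentioned above actually involves, and for the OP's suggestions 4 and 5 (a one-time master key for when the phone is lost, and support for third-party authenticator apps), here is an added example implementing RFC 4226 HOTP and RFC 6238 TOTP with a replay-safe verifier, the otpauth:// provisioning URI that standard apps scan, and single-use hashed recovery codes. This is example code written for this thread, not Sony's or any authenticator app's code; the verification window of one step, the 64-bit recovery-code format and the issuer name are my own assumptions. The secret used in the stand-alone demo below is freshly generated; the assertions elsewhere use the public RFC test-vector secret.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote


def hotp(secret, counter, digits=6, algorithm="sha1"):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step). This is what Google Authenticator computes."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // step, digits)


def verify_totp(secret, code, at=None, step=30, digits=6, window=1, last_counter=None):
    """Accept a code for the current step or `window` steps either side (clock skew).

    Returns the accepted counter so the caller can persist it, or None. Any counter at or
    below `last_counter` is refused, so a code that was already used cannot be replayed
    inside the acceptance window.
    """
    if at is None:
        at = time.time()
    current = int(at) // step
    for delta in range(-window, window + 1):
        counter = current + delta
        if last_counter is not None and counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


def provisioning_uri(secret, account, issuer="ExampleService"):
    """otpauth:// URI that any standard authenticator app can enrol from (usually shown as a QR code)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")


def new_recovery_codes(count=8):
    """One-time backup codes for when the phone is lost: show the plaintext once, store only hashes.

    Each code carries 64 bits of randomness (assumed format: four groups of 4 hex chars), so a
    plain SHA-256 is acceptable here, unlike for a user-chosen password.
    """
    codes = ["-".join(secrets.token_hex(2) for _ in range(4)) for _ in range(count)]
    hashes = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
    return codes, hashes


def redeem_recovery_code(stored_hashes, submitted):
    """Consume a backup code: valid once, then removed from the stored set."""
    normalized = submitted.strip().lower().replace(" ", "")
    digest = hashlib.sha256(normalized.encode()).hexdigest()
    if digest in stored_hashes:
        stored_hashes.discard(digest)
        return True
    return False


if __name__ == "__main__":
    secret = secrets.token_bytes(20)   # per-user secret, kept server-side and shown once at enrolment
    print(provisioning_uri(secret, "player@example.com", "PSN-Example"))
    print("current code:", totp(secret))
    codes, stored = new_recovery_codes()
    print("backup codes (show once, then only the hashes remain):", codes)
    print("redeem first code:", redeem_recovery_code(stored, codes[0]),
          "again:", redeem_recovery_code(stored, codes[0]))
```

The design point this illustrates: nothing here is vendor-specific. Any app that implements the otpauth URI can enrol against such a server, which is exactly the "support third-party 2FA programs" ask. The replay check (storing the last accepted counter per user) is the part that home-grown implementations most often omit.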
 

RexNovis

Banned
People are still getting hacked with 2FA. I said it a month or two ago that it was a patchwork fix and the Sony zealots came defending. Still, here we are... do not put your CC info up there.

Who? You are spreading absolute nonsense. The only thread made with 2FA was by someone who set it up AFTER his account was already compromised. Your fearmongering about hacks is not helping to fix the situation; it's only leading to more confusion. Stop spreading misinformation.
 

Joni

Member
Those suggestions won't work for the same reason the current solution doesn't work: the users. Simple 2FA, which should be advertised on the login page, should be enough to stop any but the most targeted assaults. Even a strong unique password would stop 99% of these 'hacks'.

People are still getting hacked with 2FA. I said it a month or two ago that it was a patchwork fix and the Sony zealots came defending. Still, here we are... do not put your CC info up there.
The Sony implementation requires people to enter either the CVC when adding money or the complete credit card again when logging into a console, like a new PS3. Please explain how CC information could be abused. Certainly because every topic here was concerning PayPal.
 
If someone tries to log in more than 3 times with incorrect details, block them from being able to try again for 30 mins, and escalate upwards from there.

This would also help anyone who doesn't use 2FA and stop brute-force hacks on passwords.

Edit
And how about a competent fucking support team... they are fucking useless.
 

Paganmoon

Member
Sony's 2FA implementation is the absolute laziest, most half-assed implementation ever. They really did the bare minimum to be able to claim "hey, we have 2FA now".

There's so much that should be improved that I wouldn't be able to figure out where to start.

Sony's 2FA is the same system LinkedIn and Steam/Valve use. Actually, I'm sure Microsoft used this exact same system a few years back.
Not sure what's lazy about it. It's platform-independent, so no matter what phone you have, even non-smartphones can use it. Seems good to me.

If someone tries to log in more than 3 times with incorrect details, block them from being able to try again for 30 mins, and escalate upwards from there.

This would also help anyone who doesn't use 2FA and stop brute-force hacks on passwords.

Edit
And how about a competent fucking support team... they are fucking useless.

Accounts aren't getting compromised through brute force, most likely. Besides, there's CAPTCHA and other systems in place to prevent auto-trying lots and lots of passwords. That's a non-issue, imo.
 

Kthulhu

Member
Sony's 2FA implementation is the absolute laziest, most half-assed implementation ever. They really did the bare minimum to be able to claim "hey, we have 2FA now".

There's so much that should be improved that I wouldn't be able to figure out where to start.

Please do, because it's exactly the same as 90% of the 2FA that I use. The only services I use that have an app are Google, Discord, Snapchat and Twitter.
 

Dredd97

Member
People's accounts getting hijacked isn't the sole province of Sony, you know; this is more a warning that all online accounts can be hacked. 2FA makes it very difficult to do this.

Even Apple accounts got hacked before they implemented 2FA.
 