
My PSN was hacked 3 weeks ago, so Sony disabled access to every game I own on PS4.

Griss

Member
Is two factor authentication the one that uses your phone?

As I have two phone numbers (I use one for about half the year and the other for the other half etc) and live abroad (where texts from USA/Ireland typically don't get through, or can take hours) that's pretty useless for me.

Wish there was another way.
 

Night.Ninja

Banned
PS4 is 2x the userbase of Xbox so more chances of these happening

also makes PSN accounts a bigger target

what are you two talking about

Is two factor authentication the one that uses your phone?

As I have two phone numbers (I use one for about half the year and the other for the other half etc) and live abroad (where texts from USA/Ireland typically don't get through, or can take hours) that's pretty useless for me.

Wish there was another way.

Can't you use email?
 

timmyp53

Member
Anyone who doesn't have access to a mobile phone number in 2017 is probably too poor to have a valuable PSN account.
 

Whide

Member
Yeah, I got hacked in August and the hacker bought a game with my paypal account. I did a chargeback before I knew Sony would suspend the account if I did that...
Now I've been trying to get it back for months but haven't been able to get it unsuspended. I could try Customer Support by phone which could probably work but I have seriously intense social anxiety and just can't muster the courage to talk to them.
And I had a lot of games on my account. I made a big mistake not using 2FA. :(
 

Zarth

Member
I was hacked sometime in mid to late 2016. They deactivated my primary and I actually continued on like normal because I was still able to use my licenses.

I found out a few weeks later when my former primary started rejecting its licenses on my wife's login.

Sony was not helpful and it took multiple calls just to do something as simple as get my primary restored. I also became locked out of my digital games for a few days in the process (without warning) and Sony wouldn't help with that. Fortunately it fixed itself.

Sony has a real problem going on both with their Customer Support and Security. If 2FA is really required they should be BLASTING users that do not have it enabled until they turn it on. Like how you cannot login to Steam or Google without it bothering you about it.
 

Night.Ninja

Banned
Yeah, I got hacked in August and the hacker bought a game with my paypal account. I did a chargeback before I knew Sony would suspend the account if I did that...
Now I've been trying to get it back for months but haven't been able to get it unsuspended. I could try Customer Support by phone which could probably work but I have seriously intense social anxiety and just can't muster the courage to talk to them.
And I had a lot of games on my account. I made a big mistake not using 2FA. :(

You need to call them. So what did you do buy a new ps4 and repurchase all the games?
 

Admodieus

Member
Out of all the big players, I only feel comfortable with EA and Microsoft support in a scenario like this.

Also, Sony should really offer support for an app for 2FA. SMS is not as secure as you think it is.
 

Ponn

Banned
Is two factor authentication the one that uses your phone?

As I have two phone numbers (I use one for about half the year and the other for the other half etc) and live abroad (where texts from USA/Ireland typically don't get through, or can take hours) that's pretty useless for me.

Wish there was another way.

You can use google voice. Anyone without a phone can.

Here's the thing about this topic, for me it's not victim blaming but just apathy. Sony did advertise 2FA when it released, I even got email about it

"But I didn't get email or see that"

Ok well you are a gaffer and we talk about 2FA in every my psn was hacked thread which is weekly.

"Well I don't read every thread"

We just had a thread with big bold lettered saying 2FA PSN PSA Reminder that was on the front page for several days

"Well I don't visit GAF all the time"

Well you are now

" Yea but what if I don't have a phone that texts"

Use google voice

"Yea but..."

The excuses will never stop because humans being humans. Sony could send everyone a free phone and make 2FA mandatory and people would still find excuses or more likely a large chunk of users upset they are being forced to enable it. Hackers suck, they really do. And it's a pain in the ass that we have to secure our shit but it's not changing anytime soon.
 

AlanOC91

Member
2FA is the most absolute anti-hacking device, right?

What if Sony makes it that 2FA is mandatory for every PSN account? Is it possible?

Like, your account will be non-activated if you're not turning it on. Or it's an automatic process when someone makes an account.

For the most part yes. 2FA is extremely effective but not 100% anti hack.

Just before Christmas there was a string of high profile YouTubers who got hacked and they all used 2FA. I can't remember the details exactly but people rang their phone provider and pretended to be them and lo and behold, got access to everything. Emails, YouTube account and more.
 
I made an account for my dad on my PS4 a few weeks back and they straight up banned it for being compromised. I got a random email that my account was changed. Luckily no credit cards or anything was tied to it. I made it for my dad so he can use Netflix, Youtube, etc. I tried calling Sony and found out, and wanted to get it back on as I used one of my emails and didn't want to do a brand new one. They said it would take time to unlock and I would give a email to with a temp password, but nothing came of it. I got tired of waiting so I registered the email with a different ID again.

I keep hearing more and more of this, which begs the question, why did Sony take so damn long for 2 factor? My main account is fine, had it since the PS3 came out and I did turn on 2 factor. Still, 2 factor wasn't introduced til last year which is pretty damn sad. You would think when the millions of accounts were compromised years ago on PSN they would have been faster on this.
 

Night.Ninja

Banned
the more popular console is a bigger target for trying to access accounts. it's pretty simple

xbox live has 48m active users and your xbox live account is also a microsoft account god knows accounts that could be.

The problem is Sony are not doing enough to make people enable 2FA, every time I bought something with my Xbox account I got hounded about 2FA to the point I just ended up enabling it. But hey
 

Jotaka

Member
If this tells me my email is fine, does that mean my PSN and any other accounts tied to the email are also fine?

I only have a PS3 and Vita atm, how do I set up the two step protection?

To be honest... If your e-mail doesn't show up it only means that there isn't an easily accessible/public/well-known hacked database with your info in the wild. I am damn sure there are database hacks NOT shared on the dark web.
 

icespide

Banned
xbox live has 48m active users and your xbox live account is also a microsoft account god knows accounts that could be.

The problem is Sony are not doing enough to make people enable 2FA, every time I bought something with my Xbox account I got hounded about 2FA to the point I just ended up enabling it. But hey

I'm not in any way arguing that Sony are top notch security experts or that there isn't more they could be doing to prevent cases like these.
 

Boss Man

Member
I honestly did not know there was two-factor authentication on PSN.

I'm surprised that the attitude here is so much of 'serves you right'.
Sony defense force. Same thing happened to me here when I posted about witnessing my account trying to be hacked and that was before Sony even implemented two factor auth as an option (which was recent).
 

Rellik

Member
Then you use one of your backup codes.

If you don't save these then you have to go through support and provide photo ID and proof of number. They can't edit the number in 2FA either. They have to deactivate it.

Source: Me

Yeah, I got hacked in August and the hacker bought a game with my paypal account. I did a chargeback before I knew Sony would suspend the account if I did that...
Now I've been trying to get it back for months but haven't been able to get it unsuspended. I could try Customer Support by phone which could probably work but I have seriously intense social anxiety and just can't muster the courage to talk to them.
And I had a lot of games on my account. I made a big mistake not using 2FA. :(

I'm terrible with anxiety on phones as well but I realised it was the only way I was going to get real support, so I phoned them up and I had some Aussie dude who was really cool and did a great job explaining things to me. But YMMV
 

Reallink

Member
Do you not have wifi in your house? You can't send text or talk without being on wifi in my house but when connected to wifi i get text, send text and can do wifi calling.

A metric shit ton of Android devices don't support wifi calling, or won't support it on your particular carrier. Many many people who live in cell dead spots are fucked with Sony, they literally have no option to use 2FA. If they get hacked I'm sure the SDF will tell them it's their fault, they should have moved.
 

barit

Member
Does it need to be a smartphone? Wouldn't any phone that receives texts work?

Yes. You can even use a cheap PrePaid Handy that costs nothing more than $10 or so. It's a poor excuse imo for not having 2FA. Especially in 2017.

And sorry OP but I don't believe you that your PW was that unique and strong. I got hacked too back in the day when D3 launched with RMAH and that was solely because I used just one PW for all my accounts. It was the time when a wave of chinese hackers hit Blizzard and many many accounts were compromised. That was my learning lesson and since that day I use really unique and strong PW for my most important accounts (PayPal, Amazon, PSN etc.) and have never been hacked again. Strange tho that Blizzard had zero problems of bringing back my account. One email was enough. They just checked the IP of the last login. Saw it was from China and said "Yeah okay you got owned, be more careful next time. Thx and bye".

It's fucking nuts that a big company like Sony can't do this too. Heck, even damn Google warns you when someone from China or from any other country that is not yours tries to get access to your account. It's pathetic. Get your shit together Sony.

I know all that won't help you at the moment OP but maybe in the future you take internet security more seriously.
 

Zoe

Member
2FA is the most absolute anti-hacking device, right?

What if Sony makes it that 2FA is mandatory for every PSN account? Is it possible?

Like, your account will be non-activated if you're not turning it on. Or it's an automatic process when someone makes an account.
I hope they don't make it required. That would be a mess for people with accounts in multiple regions.
 

test_account

XP-39C²
Long post incoming.

I work in Cybersecurity. Incident response. Think malware and APT group attacks.


It's bad. There's plenty of password theft that companies don't know about so doesn't get reported to the various sites (like the owned site). A lot of places don't know they are hacked for years (look at Yahoo). Forum accts and such are ripe pickings for this, for example.

If it's not that, it's a keylogger / backdoor Trojan on their computer or phone. Most people don't even know they are infected.

If not those, CPU/GPU power and cloud computing has gotten ubiquitous enough to crack passwords over time. I'm sure there are groups out there trying to break into some accounts once a day from rotating IPs. If you do that to enough known email addresses, using a rainbow table or the like, you'll likely get in eventually.


You need two-factor, at minimum, on any email account that has digital purchases on it. You should also have two-factor on those accts, really, if you don't want some random CC charges you'll have to tangle with.

I actually have a reusable password I use for low-hanging fruit. Because I don't really care that much if one of my forum accts or the like are comped. Activity there will warn me my accounts under attack. But I don't use it on anything remotely important.

You don't need decent passwords on all your accounts. But you do on the accounts that you care about.

That said, everyone is being a bit mean to the OP. Most people don't keep up on this stuff. Power users are considered people who know how to do an Excel formula.

Inform and help, but I think derision is uncalled for. It sucks to have your stuff hacked. I had XBL happen years ago, before TFA (yes, it happens to them too). I kept close eye on those accts though and managed to get home and password reset my acct in about 15 min, but not before they had drained my PayPal account and overdrafted the acct it was associated with.

I agree the OP should check their email addy. Google and Microsoft have a recent activity section you can check to see what IPs have been accessing your acct.
Sure, I'm not ruling out what the reason can be. I'm just saying that we don't really know, it can be anything. So to call the security really weak doesn't have much basis because the issues can be elsewhere. But hopefully as few as possible of these cases will happen.
 

joecanada

Member
I will never purchase a digital game on my PS4 with Sony's fucking atrocious security situation.

No one has ever been "hacked" on PSN. If you have your passwords stolen that's a common occurrence for any online retailer. I had my CC "hacked" but never PSN. And I didn't have two factor authentication on my CC either lol.
 

leburn98

Member
Anyone who doesn't have access to a mobile phone number in 2017 is probably too poor to have a valuable PSN account.

Or they simply do not have a use for one. My uncle is home based government worker and as a result has no need for a mobile. To be honest, if I didn't need one for my job I wouldn't have one either. Why pay for something you have no need for? For the $10-15 a month I would need to pay to keep my phone activated, I would rather use those funds towards my other hobbies.

With that said, Google Voice is an option for 2FA for those without mobile.
 

Cynar

Member
My PSN account was hacked three weeks ago.
It had a unique password but it did not have two-factor-authentication.
For someone who has thousands of pounds of software you didn't protect it well. This is going to be a headache for you to resolve and it could've been avoided. I would be more sympathetic for you but you assume no fault for not fully securing your account. Sony needs to force 2FA on people because it seems there are those not responsible enough to set it up and to blame the company when this happens.
 

leburn98

Member
I will never purchase a digital game on my PS4 with Sony's fucking atrocious security situation.

No one has ever been "hacked" on PSN. If you have your passwords stolen that's a common occurrence for any online retailer. I had my CC "hacked" but never PSN. And I didn't have two factor authentication on my CC either lol.

Are you new to PlayStation? Do you not remember the great 2011 PlayStation Network outage? It was only one of the largest data security breaches in history. Given the 2011 PSN outage and the 2014 Sony Pictures hack, I can't blame anyone for having slight trust issues with Sony. Personally, I only use gift cards, seldom buy digital games and use 2FA.
 
I honestly did not know there was two-factor authentication on PSN.

I'm surprised that the attitude here is so much of 'serves you right'.

Same. Thanks to your thread I just enabled mine and took my credit card off my payment methods.

Hope things work out on your end.
 

wig

Member
I've been putting off activating 2FA for a while now but thanks to this post, I just activated it. Better to be safe than sorry.

I hope that you're able to get your account back OP. Good luck.
 

joecanada

Member
Are you new to PlayStation? Do you not remember the great 2011 PlayStation Network outage? It was only one of the largest data security breaches in history. Given the 2011 PSN outage and the 2014 Sony Pictures hack, I can't blame anyone for having slight trust issues with Sony. Personally, I only use gift cards, seldom buy digital games and use 2FA.

Of course I remember it. And not one account theft was linked to that particular breach. Passwords are stolen all the time however. Which is why changing passwords and 2fa exist. Hacking your PSN sounds as though some high tech group is forcing itself into Sony and stealing your stuff. Someone simply logging in with your own password is pretty loose definition of being hacked. Do I say visa was hacked when my cc was stolen online?
 

Head.spawn

Junior Member
Of course I remember it. And not one account theft was linked to that particular breach. Passwords are stolen all the time however. Which is why changing passwords and 2fa exist. Hacking your PSN sounds as though some high tech group is forcing itself into Sony and stealing your stuff. Someone simply logging in with your own password is pretty loose definition of being hacked. Do I say visa was hacked when my cc was stolen online?

"Simply logging in" on my account would send off email/text notification alerts for most of my other relevant modern service accounts. Anytime there is a new log in from a new location, browser or device etc etc, that is the norm, like bare minimum security effort for years now.

I mean, let's be serious here... Sony JUST got 2FA a matter of months ago. They are lax on security and have been for a long time and have been called out on it over and over; their whole online infrastructure is just out of date in general. They could be doing a lot more.

I'm glad they finally have 2FA, but even then they could have plenty of other relevant forms besides SMS to give more options for users. I would personally vastly prefer 3rd party authentication, like Steam, Xbox, Ubisoft, and EA offer. I like my LastPass, locked down via master password, then authentication, I think I have SMS as well as my thumb print. There are plenty of options and like I said, it's cool they have SMS, but there is still a lot of room for improvement. Simply making it a part of the account making process would be a good start.

Then there is the matter of their support; which judging by most of the threads here, is nightmare fuel.
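
The new-login alerting described in the post above (a notification whenever a sign-in comes from a new location or device), as an added example that is not part of the original thread and is not Sony's or any vendor's code. The event fields, the `review_logins` name, the `confirm` event and the `ZZ` country code are all assumptions made for illustration.

```python
# Constructed sample events (not real PSN logs). A "confirm" event means the
# owner approved that country/device, e.g. via a link in the alert e-mail.
SAMPLE_EVENTS = [
    {"kind": "login", "account": "alice", "ok": True, "country": "IE", "device": "ps4-a1"},
    {"kind": "login", "account": "alice", "ok": True, "country": "IE", "device": "ps4-a1"},
    {"kind": "login", "account": "alice", "ok": False, "country": "ZZ", "device": "web-77"},
    {"kind": "login", "account": "alice", "ok": True, "country": "ZZ", "device": "web-77"},
    {"kind": "login", "account": "alice", "ok": True, "country": "IE", "device": "phone-b2"},
    {"kind": "confirm", "account": "alice", "country": "IE", "device": "phone-b2"},
    {"kind": "login", "account": "alice", "ok": True, "country": "IE", "device": "phone-b2"},
    {"kind": "login", "account": "alice", "ok": True, "country": "ZZ", "device": "web-77"},
    {"kind": "login", "account": "bob", "ok": True, "country": "US", "device": "ps4-c3"},
]


def review_logins(events):
    """Return alerts for logins from a country or device the owner never approved."""
    trusted = {}  # account -> {"country": set(), "device": set()}
    alerts = []
    for index, ev in enumerate(events):
        acct = ev["account"]
        known = trusted.get(acct)

        if ev["kind"] == "confirm":
            # Only an explicit owner confirmation extends the trusted sets.
            if known is not None:
                known["country"].add(ev["country"])
                known["device"].add(ev["device"])
            continue

        if known is None:
            # First successful login enrols the account; failures never create trust.
            if ev["ok"]:
                trusted[acct] = {"country": {ev["country"]}, "device": {ev["device"]}}
            continue

        reasons = [f"new_{key}" for key in ("country", "device")
                   if ev[key] not in known[key]]
        if reasons:
            alerts.append({
                "index": index,
                "account": acct,
                "reasons": reasons,
                # A successful login from an unapproved origin means the
                # password worked there, so it ranks above a failed attempt.
                "severity": "high" if ev["ok"] else "low",
            })
        # No auto-learning: an unapproved origin keeps alerting on every
        # login until the owner confirms it, so an intruder's device is
        # never silently added to the baseline.
    return alerts


if __name__ == "__main__":
    for alert in review_logins(SAMPLE_EVENTS):
        print(alert)
```
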
 

dock

Member
An update on this!
I got my PSN account back a few days ago!

The friends list was deleted and the hacker had even put a new address on the account, which I passed onto the police. I added 2FA and changed my email. I played an hour of Final Fantasy 7 yesterday.

Today, they have banned my account, and blocked me again. No explanation.

Fuck you, Sony.
 
An update on this!
I got my PSN account back a few days ago!

The friends list was deleted and the hacker had even put a new address on the account, which I passed onto the police. I added 2FA and changed my email. I played an hour of Final Fantasy 7 yesterday.

Today, they have banned my account, and blocked me again. No explanation.

Fuck you, Sony.

Have you contacted support?

You should probably also check/change your email password. If that's what's been hacked, that'll let someone easily use the password reset on any account it's linked to. It also gives them plenty of other information.

I'm still not clear how your PSN account being hacked gave them control over your Twitter account - other than letting them tweet from the console. I wouldn't think an app(PSN) OAuth token would let them log in on PC. But hey, I'm not a hacker.
 
An update on this!
I got my PSN account back a few days ago!

The friends list was deleted and the hacker had even put a new address on the account, which I passed onto the police. I added 2FA and changed my email. I played an hour of Final Fantasy 7 yesterday.

Today, they have banned my account, and blocked me again. No explanation.

Fuck you, Sony.
Yikes, keep us informed, assuming you're reaching out to Sony again?
 
I know this is an old thread, but after doing a lot of research online etc, I've found that the hacker who hit you, was the same one who has targeted me.

Wanted to see if anyone else has had this occur?

I've had my account since day one and yes, when hacked earlier this year I was one of those who'd failed to set up 2-Step Verification. After a lot of back and forths with Sony etc, account was reset, passwords changed, emails changed, 2-step set up. I thought everything was fine. Till I was randomly banned. Called up and got this sorted due to a supposed error on their side, then this morning I woke up to SMS verification codes and when I went to log into my PS4 to check, Invalid Sign in ID.

I called up Sony and spoke to them, they claimed no one had called up pretending to be me, last registered call was the one I had said I'd done. But the email address had been changed. I never received an email from Sony advising of this change like you normally would. It was all changed back and I set up a new address and password.

My concerns are, what could they be doing? Note the email address attached to my PSN was completely new and ONLY on the PS4. It is not written down, registered anywhere except on my phone and Sony. The Password is ONLY on the PS4 and written down. It is not stored anywhere electronically and all the email creation etc was done on a network that is highly secured.

I have created a new address and new password again, but anyone have any idea HOW they are doing this? How can they change the email ID and password without supposedly contacting Sony? Granted I question Sony's claims, but they said there was no activity on my account, nothing in their logs about contact except for my last call.
 