
Is my PSN account hacked?

Do you use Gmail?

If you do, you don't need to change your email. Just add a +whatever to the email and it will go to your main email account. Example:

Email@gmail.com

Email+secretpsntext@gmail.com

Both will go to email@gmail.com

I can't believe more folks don't know about this. It's like having a second password for all of your accounts and you can use a different one for every site

I do this a lot as it makes spam filtering easier and you can see if you signed up for like Best Buy with a unique + identifier and start getting spam email to that specific identifier, you know they gave away your info.

How does this stop anything though? The +text email still has the actual email in it.
Seems like just an identifier and not an actual security increase.
 
Hope you get this sorted out quickly OP.

Is there a guide or list of things to do or info you need when contacting Sony?

I have 2FA turned on, it does seem strange that it is always PSN that is affected and not Xbox Live?
 
Hope you get this sorted out quickly OP.

Is there a guide or list of things to do or info you need when contacting Sony?

I have 2FA turned on, it does seem strange that it is always PSN that is affected and not Xbox Live?
It's sorted. OP should update first post:
Issue solved! I got help from the playstation support twitter (good service).

Password changed and 2-step verification on. They said I should also change my email for the PSN account, but that's a hassle.
 
Hope you get this sorted out quickly OP.

Is there a guide or list of things to do or info you need when contacting Sony?

I have 2FA turned on, it does seem strange that it is always PSN that is affected and not Xbox Live?

If you check places like Reddit you will usually find that Xbox Live has the same issue because obviously people not caring about their security much isn't exclusive to PSN. Now why do we have so many threads about PSN on Gaf these days? Simple answer really: there is not a whole lot of Xbox users on Gaf anymore. Back in the 360 days you had threads like this every other week too with people falling victims to the so called Fifa hack.
 
How does this stop anything though? The +text email still has the actual email in it.
Seems like just an identifier and not an actual security increase.

This helps introduce a level of security through obscurity; the only time this e-mail address is being used is when you log into PSN. If people trying to steal accounts do not know the e-mail address you're using they can't attempt to take over your account. The only way they're getting hold of this information is if you're tricked into typing it into a compromised web site or device, or data is stolen from Sony.

If you use a single e-mail address across everything that you do online then your e-mail address is a well known piece of information and easy to obtain owing to the extensive number of information leaks that have occurred over the years (or general availability of the information on sites you've made it public).

It's no replacement for 2FA but you're making things as difficult as you reasonably can to prevent someone accessing your account. Gmail makes this even easier as you don't even need separate accounts.
 
It's sorted. OP should update first post:

If you check places like Reddit you will usually find that Xbox Live has the same issue because obviously people not caring about their security much isn't exclusive to PSN. Now why do we have so many threads about PSN on Gaf these days? Simple answer really: there is not a whole lot of Xbox users on Gaf anymore. Back in the 360 days you had threads like this every other week too with people falling victims to the so called Fifa hack.

Ok thanks.

I have just set up 2FA for Live, I thought I had done it already, I did it last month on PSN when I first heard that it had been enabled, I mean is it best to leave the PS4 in rest mode (as many people seem to have)?

I am starting to get really worried now, I have a different long password for both PSN and Live (which is my main email) and 2FA on both accounts.

Why don't Sony, Microsoft, Nintendo, Steam, Uplay and EA/Origin work on an authentication app or something all in one instead of different things for each, the 2FA on Microsoft uses the Microsoft app on my Android phone and requires wifi to work, what if I don't have a connection, it doesn't use a text message system like PSN does, and what if I lose my phone? How do you activate the Microsoft app on a new phone, replacing your old one for example?

It is like you need a separate phone for use with 2FA and it's kept at home in a safe!

Wouldn't it be an idea to have something that you have to connect to the PlayStation or Xbox like a USB?

I have thought about setting up a new email for both PlayStation, Nintendo and Microsoft (Live) but I would rather use an email from my ISP, but I have no idea how you can change an Xbox from a Microsoft email.

This has been asked before by others I have seen, but I think it would be good if some top tech member here on GAF was able to have a thread explaining it all and the best way and options, I have looked at PSN, Live info before online and as usual it always seems to be different depending on where you look, also what information you need to have when contacting Microsoft, Sony and Nintendo etc, have sort of a guide of what to do and how to set it all up, have contact numbers listed (in one of those links in the text) and have the thread stickied for a month or so, so we can all help each other help each other, how many people here know about 2FA on PSN, as you have mentioned it's at least once a week we see a thread about this, I think I am pretty well covered, but I want to be sure I have done the best I can, I really think as a community GAF should try and make as many people aware as it can.

Just in reading this thread I have learnt that Amazon have 2FA also as well now! Where is it going to end!

Who/which Mod/Admin here would be the best to contact about this?
 
I got the same email but was just asked to reset my password when I went to login. Also, I am in North America but the email is from Sony Europe? Any official word from Sony on what exactly happened?
 
This helps introduce a level of security through obscurity; the only time this e-mail address is being used is when you log into PSN. If people trying to steal accounts do not know the e-mail address you're using they can't attempt to take over your account. The only way they're getting hold of this information is if you're tricked into typing it into a compromised web site or device, or data is stolen from Sony.

If you use a single e-mail address across everything that you do online then your e-mail address is a well known piece of information and easy to obtain owing to the extensive number of information leaks that have occurred over the years (or general availability of the information on sites you've made it public).

It's no replacement for 2FA but you're making things as difficult as you reasonably can to prevent someone accessing your account. Gmail makes this even easier as you don't even need separate accounts.

I don't think you understand what I'm saying.
The email itself is still inside the entire thing, just because there is a +text behind it doesn't mean your email is now suddenly obscured, the person after your data could just see oh right this is that gmail thing, remove the +text and then try to access the email as well.
So in a data leak your email will be listed as email+text@gmail.com, just remove the +text and you have the actual email, it doesn't really do anything.
 
I don't think you understand what I'm saying.
The email itself is still inside the entire thing, just because there is a +text behind it doesn't mean your email is now suddenly obscured, the person after your data could just see oh right this is that gmail thing, remove the +text and then try to access the email as well.
So in a data leak your email will be listed as email+text@gmail.com, just remove the +text and you have the actual email, it doesn't really do anything.

It does help a bit.

For example, let's say your GAF email is "email+neogaf@gmail.com" and your PSN is "email+psn@gmail.com". These are different logins for GAF and PSN. You can't log in to GAF or PSN with "email@gmail.com".

So let's say, GAF got their DB hacked. A hacker will go through all emails and passwords and try it on popular sites like PSN. When the hacker tries "email+neogaf@gmail.com", it won't work on PSN because it doesn't exist.

You still have to be aware of fake and phishing emails. Because like you said the real email is there (email@gmail.com).
 
It does help a bit.

For example, let's say your GAF email is "email+neogaf@gmail.com" and your PSN is "email+psn@gmail.com". These are different logins for GAF and PSN. You can't log in to GAF or PSN with "email@gmail.com".

So let's say, GAF got their DB hacked. A hacker will go through all emails and passwords and try it on popular sites like PSN. When the hacker tries "email+neogaf@gmail.com", it won't work on PSN because it doesn't exist.

You still have to be aware of fake and phishing emails. Because like you said the real email is there (email@gmail.com).

And it won't work either when you just use a password manager that makes strong and unique 30 character passwords. That shit is useless.
 
And it won't work either when you just use a password manager that makes strong and unique 30 character passwords. That shit is useless.

I agree. A unique long password per site is way better. But unique emails are not useless. I say less effective if you think that's all you need to protect yourself.

A login needs two things. A username/email (either or depending on the site) and a password. With one or the other, you're only halfway into getting in so why not make it even harder for the hacker.
 
Maybe using these + email addresses would help with social engineering. Wouldn't a rep ask for your email and you would need to know the + to get it correct?
 
Remember when I said I had 2fa...

I started the progress of it, but it looks like I never actually finished it for some reason. My bad. Called Sony support and spent 30 minutes on hold before getting it solved in 10 min, then setup and activated 2fa.
 
I don't think you understand what I'm saying.
The email itself is still inside the entire thing, just because there is a +text behind it doesn't mean your email is now suddenly obscured, the person after your data could just see oh right this is that gmail thing, remove the +text and then try to access the email as well.
So in a data leak your email will be listed as email+text@gmail.com, just remove the +text and you have the actual email, it doesn't really do anything.
It's not there to stop people getting your email, if somebody manages to get hold of your email then they have your email, irrelevant of the format that particular email address takes.

In terms of security email addresses are not just email addresses, they're also used to authenticate logging into websites in the same way that a secret username would.

With a randomly diceware generated email address the email address would take this sort of form..
Code:
sneAKy.25.foRename.huntsMan.3.jove.bogoTa.52.boy@gmail.com

If that email address was obtained by somebody that was unauthorised they would also obtain access to a part of your login authentication for any site that you've used that email address on. To reduce the issues caused by somebody getting hold of that email address you can use gmail plus-addressing to ensure that each and every website that you log into has a unique email to log in.

To do this you would add more non-identifiable diceware text after the plus so that you would end up with something along these lines...
Code:
sneAKy.25.foRename.huntsMan.3.jove.bogoTa.52.boy+unleArn.4.writeup.liTaNy@gmail.com
This way, even if somebody does get hold of your email address it means that your log in details for websites are still hidden. As with anything else, it doesn't give you total security but to brute force just the gmail plus-addressing addition of..
Code:
unleArn.4.writeup.liTaNy
...adds an additional 5,000,000,000,000,000,000,000,000,000 years just for those few characters, according to How Secure is My Password.

However, if somebody was using plus-addressing in a more representational way, such as +psn, +xboxlive, +steam, etc then it's going to reduce the security, particularly once they've worked out the format that you use. It's still going to be better than not plus-addressing but I would recommend against it. If you're going to do it, do it properly.
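
The per-site plus-tag scheme discussed in this thread, as an added example that is not part of any post: it derives an unguessable tag for each site, shows that the base mailbox is still recoverable from a tagged address, and maps a tagged recipient back to the site it was given to. The function names, the HMAC-based derivation (swapped in for the diceware words above) and the demo secret are assumptions made for illustration.

```python
import base64
import hashlib
import hmac

def site_tag(master_secret: bytes, site: str, length: int = 16) -> str:
    """Derive a reproducible, non-guessable plus-tag for one site (assumed scheme)."""
    digest = hmac.new(master_secret, site.lower().encode(), hashlib.sha256).digest()
    # Base32 yields only letters and digits 2-7, all safe in an e-mail local part.
    return base64.b32encode(digest).decode().lower()[:length]

def site_address(master_secret: bytes, mailbox: str, site: str) -> str:
    """Build the unique login address to register with one site."""
    local, domain = mailbox.split("@", 1)
    return f"{local}+{site_tag(master_secret, site)}@{domain}"

def split_plus(address: str):
    """Return (base mailbox, tag). The base mailbox is always recoverable."""
    local, domain = address.rsplit("@", 1)
    base, _, tag = local.partition("+")
    return f"{base}@{domain}".lower(), tag.lower()

def attribute_leak(master_secret: bytes, recipient: str, known_sites):
    """Name the site whose tag appears in the recipient of an unexpected mail."""
    _, tag = split_plus(recipient)
    for site in known_sites:
        expected = site_tag(master_secret, site)
        if hmac.compare_digest(tag.encode(), expected.encode()):
            return site
    return None  # no tag, or a tag this secret never issued

# Constructed sample data: demo secret, mailbox and site names.
DEMO_SECRET = b"constructed-demo-secret"
SITES = ["psn", "neogaf", "bestbuy"]

if __name__ == "__main__":
    for s in SITES:
        print(s, site_address(DEMO_SECRET, "email@gmail.com", s))
    spam_recipient = site_address(DEMO_SECRET, "email@gmail.com", "bestbuy")
    print("tag belongs to:", attribute_leak(DEMO_SECRET, spam_recipient, SITES))
```

A guessable tag such as `+psn` returns `None` from `attribute_leak` here because it was never issued by this scheme.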
 
Remember when I said I had 2fa...

I started the progress of it, but it looks like I never actually finished it for some reason. My bad. Called Sony support and spent 30 minutes on hold before getting it solved in 10 min, then setup and activated 2fa.
Good on you for admitting it :)

2FA was never really going to change the incidence of people losing control of their PSN accounts, because the sort of people who enable 2FA don't reuse username/password combinations among multiple sites. It's the latter practice that leads to nearly all of these account hijackings, after one of those other sites gets breached.
 