Slashdot Mirror


PSA: PlayStation Network Gets Two-Step Verification (arstechnica.com)

Consider this a public service announcement: Sony has (finally) added two-factor authentication to PlayStation Network accounts. If you're a PlayStation user and are reading this right now, you really should go set it up so that someone doesn't try to take over your account and steal your password. Ars Technica details how you can set up the new security features: "Turn on your PS4 and go to Settings -> PlayStation Network Account Management -> Account Information -> Security -> 2-Step Verification. You can also set it up through the web by logging into your PSN account on the web and going through the Security tab under the Account header. From there, on-screen instructions will walk you through the process of using a text message to confirm your mobile device as a secondary layer of security for your PSN account. Two-factor support is not available when logging on to older PlayStation systems, so Sony recommends you generate a 'device setup password' to help protect the PS3, Vita, or PSP." Two-factor authentication comes five years after hackers breached PSN's security and stole 77 million accounts.

42 comments

  1. PSA? by Anonymous Coward · · Score: 0

    Wtf, is this turning into a shitty random subreddit?

    1. Re:PSA? by sexconker · · Score: 0

      Yup. PSA, /. has stagnated.

  2. SMS-Based? Dear Flipping ${GOD}... by ewhac · · Score: 1, Insightful

    From there, on-screen instructions will walk you through the process of using a text message to confirm your mobile device as a secondary layer of security [ ... ]

    Fscking idiots. SMS is NOT SECURE! They had five years to work on the problem, and this is what they came up with?

    1. Re: SMS-Based? Dear Flipping ${GOD}... by Anonymous Coward · · Score: 0

      I'm sorry, but "fscking idiots" had me laughing. It took me fifteen whole minutes to work out fsck, and more to realize how to actually use it. And I'm not that bad at Linux.

  3. Text messages by Anonymous Coward · · Score: 0

    Are not 2FA. It's a joke to use them and call it upgrading security. Derpy phone companies gladly help the hackers activate their new device that gets your texts.

  4. Now they have my phone number by Anonymous Coward · · Score: 0

    So each time hackers break into the Sony user database and steal all the info, from now on they'll also get my mobile number. Good thinking.

  5. Now that I have the Two-Step... by magusxxx · · Score: 1

    ...Would someone please teach me the Charleston.

    --
    Care killed the cat, but satisfaction brought it back.
  6. Re:SMS-Based? Dear Flipping ${GOD}... by Anonymous Coward · · Score: 1

    So what if SMS is not secure?

    I'm seriously asking here, because I don't understand the problem. It might be trivial to listen in on the text messages that are being sent and received by phones in your vicinity, but how is an attacker supposed to do that from, say, 2,000 miles away from where your phone is? Is the protocol really so broken that towers blast out every text message everywhere, and then rely on everyone's phones to ignore the ones they should not be listening to?

  7. Re:SMS-Based? Dear Flipping ${GOD}... by ewhac · · Score: 2

    You can socially engineer a SIM redirect to a handset in your control. Once done, you get all the victim's SMS messages: https://www.wired.com/2016/06/...

  8. Re: SMS-Based? Dear Flipping ${GOD}... by Barefoot+Monkey · · Score: 1

    Thanks for sharing your experience, and congratulations on being one of today's lucky ten thousand :)

  9. from the five-days-too-late dept by MSG · · Score: 4, Informative

    Just days ago, NIST recommended that SMS no longer be used for authentication

    https://pages.nist.gov/800-63-...

    1. Re:from the five-days-too-late dept by rsmith-mac · · Score: 2

      Unfortunately it's the only two factor authentication system that's going to work for the public at large. It's a simple system that works with any and every cell phone on the market, with no need to (re)develop applications for multiple OSes, manage syncing those applications to a master server, and then handle user support issues when those applications break.

      The problem with "proper" security is that it works against the user. Long passwords that you can't remember, SecurID tokens that you never have when you need them, and finicky fingerprint readers that are too easily fooled by fakes. And in the end, all of this just gets subverted by social engineering, calling the help desk and convincing the rube on the other end to reset the account password. Unbreakable security fails at being friendly when faced with the fallibility of users, and at the same time it's only as strong as the weakest human who has control over it.

      The fact of the matter is that the only real threat to PSN users is going to be criminal gangs harvesting accounts en masse. A token two factor system, properly implemented, is going to be enough to stop that. It's security that's good enough. Otherwise you'll quickly discover first-hand how perfect can be the enemy of good.

      Which is not to say I advocate poor security. But so far no one has come up with a better way to do it. It has to be universally compatible and it has to handle user failures gracefully, and there are very few ways to do that.

    2. Re:from the five-days-too-late dept by Anonymous Coward · · Score: 0

      Don't let the Google Authenticator bother you. It really is a minute of work, depending on your download rates.

    3. Re:from the five-days-too-late dept by Anonymous Coward · · Score: 0

      It wouldn't kill Sony to generate a QR code for TOTP.

    4. Re:from the five-days-too-late dept by Anonymous Coward · · Score: 0

      Just days ago, NIST recommended that SMS no longer be used for authentication

      https://pages.nist.gov/800-63-...

      I see

    5. Re:from the five-days-too-late dept by bobdehnhardt · · Score: 1

      Check the app store for your smart phone of choice - the same one that's going to receive the SMS message. There are at least a dozen SecurID-style token apps that are easy to set up and use, work with multiple sites, and are free. Google Authenticator is my token of choice. It meets your criteria: universally compatible (or nearly so - I haven't found a place where I can't use it yet, but YMMV), and in my experience, handles user failures gracefully.

    6. Re:from the five-days-too-late dept by MSG · · Score: 1

      Let's add a summary from a Sophos blog:

      https://nakedsecurity.sophos.c...

      The problem with "proper" security is that it works against the user

      NIST guidelines:
      Favor the user. To begin with, make your password policies user friendly and put the burden on the verifier when possible.

      Long passwords that you can't remember

      NIST guidelines: Applications must allow all printable ASCII characters, including spaces, and should accept all UNICODE characters. We often advise people to use passphrases, so they should be allowed to use all common punctuation characters and any language to improve usability and increase variety... No composition rules. What this means is, no more rules that force you to use particular characters or combinations.

      so far no one has come up with a better way to do it.

      Says the guy who obviously hasn't read the guidelines they're criticizing.

  10. Nice try by SuperKendall · · Score: 2

    Like I'm going to actually use a link to PSN in an article about how insecure my PSN account is...

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  11. Re:SMS-Based? Dear Flipping ${GOD}... by WaffleMonster · · Score: 2

    I'm seriously asking here, because I don't understand the problem. It might be trivial to listen in on the text messages that are being sent and received by phones in your vicinity, but how is an attacker supposed to do that from, say, 2,000 miles away from where your phone is? Is the protocol really so broken that towers blast out every text message everywhere, and then rely on everyone's phones to ignore the ones they should not be listening to?

    Your description is not far off. But seriously, as you suggest, it would still be useful if you take the vendors' stated goals at face value.

    The problem here is that vendors don't really give a shit about "enhancing" security; they care about not being harassed constantly by customers contacting them and uttering those infamous words "I forgot my password". Managing password resets is costly, with aggregate cost estimated to be in the billions / year.

    What this means in the real world is that rather than enhancing security, the second factor is not additive. It isn't what you know + what you have. It is what you know OR what you have.

    Email has been used the same way for "verification" for decades... every system has an "I forgot" button you can press that enables you to reset your password or to send you an email with a verification code. Ditto for SMS.

    Before you know it your email account gets hacked, or you install an app and grant it permission to read/send SMS, and it gets your identity, uploads it to a criminal enterprise, and your "2FA" buzzword-laced second factor advertised as enhancing security becomes the reason you got owned.

    There is no shortcut, no quick fix, and no market-based incentive for vendors to give a fuck.

  12. Re:SMS-Based? Dear Flipping ${GOD}... by Anonymous Coward · · Score: 0

    Most people lose their email accounts before the PSN criminal activity takes place. This simple SMS authentication will stop the many usurped accounts from making purchases unbeknownst to the account holder. The problem isn't Sony's issue; it's the mega-corps behind the payment systems that should be the gatekeeper. It's the simplest place to put a block on anything that has access to your PayPal, bank, bitcoin et al. account, and will hinder all services from sucking your money away.

  13. Here we go again... by markdavis · · Score: 2

    >"will walk you through the process of using a text message to confirm your mobile device as a secondary layer of security for your PSN account"

    Please realize that all this is, is a way for businesses to capture your mobile phone number and then abuse it with marketing. Almost GUARANTEED. Any "security" that requires you to disclose your phone number is a HORRIBLE idea.

    1. Re:Here we go again... by tlhIngan · · Score: 1

      Please realize that all this is, is a way for businesses to capture your mobile phone number and then abuse it with marketing. Almost GUARANTEED. Any "security" that requires you to disclose your phone number is a HORRIBLE idea.

      Well, given the PS4's success, I can see the marketing team sitting at the table and saying they can milk their insecurity and get a whole pile of working cellphone numbers... for free! (Microsoft, alas, had implemented two-factors years ago and with the "failure" of the Xbone, presents less of a marketing surface).

      OTOH, when Sony gets hacked again (I'm starting to lose count), well, thieves now have a bunch of working cellphone numbers with which to taunt the account holders. Imagine waking up to 99,999 texts on your cellphone...

    2. Re:Here we go again... by Anonymous Coward · · Score: 0

      Blizzard has had my cellphone numbers (more than one) for their two-step verification system for over eight years... I've never gotten unwanted notices on them other than very occasional spam/phishing crap that I strongly doubt originated from the company.

    3. Re:Here we go again... by markdavis · · Score: 1

      I am glad there are still a few reputable companies still out there. But I believe them to be the minority.

  14. Stolen phone? by Anonymous Coward · · Score: 0

    How would this handle a stolen phone? Steam recently added a similar phone-based two-factor login, and I'm avoiding it because stealing my phone would be a lot easier than cracking my steam password, and I'm worried that stealing my phone would make it easier to get access to my steam account. My Steam account is worth more than my phone.

    Besides, wasn't the PSN attack somebody getting access to the servers and leaking personal information? Adding two-factor authentication to your PSN account is not going to make any difference whatsoever in that case. If they can leak your password, they can leak the key used to generate the two-factor codes. In most cases, it would actually be easier to get the two-factor key, as most two-factor models do not have the option of hashing the key (the server needs to access it every time it verifies a code). And that's assuming they are using some standard two-factor system like TOTP; if they rolled their own, we already know it's going to be insecure (it's Sony we are talking about).

  15. Advise you get a "throwdown phone" by Maxo-Texas · · Score: 2

    Because putting your phone number out there will probably pollute it and soon you'll be getting telemarketing calls 24x7 effectively killing the number.

    They'll promise to take care of your number but they'll sell it to a "business partner" or they'll lose the list due to poor security or when they go bankrupt it will be sold as an asset.

    I've had multiple email addresses and one phone number polluted like this so far. I don't trust 'em any more.

    --
    She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
  16. Open standard by DrYak · · Score: 1

    Best of all, the time-based OTP algorithm is open and well known, which means there are tons of other implementations besides Google's, most of them similarly free/gratis, and a lot of them free/libre.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  17. Re:SMS-Based? Dear Flipping ${GOD}... by Viewsonic · · Score: 1

    While this is true, it's still an extra layer, which means they/we are better off than where we were yesterday.

  18. Sony is the one I want protection from, though. by shess · · Score: 1

    I'm not really sure what the point of this would be. I'm currently unable to purchase new games using my credit card on my PSN account, because of some undefined error I'm not allowed to know. Adding a new credit card fails. PayPal fails. Tech support tells me I've entered my information incorrectly (without telling me what information is incorrect). Basically after years of working fine and no changes from my end, Sony has decided my money is no good. So if some Russian hacker wants to walk to Walgreens to buy a PSN cash card to upload to my account to purchase me some games, well, they should just go for it.

    [And Sony leaks all my information in bulk, no need to crack my login for that.]

  19. LOL by Anonymous Coward · · Score: 0

    If someone steals my PSN account, I'll just register another one.
    I only use PSN for updates.

    Oh, you gave Sony your credit card number? LOL. Sux2BU.

  20. Re:SMS-Based? Dear Flipping ${GOD}... by Anonymous Coward · · Score: 0

    You can socially engineer any victim to do anything if they are dumb enough. There is no technical solution to that problem.

  21. How does this prevent by Anonymous Coward · · Score: 0

    someone from hacking Sony again and stealing all my information from their servers? They just won't be able to use my account, but who cares. They can still steal my stuff from Sony. How about Sony upping their security posture at the corporate level before worrying about the endpoints.

  22. I better act quickly, then... by MrNiceguy_KS · · Score: 1

    ...if I'm going to hijack the PSN account some guy set up using my gmail address. I wonder if Sony's bothered to start sending a test message to confirm email addresses on new accounts yet.

    A few months ago, I commandeered a Twitter account that was linked to my email. I did manage to resist the temptation to screw around with some 64-year-old woman's match.com account. Doesn't anybody check these things?

    --
    Redundancy is good And also good.
  23. Stuck in time by Anonymous Coward · · Score: 0

    I'm probably never moving to PS4, so it sucks that the PS3 is not supported. I've invested too much buying games directly through PSN. I figure Sony can give me a PS4 console and I can rebuild my library, or they can give me the PS4 versions of the games I have bought through PSN for my PS3. I just can't see having to pay out of my pocket for both. If I'm buying through their store I feel they should give me the same game for the newer console, because I just don't have the funds to buy the console and rebuild my library.