Slashdot Mirror

← Back to Stories (view on slashdot.org)

PSA: PlayStation Network Gets Two-Step Verification (arstechnica.com)

Posted by BeauHD on from the five-years-too-late dept.

Consider this a public service announcement: Sony has (finally) added two-factor authentication to PlayStation Network accounts. If you're a PlayStation user and are reading this right now, you really should go set it up so that someone doesn't try to take over your account and steal your password. Ars Technica details how you can set up the new security features: "Turn on your PS4 and go to Settings -> PlayStation Network Account Management -> Account Information -> Security -> 2-Step Verification. You can also set it up through the web by logging into your PSN account on the web and going through the Security tab under the Account header. From there, on-screen instructions will walk you through the process of using a text message to confirm your mobile device as a secondary layer of security for your PSN account. Two-factor support is not available when logging on to older PlayStation systems, so Sony recommends you generate a 'device setup password' to help protect the PS3, Vita, or PSP." Two-factor authentication comes five years after hackers breached PSN's security and stole 77 million accounts.

19 of 42 comments (clear)

  1. SMS-Based? Dear Flipping ${GOD}... by ewhac · · Score: 1, Insightful

    From there, on-screen instructions will walk you through the process of using a text message to confirm your mobile device as a secondary layer of security [ ... ]

    Fscking idiots. SMS is NOT SECURE! They had five years to work on the problem, and this is what they came up with?

    --
    Editor, A1-AAA AmeriCaptions
  2. Now that I have the Two-Step... by magusxxx · · Score: 1

    ...Would someone please teach me the Charleston.

    --
    Care killed the cat, but satisfaction brought it back.
  3. Re:SMS-Based? Dear Flipping ${GOD}... by Anonymous Coward · · Score: 1

    So what if SMS is not secure?

    I'm seriously asking here, because I don't understand the problem. It might be trivial to listen in on the text messages that are being sent and received by phones in your vicinity, but how is an attacker supposed to do that from, say, 2,000 miles away from where your phone is? Is the protocol really so broken that towers blast out every text message everywhere, and then rely on everyone's phones to ignore the ones they should not be listening to?

  4. Re:SMS-Based? Dear Flipping ${GOD}... by ewhac · · Score: 2

    You can socially engineer a SIM redirect to a handset in your control. Once done, you get all the victim's SMS messages: https://www.wired.com/2016/06/...

    --
    Editor, A1-AAA AmeriCaptions
  5. Re: SMS-Based? Dear Flipping ${GOD}... by Barefoot+Monkey · · Score: 1

    Thanks for sharing your experience, and congratulations on being one of today's lucky ten thousand :)

  6. from the five-days-too-late dept by MSG · · Score: 4, Informative

    Just days ago, NIST recommended that SMS no longer be used for authentication

    https://pages.nist.gov/800-63-...

    1. Re:from the five-days-too-late dept by rsmith-mac · · Score: 2

      Unfortunately it's the only two factor authentication system that's going to work for the public at large. It's a simple system that works with any and every cell phone on the market, with no need to (re)develop applications for multiple OSes, manage syncing those applications to a master server, and then handle user support issues when those applications break.

      The problem with "proper" security is that it works against the user. Long passwords that you can't remember, SecurID tokens that you never have when you need them, and finicky fingerprint readers that are too easily fooled by fakes. And in the end, all of this just gets subverted by social engineering, calling the help desk and convincing the rube on the other end to reset the account password. Unbreakable security fails at being friendly when faced with the fallibility of users, and at the same time it's only as strong as the weakest human who has control over it.

      The fact of the matter is that the only real threat to PSN users is going to be criminal gangs harvesting accounts en masse. A token two factor system, properly implemented, is going to be enough to stop that. It's security that's good enough. Otherwise you'll quickly discover first-hand how perfect can be the enemy of good.

      Which is not to say I advocate poor security. But so far no one has come up with a better way to do it. It has to be universally compatible and it has to handle user failures gracefully, and there are very few ways to do that.

    2. Re:from the five-days-too-late dept by bobdehnhardt · · Score: 1

      Check the app store for your smart phone of choice - the same one that's going to receive the SMS message. There are at least a dozen SecurID-style token apps that are easy to set up and use, work with multiple sites, and free. Google Authenticator is my token of choice. It meets your criteria: universally compatible (or nearly so - I haven't found a place were I can't use it yet, but YMMV), and in my experience, handles user failures gracefully.

    3. Re:from the five-days-too-late dept by MSG · · Score: 1

      Let's add a summary from a Sophos blog:

      https://nakedsecurity.sophos.c...

      The problem with "proper" security is that it works against the user

      NIST guidelines:
      Favor the user. To begin with, make your password policies user friendly and put the burden on the verifier when possible.

      Long passwords that you can't remember

      NIST guidelines:Applications must allow all printable ASCII characters, including spaces, and should accept all UNICODE characters.. We often advise people to use passphrases, so they should be allowed to use all common punctuation characters and any language to improve usability and increase variety... No composition rules. What this means is, no more rules that force you to use particular characters or combinations

      so far no one has come up with a better way to do it.

      Says the guy who obviously hasn't read the guidelines they're criticizing.

  7. Nice try by SuperKendall · · Score: 2

    Like I'm going to actually use a link to PSN in an article about how insecure my PSN account is...

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  8. Re:SMS-Based? Dear Flipping ${GOD}... by WaffleMonster · · Score: 2

    I'm seriously asking here, because I don't understand the problem. It might be trivial to listen in on the text messages that are being sent and received by phones in your vicinity, but how is an attacker supposed to do that from, say, 2,000 miles away from where your phone is? Is the protocol really so broken that towers blast out every text message everywhere, and then rely on everyone's phones to ignore the ones they should not be listening to?

    Your description is not far off. But for serious as you suggest it would still be useful if you take the vendors stated goals at face value.

    The problem here is that vendors don't really give a shit about "enhancing" security they care about not being harassed constantly by customers contacting them and uttering those infamous words "I forgot my password". Managing password resets is costly with aggregate cost estimated to be in the billions / year.

    What this means in the real world is rather than enhancing security the second factor is not additive.. It isn't what you know + what you have. It is what you know OR what you have.

    Email has been used the same way for "verification" for decades... every system has an "I forgot" button you can press that enables you to reset your password or to send you an email with a verification code. Ditto for SMS.

    Before you know it your email account gets hacked or you install an App and grant it permission to read/send SMS gets your identity uploads it to a criminal enterprise and your "2FA" buzzword laced second factor advertised as enhancing security becomes the reason you got owned.

    There is no shortcut.. no quick fix... and no market based incentive for vendors to give a fuck.

  9. Here we go again... by markdavis · · Score: 2

    >"will walk you through the process of using a text message to confirm your mobile device as a secondary layer of security for your PSN account"

    Please realize that all this is, is a way for businesses to capture your mobile phone number and then abuse it with marketing. Almost GUARANTEED. Any "security" that requires you to disclose your phone number is a HORRIBLE idea.

    1. Re:Here we go again... by tlhIngan · · Score: 1

      Please realize that all this is, is a way for businesses to capture your mobile phone number and then abuse it with marketing. Almost GUARANTEED. Any "security" that requires you to disclose your phone number is a HORRIBLE idea.

      Well, given the PS4's success, I can see the marketing team sitting at the table and saying they can milk their insecurity and get a whole pile of working cellphone numbers... for free! (Microsoft, alas, had implemented two-factors years ago and with the "failure" of the Xbone, presents less of a marketing surface).

      OTOH, when Sony gets hacked again (I'm starting to lose count), well, thieves now have a bunch of working cellphone numbers to which to taunt the account holders. Imagine waking up to 99,999 texts on your cellphone...

    2. Re:Here we go again... by markdavis · · Score: 1

      I am glad there are still a few reputable companies still out there. But I believe them to be the minority.

  10. Advise you get a "throwdown phone" by Maxo-Texas · · Score: 2

    Because putting your phone number out there will probably pollute it and soon you'll be getting telemarketing calls 24x7 effectively killing the number.

    They'll promise to take care of your number but they'll sell it to a "business partner" or they'll lose the list due to poor security or when they go bankrupt it will be sold as an asset.

    I've had multiple email and one phone number polluted like this so far. I don't trust'em any more.

    --
    She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
  11. Open standard by DrYak · · Score: 1

    Best of all, the Time based OTP algorithm is open and well known, which means there are tons of other implementation beside google's, most of them similarly free/gratis, and a lot of them free/libre.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  12. Re:SMS-Based? Dear Flipping ${GOD}... by Viewsonic · · Score: 1

    While this is true, it's still an extra layer, which means they/we are better off than where we were yesterday.

  13. Sony is the one I want protection from, though. by shess · · Score: 1

    I'm not really sure what the point of this would be. I'm currently unable to purchase new games using my credit card on my PSN account, because of some undefined error I'm not allowed to know. Adding a new credit card fails. PayPal fails. Tech support tells me I've entered my information incorrectly (without telling me what information is incorrect). Basically after years of working fine and no changes from my end, Sony has decided my money is no good. So if some Russian hacker wants to walk to Walgreens to buy a PSN cash card to upload to my account to purchase me some games, well, they should just go for it.

    [And Sony leaks all my information in bulk, no need to crack my login for that.]

  14. I better act quickly, then... by MrNiceguy_KS · · Score: 1

    ...if I'm going to hijack the PSN account some guy set up using my gmail address. I wonder if Sony's bothered to start sending a test message to confirm email addresses on new accounts yet.

    A few months ago, I commandeered a Twitter account that was linked to my email. I did manage to resist the temptation to screw around with some 64-year-old woman's match.com account. Doesn't anybody check these things?

    --
    Redundancy is good And also good.