Slashdot Mirror


PSA: PlayStation Network Gets Two-Step Verification (arstechnica.com)

Consider this a public service announcement: Sony has (finally) added two-factor authentication to PlayStation Network accounts. If you're a PlayStation user and are reading this right now, you really should go set it up so that someone doesn't try to take over your account and steal your password. Ars Technica details how you can set up the new security features: "Turn on your PS4 and go to Settings -> PlayStation Network Account Management -> Account Information -> Security -> 2-Step Verification. You can also set it up through the web by logging into your PSN account on the web and going through the Security tab under the Account header. From there, on-screen instructions will walk you through the process of using a text message to confirm your mobile device as a secondary layer of security for your PSN account. Two-factor support is not available when logging on to older PlayStation systems, so Sony recommends you generate a 'device setup password' to help protect the PS3, Vita, or PSP." Two-factor authentication comes five years after hackers breached PSN's security and stole 77 million accounts.

7 of 42 comments

  1. Re:SMS-Based? Dear Flipping ${GOD}... by ewhac · Score: 2

    You can socially engineer a SIM redirect to a handset in your control. Once done, you get all the victim's SMS messages: https://www.wired.com/2016/06/...

  2. from the five-days-too-late dept by MSG · Score: 4, Informative

    Just days ago, NIST recommended that SMS no longer be used for authentication.

    https://pages.nist.gov/800-63-...

    1. Re:from the five-days-too-late dept by rsmith-mac · Score: 2

      Unfortunately it's the only two-factor authentication system that's going to work for the public at large. It's a simple system that works with any and every cell phone on the market, with no need to (re)develop applications for multiple OSes, manage syncing those applications to a master server, and then handle user support issues when those applications break.

      The problem with "proper" security is that it works against the user. Long passwords that you can't remember, SecurID tokens that you never have when you need them, and finicky fingerprint readers that are too easily fooled by fakes. And in the end, all of this just gets subverted by social engineering, calling the help desk and convincing the rube on the other end to reset the account password. Unbreakable security fails at being friendly when faced with the fallibility of users, and at the same time it's only as strong as the weakest human who has control over it.

      The fact of the matter is that the only real threat to PSN users is going to be criminal gangs harvesting accounts en masse. A token two-factor system, properly implemented, is going to be enough to stop that. It's security that's good enough. Otherwise you'll quickly discover first-hand how perfect can be the enemy of good.

      Which is not to say I advocate poor security. But so far no one has come up with a better way to do it. It has to be universally compatible and it has to handle user failures gracefully, and there are very few ways to do that.

  3. Nice try by SuperKendall · Score: 2

    Like I'm going to actually use a link to PSN in an article about how insecure my PSN account is...

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley

  4. Re:SMS-Based? Dear Flipping ${GOD}... by WaffleMonster · Score: 2

    >"I'm seriously asking here, because I don't understand the problem. It might be trivial to listen in on the text messages that are being sent and received by phones in your vicinity, but how is an attacker supposed to do that from, say, 2,000 miles away from where your phone is? Is the protocol really so broken that towers blast out every text message everywhere, and then rely on everyone's phones to ignore the ones they should not be listening to?"

    Your description is not far off. But seriously, as you suggest, it would still be useful if you take the vendors' stated goals at face value.

    The problem here is that vendors don't really give a shit about "enhancing" security; they care about not being harassed constantly by customers contacting them and uttering those infamous words: "I forgot my password". Managing password resets is costly, with aggregate cost estimated to be in the billions per year.

    What this means in the real world is that, rather than enhancing security, the second factor is not additive. It isn't what you know + what you have. It is what you know OR what you have.

    Email has been used the same way for "verification" for decades: every system has an "I forgot" button you can press that enables you to reset your password or sends you an email with a verification code. Ditto for SMS.

    Before you know it, your email account gets hacked, or you install an app and grant it permission to read/send SMS, it gets your identity and uploads it to a criminal enterprise, and your "2FA" buzzword-laced second factor advertised as enhancing security becomes the reason you got owned.

    There is no shortcut, no quick fix, and no market-based incentive for vendors to give a fuck.
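    The "AND collapses to OR" point in this comment, together with the SIM-redirect observation in comment 1, can be checked mechanically with a small capability model. This is an added example, not code from any commenter or from Sony; the rules, the capability names (`password`, `sim_control`, `email_access`) and the recovery paths are constructed assumptions about a generic SMS-2FA account, not a description of PSN's actual implementation.

```python
from itertools import combinations

# Constructed model: each rule reads "holding all of `needs` also grants `grants`".
LOGIN_RULES = {
    # the advertised design: what you know AND what you have
    "login": ({"password", "sms_code"}, "account_access"),
    # whoever receives the SMS (the SIM holder) has the code
    "sim_to_sms": ({"sim_control"}, "sms_code"),
}
# "I forgot my password" paths assumed for illustration
RECOVERY_RULES = {
    "forgot_password_sms": ({"sms_code"}, "password"),
    "forgot_password_email": ({"email_access"}, "password"),
}
BASE_CAPABILITIES = ("password", "sim_control", "email_access")


def closure(held, rules):
    """Forward-chain the rules until nothing new is derivable."""
    held = set(held)
    changed = True
    while changed:
        changed = False
        for needs, grants in rules.values():
            if needs <= held and grants not in held:
                held.add(grants)
                changed = True
    return held


def minimal_takeover_sets(rules, goal="account_access", base=BASE_CAPABILITIES):
    """Smallest base-capability sets from which `goal` is derivable.

    Supersets of an already-sufficient set are skipped, so the result is the
    list of weakest links an attacker would need to control.
    """
    found = []
    for size in range(1, len(base) + 1):
        for combo in combinations(base, size):
            s = frozenset(combo)
            if any(m <= s for m in found):
                continue
            if goal in closure(s, rules):
                found.append(s)
    return sorted(found, key=lambda s: (len(s), sorted(s)))


if __name__ == "__main__":
    print("login only:   ", minimal_takeover_sets(LOGIN_RULES))
    print("with recovery:", minimal_takeover_sets({**LOGIN_RULES, **RECOVERY_RULES}))
```

    Without recovery paths the only minimal set is {password, sim_control}; once password reset over SMS is allowed, {sim_control} alone suffices, which is exactly the collapse from AND to OR described above.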

  5. Here we go again... by markdavis · Score: 2

    >"will walk you through the process of using a text message to confirm your mobile device as a secondary layer of security for your PSN account"

    Please realize that all this is, is a way for businesses to capture your mobile phone number and then abuse it with marketing. Almost GUARANTEED. Any "security" that requires you to disclose your phone number is a HORRIBLE idea.

  6. Advise you get a "throwdown phone" by Maxo-Texas · Score: 2

    Because putting your phone number out there will probably pollute it and soon you'll be getting telemarketing calls 24x7 effectively killing the number.

    They'll promise to take care of your number but they'll sell it to a "business partner" or they'll lose the list due to poor security or when they go bankrupt it will be sold as an asset.

    I've had multiple email and one phone number polluted like this so far. I don't trust 'em any more.

    --
    She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.