'Why I Bid $700 For a Stolen PSN Account'

Patrick Klepek tells the story of a PlayStation Network user who had their 13-year-old account stolen via what appears to be a social engineering scheme against Sony. Klepek managed to track it down and start negotiating for its release. An anonymous Slashdot reader shares an excerpt from the report: 1,200. That's how much someone is asking for a PlayStation Network account I've been investigating for the past few weeks. "Secure," the person calls it, claiming the account will "never be touched" by the original owner again. "He won't be getting it back," they claim. More than a thousand dollars? That's a little rich for my blood, and so I counteroffer: $700. "Btc?" they respond, accepting my bid. (BTC refers to bitcoin. The majority of transactions like this take place using cryptocurrency; it's generally harder, but not impossible, to trace.) I didn't purchase the account, of course. But I could -- anyone could, if they only knew where to look. This account wasn't on a shady market because someone was clumsy with their digital security. They had a strong password and two-factor authentication. When they were notified about problems with their account, they called Sony and asked for help. Despite all this, despite proving their identity over and over, they lost access to their PSN account, including any trophies earned or any games purchased. It was gone...well, sort of. The original owner no longer had access, but this person -- the individual asking for $1,200 but who quickly and without hesitation dropped to $700 -- did.
[...]
More than likely, Sony itself is a victim of a clever social engineering scheme, in which a user, or series of users, repeatedly spammed their representatives, until it found someone willing to accept the limited information they did have, and calculated the system would eventually lock the account in their favor. Even a "failed" social engineering attempt can be a success, if the person calling comes away with new information about the account. Every company in the world can fall victim to social engineering, as there are no true fail safes. But Sony's setup seems especially ripe for it. Why didn't the system get flagged as "sensitive" sooner? Why can a user flip off two-factor authentication over the phone? How can an account get abandoned, when it's still active? There are ways Sony could have prevented this from happening. In the end, the original account owner was magically handed the account. "Sony promised that they were going to set it up so no reps could make any changes," the account owner said, "but they are still investigating how this happened."

Sony's security is not such good

[sentiblue]

Don't you have to make credit card payments to PSN? And by having credit card statement, can't they just use your credit card number to confirm who owns the account? The fact that the hacker guarantees the original owner cannot get it back leads me to believe that Sony hasn't done a good enough job.

Re:Sony's security is not such good

[Calydor]

Except the trophies, achievements or whatever you choose to call it aren't meaningless to the individual player. In many cases there may be a quick association to the moment of getting especially the rarer and harder achievements, which is no different than looking through a photo album. Would you call photo albums meaningless? To the person involved with the photos, I mean, not the world at large.

Re:Sony's security is not such good

[TheLongshot]

You don't if you buy gift cards. In fact, after the last hack, I didn't trust Sony with my credit card info, so all of my payments I made on PSN were through cards.

Re:Sony's security is not such good

[AmiMoJo]

Some games aren't available as physical copies. You have to buy them through PSN.

Boycotting Sony isn't much of an option. Aside from PS4 exclusives, the XBOX is the same and while Nintendo seems to be slightly better with the Switch it doesn't get a lot of the games that the other two do.

This is an area that needs some regulation. As people move to buying software online (and it is buying, even if they try to claim it's licencing) they should have the same rights as they have when buying physical software. If the service dies or loses their account details they need some rights to get back what they lost or compensation.

In fact it should go further for physical purchases too. Loss of functionality must be compensated, e.g. turning off online play servers after only a couple of years.

And something needs to be done about banning consoles and accounts permanently.

Re:Sony's security is not such good

[h33t+l4x0r]

Boycott Sony? You might as well ask gamers to boycott oxygen.

Re:Sony's security is not such good

[apoc.famine]

Boycotting Sony isn't much of an option.

Why not? I've been doing it for a decade or more now. Seems to be working fine for me.

Re:Sony's security is not such good

[epine]

Boycotting Sony isn't much of an option.

Sure, you can boycott Sony. But to make this effective in reducing your exposure, it probably involves boycotting most of the gaming industry, as a whole.

If you're a gamer, you've probably heard a term for this: collateral damage. Welcome to Collateral Damage. Please enjoy your stay. Amenities available: the great outdoors, and old school shit like that.

I was an avid game in the 1990s and I purchased a system to be able to run Microsoft software to be able to run a favourite game.

Worst decision I ever made. It should have been a Linux or BSD box. End of story. And all those hours should have been invested in mastering bash (or zsh) instead of mastering spin, strafe, jump, grapple in a single motion.

What A Beautiful Mind failed to explain about John Nash: it's never just a single containing matrix.

For every matrix you solve, another enclosing matrix springs into being. You solve one matrix about being shit on by a single software vendor, another matrix springs into being about being shit on by an entire software segment.

As WOPR once said, sometimes the only winning move is to not play.

Sure, you care about your virtual trophies, and the immense skill you cultivated in achieving those. But you didn't have to choose to go down that path in the first place. Many other paths would have offered comparable thrills, and some of those were probably far more on your own terms. But now you have sunk cost because you did go down that path, and your next move is dominated (in the game theoretic sense) because you are 100% committed to accepting a local frame stacked against your desires.

Jordan Peterson says start by cleaning up your own bedroom.

The sooner you jettison local frames stacked against your own interests, the sooner your life will track a better slope.

I got involved as a sports fan for a while. It was a great Petri dish to explore human cognition. But then my favourite resource disappeared behind a paywall. Sure, I could pay. But now the discussion is limited to include only those people who choose to pay. The group structure is now inherently different. It's no longer such a great Petri dish for me to explore human cognition (having become far more captive and insular). I have no hard feelings about this.

But I decided to blow my cherished franchise off, rather than follow it into the paywall penumbra. Is this a stable penumbra, or just an incubating umbra waiting to swallow me whole? Why should I risk an eventuality of that nature, entirely outside of my own control. Lesson learned, way back in the 1990s.

Soon enough, of course, I found other rewarding activities which now occupy those energies. And I'm certainly not the worse off for it. There was a three month period where I felt a bit mopey, because I missed the familiar context for injecting ludicrous things with a long inside-baseball group context. That can't be replaced overnight.

There are many box-control business models out there. I'm now loyal to none of these, and I never will be again.

If only I had a time machine, that's one message I would surely send to my younger self making foolish choices back in the 1990s.

Dear younger self:

I know you get a completely unreasonable joy from the simultaneous spin, strafe, jump, grapple frag, but trust me, it's a trap. I know you think shell script was designed by a colony of drunken monkeys, but trust me, it's NOT a trap. All you do in the shell is construct strings, fork/exec, and test exit codes to control program flow. Yes, some of the quoting rules in complex commands are Unix's version of Microsoft's DLL hell. Get over it. You'll thank me later.

With chagrin,
your pathetic older self

[*] P.S. every quotation mark should be two instances of a 32-character random nonce, never to be ever used again. That's how you make nested quoting work without exponential escape growth. You'l

Re:Sony's security is not such good

[Gr8Apes]

Except the trophies, achievements or whatever you choose to call it aren't meaningless to the individual player. In many cases there may be a quick association to the moment of getting especially the rarer and harder achievements, which is no different than looking through a photo album. Would you call photo albums meaningless? To the person involved with the photos, I mean, not the world at large.

I guess this is where I part ways with the current games. I could care less about "trophies" or "achievements". I play games for fun and interest. I also suppose this is why my last triple A game purchase was created more than a decade ago, instead going with smaller shops and indie offerings. I don't care to grind through endlessly repetitive actions for a "trophy" that claims I did 'x' 1000[0[0]]+ times in bronze/silver/gold no less, because the color on screen makes it worth more!!!!

Re:Sony's security is not such good

[commodore64_love]

>Would you call photo albums meaningless?

Photo albums show my family, and family is far far more important than some stupid trophies I got in Final Fantasy 11

Most people want poor security

[FeelGood314]

Usually any extra security you add is going to hurt legitimate people who forgot their password/login. These people out number the crooks and a large army of them will be very upset if they can't reset their account with minimal effort. It's a balancing act for customer support but better to lose one account and restore 100 users who have are having trouble. Those support calls cost a lot and there is limited profit potential from them. Don't expect this problem to be fixed or even improve anytime soon.

Social Engineering Blues

[mentil]

Marking individual accounts as 'likely to be attempted to be hijacked' doesn't fix the broader problem, which is hardly exclusive to Sony. Surely security doesn't need to fly out the window when you call a helpdesk? Attackers being able to obtain bits of info about an account could be stopped by these interactions being handled by a chatbot, and programmed to not give up that info.
So long as 'I forgot my password' or 'my 2FA got lost/broken' can work on administrators, then those security features can be bypassed. As phone scams have proven, people are really bad at detecting scams when talking over the phone. Sending notifications to the account and to all the on-file contact methods for the account e.g. "click here if you don't want your password reset, you have 24 hours" is imperfect, if you happen to not log in or check messages, such as if you're out of town or you just don't use the account often. Not sure what the solution to this is, aside from some perfect unduplicatable identity verification.

He should sue Sony

[Alain+Williams]

Sony have deprived him of goods (ie games) that he has paid for. Sony was scammed, but that is not the user's problem, he seems able to demonstrate that the scam was not caused by something that he did wrong. In the UK he could take them to the small claims court - which is quick and easy. Yes: Sony's lawyers would get involved but they would need to convince a judge that they are not liable.

Re: No PSN accounts in FEDERAL PRISON

[crypticedge]

She's been investigated by corrupt republicans for over 35 years trying to force fake charges to stick without so much as a single charge being filed against her.

He's been fined 3x for money laundering for the Russian Mafia since 2005. He was also fined in 2006 for money laundering for the bank of Iran, who used that money to fund ISIS.

Doesn't quite seem on the same level.

Re: No PSN accounts in FEDERAL PRISON

3# They've been contributing for over a decade anonymously. I've been here for 16 years and never created an account. I've had AC posts rated up to +5 for Insightful, Informative and Funny. It's not cowardice, I just want my posts to be interpreted free of assumptions about me caused by reading my posting history.

Reading between the lines and guessing from writing style, there's a lot of people doing similar.

Also, ACs don't get bot spam replying to every post they create, unlike people who piss off APK, the GNAA guy or the Russian troll that hates C Reimer.

My son had his Steam account stolen

[BenJeremy]

It took way too long to get it back, but suffice it to say, for a service whose TOS claims you can't trade or sell accounts, they seemed happy to ignore the fact that the password, e-mail and language changed, and the users IP moved to Russia. I'd think a simple check on that would be enough to say "You are right, here's your account back, set it up for 2-factor and never screw up again"

Instead, we had to go back and forth, feeding them product keys used in the account in a back-and-forth that had a 24 hour+ turnaround time (their side) and took a couple of weeks. Meanwhile, some punk in Russia had bought my son's account (worth well over $3000 at the time), and probably was out a couple hundred bucks when we got it back.