'Why I Bid $700 For a Stolen PSN Account' (vice.com)
Patrick Klepek tells the story of a PlayStation Network user who had their 13-year-old account stolen via what appears to be a social engineering scheme against Sony. Klepek managed to track it down and start negotiating for its release. An anonymous Slashdot reader shares an excerpt from the report: $1,200. That's how much someone is asking for a PlayStation Network account I've been investigating for the past few weeks. "Secure," the person calls it, claiming the account will "never be touched" by the original owner again. "He won't be getting it back," they claim. More than a thousand dollars? That's a little rich for my blood, and so I counteroffer: $700. "Btc?" they respond, accepting my bid. (BTC refers to bitcoin. The majority of transactions like this take place using cryptocurrency; it's generally harder, but not impossible, to trace.) I didn't purchase the account, of course. But I could -- anyone could, if they only knew where to look. This account wasn't on a shady market because someone was clumsy with their digital security. They had a strong password and two-factor authentication. When they were notified about problems with their account, they called Sony and asked for help. Despite all this, despite proving their identity over and over, they lost access to their PSN account, including any trophies earned or any games purchased. It was gone...well, sort of. The original owner no longer had access, but this person -- the individual asking for $1,200 but who quickly and without hesitation dropped to $700 -- did.
[...]
More than likely, Sony itself is a victim of a clever social engineering scheme, in which a user, or series of users, repeatedly spammed their representatives, until it found someone willing to accept the limited information they did have, and calculated the system would eventually lock the account in their favor. Even a "failed" social engineering attempt can be a success, if the person calling comes away with new information about the account. Every company in the world can fall victim to social engineering, as there are no true fail safes. But Sony's setup seems especially ripe for it. Why didn't the system get flagged as "sensitive" sooner? Why can a user flip off two-factor authentication over the phone? How can an account get abandoned, when it's still active? There are ways Sony could have prevented this from happening. In the end, the original account owner was magically handed the account. "Sony promised that they were going to set it up so no reps could make any changes," the account owner said, "but they are still investigating how this happened."
Re: (Score:1)
Re: (Score:3)
She's been investigated by corrupt republicans for over 35 years trying to force fake charges to stick without so much as a single charge being filed against her.
He's been fined 3x for money laundering for the Russian Mafia since 2005. He was also fined in 2006 for money laundering for the bank of Iran, who used that money to fund ISIS.
Doesn't quite seem on the same level.
Re: (Score:2)
And every single person who worked on Trump's campaign has been investigated, with several putting in plea deals, and over 80% being charged.
Also, Trump was still the only one out of the two to be fined for laundering money for criminals (a criminal act in and of itself)
Trump was also the only president in US history to commit treason.
Re: No PSN accounts in FEDERAL PRISON (Score:2)
As true as that may be, I still fear a world where all speech is censored much more. We just need a /. option to make AC posts not visible, and make it the default setting.
They post AC for basically 1 of 2 reasons.
1) they are using a mobile device and hate logging in practically every time they click a link from a response notification
2) they lack the spine to stand by whatever hateful, moronic, outlandish, or downright retarded bullshit they drivel.
#1 is a technological issue and could be fixed with devel
Re: No PSN accounts in FEDERAL PRISON (Score:2, Insightful)
#3 They've been contributing for over a decade anonymously. I've been here for 16 years and never created an account. I've had AC posts rated up to +5 for Insightful, Informative and Funny. It's not cowardice, I just want my posts to be interpreted free of assumptions about me caused by reading my posting history.
Reading between the lines and guessing from writing style, there's a lot of people doing similar.
Also, ACs don't get bot spam replying to every post they create, unlike people who piss off APK, the
Re: (Score:2)
We already are "dealt with". Started a few months ago when Slashdot added member posts start at +1
It's been that way for as long as I remember, and I've been here well over 10 years.
that wasn't enough though so they added +2 for some (maybe based on UID?).
It's based on "karma", which is having a large number of posts moderated up. In other words, once you've shown that you can make a positive contribution to discussions, you get an extra +1 bonus.
savedyouaclick: The guy didn't actually bid $700 (Score:1)
Dear article OP, the scammer wasn't accepting your bid... he was asking if you're a moron. (He was looking for idiots to pay him in untraceable currency.)
I'm guessing the scammer "sold" the account a few dozen times.
Re: (Score:2)
Pay, no, but.. it would cost several thousand pounds to re-acquire the games in my Steam library. You can bet there'll be action if I lose access to it.
Sony's security is not such good (Score:5, Insightful)
Re: (Score:2)
You shouldn't even need such an account. Buy your games somewhere other than the account and then you always have them. If you lose the account that keeps track of meaningless trophies, it's no big deal as you make a new one. If Sony is tying all your gaming to an account, then boycott them.
Re: (Score:3)
Except the trophies, achievements or whatever you choose to call it aren't meaningless to the individual player. In many cases there may be a quick association to the moment of getting especially the rarer and harder achievements, which is no different than looking through a photo album. Would you call photo albums meaningless? To the person involved with the photos, I mean, not the world at large.
Re: (Score:2)
Don't worry too much. Unlike your old photos, the internet's got a copy of the trophies [wikia.com] that you can check anytime.
Re: (Score:2)
Aye caramba!
Re: (Score:2)
Except the trophies, achievements or whatever you choose to call it aren't meaningless to the individual player. In many cases there may be a quick association to the moment of getting especially the rarer and harder achievements, which is no different than looking through a photo album. Would you call photo albums meaningless? To the person involved with the photos, I mean, not the world at large.
I guess this is where I part ways with the current games. I could care less about "trophies" or "achievements". I play games for fun and interest. I also suppose this is why my last triple A game purchase was created more than a decade ago, instead going with smaller shops and indie offerings. I don't care to grind through endlessly repetitive actions for a "trophy" that claims I did 'x' 1000[0[0]]+ times in bronze/silver/gold no less, because the color on screen makes it worth more!!!!
Re: (Score:2)
The achievements for the most part that I've run across (PC games only) tend to either be automatic achievements you can't help but earn if you finish the game, additional easter-egg type things that you may as well add to your TODO list, and stuff in DLCs so that you feel obligated to spend more money. I don't mind the TODO stuff myself and they can be fun (ie, finding how to destroy all the monitors in Portal 2, which you might not know is possible if it wasn't listed as an achievement).
Re: (Score:3)
>Would you call photo albums meaningless?
Photo albums show my family, and family is far far more important than some stupid trophies I got in Final Fantasy 11
Re: (Score:2)
The thing is I play a lot of online games with family, so we tend to get a lot of those rarer achievements at the same time.
Everyone's mileage may vary, of course.
Re: (Score:2)
You can re-earn achievements without much trouble. I know some platforms attach money to these, which I always thought was crazy.
(In Fallout 4 they pushed out a patch that prevented achievements if you used any mods, so the next day someone had a mod to re-enable achievements)
Re: (Score:3)
Some games aren't available as physical copies. You have to buy them through PSN.
Boycotting Sony isn't much of an option. Aside from PS4 exclusives, the XBOX is the same and while Nintendo seems to be slightly better with the Switch it doesn't get a lot of the games that the other two do.
This is an area that needs some regulation. As people move to buying software online (and it is buying, even if they try to claim it's licencing) they should have the same rights as they have when buying physical software.
Re: (Score:2)
Not really, it doesn't need 'regulation.'
The physical copy has real value, and always should have value above 'online purchased' copies.
If the game vendor wants the online copy to retain value better, that's their responsibility and they need to figure out what to do to keep the value up. It's not our responsibility as taxpayers to subsidize the 'value' of online purchases.
Re: (Score:3)
Boycotting Sony isn't much of an option.
Why not? I've been doing it for a decade or more now. Seems to be working fine for me.
Re: (Score:2)
I mean boycotting Sony isn't much of an option if you like to play video games.
The only other options are Microsoft who are just as bad, or Nintendo who don't have a lot of the games you want.
Re: (Score:2)
I'm not sure why you think Sony is the only developer putting out video games. Are you unfamiliar with the hundred or so other large developers? Or the thousands of small independent ones? The giant app market which is churning out games at a breakneck pace?
Seriously, I've not played a Sony game for a decade, and I am absolutely not hurting for gaming. Haven't even missed them, to be honest.
Re: (Score:2)
I know, I'm pointing out that many of the AAA games people want to play come out on the PS4 and XBOX. You might get Switch support, likely inferior due to its lower power but not always, in the case of games like Fortnite. And you might get a PC port, but then you need to buy and maintain an expensive gaming PC.
So really for a lot of people, especially kids, it's PS4 or XBOX. And XBOX isn't really any better in terms of security or having all your stuff tied to your account.
Re: (Score:2)
I mean boycotting Sony isn't much of an option if you like to play video games.
The only other options are Microsoft who are just as bad, or Nintendo who don't have a lot of the games you want.
Or, PC Master race.
Re:Sony's security is not such good (Score:4, Insightful)
Sure, you can boycott Sony. But to make this effective in reducing your exposure, it probably involves boycotting most of the gaming industry, as a whole.
If you're a gamer, you've probably heard a term for this: collateral damage. Welcome to Collateral Damage. Please enjoy your stay. Amenities available: the great outdoors, and old school shit like that.
I was an avid gamer in the 1990s and I purchased a system to be able to run Microsoft software to be able to run a favourite game.
Worst decision I ever made. It should have been a Linux or BSD box. End of story. And all those hours should have been invested in mastering bash (or zsh) instead of mastering spin, strafe, jump, grapple in a single motion.
What A Beautiful Mind failed to explain about John Nash: it's never just a single containing matrix.
For every matrix you solve, another enclosing matrix springs into being. You solve one matrix about being shit on by a single software vendor, another matrix springs into being about being shit on by an entire software segment.
As WOPR once said, sometimes the only winning move is to not play.
Sure, you care about your virtual trophies, and the immense skill you cultivated in achieving those. But you didn't have to choose to go down that path in the first place. Many other paths would have offered comparable thrills, and some of those were probably far more on your own terms. But now you have sunk cost because you did go down that path, and your next move is dominated (in the game theoretic sense) because you are 100% committed to accepting a local frame stacked against your desires.
Jordan Peterson says start by cleaning up your own bedroom.
The sooner you jettison local frames stacked against your own interests, the sooner your life will track a better slope.
I got involved as a sports fan for a while. It was a great Petri dish to explore human cognition. But then my favourite resource disappeared behind a paywall. Sure, I could pay. But now the discussion is limited to include only those people who choose to pay. The group structure is now inherently different. It's no longer such a great Petri dish for me to explore human cognition (having become far more captive and insular). I have no hard feelings about this.
But I decided to blow my cherished franchise off, rather than follow it into the paywall penumbra. Is this a stable penumbra, or just an incubating umbra waiting to swallow me whole? Why should I risk an eventuality of that nature, entirely outside of my own control. Lesson learned, way back in the 1990s.
Soon enough, of course, I found other rewarding activities which now occupy those energies. And I'm certainly not the worse off for it. There was a three month period where I felt a bit mopey, because I missed the familiar context for injecting ludicrous things with a long inside-baseball group context. That can't be replaced overnight.
There are many box-control business models out there. I'm now loyal to none of these, and I never will be again.
If only I had a time machine, that's one message I would surely send to my younger self making foolish choices back in the 1990s.
Dear younger self:
I know you get a completely unreasonable joy from the simultaneous spin, strafe, jump, grapple frag, but trust me, it's a trap. I know you think shell script was designed by a colony of drunken monkeys, but trust me, it's NOT a trap. All you do in the shell is construct strings, fork/exec, and test exit codes to control program flow. Yes, some of the quoting rules in complex commands are Unix's version of Microsoft's DLL hell. Get over it. You'll thank me later.
With chagrin,
your pathetic older self
[*] P.S. every quotation mark should be two instances of a 32-character random nonce, never to be ever used again. That's how you make nested quoting work without exponential escape growth. You'l
Re: (Score:2)
I got involved as a sports fan for a while. It was a great Petri dish to explore human cognition. But then my favourite resource disappeared behind a paywall. Sure, I could pay. But now the discussion is limited to include only those people who choose to pay. The group structure is now inherently different. It's no longer such a great Petri dish for me to explore human cognition (having become far more captive and insular).
Dude, you are waaaaay overthinking this. It's baseball. There's effectively no cognition involved. That's rather the point, as far as I can tell.
P.S. every quotation mark should be two instances of a 32-character random nonce, never to be ever used again.
Dude, you are way way way waaaaay overthinking this. Exponential escape growth is telling you to refactor your script into functions, or failing that, abandon shell script for a proper programming language. That rabbit hole you are digging at does not have a rabbit at the bottom of it. The burrow was abandoned long ago.
So stop whimpering that your clever multiply-nested commands have more backslash escape characters than a Jupiter-scale Pine Barrens on Ringworld after a small asteroid hull breach that doesn't clear the upper atmosphere. GET OVER IT you irritating shit.
And take your meds.
Re:Sony's security is not such good (Score:4, Funny)
Re: (Score:2)
Boycott Sony? You might as well ask gamers to boycott oxygen.
Sony is scum and has always been scum. If you love games, you have to hate Sony. If you love Sony, then you hate other gamers.
Re: Sony's security is not such good (Score:2)
Games purchased thru their store, DLC, and other add-ons are account based. Your annual subscription for PSN is also tied. It could be financially a mess if you have spent a lot of money on non tangible products and unlock codes.
I am not a fan of owning a game without a corresponding disk. Some games like Fortnite and Battlefront also do the whole 'buy gold' model to alter appearances or unlock weapons.
I could see how this could be a disaster if your identity got stolen. Possession is 9/10ths o
Re:Sony's security is not such good (Score:5, Interesting)
Re: (Score:1)
My credit card company lets me generate one-off card numbers (aka "shop safe"). I use those for merchants about whom I question their security chops.
Re: (Score:2)
You don't if you buy gift cards. In fact, after the last hack, I didn't trust Sony with my credit card info, so all of my payments I made on PSN were through cards.
Well, you got halfway there. You were supposed to just not trust Sony, full stop. That's the only sane response to their ongoing indifference towards security on PSN.
Re: (Score:2)
You can, but you don't have to. There are other ways.
Re: (Score:2)
Also, I'm not sure if the account people can get the full credit
Pay your Customer Service Reps more (Score:1)
Lesson to every company with phone/chat/email support:
PAY REPS MORE, AND QUIT PUSHING FOR PERFECT PRODUCTIVITY.
If you don't pay reps enough, they will simply not care, and when you push for higher productivity, you will get better productivity, at the cost of less attention paid to what is actually going on.
I shit you not, the one time I let a social engineering thing go, it was only caught by the fraud team because of the rapid succession in which the fraudster tried to do things with it. What would have m
Most people want poor security (Score:5, Insightful)
Re: (Score:2)
The standard method which makes it de facto impossible to trace is spreading the transactions out in smaller amounts. Cost of trace rapidly ramps up to be more expensive than amount of money to be recovered.
Re: (Score:2)
"BTC leaves an unbreakable cryptographic record"
Nothing is unbreakable.
Yawn. (Score:1)
Inside job.
Re: (Score:2)
If the original owner preferred digital, the account would be full of games tied to it.
So why not just spend the money on games?
Re: (Score:2)
If the original owner preferred digital, the account would be full of games tied to it.
So why not just spend the money on games?
I mean, I'm no economics major, but I'd venture a guess that the account was advertised as having more than the asking price worth of games tied to it.
Re: (Score:2)
Social Engineering Blues (Score:3)
Marking individual accounts as 'likely to be attempted to be hijacked' doesn't fix the broader problem, which is hardly exclusive to Sony. Surely security doesn't need to fly out the window when you call a helpdesk? Attackers being able to obtain bits of info about an account could be stopped by these interactions being handled by a chatbot, and programmed to not give up that info.
So long as 'I forgot my password' or 'my 2FA got lost/broken' can work on administrators, then those security features can be bypassed. As phone scams have proven, people are really bad at detecting scams when talking over the phone. Sending notifications to the account and to all the on-file contact methods for the account e.g. "click here if you don't want your password reset, you have 24 hours" is imperfect, if you happen to not log in or check messages, such as if you're out of town or you just don't use the account often. Not sure what the solution to this is, aside from some perfect unduplicatable identity verification.
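The delayed-reset control the comment above sketches, written out as an added example (hypothetical code, not Sony's or any vendor's system): a recovery request never takes effect immediately, every contact channel that was already on file is sent a cancel token, and the credential is rotated only after the 24-hour hold expires with no cancellation. Because the story's attacker "repeatedly spammed" support, a cancellation here also freezes further requests for a while instead of letting the attacker re-open one straight away. `RecoveryService`, `Account`, the constructed contact strings and the freeze period are all assumptions of this example.

```python
"""Delayed account recovery with an out-of-band cancellation window.

Hypothetical model of the control described in the comment above, not any
vendor's real implementation. Time is passed in as integer seconds so the
flow is deterministic and testable offline.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

HOLD_SECONDS = 24 * 60 * 60      # the "you have 24 hours" window from the comment
FREEZE_SECONDS = 7 * 24 * 60 * 60  # assumed cool-off after an owner cancels a request


@dataclass
class Account:
    user_id: str
    # Contact channels that were on file BEFORE any recovery request. A request
    # must never be allowed to add a channel, or the attacker would simply be
    # notifying themselves. Constructed sample values are used in the tests.
    contacts: list
    pending: Optional[dict] = None
    frozen_until: int = 0
    credential_version: int = 1


class RecoveryService:
    def __init__(self):
        # Messages "sent" to channels. A real service would hand these to an
        # email/SMS gateway; they are kept in memory here so the flow can be run.
        self.outbox = []

    def request_reset(self, account: Account, now: int) -> str:
        """Open a recovery request; nothing changes until the hold elapses."""
        if now < account.frozen_until:
            return "frozen"            # owner recently cancelled; do not let callers retry
        if account.pending is not None:
            return "already-pending"   # one request at a time, and no restarting the clock
        cancel_token = secrets.token_urlsafe(32)
        account.pending = {
            # Store only a hash so a database read cannot leak a usable token.
            "cancel_hash": hashlib.sha256(cancel_token.encode()).hexdigest(),
            "ready_at": now + HOLD_SECONDS,
        }
        for channel in account.contacts:
            self.outbox.append((channel, account.user_id, cancel_token))
        return "pending"

    def cancel(self, account: Account, presented_token: str, now: int) -> bool:
        """Any holder of an on-file channel can abort the request with its token."""
        if account.pending is None:
            return False
        digest = hashlib.sha256(presented_token.encode()).hexdigest()
        if not hmac.compare_digest(digest, account.pending["cancel_hash"]):
            return False
        account.pending = None
        account.frozen_until = now + FREEZE_SECONDS
        return True

    def apply_if_ready(self, account: Account, now: int) -> bool:
        """Rotate the credential only once the hold has expired uncancelled."""
        if account.pending is None or now < account.pending["ready_at"]:
            return False
        account.pending = None
        account.credential_version += 1
        return True


if __name__ == "__main__":
    svc = RecoveryService()
    acct = Account("u1", ["mail:owner@example.test", "sms:+15550100"])  # constructed
    print(svc.request_reset(acct, now=0))              # pending
    token = svc.outbox[0][2]                           # what the owner's email would carry
    print(svc.cancel(acct, token, now=3600))           # True: owner aborted it
    print(svc.request_reset(acct, now=3601))           # frozen: attacker cannot retry
```

The residual weakness the commenter names (an owner who is away and never sees the notice) is not solved by this design; the hold only converts a silent takeover into one the owner has a window to stop, and the freeze makes the "keep calling until someone says yes" tactic cost a week per attempt.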
He should sue Sony (Score:3)
Sony have deprived him of goods (ie games) that he has paid for. Sony was scammed, but that is not the user's problem, he seems able to demonstrate that the scam was not caused by something that he did wrong. In the UK he could take them to the small claims court - which is quick and easy. Yes: Sony's lawyers would get involved but they would need to convince a judge that they are not liable.
Re: (Score:2)
"Sony was scammed, but that is not the user's problem,"
Yet, it is the user's problem. That's the problem.
Re: (Score:2)
Sony have deprived him of goods (ie games) that he has paid for.
He only rented them for as long as Sony chose to allow. Banks now play this game also; when someone hacks the bank, it is *your* money and *your* identity which are stolen.
Re: (Score:2)
Their is perfectly fine from a grammar standpoint and has been used long before it was socially relevant.
My son had his Steam account stolen (Score:5, Interesting)
It took way too long to get it back, but suffice it to say, for a service whose TOS claims you can't trade or sell accounts, they seemed happy to ignore the fact that the password, e-mail and language changed, and the user's IP moved to Russia. I'd think a simple check on that would be enough to say "You are right, here's your account back, set it up for 2-factor and never screw up again"
Instead, we had to go back and forth, feeding them product keys used in the account in a back-and-forth that had a 24 hour+ turnaround time (their side) and took a couple of weeks. Meanwhile, some punk in Russia had bought my son's account (worth well over $3000 at the time), and probably was out a couple hundred bucks when we got it back.
Re: (Score:1)
This same thing happened to a relative, though Steam has refused to return the account. I used it as a learning opportunity about dependence on online brokers (Google, Steam, Amazon, you pick one) and digital licensing. Funny how others view us experienced IT folks as "fuddy duddies" that the young ignore until it's too late...
Serial numbers (Score:2)
Glad he got his stuff back. (Score:1)
RIFE! Hire an editor, Motherboard (and Slashdot) (Score:2)
> But Sony's setup seems especially ripe for it.
Rife. Rife means abundant. Ripe means fully mature.