PSN Account with 2FA Hacked - Make sure you switch from SMS to Authenticator App



11 hours ago, deKay said:


It’s @gooner4life’s personal account. They (the hackers) put those details in his account. Not a GDPR issue.


I don’t think it works like that. Sony are a data controller here, they can’t just choose to disclose someone’s personal details because someone entered them when they weren’t authorised to do so. If nothing else, we don’t know that they are the hacker’s details - it could be a friend or relative, or the sucker who the hacker sold the account to, or a completely random person who has no idea their details are being used this way. 


Absolutely. How the details got there is irrelevant, as is ownership of the account in which they are contained. Sony are (now) aware that the details in the account do not belong to gooner4life so they should have removed them, not disclosed them.

1 hour ago, K said:


I don’t think it works like that. Sony are a data controller here, they can’t just choose to disclose someone’s personal details because someone entered them when they weren’t authorised to do so. If nothing else, we don’t know that they are the hacker’s details - it could be a friend or relative, or the sucker who the hacker sold the account to, or a completely random person who has no idea their details are being used this way. 

 

If I post my contact details through your letterbox, who is at fault that you now know my contact details? What if I post someone else's contact details through your letterbox?

 

Sony are just the letterbox in this.

3 minutes ago, deKay said:

 

If I post my contact details through your letterbox, who is at fault that you now know my contact details? What if I post someone else's contact details through your letterbox?

 

Sony are just the letterbox in this.

 

I wouldn't become a data controller under GDPR if you posted your contact details through my letterbox, so it's not the most relevant example. Sony are a data controller, they've come across this data in the course of their normal activities, and I don't think they have any right to disclose it without the consent of the owner of the data. Think about it - if someone hacks a PSN account and puts your personal details into Sony's database, whose fault is it if Sony disclose your name and address to the account owner? There are very obvious reasons why disclosing that data would be a bad idea.


I'm not 100% sure they'd be GDPR culpable in this scenario. That's gooner's account, and gooner's account details. If I hack into it, put my address (or yours) into it and then Sony undo the hack and return control to gooner, it's my illegal actions that have put your data under his control. Yes, it's obviously good practice to remove them (I 100% don't question that) but I'm not sure you'd be successful at arguing they've breached a GDPR requirement. Their Ts & Cs will explicitly forbid the selling on or transfer of accounts even with willing legitimate people on both sides. Probably for these sorts of reasons. Everyone involved, including any hypothetical buyer, is behaving in a way Sony told them not to and don't support.

 

You may well know more than me, I accept.

 

 


I mean it may or may not be a data protection breach on behalf of the scumbag who hacked my account, but it just highlights how little Sony give a fuck about your Data or anybody's.

 

I don't even work in an area of our business where I have access to customer data and still have to do 12 month data protection refresher courses.

 

I'm glad that 2FA wasn't broken in some exploit, and I'm glad they told me exactly how it happened. I'm now speaking with VirginMedia to secure the email account; they were surprisingly apologetic. I expected them to wash their hands of it, but the account was supposed to be deleted 90 days after I closed the account with them and it never was.

 

I've accepted that the details on the account were most likely made up or wouldn't be the details of the scumbag who actually yeeted my account.

 

I am going to slowly migrate to everything game wise being in the Xbox eco-system, I don't trust Sony to protect my account anymore.

39 minutes ago, deKay said:

 

If I post my contact details through your letterbox, who is at fault that you now know my contact details? What if I post someone else's contact details through your letterbox?

 

Sony are just the letterbox in this.

That isn't how the law on GDPR works - unless there is an exemption for them to disclose data - if it falls under the definition of personal data as a data controller they cannot disclose it regardless of the weird fucked up circumstances

 

I only saw my hacker's name as the idiot had changed the profile to reflect this - there is no way Sony or any company could have told me on the phone.


@Uncle Mike

 

I am pretty far from being an expert on GDPR. But I would have thought that data controllers will come across information all the time that they didn't intend to collect that will come under the heading of personal data, and I would be very surprised if they didn't have responsibilities over that data - like, if someone copies and pastes information into the wrong field or into the wrong page, so you end up with someone's email to their mum in an "any other comments?" box. I don't think you could disclose that without the permission of the person who wrote it. I'm not sure GDPR distinguishes between personal data of your customers and personal data of everyone else - personal data is defined as "any information that relates to an identified or identifiable living individual."

 

I would say that giving an address you find on a hacked account to someone would be a personal data breach. If it wasn't, you would have odd situations, like it not being a personal data breach if you found loads of credit card details on a hacked account, and emailed them to the account owner.

 

 

3 minutes ago, Uncle Mike said:

I'd love to watch the court case where gooner drives round to the hacker's house and eggs it and then the hacker sues Sony for a GDPR breach. I think we can all agree on that.

 

Digital equivalent to that robber who fell through a conservatory roof in the house he was burgling, then successfully sued the owners for not putting up warning signs.


I'm not going to go and egg anybody's house, sorry guys. I've got my account back, I've secured the old email address they had compromised, they can't do it again.

 

I'm done, I'll still argue with Sony about their ridiculous policies that let somebody circumvent 2FA like this.

 

At the very least if somebody turns off 2 step they should have a cooldown period where you're unable to make other changes to the account for a period of time without speaking to somebody.


I do (obviously) agree that there's stuff that needs tightening up and improving on there. As much as one could argue that the core issue (where you've got an old unsecured email account with your PSN details and transaction in it) is your/Virgin's fault and perhaps not something you can directly level at Sony, the idea that you can leverage that to have a fucking chatbot disable your 2FA seems ridiculously insecure. That really should be a human, surely? (Although I guess that's still open to abuse if you're convincing enough and the policies allow it.)

 

There clearly needs to be a way to allow account recovery 2FA disablement (for example, I presume it's possible to lose access to the phone number and only realise that once it's too late) but a chatbot and an ancient transaction ID seem like terrible authentications. Maybe you'd rather ask about recent transactions (which seems to be what my credit card provider does, for example) or something else more contemporary.

1 minute ago, Uncle Mike said:

I do (obviously) agree that there's stuff that needs tightening up and improving on there. As much as one could argue that the core issue (where you've got an old unsecured email account with your PSN details and transaction in it) is your/Virgin's fault and perhaps not something you can directly level at Sony, the idea that you can leverage that to have a fucking chatbot disable your 2FA seems ridiculously insecure. That really should be a human, surely? (Although I guess that's still open to abuse if you're convincing enough and the policies allow it.)

 

There clearly needs to be a way to allow account recovery 2FA disablement (for example, I presume it's possible to lose access to the phone number and only realise that once it's too late) but a chatbot and an ancient transaction ID seem like terrible authentications. Maybe you'd rather ask about recent transactions (which seems to be what my credit card provider does, for example) or something else more contemporary.

 

The argument for more recent transactions is they say often people buy stuff soon after compromising the account so the most recent transactions were by the hacker.

 

At the very least they should say a transaction ID from the current email and a transaction ID from the old email if trying to switch to a previously used email address.

 

Interestingly the way they verified my identity as the account owner was via the Serial Number of my PS4 Pro (couldn't get the Serial Number easily on the PS5) so gave them that, but it had been used on the account when both emails were in use, so they were more than happy to verify it was me, surely the chatbot should just use the same authentication?

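The posts above put forward three concrete recovery-policy ideas: a cooldown on further account changes once two-step verification has been switched off, not trusting recent purchases as proof of ownership (because they may be the intruder's own), and demanding proof tied to both the current and the previous email address, or a console that was linked while both were in use, before an account is pointed back at an old address. The following is an added illustration of those rules as a small policy engine, not code from this thread, from Sony or from PSN. The account model, the 72-hour cooldown, the 30-day lookback, the `evaluate` function and the sample account data are all constructed for the example.

```python
"""Toy policy for an automated account-recovery channel (a chatbot).

Added illustration only, not Sony's or any real PSN logic: the account model, the
72-hour cooldown, the 30-day lookback and the sample account are all constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

COOLDOWN_AFTER_2FA_DISABLE = timedelta(hours=72)  # constructed policy value
RECENT_CHANGE_LOOKBACK = timedelta(days=30)       # constructed policy value

@dataclass
class Period:
    """Half-open interval [start, end); end=None means still current."""
    start: datetime
    end: Optional[datetime] = None

    def contains(self, t: datetime) -> bool:
        return self.start <= t and (self.end is None or t < self.end)

    def overlaps(self, other: "Period") -> bool:
        return self.start < (other.end or datetime.max) and other.start < (self.end or datetime.max)

@dataclass
class Account:
    emails: List[Tuple[str, Period]]      # chronological; last entry is the current address
    transactions: Dict[str, datetime]     # transaction id -> purchase time
    consoles: Dict[str, Period]           # console serial -> period it was linked
    two_fa_disabled_at: Optional[datetime] = None

    def current_email(self) -> str:
        return self.emails[-1][0]

    def email_at(self, t: datetime) -> Optional[str]:
        """Address that was on the account when a purchase was made."""
        return next((e for e, p in self.emails if p.contains(t)), None)

    def suspect_since(self, now: datetime) -> Optional[datetime]:
        """Earliest security-sensitive change inside the lookback window, if any."""
        events = [self.emails[-1][1].start] + ([self.two_fa_disabled_at] if self.two_fa_disabled_at else [])
        recent = [e for e in events if now - e < RECENT_CHANGE_LOOKBACK]
        return min(recent) if recent else None

    def console_spans_both(self, serial: str, other_email: str) -> bool:
        """True if the console was linked while both the current and the other address were in use."""
        linked = self.consoles.get(serial)
        others = [p for e, p in self.emails if e == other_email]
        return linked is not None and linked.overlaps(self.emails[-1][1]) and any(linked.overlaps(p) for p in others)

@dataclass
class EmailChangeRequest:
    target_email: str
    transaction_ids: List[str] = field(default_factory=list)
    console_serial: Optional[str] = None

def evaluate(account: Account, req: EmailChangeRequest, now: datetime) -> Tuple[str, str]:
    """Return (decision, reason); decision is 'allow', 'deny' or 'escalate' (to a human)."""
    # Rule 1: once 2FA has been switched off, no further automated changes until the cooldown passes.
    if account.two_fa_disabled_at and now - account.two_fa_disabled_at < COOLDOWN_AFTER_2FA_DISABLE:
        return "escalate", "2FA switched off recently; automated account changes are locked"
    if any(i not in account.transactions for i in req.transaction_ids):
        return "deny", "unknown transaction id"
    # Rule 2: purchases made after a recent security change may be the intruder's own and prove nothing.
    cutoff = account.suspect_since(now)
    trusted = [account.transactions[i] for i in req.transaction_ids if cutoff is None or account.transactions[i] < cutoff]
    proven = {account.email_at(t) for t in trusted}
    # Rule 3: reverting to a previously used address needs proof tied to BOTH addresses.
    if req.target_email in {e for e, _ in account.emails[:-1]}:
        if {account.current_email(), req.target_email} <= proven:
            return "allow", "trusted purchases under both the current and the previous address"
        if req.console_serial and account.console_spans_both(req.console_serial, req.target_email):
            return "allow", "console was linked while both addresses were in use"
        return "deny", "need proof tied to both the current and the previous address"
    # A never-before-seen address: a single factor from the current address is not enough to automate.
    if account.current_email() in proven:
        return "escalate", "proof for the current address only; hand off to a human"
    return "deny", "no trusted proof of ownership"

def sample_account(two_fa_disabled_at: Optional[datetime] = None) -> Account:
    """Constructed sample: an old ISP address until mid-2019, then the current one."""
    return Account(
        emails=[("old-isp@example.net", Period(datetime(2016, 1, 1), datetime(2019, 6, 1))),
                ("current@example.com", Period(datetime(2019, 6, 1)))],
        transactions={"TX-2017-CONSTRUCTED": datetime(2017, 3, 4),
                      "TX-2021-CONSTRUCTED": datetime(2021, 8, 9),
                      "TX-NEW-CONSTRUCTED": datetime(2024, 2, 26)},
        consoles={"PS4-SERIAL-CONSTRUCTED": Period(datetime(2018, 1, 1))},
        two_fa_disabled_at=two_fa_disabled_at,
    )

if __name__ == "__main__":
    now = datetime(2024, 3, 1, 0, 50)  # constructed: a request at 00:50, when only the bot answers
    print(evaluate(sample_account(), EmailChangeRequest("old-isp@example.net", ["TX-2017-CONSTRUCTED"]), now))
```

With the constructed sample, a single transaction ID from the old address is refused, a transaction from each address (or the console serial that spans both periods) is accepted, a request shortly after 2FA was disabled is escalated to a human regardless of what is offered, and a purchase made after the 2FA change is simply ignored as evidence. The deliberate design choice is that the automated channel never gets an "allow" path that rests on one factor tied to a single address.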
1 minute ago, Uncle Mike said:

I do (obviously) agree that there's stuff that needs tightening up and improving on there. As much as one could argue that the core issue (where you've got an old unsecured email account with your PSN details and transaction in it) is your/Virgin's fault and perhaps not something you can directly level at Sony, the idea that you can leverage that to have a fucking chatbot disable your 2FA seems ridiculously insecure. That really should be a human, surely? (Although I guess that's still open to abuse if you're convincing enough and the policies allow it.)

 

There clearly needs to be a way to allow account recovery 2FA disablement (for example, I presume it's possible to lose access to the phone number and only realise that once it's too late) but a chatbot and an ancient transaction ID seem like terrible authentications. Maybe you'd rather ask about recent transactions (which seems to be what my credit card provider does, for example) or something else more contemporary.


Pretty sure the SMS 2FA is the only one that can be defeated in this way. Authenticator-based 2FA should use backup codes as the only means to recover an account.

5 minutes ago, Shimmyhill said:


Pretty sure the SMS 2FA is the only one that can be defeated in this way. Authenticator-based 2FA should use backup codes as the only means to recover an account.

 

Authenticator would have been exactly the same, confirmed by Paul McDowell @ Sony, the chatbot is able to turn off 2FA if it deems you are the account owner.


GDPR legislation with regards to being the Data Custodian is pretty simple. If the data sits on a storage medium that you are responsible for, you are then liable for any breach of that data. However a factor in this case is that the data forms part of an account that @gooner4life is the owner of, irrespective of who inputted that data. 

Gooner has an account containing data he inputted sitting on Sony's server = it's gooner's data on his account with Sony being the custodian.

Scumbag gains access to gooner's account and inputs data onto the account = it's scumbag's data on gooner's account with Sony being the custodian. Gooner still rightfully has access to this data on his account.

6 minutes ago, gooner4life said:

 

Authenticator would have been exactly the same, confirmed by Paul McDowell @ Sony, the chatbot is able to turn off 2FA if it deems you are the account owner.


Given it's Sony then it's hardly surprising but it does go against the agreement with Sony when you turn on 2FA :lol:

8 minutes ago, gooner4life said:

 

Authenticator would have been exactly the same, confirmed by Paul McDowell @ Sony, the chatbot is able to turn off 2FA if it deems you are the account owner.

This really does feel like this issue should get some proper media coverage.

Just now, Shimmyhill said:


Given it's Sony then it's hardly surprising but it does go against the agreement with Sony when you turn on 2FA :lol:

 

It's exactly the same agreement for SMS 2 Factor, you get backup codes when you enable that also.

1 hour ago, gooner4life said:

I'm not going to go and egg anybody's house, sorry guys,

All that and no pics of the #driveby ;)

 

Pleased you are all sorted and secure once more. Hopefully that will be the last of it, unless you're @Uzi with a 'desirable' PSN name I think you'll be safe from now on. I don't think anyone is desperate for the user name Quexex so I feel relatively safe. And thanks to you I can not be hacked by SMS exploit on 2FA and not a chatbot hack as I've only ever used one very secure email address for the life of my PSN account.


Sony are clearly idiots in all of this, and the flaw in multiple email addresses being valid is a gaping flaw, but surely the 1st problem and where the actual blame lies is that the email account got compromised? Once your account is gone, the electrothief has access to every single password reset link they can get out of the inbox? 


Just read through this, and changed 2FA from SMS to authenticator app half way through (though not actually sure it's that much of an issue as sim cloning stuff for a PSN account seems unlikely and obviously wasn't the cause here).  Proper sobering stuff.  I'm not convinced the hacker would have known a chat bot would do what it is alleged to have done, sounds very much like something a human in a call centre may well do though...

 

As for the GDPR thing, I'd say the owner of the account is the person who can log in etc.  In this case, Sony were very much aware that someone else was logging in and using the account, and therefore ownership had basically changed.  I think GDPR would most certainly apply, and that they should have wiped all personal detail fields prior to returning it to @gooner4life

 

Of course, the reality is, the Sony employee is a customer service desk operator with certain abilities, and some software to point them to an answer.  They most probably have an idea about GDPR, but won't be a lawyer.  They have an idea about PSN, but won't be a developer, or marketing department.  They have the ability to apologise and apply a couple of months free PSN, but not make an official statement on behalf of Sony.

The reality is they made a mistake and most probably breached GDPR by letting gooner access someone else's personal data, and they either have a chatbot, or (I suspect) another customer service desk operator who reset the password based on not enough information in the first place.

 

Also, everyone seems to be assuming that the name and address that was left on the account is the hacker.  If you're smart enough to hack someone's PSN account in this way, I'd doubt you are dumb enough to think it's not going to be taken back from you, therefore, I'd imagine it's the details of whoever bought the account on eBay or similar, some innocent who is out of pocket, and probably calling eBay for a refund and Sony trying to get gooner's account back!

5 minutes ago, mikeyl said:

Sony are clearly idiots in all of this, and the flaw in multiple email addresses being valid is a gaping flaw, but surely the 1st problem and where the actual blame lies is that the email account got compromised? Once your account is gone, the electrothief has access to every single password reset link they can get out of the inbox? 

 

Everything had been migrated off of that email address. Virgin Media told me that the email account would be closed (90 days after I ceased the services) 2.5 years ago when I closed my mum's account after she passed away. It's the flaw in Sony's Chat Bot that allowed the thief to get in. It was definitely via the bot as it happened at 00:50 and Sony's customer care are closed; the only thing that does work is the chat bot at that time of night.

22 hours ago, Thor said:

Isn't it also possible that the guy whose address was left on the account is merely the numpty who bought it, and not the cunt who did the hack?

 

11 minutes ago, Freeman said:

Also, everyone seems to be assuming that the name and address that was left on the account is the hacker. 

 

