
PSN Account with 2FA Hacked - Make sure you switch from SMS to Authenticator App


gooner4life

My 11 year old PSN account has been hacked, I was mid game and I got a notification to say 2 step had been deactivated, I checked my email and they'd changed the email tied to the account as well, and it logged me out.

 

How they managed to deactivate 2 step without getting a 2 step code I don't know.

Link to comment
Share on other sites

6 hours ago, gooner4life said:

My 11 year old PSN account has been hacked, I was mid game and I got a notification to say 2 step had been deactivated, I checked my email and they'd changed the email tied to the account as well, and it logged me out.

 

How they managed to deactivate 2 step without getting a 2 step code I don't know.


Bloody hell :o have you got the account back?

 

SMS 2 factor is pretty poor and easy to spoof apparently, let’s hope this isn’t another Sony hack - password change time!

Link to comment
Share on other sites

3 hours ago, Shimmyhill said:


Bloody hell :o have you got the account back?

 

SMS 2 factor is pretty poor and easy to spoof apparently, let’s hope this isn’t another Sony hack - password change time!


Really? I know it’s possible to spoof a phone number from the receiver’s point of view, but surely call routing to a number is defined and controlled on the telephone network?

Link to comment
Share on other sites

3 hours ago, Shimmyhill said:


Bloody hell :o have you got the account back?

 

SMS 2 factor is pretty poor and easy to spoof apparently, let’s hope this isn’t another Sony hack - password change time!

 

Nope, I called Sony when they opened at 11:30 this morning, they have raised a case but said it will take 2/3 days to hear back from the escalation team, absolute shambles when you consider somebody turned off 2 step and then changed every fucking detail possible on the account seconds later, surely they should have some sort of cooldown system in place if you deactivate 2 step.

Link to comment
Share on other sites

1 hour ago, Super Craig said:

Worth noting that there’s proper two-factor authentication available now. You have to disable the SMS one and set it up again to be given the option.

 

How do they do it? Authenticator app?

Link to comment
Share on other sites

3 hours ago, Popo said:


Really? I know it’s possible to spoof a phone number from the receiver’s point of view, but surely call routing to a number is defined and controlled on the telephone network?


Spoofing was a catch-all and not the best word for it but there are multiple ways to compromise, quick google gives this with a few of them - https://www.cnet.com/how-to/do-you-use-sms-for-two-factor-authentication-heres-why-you-shouldnt/

Link to comment
Share on other sites

7 hours ago, Shimmyhill said:


Spoofing was a catch-all and not the best word for it but there are multiple ways to compromise, quick google gives this with a few of them - https://www.cnet.com/how-to/do-you-use-sms-for-two-factor-authentication-heres-why-you-shouldnt/

So, should you have 2FA enabled or not? Sounds like it's less secure...

 

Ah being dumb, deactivated the phone number version. Added it to the Google Auth app... QR codes have found the purpose in life! 

 

Now everyone do this.

Link to comment
Share on other sites

21 hours ago, gooner4life said:

My 11 year old PSN account has been hacked, I was mid game and I got a notification to say 2 step had been deactivated, I checked my email and they'd changed the email tied to the account as well, and it logged me out.

 

How they managed to deactivate 2 step without getting a 2 step code I don't know.

Fuck me that's awful. Really hope they sort it quick for you. 

Link to comment
Share on other sites

Top of a new page on mobile... Just in case it gets missed update your 2FA on your PS account to NOT use SMS and use an authenticator app. I used the Google one on my android phone not sure what iOS has.

 

 

Link to comment
Share on other sites

5 minutes ago, gooner4life said:

Just to clear up a few things, I don't think even switching to the authenticator app would have helped, they have clearly worked out a way to circumvent the 2FA to get into the account and turn it off, when I first got the message saying 2FA was switched off, I got the text message to say 2 step had been turned off so they hadn't cloned my sim or transferred it to a new sim etc, they just got round it entirely.

 

I'm raising it with Sony's exec team on Monday, I've already sent an email to Jon Budden raising the fact although to them it's just losing access to my account for a period, it's actually a significant breach of my Data Protection, breaking GDPR and I'll be raising it with ICO as well, the person/people who have access to my account have access to my DOB, Address, Phone Number etc it's a significant chunk of data that would enable identity theft to take place and Sony simply saying they will raise a case and get back to me in a few days is not a good enough response.

Interesting, and scary. I wonder if 2FA should be off now... Keep us posted on how you get on. I don't imagine the details of how they managed to circumvent 2FA will be disclosed to you though.

Link to comment
Share on other sites

Just now, Quexex said:

Interesting, and scary. I wonder if 2FA should be off now... Keep us posted on how you get on. I don't imagine the details of how they managed to circumvent 2FA will be disclosed to you though.

 

They won't disclose shit, but I've spent thousands of pounds on this account, I've had it since before PSN was switched on with the pre-registration of your name on it, I've had every PlayStation ever released, I'm a very good customer and it's cost them a huge amount of goodwill on my part.

 

I honestly feel like switching over to the Xbox permanently.

Link to comment
Share on other sites

12 minutes ago, gooner4life said:

 

They won't disclose shit, but I've spent thousands of pounds on this account, I've had it since before PSN was switched on with the pre-registration of your name on it, I've had every PlayStation ever released, I'm a very good customer and it's cost them a huge amount of goodwill on my part.

 

I honestly feel like switching over to the Xbox permanently.

To be honest I'd feel the same way. I've had my account for the same length of time and if it suddenly went I'd be gutted. Hang in there though hopefully it will get sorted. What 2FA did you have active? 

Link to comment
Share on other sites

37 minutes ago, Quexex said:

To be honest I'd feel the same way. I've had my account for the same length of time and if it suddenly went I'd be gutted. Hang in there though hopefully it will get sorted. What 2FA did you have active? 

 

SMS but I got the SMS to say it had been deactivated, but didn't get one with a verification code so they obviously got in without it.

Link to comment
Share on other sites

5 hours ago, Quexex said:

Interesting, and scary. I wonder if 2FA should be off now... Keep us posted on how you get on. I don't imagine the details of how they managed to circumvent 2FA will be disclosed to you though.

 

You should still keep it on.

Link to comment
Share on other sites

8 hours ago, gooner4life said:

 

SMS but I got the SMS to say it had been deactivated, but didn't get one with a verification code so they obviously got in without it.


Pretty sure that’s just how they can access your 2fa via a carrier based hack, if Sony’s 2fa had been breached then millions of accounts would be gone as it is used for password recovery - I will try and find the article but a buddy of mine works in internet security stuff and he told me years back that SMS based 2fa is seen as weaker than not having any 2fa in many ways.

 

It’s fairly obvious how I feel about Sony as a company but I’m fairly sure their 2fa hasn’t been breached.

Link to comment
Share on other sites

I just went into my sony account on browser on my computer. My account is set with 2FA switched on for SMS but I guess it is set so I enter password but does not require 2FA as it didn't do 2FA - I must have set the browser as a "trusted" device or something similar.

 

If I then go into security and switch off 2FA it lets me do it without issue which surprised me. I am sure on other 2FA type stuff if I set a trusted device to not need 2FA then it allows me to login but if I try to change my 2FA setting it then does a 2FA to make sure I am me.

 

Not saying this happened in this instance but that did seem lax. As a positive I have switched from SMS to an authenticator app as a result.

 

 

 

EDIT - something is definitely screwy. When I logged in using this computer/browser it did not do 2FA - I went and found the 2FA which was switched on so assumed my browser/computer was set as "trusted". I switched off 2FA without being prompted as I say and then switched to authenticator app. Now I logged off and back on and this browser/computer now needs 2FA and isn't "trusted". If I had set it to trusted before why is it not trusted now? Hmmmm odd

Link to comment
Share on other sites
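The two controls raised in this thread (a fresh 2FA challenge before security settings can be changed, even from a "trusted" device, and a cooldown on identity changes after 2-step is turned off) can be sketched as follows. This is an added example, not part of any post and not Sony's code; the action names, the 5-minute freshness limit and the 72-hour hold are assumptions chosen for illustration.

```python
import time
from dataclasses import dataclass, field
from typing import Optional

STEP_UP_MAX_AGE = 5 * 60      # assumed: a second-factor proof older than this is stale
COOLDOWN = 72 * 3600          # assumed: hold on identity changes after 2FA is weakened
SENSITIVE = {"disable_2fa", "change_email", "change_password"}

@dataclass
class Session:
    trusted_device: bool = False            # may skip the challenge at login only
    last_2fa_proof: Optional[float] = None  # when this session last passed a challenge

@dataclass
class Account:
    two_factor_on: bool = True
    two_factor_changed_at: Optional[float] = None
    notices: list = field(default_factory=list)

def authorize(account, session, action, now):
    """Return (allowed, reason) for a requested account change."""
    if action not in SENSITIVE:
        return True, "not sensitive"
    # A trusted device is deliberately ignored here: it never replaces a fresh proof.
    fresh = (session.last_2fa_proof is not None
             and 0 <= now - session.last_2fa_proof <= STEP_UP_MAX_AGE)
    if account.two_factor_on and not fresh:
        return False, "step-up required"
    changed = account.two_factor_changed_at
    if action != "disable_2fa" and changed is not None and now - changed < COOLDOWN:
        return False, "cooldown active"
    return True, "ok"

def apply_change(account, session, action, now=None):
    """Authorize, then record the change; only the 2FA toggle is modelled."""
    now = time.time() if now is None else now
    allowed, reason = authorize(account, session, action, now)
    if allowed and action == "disable_2fa":
        account.two_factor_on = False
        account.two_factor_changed_at = now
        account.notices.append((now, "2-step verification turned off"))
    return allowed, reason
```

With these rules, turning off 2-step and changing the email seconds later fails on the second request, and the account owner's notification arrives while the hold is still in force.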

56 minutes ago, Shimmyhill said:


Pretty sure that’s just how they can access your 2fa via a carrier based hack, if Sony’s 2fa had been breached then millions of accounts would be gone as it is used for password recovery - I will try and find the article but a buddy of mine works in internet security stuff and he told me years back that SMS based 2fa is seen as weaker than not having any 2fa in many ways.

 

It’s fairly obvious how I feel about Sony as a company but I’m fairly sure their 2fa hasn’t been breached.

Yeah did a bit of googling last night after reading your CNET link. SMS is really insecure for 2FA, security firms have been advising against it since 2016!!! It is possible for someone to receive texts meant for you without knowing anything other than the last 4 digits of your phone number (easier with the full no.) Crucially this can all happen without you seeing anything at your end. Until it's too late. 

Link to comment
Share on other sites

36 minutes ago, gospvg said:

an authenticator app.

Some help on this would be handy - are there different apps for each service/company, or one app to rule them all? Are some apps better than others?

Link to comment
Share on other sites

3 minutes ago, Thor said:

Some help on this would be handy - are there different apps for each service/company, or one app to rule them? Are some apps better than others?

 

Any is OK, most use either Google, Microsoft or Authy.

Link to comment
Share on other sites

You install Authy (for example) on your device. https://authy.com/

 

That app generates 2FA codes that can be used on any setup that supports 2FA authentication apps. (Which is most of them, these days.) I've got like 16 different services using Authy, so you don't end up with hordes of different 2FA apps.

 

Then you go into your PSN security page, disable the current 2FA setup if it's enabled, then re-enable it and select "Authentication App", follow the instructions (which I think involves a QR code), make a note of the backup codes, and away you go.

Link to comment
Share on other sites

1 minute ago, Uncle Mike said:

Then you go into your PSN security page, disable the current 2FA setup if it's enabled, then reenable it and select "Authentication App" follow the instructions (which I think involves a QR code) make a note of the backup codes, and away you go.

Thank you! I was just about to ask this as I could only see an option to disable it. Sorting it now.

Link to comment
Share on other sites

I’m sure this happened to someone else on ResetEra a while back and the conclusion was they got through via Sony CS by saying they lost their phone or some other rubbish and blagged their way through the security. Basically doesn't matter how secure your stuff is when someone at Sony will just hand over the keys for you.

Link to comment
Share on other sites
