
My PSN Account was Compromised

Woke up this morning to see 4 emails from PSN about adding funds and transactions, someone bought $160 worth of NBA shit on my old psn ID. So I signed into my PS3 to check on it. Luckily I didn't have any payment methods on this account. But there was someone's card attached to it, I deleted it and changed the password.

What do I need to do outside of that? I'm probably going to go around and change all my account passwords from Amazon to XBL. Do I need to contact Sony about the transactions? Account has been inactive since I started a new PSN and stuck with that one. I've had an XBL account since 2008, and I've never had a single compromise on it. Congrats Sony, happy to see you keeping secure.
 

benny_a

extra source of jiggaflops
I've had an XBL account since 2008, and I've never had a single compromise on it. Congrats Sony, happy to see you keeping secure.
I'm pretty sure your password was just compromised instead of Sony having all their security breached just so someone can buy $160 of microtransactions in NBA 2k.
 

panda-zebra

Member
card details were likely stolen, if you do nothing you might expect a knock at the door. best to get in there first.

blame sony if you like, but someone likely just brute-forced your password, or possibly you signed in to someone else's console once upon a time and that machine is where the action took place. could be a number of things, probably best to give it some thought before pointing fingers.
 

dapoktan

Member
why would this guy steal someone else's id, then add $160 bucks of his own money?... Did they steal that CC info from someone else?
 

AwesomeMeat

PossumMeat
I was waiting for the FIFA micro transactions. Looks like you get hit by the considerably more rare NBA micro transactions. Sorry it happened OP but it sounds like it could have been much worse.
 
why would this guy steal someone else's id, then add $160 bucks of his own money?... Did they steal that CC info from someone else?

If Sony is as dumb as SquareEnix was back in the day then the thief can get the account back with a call pretending they are the account owner and then provide them with the account information including card details last used to make a purchase. Hopefully that's not the case.
 

entremet

Member
These guys can't change PSN names, so don't expect two factor.

Sony is a joke with their online infrastructure.
 

sensui-tomo

Member
They're probably gonna trade the stuff they bought in NBA to their real account, file a chargeback with their real card, keep the stuff they bought on your account and leave you with the banned account. Call Sony if you care about the account.
 

Gestault

Member
I truly don't understand why two-factor authentication hasn't at least been mentioned as something in the works. It would prevent so many of these sorts of situations.
 
I still can't believe they've made Plus mandatory and still don't offer any sort of two-factor security.

You'd think that would be a priority after that big breach.
 

Justified

Member
why would this guy steal someone else's id, then add $160 bucks of his own money?... Did they steal that CC info from someone else?

I would assume so. Stole another PSN so it can't be tied back.

Next the thief would go on 2K, sell a wack MyTeam Card for $160 (in VC), then buy it with the compromised account, thus transferring the VC.
 
Yeah I had my PSN account compromised and someone bought a PsOne classic game and added their PS Vita to my account. I changed my shit ASAP and luckily Sony refunded me the money, but I'm glad I never trusted Sony with any cards and simply had some funds in my account. Kind of pissed I can't deactivate that random person's Vita from my account though, I try and it says I can only deactivate it from the Vita manually. Either way Sony's track record with security and no two-factor authentication is pretty shitty.
 

Weevilone

Member
card details were likely stolen, if you do nothing you might expect a knock at the door. best to get in there first.

blame sony if you like, but someone likely just brute-forced your password, or possibly you signed in to someone else's console once upon a time and that machine is where the action took place. could be a number of things, probably best to give it some thought before pointing fingers.

It's legit to blame Sony when they don't offer 2 factor authentication.
 

killroy87

Member
Is there a reason i can't log in to my account settings? This seems more like a bug than suspicious activity.

I went to PSN website to change my password (this thread reminded me). For some reason I was unable to log in. I tried every variation of a password that I could use, but nothing worked, which is weird. So I said whatever, and did the "forgot your password?" method of changing it. I did all that, went fine, but now I still can't log in, even with the new password I just created!

Long story short: Is anyone able to log in to their PSN account setting from the web?

Edit: Got it. Had to change my password with Firefox, Chrome wasn't doing it correctly. Weird.
 
Contact SONY. If they get their money back from the bank, you will be banned, with no way to unban yourself without paying that money back to Sony. The policy on the chargebacks is strict.
 

Chrisdk

Member
I don't trust Sony at all and I'm kinda surprised that their lack of "security" isn't that big of a deal to people. It's rarely mentioned how little protection they offer us. Sometimes I feel like Sony gets a pass on a lot of things.

I'm using prepaid cards on my PS4.
 

sensui-tomo

Member
funny enough it's almost always the sports games with those trading mechanics that are the games people hack other accounts for.
 
I don't trust Sony at all and I'm kinda surprised that their lack of "security" isn't that big of a deal to people. It's rarely mentioned how little protection they offer us. Sometimes I feel like Sony gets a pass on a lot of things.

I'm using prepaid cards on my PS4.

Considering how easy it is to find posts about Xbox accounts being hijacked, I feel like Sony gets undue blame, as opposed to getting a free pass.
 
I'd contact Sony. Also, Sony get your shit together and offer two factor already
Yup. It's 2016. At this point it's negligent to not offer the possibility.

Considering how easy it is to find posts about Xbox accounts being hijacked, I feel like Sony gets undue blame, as opposed to getting a free pass.
A few years ago, MS were kind of shit with the "FIFA hack" (most likely the result of CS social engineering), but at the very least they did eventually introduce two factor authent.
 

RhyDin

Member
Just curious, was your password one that was easily crackable - a common word/s with numbers, for example? I wonder if these accounts are social engineered or if people are just using silly passwords or being compromised some other way. When something like this happens and you can't tell how it happened, you should assume they have everything and change your other passwords immediately, especially to the e-mail associated with the account and any other accounts that used shared passwords or similar account names.

I wonder how Sony doesn't have something in place to lock an account after multiple login attempts, or at least to see that an account was attempted to be logged into multiple times erroneously - thus there would be no reason to "ban" the account due to a fraudulent purchase and subsequent chargeback.
 

Shpeshal Nick

aka Collingwood
Staggering that Sony still doesn't have 2 step.

I've activated for basically everything I have with money attached or videogame related.
 
I had the same problem happen to me recently. Had to go through my credit card company to reverse the charges. A bunch of purchases over a period of a month.

They didn't make any other purchases with my CC linked to the account, just seemed to hack my PSN account. Never had any others hacked and have strong passwords.
 
Use Gmail and do the + thing.

name@gmail can be name+whateverthefuckyouwant@gmail and will deliver to name@gmail

I have a unique + identifier, pw and 2-factor (where allowed) for every site. Now anyone can have my email and be SoL.
 

Head.spawn

Junior Member
Use Gmail and do the + thing.

name@gmail can be name+whateverthefuckyouwant@gmail and will deliver to name@gmail

I have a unique + identifier, pw and 2-factor (where allowed) for every site. Now anyone can have my email and be SoL.

You're going to have to explain this one, what?
 

Raimond

Member
In addition to the + trick with Gmail, you can also add a period "." anywhere within your email before the @ sign and they will all be sent to your same email. In this way you can sign up at a site multiple times or something like that, but still gets delivered to your same inbox.
 
Use Gmail and do the + thing.

name@gmail can be name+whateverthefuckyouwant@gmail and will deliver to name@gmail

I have a unique + identifier, pw and 2-factor (where allowed) for every site. Now anyone can have my email and be SoL.
Could you elaborate? I use gmail for my primary emails and this has me scratching my head. Please that is!
 

11redder

Member
Yeah I had my PSN account compromised and someone bought a PsOne classic game and added their PS Vita to my account. I changed my shit ASAP and luckily Sony refunded me the money, but I'm glad I never trusted Sony with any cards and simply had some funds in my account. Kind of pissed I can't deactivate that random person's Vita from my account though, I try and it says I can only deactivate it from the Vita manually. Either way Sony's track record with security and no two-factor authentication is pretty shitty.
I had an issue where a dude added his ps4 to my account as the primary. I called Sony and they reset all active systems on the account, after a few questions to make sure I really was the account owner. You should be able to do the same for the Vita.

No purchases were made on my account, I think he just wanted free access to my PS Plus games.
 

Head.spawn

Junior Member
Could you elaborate? I use gmail for my primary emails and this has me scratching my head. Please that is!

Just messed around with it.

Say you have an email addy that is something like: iam.a.jerk1@gmail.com

I tried sending mail to: iamajerk1@gmail.com - and that worked.
I also tried sending an email to: Iamajerk1+wut12314@gmail.com - and that worked as well.

'i.a.m.aj.er.k.1+neogafgoldaccount@gmail.com' also worked.

All emails sent, no matter how goofy you get with it, within those guidelines, were recovered under the original iam.a.jerk1@gmail.com account.

I'm ashamed to admit I had no clue this was possible. It would be amazing if it worked for other email addresses, like Hotmail or yahoo.
 

Blurry15

Member
If you don't need that account at all, just do a chargeback. It will ban the account.

This happened to my friend, is there really no way of getting around it? She called and she said that they told her she needs to buy PSN codes that equal X amount to get her account unbanned. Is that true? Does she seriously have to pay to get all those games she lost?
 

JSoup

Banned
This happened to my friend, is there really no way of getting around it? She called and she said that they told her she needs to buy PSN codes that equal X amount to get her account unbanned. Is that true? Does she seriously have to pay to get all those games she lost?

Unless she gets really, really lucky with a rep, yeah, she's got to pay to get her account back.
 

SomTervo

Member
Why the hell are sports games so relentlessly shit for this kind of stuff? I only ever hear about it from EA sports games. Is it EA?
 

Echoplx

Member
Just messed around with it.

Say you have an email addy that is something like: iam.a.jerk1@gmail.com

I tried sending mail to: iamajerk1@gmail.com - and that worked.
I also tried sending an email to: Iamajerk1+wut12314@gmail.com - and that worked as well.

'i.a.m.aj.er.k.1+neogafgoldaccount@gmail.com' also worked.

All emails sent, no matter how goofy you get with it, within those guidelines, were recovered under the original iam.a.jerk1@gmail.com account.

I'm ashamed to admit I had no clue this was possible. It would be amazing if it worked for other email addresses, like Hotmail or yahoo.

Isn't this kinda pointless? all they'd have to do is remove everything after the + and they know your email anyway? Unless I'm missing something.
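
Added example, not part of any post in this thread: the Gmail behaviour tested above (dots and case ignored, everything after the + dropped on delivery), written as a Python normalizer a site could use to group sign-ups by real inbox and a user could use to read back which per-site tag an email was sent to. The function names and the example.com address are made up for illustration; the Gmail addresses are the ones tried in the thread.

```python
from collections import defaultdict

# Domains that deliver to the same Gmail mailbox.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}

# Constructed sample: the variants tried in the thread plus one non-Gmail address.
SAMPLE = [
    "iam.a.jerk1@gmail.com",
    "iamajerk1@gmail.com",
    "Iamajerk1+wut12314@gmail.com",
    "i.a.m.aj.er.k.1+neogafgoldaccount@gmail.com",
    "someone+psn@example.com",
]


def split_address(addr):
    """Split on the last '@'; the domain is case-insensitive."""
    local, _, domain = addr.strip().rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an email address: {addr!r}")
    return local, domain.lower()


def canonical_mailbox(addr):
    """Return the mailbox a Gmail variant is delivered to."""
    local, domain = split_address(addr)
    if domain not in GMAIL_DOMAINS:
        # Other providers have their own rules; leave the address untouched.
        return f"{local}@{domain}"
    base = local.split("+", 1)[0].replace(".", "").lower()
    return f"{base}@gmail.com"


def site_tag(addr):
    """Return the '+tag' a user chose for a site, or None if there is none."""
    local, _ = split_address(addr)
    _, sep, tag = local.partition("+")
    return tag.lower() if sep else None


def group_by_mailbox(addresses):
    """Group sign-up addresses that land in the same inbox."""
    groups = defaultdict(list)
    for addr in addresses:
        groups[canonical_mailbox(addr)].append(addr)
    return dict(groups)


if __name__ == "__main__":
    for mailbox, variants in group_by_mailbox(SAMPLE).items():
        print(mailbox, "<-", variants)
```

All four Gmail variants collapse to one mailbox in a single line of string handling, so the tag identifies where an address was used rather than hiding the address itself.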
 