
My fucking Sony account got hacked.

Yes, Sony didn't directly "hack" his account. However:

1) Sony was "in charge" of the security of his information and they failed miserably. If I had a security guard watching my house and he set up the security system, he sure as hell would share a large part of the blame if it got broken into. I don't care if I use the same pin for my bank and security system, it should have a redundancy.

2) Sony has the power to rectify this ordeal by having a swift and easy refund system. In the above example, it's as if the security guard is watching his own store that just happens to have my money on site. They break in, use my money in the store, and the next morning when I ask where my money is the security guard just shrugs.

This seems to happen often enough that a refund system should at least be in place. I'm sure OP has never randomly added $200 to his account in the past and just spent it on FIFA or whatever. And if he calls within a few hours of purchase it should be an easy refund.


Sure, use a different password everywhere. Cover your ass. However, this is Sony's storefront so they need to provide the safety. And if their security system is dated without 2 step verification, then at the very least implement a refund system. The fact that after all these years I see the same posts yet don't see either of these changes feels like they just don't give a fuck.

And what the fuck is wrong with people blaming the victims and acting like the corporation bears no responsibility?

What if you were burgled by someone who looked exactly like you and had your keys? Sony can't tell who is logging into your account. I'm not sure how you expect them to tell who is using your username and password.

I agree with your second point that they should do more to make things right after the fact, but I'm not sure what you want them to do to prevent unauthorised users logging in with your username and password. 2 factor would be great, but in the meantime people should take more care with things like this. The person who set the password up has to take a good portion of the blame here.

'Victim blaming' has become such a meaningless phrase on Gaf. Seems like it gets thrown around way too much. OP is partly to blame here, for not using a unique password and for keeping his card details on PSN. Unless Sony gave someone else his password, they got it from another site. Sony aren't to blame for what happened, but you can absolutely blame them for their shitty handling of it after it happened.
 

Kayant

Member
Yeah, but this option is only presented in a select few countries. Wouldn't surprise me if it's US only.

I don't see this step:
paypal-6.jpeg

(My mobile number has been added)

Ah, forgot about that. Am UK btw, so probably a "first-class" citizen kind of thing. Really, the option with the app shouldn't be region locked, and it's silly that it is presented in other countries they don't enable SMS for.
 
Just use a good, unique password. Two-factor authentication is not an excuse for having a bad password! Often, all they need to get around it is access to your email account anyway, and if you use the same password there, it becomes pointless.

Yes, Sony should offer it, but it's not necessary if you just have a strong, unique password for each of your important accounts.

I have had three different PSN accounts since the service launched, all with payment details attached for each of the different PSN regions. They also all have unique, 32-character passwords and strangely, I've never been "hacked".

I would think that most people on GAF would have unique passwords. Something with special characters, numbers, and a mix of lower and uppercase letters.

I agree with you, but I wonder how many people actually have "weak" passwords. Every year some site reports a data breach and lists the most common passwords but I have to question if those breached accounts are active.

When I create a throwaway for reddit I'll set the password to something like "123password" because I need something simple for an account I won't be using after a day. But for my personal account my password is similar to $1776Murica50$
 

True Fire

Member
There have been a shit ton of data breaches recently. If you used the same email and password for those sites as you do with PSN then you're fucked.

Moral of the story, use a unique password for accounts with value, and check https://haveibeenpwned.com/ monthly
 

STEaMkb

Member
I agree with you, but I wonder how many people actually have "weak" passwords. Every year some site reports a data breach and lists the most common passwords but I have to question if those breached accounts are active.

When I create a throwaway for reddit I'll set the password to something like "123password" because I need something simple for an account I won't be using after a day. But for my personal account my password is similar to $1776Murica50$

Quoting from Microsoft's whitepaper on password strength:

"Don’t try to fool the search engine with $ubst!tui0n$. It will not fool the fraudsters, since modern password crackers try the most commonly used symbols."
 
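The point in the quoted whitepaper line, shown from the defender's side as an added example (not code from the thread or from Microsoft): a signup check that maps common symbol swaps back to letters before comparing against a blocklist. The blocklist, the swap table and the sample passwords are constructed for illustration.

```python
import itertools
import re

# Constructed sample blocklist; a real check would load a large breached-password list.
COMMON_WORDS = {"password", "letmein", "dragon", "football", "qwerty"}

# Common symbol-for-letter swaps (assumed table; "1" can stand for "i" or "l").
LEET = {"$": "s", "@": "a", "!": "i", "0": "o", "1": "il",
        "3": "e", "4": "a", "5": "s", "7": "t"}

# Leading/trailing digits and punctuation are treated as decoration.
EDGE_JUNK = re.compile(r"^[^a-z]+|[^a-z]+$")


def meets_composition_rules(password):
    """Classic rule set: length >= 8, upper, lower, digit and symbol present."""
    return (len(password) >= 8
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))


def screen(password, blocklist=COMMON_WORDS, limit=4096):
    """Return the blocklisted word the password reduces to, or None.

    Each character may stay literal or be swapped back to a letter; every
    combination (capped at `limit`) is stripped of edge decoration and
    compared with the blocklist.
    """
    options = [ch + LEET.get(ch, "") for ch in password.lower()]
    for combo in itertools.islice(itertools.product(*options), limit):
        core = EDGE_JUNK.sub("", "".join(combo))
        if core in blocklist:
            return core
    return None


if __name__ == "__main__":
    # Constructed samples: two decorated dictionary words, one manager-style random string.
    for sample in ("P@$$w0rd!", "Dr4g0n2016", "kV9#tq2LmZx8@fRw"):
        print(sample, meets_composition_rules(sample), screen(sample))
```

The first sample satisfies every composition rule and still reduces to a blocklisted word, which is why a blocklist check after normalization is a stronger control than character-class rules alone.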

SScorpio

Member
I would think that most people on GAF would have unique passwords. Something with special characters, numbers, and a mix of lower and uppercase letters.

I agree with you, but I wonder how many people actually have "weak" passwords. Every year some site reports a data breach and lists the most common passwords but I have to question if those breached accounts are active.

When I create a throwaway for reddit I'll set the password to something like "123password" because I need something simple for an account I won't be using after a day. But for my personal account my password is similar to $1776Murica50$

You'd be surprised. There was a study and older people in their 50-60s used stronger passwords than millennials. Hell, look at Zuckerberg and his password of dadada.

If you care at all about security, the best password is one you can't remember. Use a password vault, and create a strong unique password for every account you have. It makes setup on some devices a pain, but you are protected from all of the breaches where accounts are then tried against other sites.

If you want something simple there is LastPass which is $12/yr and works in your browser as well as your phone/tablet. I on the other hand am cheap and use Keepass. It's free and there are Firefox and Chrome extensions that do the auto fill. Your passwords are saved in a file on your computer. I have the file synced to Google Drive and use KeepShare on my Android phone and tablet to access the passwords.

LastPass does track breaches and tell you to change your password, but for my uses Keepass works fine.
 

Melchiah

Member
There have been a shit ton of data breaches recently. If you used the same email and password for those sites as you do with PSN then you're fucked.

Moral of the story, use a unique password for accounts with value, and check https://haveibeenpwned.com/ monthly

Just checked, and there was one breach on MySpace, which I've never really used, just registered there ages ago. No worries, as I didn't use the same password for anything else.
 

JP

Member
There have been a shit ton of data breaches recently. If you used the same email and password for those sites as you do with PSN then you're fucked.

Moral of the story, use a unique password for accounts with value, and check https://haveibeenpwned.com/ monthly
It may be worth mentioning that with this site, you can actually register email addresses with them and they'll then inform you if that email address is ever published after a site has been compromised. That way you're aware as soon as it happens and you can take action.
 
LastPass does track breaches and tell you to change your password, but for my uses Keepass works fine.

+1 for keepass or any other password manager.

The so-called "Fifa-hack" is just social engineering to get your password. And if it's successful, well, you're using a poor one or you're sharing it with a compromised account.

There are people using the same name/email/password across dozens of services. That's how you get robbed online.
 
The so-called "Fifa-hack" is just social engineering to get your password. And if it's successful, well, you're using a poor one or you're sharing it with a compromised account.

When the FIFA hacks were at their peak on Xbox Live, Microsoft's login system had a flaw making it possible to brute force password checks. When a victim discovered the problem and published a blog post about it they quietly fixed the system and the frequency of account theft dropped precipitously.
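The two account-takeover patterns raised in the posts above (reused credentials tried against another service, and repeated password guesses against one account), as an added detection example that is not part of the thread and not any vendor's code. The log format, thresholds and events are constructed; addresses come from the documentation ranges.

```python
from collections import defaultdict

# Constructed sample events: (epoch_seconds, source, account, success)
EVENTS = (
    [(1000 + i, "203.0.113.7", "alice", False) for i in range(12)]
    + [(2000 + i, "198.51.100.9", f"user{i}", i == 5) for i in range(10)]
    + [(3000, "192.0.2.44", "bob", False), (3020, "192.0.2.44", "bob", True)]
)


def max_in_window(times, window):
    """Largest number of timestamps that fall inside any `window`-second span."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def classify(events, window=60, fail_limit=10, account_limit=8):
    """Flag accounts under password guessing and sources spraying many accounts."""
    fails_by_account = defaultdict(list)
    accounts_by_source = defaultdict(dict)  # source -> {account: first time seen}
    for ts, source, account, success in events:
        if not success:
            fails_by_account[account].append(ts)
        accounts_by_source[source].setdefault(account, ts)
    findings = []
    for account, times in fails_by_account.items():
        if max_in_window(times, window) >= fail_limit:
            findings.append(("brute_force", account))
    for source, seen in accounts_by_source.items():
        if max_in_window(seen.values(), window) >= account_limit:
            findings.append(("credential_stuffing", source))
    return sorted(findings)


def accounts_to_reset(events, findings):
    """Accounts that logged in successfully from a source flagged for stuffing."""
    bad = {who for kind, who in findings if kind == "credential_stuffing"}
    return sorted({acct for _, src, acct, ok in events if ok and src in bad})


if __name__ == "__main__":
    found = classify(EVENTS)
    print(found, accounts_to_reset(EVENTS, found))
```

A per-account failure limit alone misses the second pattern, because each account sees only one attempt; counting distinct accounts per source catches it and identifies which logins need a forced reset.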
 

REDSLATE

Member
Maybe stop using the same password for all your accounts -- user definitely at fault.

Sorry, but that's the reality of it -- unless you can prove otherwise.

What an ignorant, entitled shit. Victim-blaming isn't helping anyone, and he doesn't have to "prove" anything to you.

Besides, a password means very little. If someone really wants access, they'll get in. Poor network security is the true issue here.
 
The general recommendation is to not trust Sony with sensitive information (to the degree possible). I would say the same about other companies, but the topic is about Sony - and they have a bad track record:

1. There have been several high-profile Sony-related cases of data leaks, not the least of which was the 2011 PSN breach (in which Sony failed to forewarn its customers that their data may have been compromised).
2. There have been documented instances of "white hat" hackers/researchers reaching out to Sony about vulnerabilities, but not getting through.
3. General lack of proactivity when it comes to security, such as the lack of 2FA.

Strong, unique passwords go a very long way, but ultimately it's the responsibility of the service provider to provide tools and education for its users. Providers are too afraid of doing things that could be perceived as inconvenient.

Valve is also on my personal shit-list, due to their complacent response to last year's caching issue.
 