$1,200. That’s how much someone is asking for a PlayStation Network account I’ve been investigating for the past few weeks. “Secure,” the person calls it, claiming the account will “never be touched” by the original owner again. “He won't be getting it back,” they claim. More than a thousand dollars? That’s a little rich for my blood, and so I counteroffer: $700.

“Btc?” they respond, accepting my bid. (BTC refers to bitcoin. The majority of transactions like this take place using cryptocurrency; it’s generally harder, but not impossible, to trace.)
I didn’t purchase the account, of course. But I could—anyone could, if they only knew where to look. This account wasn’t on a shady market because someone was clumsy with their digital security. They had a strong password and two-factor authentication. When they were notified about problems with their account, they called Sony and asked for help.

Despite all this, despite proving their identity over and over, they lost access to their PSN account, including any trophies earned or any games purchased. It was gone… well, sort of. The original owner no longer had access, but this person—the individual asking for $1,200 but who quickly and without hesitation dropped to $700—did.

“Right now it feels like Sony’s system is protecting the people who stole my account and not me, the legit account owner of that account for almost 12 years,” said Justin, who asked to keep his identity and PSN name anonymous for reasons that’ll become increasingly clear.

Sony did not respond to my multiple requests for comment about this story.

To prove Justin owned the account in question, he forwarded me several PSN receipts with the username attached to the email, and various correspondence with Sony.

Roughly a month after the launch of the PlayStation 3 and PSN, Justin did what a lot of people were doing: registered a username. There was nothing special about the username; it was the same one he’d been using online for years. And for a while, everything was normal. He played games, mostly single-player ones. Eventually, someone tried to gain access to his account, prompting an email from Sony thanking him for calling into customer service, but nothing more came of it. A fluke, surely?
It was not.

Instead, it proved to be the opening shot in an ongoing struggle for Justin. This tug-of-war began in 2015, and escalated in recent weeks, where people would gain access to his PSN account, then he’d wrestle it back. Justin would add new security measures, figuring the digital wall would prove too high, or they’d get bored and move on—and they’d get it again.

The moment Sony added two-factor authentication to PSN, Justin did, too.

“I've had at least one or two instances,” he said, “where they got far enough where the two-factor prevented them, it stopped them. I was like ‘OK, that's what two-factor is supposed to do.’”

Nothing is completely secure on the Internet, but there are steps you can take to make life harder for anyone trying to access your stuff. Two-factor authentication, where after entering a password the user is asked to paste a randomly generated code sent to an email account or device of their choosing, is one of the easiest steps one can take. It means an intruder requires access to your device or multiple accounts. It’s helpful, and it took far too long for Sony to add two-factor authentication to PSN, despite the service’s massive hack in 2011. Microsoft added two-factor to Xbox Live in 2013. It didn’t hit PSN until 2016, five years after the personal details of 77 million users were potentially exposed to hackers.

Two-factor authentication is enough for most people, though increasingly, companies are offering more complex security layers, including dedicated authentication apps. (I use Authy.)
Until this point, what Justin was experiencing was annoying but tolerable. The two-factor notifications told him people were trying to gain access, but all he had to do was change his PSN password. Things changed last month, however, when he was getting ready for school.

“I got a text message on my phone,” he said, “from the two-factor service saying ‘Your two-factor authentication has been deactivated. Please be careful, you don't have that protection.’ I won't say I'm a security expert, but I like to believe I'm security conscious. I knew I was screwed. I tried to log in, but it wouldn't let me log in, so I called Sony.”

After proving he was the account owner, control reverted to Justin, but he was confused. Justin told me Sony’s customer service representatives couldn’t explain what happened, but noted they could flag the account as “sensitive or something”—he couldn’t remember the exact phrasing—which would invite extra scrutiny by future representatives.

Justin pressed on. He registered a brand-new email account, one that hadn’t been associated with anything yet, and used the respected password management software LastPass to generate a 30-character password for his PSN account.

“I would go longer but I hate manually typing it in the PS4,” he said.
For the email address itself, however, he applied a 100-character, randomly generated password with two-factor authentication. After logging in, the name associated with the account (not the username) had changed. He didn’t take much note of it. Fear-something?

“I changed it all back,” he said, “and I was like ‘OK, this happened before. It's never gotten this far, but it was probably a one-off. Sony said they'd keep an eye on it. I have a new email address. I have a new password. Everything should be fine.’”

Narrator: It wasn’t.

When Justin woke up the next morning, it was like Groundhog Day; another text message saying two-factor had been flipped off. After calling Sony, he learned the damage was more serious: whoever hijacked the account changed the email address it was associated with, punched in a new password, and set up their own form of two-factor for a phone number.

When he tried to regain access through customer service, they said the account was now flagged as “protected.” Protected? This was different than “sensitive,” apparently. Protected turns on automatically, when the information on an account changes enough times to be considered erratic, and isn’t controlled by the representatives. Though the representatives confirmed Justin was the account holder, it was now, as Justin tells it, out of their hands. Another team was supposed to contact him in three days with more information.
During this phone call, something weird happened: someone texted Justin with messages he described as “vaguely threatening,” promising to make things “worse” if he didn’t give up the account. (He deleted the text messages before I'd gotten in touch, when I asked him to start documenting everything.) If he didn’t give up the account, this person would make things worse at his job at Earthlink. They also made vague allusions to his wife and child.

Here’s the problem: Justin never worked at Earthlink. Earthlink was his old internet service provider during the PlayStation 3 era, and there was an old Earthlink email address attached to a PSN child account he’d made for a reason he couldn’t remember. The hijacker, it seems, used these scant details to infer he worked at Earthlink, and had a family worth threatening.

This was actually comforting to Justin. There was no family to be threatened. Plus, when he’d been thinking through the other ways someone might be getting access to his information—cloning his phone’s SIM card, a hidden keylogger tracking the movements on his keyboard, a fully compromised email account—it was potentially much worse. Had that been true, though, why hadn’t anyone used his credit card? Accessed a website that could do more financial damage than his lowly PSN account?

The fact that two-factor was disabled on Justin’s account is an important, complicating point. In order to disable two-factor, you’d theoretically have to have full access to the account, which also means access to the email (or device) the two-factor code is being forwarded to.
In such a case, wouldn’t the hijacker have access to more information than the misleading details on the PSN account, such as an old email address? Something wasn’t adding up.

Who, then, was disabling two-factor on his account? A key piece of evidence to consider: Sony had told him someone had called about his PSN account a whopping 12 times in the past 48 hours. A few of those were Justin, but the vast majority of calls were someone else.

“I assume he's wasting an hour or two [on the phone with Sony], at least?” said Justin. “It takes me half an hour to sort it out, and I have all the information. [laughs] So I'm just going off how long it takes me, and I hope it takes him at least as long. I hope he's not calling up and getting it done in 10 minutes.”

A potential culprit, then, is social engineering, a now-pervasive technique where someone uses pieces of information to trick someone, usually customer service representatives, into granting access to another person’s account. This would explain the volume of phone calls. If you don’t succeed with one representative, call back and see if another will be more willing.

Though Sony asked Justin a series of personal questions to re-establish identity—the primary email address on the account, serial number of his first console, first city he logged in from—they also asked for details, like recent purchases, that could be found by punching the account into any number of websites and seeing what trophies had recently unlocked.
(I asked multiple individuals who recently spoke with Sony’s customer service over similar issues, and several mentioned Sony asking for recent purchases as one of their identity metrics.)

Once you know one piece of information, it’s not difficult to start punching that into Google and find other pieces of information that might be just enough for a more lax representative.

Whatever happened, the end result was the same: When Justin finally heard back from Sony, they didn’t apologize and promise to protect the account. Instead, they said it—an account Justin has had for more than 12 years, with a history of trophies and purchases—was gone. There was nothing he could do, no process to appeal, no way to get any of his games back.

“I couldn't get any confirmation on if the person who ‘hacked’ it is locked out, but I sure as shit am,” he said. “From what I can gather I have lost that account and Sony can't or won't do jack shit about it. If the person who stole it is also locked out that is one thing, but I couldn't get a concrete answer on that piece of info.”

That’s when I went looking for answers, and how I’d eventually end up talking someone down from a $1,200 asking price for Justin’s account to only—only—$700. My first tip came from one of Justin’s friends, who, in a fit of frustration, looked up Justin’s account on PSN, and found someone was actively using it, and had changed a bunch of information on it.
Importantly, it listed an active Twitter account in the “about me” section of the profile, an account that featured a (now deleted) screenshot bragging about access to Justin’s PSN name:
A reply mentioned another account, who also bragged about nabbing Justin’s PSN name.
When I contacted the first person, who had open direct messages, they pleaded ignorance, and repeatedly claimed it was their account. “What makes you believe the account was stolen?” they asked. Not long after, they locked their account—and deleted the screenshot.

It’s at this point that I contacted a source close to the hacking and piracy community, who pointed me towards a popular message board for sharing, selling, and buying “OG,” aka original, accounts across a variety of platforms, including Fortnite, Snapchat, Steam, Twitter, and, of course, PlayStation Network.

I’m declining to name the message board due to the sensitivity of the information on it.

On the board, there are guides to “secure” a PSN account in case “someone attempts to get the account back,” albeit with the important caveat “there’s no way to secure a PSN 100%.” One of the key suggestions is to quickly change the account to Japanese, which you’ll notice happened with Justin’s account. One of the screenshots listed the language as “Japanese.”

It was easy enough to register an account on this message board. There’s no vetting process. You also don’t have to pay anything to search the database, either. Once I was in, I plugged Justin’s PSN account into the search field and voila. There was a thread selling his username for $1,200.
In the thread, the seller promises the account is “secure.” There’s scattered and disputed discussion about whether the account has been sold before, but the seller claims it hasn’t. Importantly, there’s a discussion over whether the “og owner”—Justin—could regain access.

“He won’t be getting it back,” argued the seller.

“Are you going to have a pull war with him or what,” asked another user.

“Not really a pull war when he not gonna pull lol” retorted the seller.

Pull war is a reference to the cat-and-mouse game Justin had been playing with this person, or possibly someone else, and Sony’s customer service department. The seller was boasting there’s no way it’ll switch hands, a claim bolstered by what Justin was told by Sony: the account is lost. In this case, though, it’s not “lost” because Sony locked it down, it’s lost because the user apparently had pulled enough tricks to make sure it’s out of Justin’s hands.

The seller even referenced the text message conversations he had with Justin:
Soon after, another user vouches for the seller’s authenticity, but is called out by someone as being a duplicate account for the seller—a violation of the board’s rules. He’s now banned, amid speculation from other users that the seller cannot back up claims of securing the account.

“Use your brain a lil bit,” said another user. “There are ways to make sure og owner doesnt get it back. If you dont know then you dont.”
The other user concedes the point.

The seller continues to bump the thread—it’s been on sale for nearly a month—but no one’s biting. That’s when I decided to send a message, asking for proof about the account. He agrees to add me as a friend on PSN, and after registering a new account, I send a request.

Jackpot.
You’ll notice we’re now friends, as evidenced by the “your friend” note in the corner. The avatar is the same as the one referenced in the screenshot from Twitter a few weeks back.

This is when I decided to negotiate. Nobody had bought the account at $1,200, so maybe he’d go a little lower. Like I mentioned, I picked $700 out of thin air, thinking we’d settle somewhere in the middle, but they immediately agreed to my asking price. No negotiation.

“No one actually pays real money for accounts, so I bet he’s thrilled,” said the hacker who’d tipped me off to the forum in the first place.

I haven’t paid any money for the account, of course. Nor has anyone else.

More than likely, Sony itself is a victim of a clever social engineering scheme, in which a user, or series of users, repeatedly spammed their representatives, until they found someone willing to accept the limited information they did have, and calculated the system would eventually lock the account in their favor. Even a “failed” social engineering attempt can be a success, if the person calling comes away with new information about the account. Every company in the world can fall victim to social engineering, as there are no true fail safes. But Sony’s setup seems especially ripe for it.
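As an added illustration, not Sony's system and not code from the article, here is how the signals described above (a dozen support calls inside 48 hours, email, password and two-factor settings flipping back and forth, and identity questions that can be answered from a public trophy page) could be turned into recovery controls on the support side. The flag names, thresholds and the event timeline are assumptions constructed for this example.

```python
from collections import Counter
from datetime import datetime, timedelta

# Identity questions the article says reps ask. Recent purchases and trophies are
# visible on public profile-lookup sites, so they carry no weight here.
PUBLIC_FACTS = {"recent_purchase", "recent_trophy"}
PRIVATE_FACTS = {"primary_email", "console_serial", "first_login_city"}

# Account changes that, repeated inside one window, mark the account "erratic".
IDENTITY_CHANGES = {"email_changed", "password_reset", "twofa_disabled",
                    "twofa_phone_changed", "language_changed", "name_changed"}

def strong_identity(answered, needed=2):
    """True only when enough non-public facts were confirmed by the caller."""
    return len(set(answered) & PRIVATE_FACTS) >= needed

def assess(events, now, call_limit=4, change_limit=3, window=timedelta(hours=48)):
    """Flags from the (timestamp, kind) events inside `window`. The flag names and
    thresholds are assumptions for this example, not Sony's real rules."""
    recent = [kind for ts, kind in events if timedelta(0) <= now - ts <= window]
    kinds = Counter(recent)
    calls = kinds["support_call"]
    changes = sum(kinds[k] for k in IDENTITY_CHANGES)
    sensitive = calls > call_limit        # repeat callers shopping for a lax rep
    protected = changes >= change_limit   # identity data flipping back and forth
    return {"calls": calls, "changes": changes, "sensitive": sensitive,
            "protected": protected,
            # the control the article asks for: no phone-channel 2FA removal once flagged
            "allow_support_twofa_disable": not (sensitive or protected)}

def support_change_allowed(flags, answered, change):
    """Gate for a change a rep is asked to make over the phone."""
    if change == "twofa_disabled" and not flags["allow_support_twofa_disable"]:
        return False  # goes to the escalation team, whatever the caller knows
    return strong_identity(answered)

# Constructed timeline modelled on the article (12 calls in 48 hours, 2FA switched
# off, email and language changed, one call from the real owner). Not real data.
T0 = datetime(2019, 1, 1, 8, 0)
SAMPLE = [(T0 + timedelta(hours=h), "support_call") for h in range(0, 33, 3)] + [
    (T0 + timedelta(hours=4), "twofa_disabled"),
    (T0 + timedelta(hours=5), "email_changed"),
    (T0 + timedelta(hours=6), "language_changed"),
    (T0 + timedelta(hours=10), "support_call"),
    (T0 + timedelta(hours=11), "twofa_enabled"),
]

def sample_flags(hours_after=36, events=None):
    """Assess the constructed timeline as seen `hours_after` hours past T0."""
    return assess(SAMPLE if events is None else events, T0 + timedelta(hours=hours_after))

if __name__ == "__main__":
    print(sample_flags())
    print(support_change_allowed(sample_flags(), {"recent_purchase"}, "twofa_disabled"))
```

With the flags set, a caller who correctly answers every private question still cannot have two-factor removed over the phone; a caller armed only with public trophy data cannot change anything at all.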
Why didn’t the system get flagged as “sensitive” sooner? Why can a user flip off two-factor authentication over the phone? How can an account get abandoned, when it’s still active?

There are ways Sony could have prevented this from happening.

As I mentioned before, Sony did not respond to my request for comment about this story. They didn’t respond to my request for comment in 2017 when I investigated the shady world of PSN account resellers, either. PSN has a long, troubled history of putting their users in compromising situations. There are always exceptions, and no digital security is completely safe, but when someone follows all the rules, shouldn’t the company go above and beyond?

In this case, Sony most definitely did not—at first, anyway.

Though Sony did not officially respond to me, a few days after being alerted to the situation, in which I outlined everything that had happened to Justin’s account, he got a phone call. A week after Sony told Justin he was screwed, he was magically being handed the account.

“Sony promised that they were going to set it up so no reps could make any changes,” he said, “but they are still investigating how this happened.”

Sony did not respond to my request for comment about this new development.

There’s evidence the seller truly did believe they had the account “secured.” There was a new name and address associated with the account, and $15 in credit had been added. The seller even purchased some new games. This was an account someone intended to use, or allow someone else to use, if they’d agreed to an asking price of $1,200. (Or, uh, $700.) It’s also possible the purchases were made to establish a new purchase history, one of the identity metrics Sony’s customer service uses to establish who is the owner of an account.

Justin was also given a specific phone number to call in the future, if he has new problems.

“I have my account all set up now,” he said. “We shall see how well Sony can protect it.”

As for the seller, I called their bluff and asked for evidence they still had the account. They demurred, accused me of trying to waste their time (fact check: true), and asked for their money. They'll have to keep waiting.

Follow Patrick on Twitter. If you have a tip or a story idea, drop him an email: patrick.klepek@vice.com. Have thoughts? Swing by Waypoint's forums to share them!