PSA: PlayStation Network Gets Two-Step Verification (arstechnica.com) 42
Consider this a public service announcement: Sony has (finally) added two-factor authentication to PlayStation Network accounts. If you're a PlayStation user and are reading this right now, you really should go set it up so that someone doesn't try to take over your account and steal your password. Ars Technica details how you can set up the new security features: "Turn on your PS4 and go to Settings -> PlayStation Network Account Management -> Account Information -> Security -> 2-Step Verification. You can also set it up through the web by logging into your PSN account on the web and going through the Security tab under the Account header. From there, on-screen instructions will walk you through the process of using a text message to confirm your mobile device as a secondary layer of security for your PSN account. Two-factor support is not available when logging on to older PlayStation systems, so Sony recommends you generate a 'device setup password' to help protect the PS3, Vita, or PSP." Two-factor authentication comes five years after hackers breached PSN's security and stole 77 million accounts.
Re: (Score:1)
Yup. PSA, /. is stagnated.
SMS-Based? Dear Flipping ${GOD}... (Score:2, Insightful)
Fscking idiots. SMS is NOT SECURE! They had five years to work on the problem, and this is what they came up with?
Re: (Score:2)
Thanks for sharing your experience, and congratulations on being one of today's lucky ten thousand [xkcd.com] :)
Re: (Score:1)
I'm seriously asking here, because I don't understand the problem. It might be trivial to listen in on the text messages that are being sent and received by phones in your vicinity, but how is an attacker supposed to do that from, say, 2,000 miles away from where your phone is? Is the protocol really so broken that towers blast out every text message everywhere, and then rely on everyone's phones to ignore the ones they should not be listening to?
Re: (Score:3)
Re: (Score:3)
I'm seriously asking here, because I don't understand the problem. It might be trivial to listen in on the text messages that are being sent and received by phones in your vicinity, but how is an attacker supposed to do that from, say, 2,000 miles away from where your phone is? Is the protocol really so broken that towers blast out every text message everywhere, and then rely on everyone's phones to ignore the ones they should not be listening to?
Your description is not far off. But for serious as you suggest it would still be useful if you take the vendors stated goals at face value.
The problem here is that vendors don't really give a shit about "enhancing" security they care about not being harassed constantly by customers contacting them and uttering those infamous words "I forgot my password". Managing password resets is costly with aggregate cost estimated to be in the billions / year.
What this means in the real world is rather than enhancin
Re: (Score:2)
While this is true, it's still an extra layer, which means they/we are better off than where we were yesterday.
Now that I have the Two-Step... (Score:2)
from the five-days-too-late dept (Score:5, Informative)
Just days ago, NIST recommended that SMS no longer be used for authentication
https://pages.nist.gov/800-63-... [nist.gov]
Re: (Score:3)
Unfortunately it's the only two factor authentication system that's going to work for the public at large. It's a simple system that works with any and every cell phone on the market, with no need to (re)develop applications for multiple OSes, manage syncing those applications to a master server, and then handle user support issues when those applications break.
The problem with "proper" security is that it works against the user. Long passwords that you can't remember, SecurID tokens that you never have whe
Open standard (Score:2)
Best of all, the Time based OTP algorithm is open and well known, which means there are tons of other implementation beside google's, most of them similarly free/gratis, and a lot of them free/libre.
Re: (Score:2)
Check the app store for your smart phone of choice - the same one that's going to receive the SMS message. There are at least a dozen SecurID-style token apps that are easy to set up and use, work with multiple sites, and free. Google Authenticator is my token of choice. It meets your criteria: universally compatible (or nearly so - I haven't found a place were I can't use it yet, but YMMV), and in my experience, handles user failures gracefully.
Re: (Score:2)
Let's add a summary from a Sophos blog:
https://nakedsecurity.sophos.c... [sophos.com]
The problem with "proper" security is that it works against the user
NIST guidelines:
Favor the user. To begin with, make your password policies user friendly and put the burden on the verifier when possible.
Long passwords that you can't remember
NIST guidelines:Applications must allow all printable ASCII characters, including spaces, and should accept all UNICODE characters.. We often advise people to use passphrases, so they should be allowed to use all common punctuation characters and any language to improve usability and increase variet
Nice try (Score:3)
Like I'm going to actually use a link to PSN in an article about how insecure my PSN account is...
Here we go again... (Score:3)
>"will walk you through the process of using a text message to confirm your mobile device as a secondary layer of security for your PSN account"
Please realize that all this is, is a way for businesses to capture your mobile phone number and then abuse it with marketing. Almost GUARANTEED. Any "security" that requires you to disclose your phone number is a HORRIBLE idea.
Re: (Score:2)
Well, given the PS4's success, I can see the marketing team sitting at the table and saying they can milk their insecurity and get a whole pile of working cellphone numbers... for free! (Microsoft, alas, had implemented two-factors years ago and with the "failure" of the Xbone, prese
Re: (Score:2)
I am glad there are still a few reputable companies still out there. But I believe them to be the minority.
Advise you get a "throwdown phone" (Score:2)
Because putting your phone number out there will probably pollute it and soon you'll be getting telemarketing calls 24x7 effectively killing the number.
They'll promise to take care of your number but they'll sell it to a "business partner" or they'll lose the list due to poor security or when they go bankrupt it will be sold as an asset.
I've had multiple email and one phone number polluted like this so far. I don't trust'em any more.
Sony is the one I want protection from, though. (Score:2)
I'm not really sure what the point of this would be. I'm currently unable to purchase new games using my credit card on my PSN account, because of some undefined error I'm not allowed to know. Adding a new credit card fails. PayPal fails. Tech support tells me I've entered my information incorrectly (without telling me what information is incorrect). Basically after years of working fine and no changes from my end, Sony has decided my money is no good. So if some Russian hacker wants to walk to Walgre
I better act quickly, then... (Score:1)
...if I'm going to hijack the PSN account some guy set up using my gmail address. I wonder if Sony's bothered to start sending a test message to confirm email addresses on new accounts yet.
A few months ago, I commandeered a Twitter account that was linked to my email. I did manage to resist the temptation to screw around with some 64-year-old woman's match.com account. Doesn't anybody check these things?