PSA: PlayStation Network Gets Two-Step Verification (arstechnica.com)

Consider this a public service announcement: Sony has (finally) added two-factor authentication to PlayStation Network accounts. If you're a PlayStation user and are reading this right now, you really should go set it up so that someone doesn't try to take over your account and steal your password. Ars Technica details how you can set up the new security features: "Turn on your PS4 and go to Settings -> PlayStation Network Account Management -> Account Information -> Security -> 2-Step Verification. You can also set it up through the web by logging into your PSN account on the web and going through the Security tab under the Account header. From there, on-screen instructions will walk you through the process of using a text message to confirm your mobile device as a secondary layer of security for your PSN account. Two-factor support is not available when logging on to older PlayStation systems, so Sony recommends you generate a 'device setup password' to help protect the PS3, Vita, or PSP." Two-factor authentication comes five years after hackers breached PSN's security and stole 77 million accounts.
  • From there, on-screen instructions will walk you through the process of using a text message to confirm your mobile device as a secondary layer of security [ ... ]

    Fscking idiots. SMS is NOT SECURE! They had five years to work on the problem, and this is what they came up with?

    • by Anonymous Coward
      So what if SMS is not secure?

      I'm seriously asking here, because I don't understand the problem. It might be trivial to listen in on the text messages that are being sent and received by phones in your vicinity, but how is an attacker supposed to do that from, say, 2,000 miles away from where your phone is? Is the protocol really so broken that towers blast out every text message everywhere, and then rely on everyone's phones to ignore the ones they should not be listening to?
      • by ewhac ( 5844 )
        You can socially engineer a SIM redirect to a handset in your control. Once done, you get all the victim's SMS messages: https://www.wired.com/2016/06/... [wired.com]
      • I'm seriously asking here, because I don't understand the problem. It might be trivial to listen in on the text messages that are being sent and received by phones in your vicinity, but how is an attacker supposed to do that from, say, 2,000 miles away from where your phone is? Is the protocol really so broken that towers blast out every text message everywhere, and then rely on everyone's phones to ignore the ones they should not be listening to?

        Your description is not far off. But for serious, as you suggest, it would still be useful if you take the vendors' stated goals at face value.

        The problem here is that vendors don't really give a shit about "enhancing" security; they care about not being harassed constantly by customers contacting them and uttering those infamous words "I forgot my password". Managing password resets is costly, with aggregate cost estimated to be in the billions / year.

        What this means in the real world is rather than enhancin

    • While this is true, it's still an extra layer, which means they/we are better off than where we were yesterday.

  • ...Would someone please teach me the Charleston.
  • by MSG ( 12810 ) on Thursday August 25, 2016 @08:05PM (#52772747)

    Just days ago, NIST recommended that SMS no longer be used for authentication

    https://pages.nist.gov/800-63-... [nist.gov]

    • Unfortunately it's the only two-factor authentication system that's going to work for the public at large. It's a simple system that works with any and every cell phone on the market, with no need to (re)develop applications for multiple OSes, manage syncing those applications to a master server, and then handle user support issues when those applications break.

      The problem with "proper" security is that it works against the user. Long passwords that you can't remember, SecurID tokens that you never have whe

      • Check the app store for your smart phone of choice - the same one that's going to receive the SMS message. There are at least a dozen SecurID-style token apps that are easy to set up and use, work with multiple sites, and are free. Google Authenticator is my token of choice. It meets your criteria: universally compatible (or nearly so - I haven't found a place where I can't use it yet, but YMMV), and in my experience, handles user failures gracefully.

      • by MSG ( 12810 )

        Let's add a summary from a Sophos blog:

        https://nakedsecurity.sophos.c... [sophos.com]

        The problem with "proper" security is that it works against the user

        NIST guidelines:
        Favor the user. To begin with, make your password policies user friendly and put the burden on the verifier when possible.

        Long passwords that you can't remember

        NIST guidelines: Applications must allow all printable ASCII characters, including spaces, and should accept all UNICODE characters. We often advise people to use passphrases, so they should be allowed to use all common punctuation characters and any language to improve usability and increase variet

  • by SuperKendall ( 25149 ) on Thursday August 25, 2016 @10:30PM (#52773167)

    Like I'm going to actually use a link to PSN in an article about how insecure my PSN account is...

  • by markdavis ( 642305 ) on Friday August 26, 2016 @02:03AM (#52773529)

    >"will walk you through the process of using a text message to confirm your mobile device as a secondary layer of security for your PSN account"

    Please realize that all this is, is a way for businesses to capture your mobile phone number and then abuse it with marketing. Almost GUARANTEED. Any "security" that requires you to disclose your phone number is a HORRIBLE idea.

    • by tlhIngan ( 30335 )

      Please realize that all this is, is a way for businesses to capture your mobile phone number and then abuse it with marketing. Almost GUARANTEED. Any "security" that requires you to disclose your phone number is a HORRIBLE idea.

      Well, given the PS4's success, I can see the marketing team sitting at the table and saying they can milk their insecurity and get a whole pile of working cellphone numbers... for free! (Microsoft, alas, had implemented two-factors years ago and with the "failure" of the Xbone, prese

  • Because putting your phone number out there will probably pollute it and soon you'll be getting telemarketing calls 24x7 effectively killing the number.

    They'll promise to take care of your number but they'll sell it to a "business partner" or they'll lose the list due to poor security or when they go bankrupt it will be sold as an asset.

    I've had multiple emails and one phone number polluted like this so far. I don't trust 'em any more.

  • I'm not really sure what the point of this would be. I'm currently unable to purchase new games using my credit card on my PSN account, because of some undefined error I'm not allowed to know. Adding a new credit card fails. PayPal fails. Tech support tells me I've entered my information incorrectly (without telling me what information is incorrect). Basically after years of working fine and no changes from my end, Sony has decided my money is no good. So if some Russian hacker wants to walk to Walgre

  • ...if I'm going to hijack the PSN account some guy set up using my gmail address. I wonder if Sony's bothered to start sending a test message to confirm email addresses on new accounts yet.

    A few months ago, I commandeered a Twitter account that was linked to my email. I did manage to resist the temptation to screw around with some 64-year-old woman's match.com account. Doesn't anybody check these things?
