PSN has been hacked again (mcvuk.com)
265 points by ukdm on May 18, 2011 | hide | past | favorite | 64 comments



Wait. Please tell me I'm misunderstanding. You needed only to enter a user's e-mail address and birth date to change his/her password? So, even without the previous (actual) hack, you could use this page to change the password of a family member, friend, co-worker, and nearly anyone else you've ever exchanged e-mails with if you know their birthday (or they publish it on Facebook)?

How does someone even conceive of something like that without realizing the glaring problem with it? How does it pass muster at a major corporation that has hired security consultants? This is utterly flabbergasting.


How does someone even conceive of something like that without realizing the glaring problem with it? How does it pass muster at a major corporation that has hired security consultants? This is utterly flabbergasting.

I could understand that much outrage if Sony deliberately designed the password reset process to require only e-mail address and DOB. However, the article says that the password reset page had an exploit that allowed you to do that. It's still shoddy security, but at least it's not sheer idiocy.


Yeah...

I'm really not into the whole boycotting thing and I never really understood (for example) the people who would flat out not buy Microsoft products because of their at times very questionable business practices (especially when the worst of them happened a while ago).

I'll happily look past a gaffe here or there especially when it comes from the PR department or from the corporate lawyers as long as a company puts out a quality product.

And I quite like a few of Sony's products, too. They seem to put more thought into industrial design than most other companies.

But right now I can only pick up my Sony digital camera and earphones in distaste and it will probably be a long while until I buy anything made by Sony.

This is just way too much incompetence and in too short an order and they won't even stand up straight for it, instead pointing the finger at Anon or geohot.

Yuck.


> (especially when the worst of them happened a while ago).

The whole https://secure.wikimedia.org/wikipedia/en/wiki/Standardizati... thing is quite recent.


...and this was the solution that they spent the last month feverishly building.


No...this solution was already there before the big hack. I've used it in the past.


Why is the de facto standard way of email exchange plus old password plus maybe a birthday not workable? Unless PSN stored the passwords in plaintext, the hackers modified data, and Sony does not have a clean backup.


The main issue is that all the info used for password reset are in the hackers' hands. There may not be a perfect method, but maybe having a system that calls the phone number on file to give you a password reset code would have been more secure.


The hackers may have the email address, but they presumably can't read the email sent to that address. Hence "email exchange".


You are correct; that is what I meant. Users may have used the same password on the PSN and their email account though. If Sony did the right thing and only stored salted hashed passwords then that would be mitigated a bit.

Another option would be to send out a new password via mail to the billing address if they had no other way to do it electronically. Out of luck if you moved since then. Make the old password a requirement so mail thieves cannot steal your account.

I was pissed that I needed to change my credit card number because of these clowns. If someone wants to make a cool startup, make a credit card number that is a one-off that will only work for a certain time frame (extendable), dollar limit, and business name (though this one might be tougher because the business name given to the credit card company might be different than the business name I would enter).


CitiCard, for one, offers unique 1-off numbers for online transactions just as you suggest. Last I checked AmEx Gold cards also granted this feature.


I heard of the one-off card numbers before but I thought those were for just one month before they expire. Are they not? I haven't seen the AmEx Gold one, though. Thanks.


You're assuming too much. I'd take odds that people used the same pwd for both.


The use of DOB as an element of security has always made me question sites like Facebook offering to display it in public. Social networking would easily create an identity thief utopia if not kept in check. I actually gave a fake DOB on Facebook... then on my birthday five people came and wished me well, which is nice, but to anyone paying attention, this somewhat defeated my attempt to not make my DOB public.


The use of DOB as an element of security has always made me question its use as an element of security. It's used in many places, is not typically considered confidential, and is relatively easy to look up in publicly-available information.

Lots of security conventions ("mother's maiden name" for another example) are very silly.


Address is my favorite one: any homeowner's address is a matter of public record. What a great security question to use all over the place.


http://manuals.playstation.net/document/en/ps3/current/accou...

For having three different security firms working with Sony on the hack a month ago, are they really just pushing out the new PSN without a proper, full security review? I mean, any competent developer would immediately realize that this password reset system is flawed by design, especially with the fact that the user's information requested is the information the hackers already have!

This does not bode well for the near future of PSN as a whole. If something as simple as a password reset feature is still being built without security in mind, then how does the rest of the updated system fare?


I must say I'm baffled. I logged back into my PSN account via my PS3 yesterday, it directly asked me to change my password when I tried to use my previous credentials. No confirmation needed, it just sends you an email afterwards to notify you that your password has been changed.

At this point I assumed that it had used my PS3 hardware ID + my (static) IP + whatever to correlate that in all likelihood it must have been a legitimate login, which was already a bit weird but I guess they wanted to make it as simple as possible for everybody.

But this is just outstanding. It's really security 101 failure. As others have pointed out, using a regular password reset email with a unique token would have been much more safe, albeit not foolproof (some people would have lost their emails accounts they used to register by now).

Sony deserves everything that's happening (and will probably continue to happen) to them. The sad part is that I'm sure a majority of the gamers Sony really targets must still be chanting "xbox sucks go sony lol" and still think geohot or anonymous or santa is to blame.

-- A very unhappy PS3 (and its ancestors) owner.


If you are referring to changing your password the first time you logged in after the breach, then what is happening is that PSN knows you created that account on that PlayStation, hence the lack of confirmation. I created my account on a friend's PS3, and when I signed in I got sent an email which contained a password reset link.

It's rather strange then, given how secure the reset process was post-hack (and I think they did a really good job of making it secure and convenient) that they left such a gaping and obvious hole!


It's really security 101 failure.

...

Sony deserves everything that's happening (and will probably continue to happen) to them. The sad part is that I'm sure a majority of the gamers sony really targets must still be chanting "xbox sucks go sony lol"...

The effective collective IQ of Sony has sunk below average at this point, and the company lumbers along on network effects. Maybe there's room now for a gaming platform that's not a physical console?

I hope the collective IQ analogy doesn't also work for the United States!


> Maybe there's room now for a gaming platform that's not a physical console?

What do you mean by this?

A resurgence in PC gaming? I hope not. I have absolutely no desire to return to the PC gaming obsolescence cycle.


>"Maybe there's room now for a gaming platform that's not a physical console?"

Steam has been alive and well for at least a few years now.


The sad part is that I'm sure a majority of the gamers sony really targets ... still think geohot or anonymous or santa is to blame.

As a fellow PS3 player, I have an alternate point of view: I do not care about anyone's personal crusades. I just want to play some online games.

I believe multiple sources are at fault. One is at fault for providing the gun to the public, another is at fault for shooting the gun, and the third is at fault for not wearing a bulletproof vest. If I were to speculate on where most of the blame should be placed, I would be hard-pressed to blame the victim. I point my finger at the gunmen. I am part of the collateral damage, a civilian caught in the crossfire, caught in friendly fire.


If it is your credit card information, you would seem to be the victim. In that case Sony is playing a role similar to the US government and is only offering you a shirt instead of a bulletproof vest.

The original analogy though is only accurate depending on where this is taking place. A person living in the suburbs would seem silly for wearing a bullet proof vest. A person walking into a war zone without a vest is an idiot. The question is, which of the two locations best describes the internet.


If it's my credit card information then all the merchants who end up passing my card fraudulently are the victims, because they are the ones who won't get paid.

I won't have to pay a dime for transactions I didn't authorize.

I suppose I could call "victim" for having to watch my statements more closely, but everyone does that anyway, right?


Every day that went by where they didn't respond drew further outcry in the press and from government. So they rushed something out. Caught between a rock and a hard place.


> I mean, any competent developer would immediately realize that this password reset system is flawed by design, especially with the fact that the user's information requested is the information the hackers already have!

That's not actually the problem here. It's pretty standard practice to only ask for an email address to initiate a password reset. Google, for example, only asks for email address. Asking for additional information, like DOB, isn't really a security measure. It's more of an annoyance prevention measure, to make it slightly harder for random people to initiate password resets in your name.

The problem with what Sony was doing is that you could circumvent the verification that you had access to the email address you gave. The way it is supposed to work is that you initiate a password reset, and the site sends you a link that you have to follow to get to the form where the actual password reset takes place and you enter a new password.

The security comes not from knowing your email address and DOB, but rather from having to actually have access to the email.

The way Sony's site was working, when you initiated the reset request it was possible to figure out what the link was that was sent in the email, and hence finish the reset process without having access to the email. Oops.


any competent developer would immediately realize that this password reset system is flawed by design, especially with the fact that the user's information requested is the information the hackers already have!

One conclusion: there is a high prevalence of incompetent programmers at companies like Sony, combined with an unsatisfactory ability of management to ferret them out.


In their defense though: What data could Sony ask for? All the data that Sony knew about these accounts has leaked, so whatever they ask for, the hackers with the leaked data know it too.

Exception is maybe the credit card number, but that would mean that only a small subset of the original account holders can change their password.

Or you use a PS3 device ID and only allow changing the password on the device, but that is also known by the attackers and I'm sure it could be spoofed.

Not even sending a token to the email address on file would work in all cases because the users might have lost their email accounts to the breach too (by reusing the same weak password).


>Not even sending a token to the email address on file would work in all cases because the users might have lost their email accounts to the breach too (by reusing the same weak password).

Well, in that case, it'd be the user's fault for not having unique passwords, or at least for not changing an email password they knew was compromised, not Sony's fault. Sony can't do anything to ensure the users' email accounts are secure, so emailing a token would probably be the best solution.


The latest PSN update required a password change. They could have also added a required security question and then used that when resetting passwords.


IIRC there was already a security question when you first registered (at least, I made an entry for it in my KeePass DB, so I must have been asked one somewhere). It was however not asked to reset the password, which makes me wonder what it was good for in the first place.


Exactly this. All previously stored data is compromised. Obviously, people can't change their birthdates, but the password reset function unquestionably has to rely only on newly-supplied, uncompromised data.


It might not be perfect, but if they have phone numbers for their customers, why not set up an automated phone call system where a PIN is provided in the call? Email accounts can be compromised by hackers but I would think it would be much more difficult to co-opt customers' phone lines.


Robocalls would be a bad idea. People lose phone numbers when they move or go away to school. An email token is the best solution. If you are in the subset that lost your PSN email account then you can call Sony to sort out some other method of verifying your identity.


Why would people "lose" numbers given the Number portability act, as well as the fact that long distance charges don't really exist any longer. I realize this is slightly off-topic, but your claims don't ring true to me, and I'm hoping you will add some color.


Not all numbers are portable in all cases. When my fiance and I decided to both move cell carriers onto a third carrier to get a family plan, only one of us was allowed to transfer. No way around it.

Also, it's still basically impossible to transfer a land-line number to a cell number, as they are apples and oranges.


This is simply untrue as I've operated. These companies will often take advantage of you if you are not aware. If you utilize a competent SIP trunk provider, they will go to bat for you, and you should never relinquish a number. I realize ILECs present an issue, but again, the law is on your side. Document everything. I will help you for free with this, no problem. Not sure what there is to do post-facto, but I'd raise holy hell.


There's a whole world to discover outside your border. Take a vacation and you'll be amazed!


use a PS3 device ID and only allow changing the password on the device, but that is also known by the attackers and I'm sure it could be spoofed.

Often, every device in a secure network would benefit by having its own asymmetric encryption key. This way, Sony could have easily implemented a challenge-response that only clients could respond to. The hackers would only have gotten the public keys, which wouldn't do them any good outside of some sort of man in the middle exploit, which would require secret control of a part of the PSN network over an extended period of time.


This title strikes me as misleading. It should not come as a surprise that the personal information gathered in the first attack will be used for this purpose. It's just shocking that PSN forgot or misunderstood that they themselves were the first and easiest target.


I agree, the term "hack" is even more abused than the term "hacker" these days. I guess it makes for a good headline.


Yes, it irks me too. I consider myself a "hack" when it comes to programming. I tinker, I play, I build, but I have mostly surface knowledge. "Hacker" is a term that should be reserved for real programmers who actually know what they are doing and dig deep into vast reserves of knowledge to get around barriers that we mere hacks would come to a screeching halt at.


Well, IMHO being a "tinkerer" is an important trait for a "hacker" :).

I was thinking about the hacker == kids who DDoS Mastercard or steal info from the PSN. Some of them might be hackers, but that's not what a hacker is. Brute-forcing PSN accounts using a stolen DB is not really the mark of a hacker's job for me.


Agree, using past information from a previous hack is not by definition a new kind of risk.

PSN will need more time to properly recover all previously hacked accounts.


Just agreeing with the other comments here. This is not a 'hack'.. this is just an unfortunate consequence of the original breach. All the information was taken so Sony has nothing else to verify your identity with that can't be 'spoofed' by those with the original data. I restored my info via my PS3.


It's not dependent on the first breach. If I understand correctly that it only requires an email address and birth date to change someone's password, then it would be pretty easy to grab all of that data from somewhere like Facebook and run it through.


Reading the steps on Kotaku, I’m still not exactly clear how this procedure goes…

So you enter the target’s email address and date of birth on the reset page. If that clears, then the next URL has a token in the query string that you can apply to the actual password reset page URL to reset the target’s password?


Ironically I know of actual account owners who entered in fake birthdays and could not reset their own password because they don't remember their own "personal details."


Trophy unlocked: Unmitigated security disaster.


If anything this is an oversight (albeit ridiculous) not a "hack".


The solution to Sony's issue here seems like a no-brainer to me.

The answer is to rebuild/rebrand the networking for the playstation with a strong partner like Amazon, Google, or Valve/Steam.

A partner like Amazon, for example, could bring good e-commerce stability to lend confidence to the platform.

Google is also an excellent candidate -- they have the experience with scale and could use a strong partner like Sony to help push their home media platforms (GoogleTV, etc.)


I like this idea. What do you think about using Valve/Steam? They are in similar industries but occupy almost completely disjoint spaces. Could it be a match made in heaven?

Though, I do shudder thinking about having a company as incompetent as Sony joining forces with Valve.


Valve would be great for people who respect what they do (me included) but I'm hesitant to believe that Valve has much to gain from the partnership.

Google and Amazon are actively working towards marketing to televisions screens -- Amazon with Prime/Digital Video media sales and Google with GoogleTV and YouTube. They have more to gain from a potential partnership.


It's almost there. You can already link your PSN to your Steam account.


Note, according to the original article (http://sony.nyleveia.com/2011/05/17/warning-all-psn-users-yo...) as well as this forum discussion (http://www.neogaf.com/forum/showthread.php?t=430574), this is in fact a new vulnerability that is independent of the original PSN hack.

The problem seems to be that the email validation required for resetting the password could be circumvented. There is no detailed information in the posts on how, but likely either the validation hash was generated in an insecure fashion, or the email address input was not properly sanitized and allowed piggybacking (CCing) a second email address to receive the confirmation email.


I don't know why they are worrying about security. I wish they could put a guy on the fact that my Sony Blu-ray disc, running in my Sony PlayStation, doesn't play on my Nokia Bluetooth headsets. That's a problem. The fact that some people provide the Sony network with access to one of their high-level passwords is beyond me.


They snatched defeat from the jaws of victory. All they needed to do was generate a little random data and email it to their clients.

e.g. /reset?token=XXXXX

Only the recipient of the email can use it and it will let the person reset their password. It's so standard fare, I'm not sure why Sony needed to go this route.
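The token-based flow described in this comment and in the earlier reply about Google-style resets ("the security comes from having access to the email"), written out as an added example that is not code from the thread or from Sony: the weak variant derives the token from data a leaked database already contains, while the sound variant uses an unpredictable, hashed-at-rest, expiring, single-use token. The store, the user record and the `accounts.example.com` link are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stores for the example; a real service would use a database.
USERS = {"alice@example.com": {"dob": "1985-04-12", "password": None}}
PENDING_RESETS = {}          # sha256(token) -> (email, expires_at)
TOKEN_TTL_SECONDS = 15 * 60  # a reset link is only honoured for 15 minutes


def weak_token(email, dob):
    """The anti-pattern: a token computed only from data the requester supplies.
    Anyone holding the email address and date of birth (e.g. from a leaked
    database, or a public profile) can recompute it without reading the mailbox,
    so the emailed link proves nothing."""
    return hashlib.sha256(f"{email}:{dob}".encode()).hexdigest()[:32]


def start_reset(email, now=None):
    """Step 1: mint an unpredictable single-use token and store only its hash.
    Returns the raw token that goes into the emailed link, or None for an unknown
    account (the HTTP response should look the same either way, so the form does
    not double as an account-existence oracle)."""
    if email not in USERS:
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)                        # 256 bits from the OS CSPRNG
    token_hash = hashlib.sha256(token.encode()).hexdigest()  # a DB leak yields no usable tokens
    PENDING_RESETS[token_hash] = (email, now + TOKEN_TTL_SECONDS)
    return token


def reset_link(token):
    """The link placed in the email, in the shape the comment above suggests."""
    return f"https://accounts.example.com/reset?token={token}"


def complete_reset(token, new_password, now=None):
    """Step 2: the only proof accepted is possession of the emailed token.
    Email address and DOB are deliberately not asked for again; once mailbox
    access is shown they add nothing, and their leaked values are worthless here."""
    now = time.time() if now is None else now
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    # Compare against every stored hash in constant time so a partial match
    # cannot be inferred from response timing.
    match = None
    for stored_hash in list(PENDING_RESETS):
        if hmac.compare_digest(stored_hash, token_hash):
            match = stored_hash
    if match is None:
        return False
    email, expires_at = PENDING_RESETS.pop(match)  # consumed on first use, even if expired
    if now > expires_at:
        return False
    # Store the new password with a salted, slow KDF rather than a bare hash.
    salt = secrets.token_bytes(16)
    USERS[email]["password"] = (salt, hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000))
    return True
```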


And how will Sony be punished for this? They won't.

People will keep using them.

Nobody but us cares.


By people not buying the PS4.


People will buy the PS4. No normal person cares about the hack.


PSN hasn't been hacked again. A webpage has been hacked that could change your password. Definitely a misleading headline.


Not a hack really just a gross oversight on Sony's part.


Well, at least Sony was not the security contractor at TEPCO's nuke plants.



