$1,200. That’s how much someone is asking for a PlayStation Network account I’ve been investigating for the past few weeks. “Secure,” the person calls it, claiming the account will “never be touched” by the original owner again. “He won't be getting it back,” they claim. More than a thousand dollars? That’s a little rich for my blood, and so I counteroffer: $700.
This is a really strange story. I remember this coming around the first time Klepek covered it on Waypoint, but I do think this is an interesting topic of discussion, which the article does work in elucidating. Social engineering as a method of accessing accounts is definitely a problem, particularly in corporations without robust customer service systems in place. The potential for inconsistencies to arise or overworked (and underpaid) staff to just “yeah, yeah” and play fast and loose with an account’s security is, frankly, high.
With that said, I am curious about the whys of this market and why this account in particular was targeted so firmly. One assumes it might just be ‘a cool username’, but one does wonder.
Truly a chilling account that sounds like a nightmare of bureaucracy that can happen to any of us. But like @robowitch mentioned, what is the point of all this from the hacker’s perspective? Like, I’m an active PSN user with like 1000+ PS3, PS4 and Vita games (from PS Plus and otherwise) associated with my account. And even I wouldn’t pay $700 (or $1200) for it on account that most of those games are selling for next to nothing on Sony’s regular flash sales. Sure, the account has personal value to me, but I can’t see anyone else caring all that much about it. Wouldn’t all this effort be better spent cracking your system and playing all the games for free? This just seems like the dumbest scam that only serves to cause the rightful owner an unceasing headache.
A friend of mine did propose that it would be the game library where you would get a lot of the value – even if many of those games can be picked up on the cheap, I think, if you can get ahold of it, it can be some easy money for a hacker to do.
I imagine it’s easier to ‘win’ against another customer than it would be against Sony’s copy protection – the corporation has a lot more human will to keep on an issue than people do (Justin may be an exception rather than the rule!).
But based on this story, it seems even more difficult to sell the account than it was to steal it. Dealing with internet randos in an already sketchy area of the web, using bitcoin transactions, it all seems like such a pain in the ass.
I haven’t kept up with modding, but I remember back in the 360 era there were people in Toronto that would mod your console and load it with hundreds of games for something like $100 a pop. Granted, you couldn’t log onto Xbox Live, but I could easily grok the value proposition for both seller and buyer. Here, it just doesn’t add up to me.
This was a super interesting article! My thought as to why the seller was so persistent in getting the account: based on the messages they received on that board, as well as them trying to use a sockpuppet to vouch for themselves, and their willingness to sell for much lower than offered, this person might be fairly new to this sort of thing. In that case, they probably wouldn’t want their first attempt to be a massive failure. I know I tend to dig in and get stubborn when I’m struggling with something new, so I could see it happening to me if I was inclined towards this kind of thing.
Anyhow, I’m… uh… off to change my PSN password I think!
I think you might be onto something here. The scammer in question probably treats Justin as his white whale at this point, even if he’s had success with other thefts in the meantime. I have tremendous trouble understanding the psychology of these inordinately spiteful people who persistently harass one person in particular on the internet.
Bravo Patrick for assembling this wild story. I hope Mr. Scammer doesn’t read this story and realize it’s about him, reigniting his passion to seize Justin’s account. Relatedly, I hope that Justin will finally be able to disappear off of his radar when Sony allows name changes (and ideally doesn’t allow some obvious method to track people across name changes).
Great article. I had someone steal my Xbox Live account years ago before they had Two-Factor. The person bought a couple games (one of them being Call of Juarez) I think to test my Credit Card and then bought a bunch of Fifa Ultimate Team stuff, as was the trend.
I managed to get the account back, got refunded the purchases. Funny enough they actually didn’t remove the stuff that was bought. I set up a new password and two-factor when that came along, been good since.
I was pretty sure that was social engineering since that password wasn’t like any of the other passwords I was using. I remember a script going around at the time for how to get around Xbox Live’s call support by claiming you were disconnected during a certain step in identity verification.
Kinda scary they can get around the Two-Factor with “Whoops I deleted the app”, I presume.
Damn, that was a rollercoaster. Really great reporting Patrick. It sucks that it seems like as long as someone is determined to hit up customer service enough, they can probably do this to any one of us. At the same time though, I totally don’t think I could ever handle being a customer service rep–with the personality that I have, I’d probably be naive enough to believe someone with a good enough sob story that “got locked out of their account”.
This stuff is awful. With permission I once called up Vodafone to cancel my contract though it was in my mum’s name. Granted I knew my mum’s general details, I was able to cancel the contract through simply threatening to speak to a manager. (The rep said I didn’t sound like a ‘Miss’ and all’s it took was to say how dare they, I would like to make a formal complaint.) Not my proudest moment, but it’s scary how easy it can be to gain access.
I’m sure this is just naiveté on my part, but it is absolutely stunning to me that Sony would just so cavalierly and nonchalantly rip potentially thousands of dollars worth of purchases away from a decade-long customer.
I’m sure verified accounts have some extra level of protection on PSN, but I really hope Patrick talked to someone at Sony about putting super-secret double protection on his account before publishing this.
To me, that section certainly read as folks in customer service throwing their hands up at a ‘problem customer’ (especially if they were under the impression this person had called 12+ times previously). That isn’t necessarily defending the practice, but customer service teams are often underpaid despite (or because?) they’re the front line of engaging with end-users and delivering them a high-quality service. Teams that are under-paid, under-resourced, and (often) surveilled and subjected to intrusive working practices from a corporate perspective go into a working environment dealing with clients who can range from the pleasant and easy to the difficult and, frankly, verbally abusive.
I’ve never worked for Sony and can’t speak to whether or not any of the above is the case with their teams, but I have worked in similar roles and can certainly vouch for how little management can prioritise over-the-phone customer support despite how important it is for end-users.
Not to be an alarmist, but I think this is really worth pointing out.
If you all think it’s scary how people are so easily able to get information from Customer Service Representatives at tech call centers, you should be terrified that it’s not much more difficult to get important confidential information from Customer Service Centers that work for the government.
I work in a call center at an HCA-contracted company as middle management and part of my job is trying to make sure everyone follows proper confidentiality protocol, but mistakes are made all the time and I see the consequences. CW: Domestic Abuse. I’ve talked to two separate women who have had their abusers find them because someone, thankfully not in my company, gave out their addresses to the abuser, just because he called in to “confirm the home address on file on their behalf”.
This really isn’t just an issue in video games, and you should be concerned about it.
Yeah, and this is true from both directions. (I think it was Rami on twitter who said that the two weakest links in any security chain are customer service and the user.) I’ve worked on government surveys. We don’t collect anything as sensitive as health care data, but we’re also not supposed to collect any information not specifically asked for on the survey.
With some respondents you have to practically beg them to stop repeatedly breaching their own PII. It’s like they can’t wait to tell this stranger on the phone every conceivable piece of identifying information. And, contrary to conventional wisdom, this is far from limited to the elderly.
You know I would have assumed after getting just completely destroyed over security flaws in the past their security team would have sat down and actually planned out their security for customers.
Let’s just ignore the fact that it is SMS, which is incredibly insecure, and talk about how customer service representatives can remove 2 factor authentication. That should never be an option ever. If you don’t have both you should be locked out completely.
All this tells me is Sony still doesn’t care enough about security to bother hiring a third party to test it, because social engineering is often the easiest and fastest way to get control and is one of the first things a professional will test.
Oh my God, people are so fast to just give away sensitive information; the number of times I’ve heard “I don’t have my Medicaid # on me, but I can give you my social”.
Why would anyone just volunteer their whole-ass SSN??? We don’t even keep those on FILE, they are so sensitive.
In a CS position I held for a year, I had no less than two clients directly send me their full debit card information (full 16 digit number, name on card, expiry date, CVV – literally everything) entirely unprompted, one of which in an e-mail that went into a general e-mail address that could be accessed by multiple members of staff.