Last week, Ryan Hamann found himself locked out of his PlayStation. Someone had spent $570 on extra points in FIFA '15, billed directly to Hamann's credit card, and switched the account to another PlayStation somewhere in Europe. Hamann called his credit card company to dispute the charges — the standard first move in cases of identity theft — but Sony wasn't happy about being stuck with the bill. Sony customer service told him that until someone paid for the fraudulent FIFA points, he would be locked out of the account entirely, with no access to the games he'd paid for.
It's an unsettling story, but a surprisingly common one. A string of account thefts has hit Sony PlayStation users, with Reddit users counting five separate reports in recent weeks, leading to renewed calls for better security on the platform. The PlayStation Network has repeatedly come under digital attack — most recently when Lizard Squad brought down the network in December — but accounts like Hamann's are still vulnerable to basic social engineering attacks. Even worse, the platform still doesn't support two-factor authentication, which could have prevented many of the compromises.
In Hamann's case, he was able to escalate the issue all the way to a member of Sony's legal team, and his account was eventually restored, but it wasn't an entirely happy ending. When he spoke to The Verge on Monday, he had just regained control of the account, only to find it had been hijacked again. "My thought is that the hacker called phone support and claimed that I was stealing the account from him," Hamann said.
Hamann isn't the only one asking for more protections. Another user (who asked not to be named) told The Verge that his account was compromised with an extra device added for a full month before any games were purchased. Eventually, the intruder got greedy, locking out the user's PlayStation and running up $600 in charges. Again, Sony's customer service said that if the user disputed the charges with his bank, he would be locked out of the account permanently. He was eventually able to restore the account, but the ease of the hack has left him with deep doubts about the security of the platform. "I'm not really confident that I'll be protected if it happens again," he told The Verge. "If my account can be compromised without me or Sony knowing and there is absolutely nothing I can do to protect myself, that scares me."
It's unclear exactly how the accounts were compromised, but it seems likely the attackers gained access through social engineering, impersonating the target on a customer service call. Sony customer service only requires a person's name, email, and PSN username before adding another console to a given account, making social engineering attacks unsettlingly easy. The Verge was able to recreate this line of attack using a dummy account. Xbox Live accounts, by contrast, already support two-factor authentication, making it much easier for users to secure their accounts if they're worried about being targeted. (Sony did not respond to a request for comment.)
There's also reason to believe at least some of the necessary data is already available in certain corners of the web. In 2011, Sony suffered a major data breach that leaked information on 77 million accounts. Passwords would have been changed in the five years since the breach, but most names, usernames, and emails would still be the same. For anyone who stumbled across the breach data online, it would be easy to use the information for a social engineering attack.
The scam carries a surprisingly low payout for attackers. FIFA points are highly prized by players, but they’re only useful for in-game purchases, and it’s unlikely the attackers got any hard cash out of their victims’ losses. When they tied the stolen account to a new PlayStation, they also may have left themselves seriously exposed if Sony wants to track them down. Still, that’s little comfort for victims who find themselves stuck with a bill for hundreds of dollars in stolen goods.
In the meantime, the larger issue is Sony's customer service. Both users were eventually reimbursed, but the process still left them caught between standard anti-fraud practices from banks and Sony's refusal to unlock the account until the fees were settled. "They need to be reasonable," said one target. "If someone's account is obviously hacked and unauthorized purchases are made, refund the full amount to the customer and don't threaten them with extortion."