PSN - Warnings of Security Breach

[Robocrop]

I dont know how Sony manage to keep their userbase. I would never submit any info to these idiots.

[hackeyking]

I don't see 93,000 as a small group, trying to play it down....

[damox]

I don't see 93,000 as a small group, trying to play it down....

93k login attempts? That is nothing considering the user pool.

This news is just bullshit-hype. There is no hack here - just fallout from the old server hacks.

What did you think people were going to do with the stolen info - just let it sit?

Sony stepped up their security, and have caught people trying to exploit stolen user data.

Sony squash the login attempts and people still cry. Try and be objective for once.

[Samekas]

OMG!I can't sig in in my account

[yes159]

True, this is a brute force attack, not a new PSN hack. Sucks that it happens, but it is at least good to hear that Sony have temporary locked those accounts, showing that there are at least some security messures in place against brute force attacks like this

[Bartholomy]

True, this is a brute force attack, not a new PSN hack. Sucks that it happens, but it is at least good to hear that Sony have temporary locked those accounts, showing that there are at least some security messures in place against brute force attacks like this

I see Or maybe PSN is still a piace of trash, and 93k accounts is just a fake number, and its double or more for not lose the face and receive a huge sue? They talks about refunds, where credit card was used.. No security measure. Someone stole and used some accounts, just later blocked, when too late.
Who knows

[yes159]

I see Or maybe PSN is still a piace of trash, and 93k accounts is just a fake number, and its double or more for not lose the face and receive a huge sue? They talks about refunds, where credit card was used.. No security measure. Someone stole and used some accounts, just later blocked, when too late.
Who knows

Yes, maybe it is 1000 times more? Or maybe 100,000 times more?! Ok if you want to speculate though But that is what it will be, speculation.

If someone gets a hold of your account login information and you have creditcard info stored on the account, then of course there isnt any security messures against that people can use your account to buy stuff through PSN. And it would be amazing if they blocked the accounts before it happened, then they would have to be able to see into the future

Sony should add a CHAPTA to their PSN web login though, that is activated if the first login attempt fails.

[Bartholomy]

Yes, maybe it is 1000 times more? Or maybe 100,000 times more?! Ok if you want to speculate though But that is what it will be, speculation.

If someone gets a hold of your account login information and you have creditcard info stored on the account, then of course there isnt any security messures against that people can use your account to buy stuff through PSN. And it would be amazing if they blocked the accounts before it happened, then they would have to be able to see into the future

Sony should add a CHAPTA to their PSN web login though, that is activated if the first login attempt fails.

No. A real solution, if Sony was seriously interested to give to customers a serious security, was a secret answer during login, something just the owner knows. Can be automated during console's login, from the console's owner. This is security, let me
Wants more? Give to your customer (cheap fee) a login key token, like RSA. World of warcraft use it, for example. Well, steal a token protected account, is nearly 0. If Sony needs an expert of security, mail me

[NuclearAqua]

Or you could just implement a system like Steam Guard. It's sure to kill off any hacking attempts.

[yes159]

No. A real solution, if Sony was seriously interested to give to customers a serious security, was a secret answer during login, something just the owner knows. Can be automated during console's login, from the console's owner. This is security, let me
Wants more? Give to your customer (cheap fee) a login key token, like RSA. World of warcraft use it, for example. Well, steal a token protected account, is nearly 0. If Sony needs an expert of security, mail me

What you're suggesting regarding the secret question is pretty much to have two passwords instead of one. This system would work and it would indeed add more security, that is true, but how many places uses 2 passwords? Do you have any example of places that uses 2 passwords to login? I actually dont think i have ever seen a place online that requires 2 passwords to login, but i dont think that you mean that pretty much every place online dont have serious security? Secret question is mostly used if you forgot your password and need to retreive it.

Using a chip ID stuff like the RSA you mention would also increase security indeed, that is also true, but very few places uses stuff like this. This type of stuff is mostly used for online banks and such as far as i know. Places like Xbox Live, Gmail, Facebook, Twitter, Hotmail etc. etc. dont use RSA stuff.

But you are right that there are extra security messures that can be used, so that even if someone gets a hold of the login information, then they still cant log in. I forgot about this. But it is unfortunately not used that often.

Or you could just implement a system like Steam Guard. It's sure to kill off any hacking attempts.

Yep, this is actually a pretty good idea Facebook also have a system like this, where you can allow only certain PCs to be allowed to log into your account.

[Bartholomy]

What you're suggesting regarding the secret question is pretty much to have two passwords instead of one. This system would work and it would indeed add more security, that is true, but how many places uses 2 passwords? Do you have any example of places that uses 2 passwords to login? I actually dont think i have ever seen a place online that requires 2 passwords to login, but i dont think that you mean that pretty much every place online dont have serious security? Secret question is mostly used if you forgot your password and need to retreive it.

Using a chip ID stuff like the RSA you mention would also increase security indeed, that is also true, but very few places uses stuff like this. This type of stuff is mostly used for online banks and such as far as i know. Places like Xbox Live, Gmail, Facebook, Twitter, Hotmail etc. etc. dont use RSA stuff.

But you are right that there are extra security messures that can be used, so that even if someone gets a hold of the login information, then they still cant log in. I forgot about this. But it is unfortunately not used that often.



Yep, this is actually a pretty good idea Facebook also have a system like this, where you can allow only certain PCs to be allowed to log into your account.

Yep. The secret answer, aka second password, was the cheapest way to add some security, but works.
Looking how Sony prefer to give to his customers a secure service ( we all saw what happened, recently, and again), at least the secret answer should have prevented this new mess, locking accounts.
An other cheap solution is surely, as suggested, Steam Guard, where specific computers/ consoles are allowed.
RSA is a top end. A few online games use it, guess why. If you think it's just playmoney, like WoW...
Here, we are talking about real money, and credit cards, sometimes linked to the main bank account, guys..

[yes159]

Yep. The secret answer, aka second password, was the cheapest way to add some security, but works.
Looking how Sony prefer to give to his customers a secure service ( we all saw what happened, recently, and again), at least the secret answer should have prevented this new mess, locking accounts.
An other cheap solution is surely, as suggested, Steam Guard, where specific computers/ consoles are allowed.
RSA is a top end. A few online games use it, guess why. If you think it's just playmoney, like WoW...
Here, we are talking about real money, and credit cards, sometimes linked to the main bank account, guys..

Sure, there are extra security messures that can be taken into places. I mentioned CAPTCHA earlier, which is usually a good way to stop bruteforce attacks. So i dont disagree with you on this

I also know that this is an article about Sony, but it seems to me that you talk like Sony is the only company that dont have these security messures that you mentioned in place. So why single out Sony in this case? And as i asked you earlier, which places online uses 2 passwords to login? Or do you concider every place online that doesnt use 2 passwords to login to have poor security?

The same goes with RSA. There are tons of places where you can register your creditcard, but hardly any of them uses RSA as far as i know. Do you concider all these places to have poor security?

[Bartholomy]

Sure, there are extra security messures that can be taken into places. I mentioned CAPTCHA earlier, which is usually a good way to stop bruteforce attacks. So i dont disagree with you on this

I also know that this is an article about Sony, but it seems to me that you talk like Sony is the only company that dont have these security messures that you mentioned in place. So why single out Sony in this case? And as i asked you earlier, which places online uses 2 passwords to login? Or do you concider every place online that doesnt use 2 passwords to login to have poor security?

The same goes with RSA. There are tons of places where you can register your creditcard, but hardly any of them uses RSA as far as i know. Do you concider all these places to have poor security?

I'm not claiming every online service without RSA as unsafe. My point is: any service where real money and credit cards are used, should give to the customers , at least as option, a better way to keep his account secure. Do you want RSA, pay a token, link it to your account. Do you want captcha? press yes. Surely not the idiot paid service Sony claimed as big enhancement, now free, soon a paid service. Curious, they claim it as a great deal, and now tons of accounts are locked, and money refilled on wallet? You could answer me "maybe was accounts not protected from the new security system" Let me answer you, their service could keep more safe our credit cards, but far from a real security. Your idea of captcha, thinks, is cheap, and able to stop brute force attack. I'm not attacking just Sony, i'm just talking about the thread, here we are talking about Sony and this mess.
If Microsoft or any other company don't give to us an RSA option, or captcha, or any other better security measure, we can talk about it on an other thread For sure, Sony with his PSN, received a new worldwide kick on their back, just to remember us if PSN and Sony deserve our money on wallet, or not.

[ahou]

Sure, there are extra security messures that can be taken into places. I mentioned CAPTCHA earlier, which is usually a good way to stop bruteforce attacks. So i dont disagree with you on this ?

Using captas for security is silly really. Locking an account for even one minute after 3-5 failed login attempts would make brute forcing impossible, without inconveniencing people who simply mistype their password. Hell, even limiting it to one per second would make it impossible to realistically brute force a password with more than 5-6 characters.

[yes159]

I'm not claiming every online service without RSA as unsafe. My point is: any service where real money and credit cards are used, should give to the customers , at least as option, a better way to keep his account secure. Do you want RSA, pay a token, link it to your account. Do you want captcha? press yes.

I do agree with this, but unfortunately it is very uncommon as far as i know. I can think of 5-6 places where my creditcard is stored (and all are well known sites), but none of those places offers this type of extra security as far as i know.

Surely not the idiot paid service Sony claimed as big enhancement, now free, soon a paid service. Curious, they claim it as a great deal, and now tons of accounts are locked, and money refilled on wallet? You could answer me "maybe was accounts not protected from the new security system" Let me answer you, their service could keep more safe our credit cards, but far from a real security. Your idea of captcha, thinks, is cheap, and able to stop brute force attack.

What paid security service are you referring to?

Security breaches can unfortunately happen everywhere. But this is how people learn and improve.

I'm not attacking just Sony, i'm just talking about the thread, here we are talking about Sony and this mess. If Microsoft or any other company don't give to us an RSA option, or captcha, or any other better security measure, we can talk about it on an other thread For sure, Sony with his PSN, received a new worldwide kick on their back, just to remember us if PSN and Sony deserve our money on wallet, or not.

Fair enough. I know it was an article about Sony, so it does make sense to talk only talk about Sony here, but i just wanted to point out that the security things you mentioned (which of course are good) are very uncommon. So it is not exactly strange that PSN does not have all these things in place, in my opinion.

Using captas for security is silly really. Locking an account for even one minute after 3-5 failed login attempts would make brute forcing impossible, without inconveniencing people who simply mistype their password. Hell, even limiting it to one per second would make it impossible to realistically brute force a password with more than 5-6 characters.

Why do you think it is silly to use CAPTCHA to stop bruteforce attacks? If a CAPTCHA is well designed so that a bot cant automatically figure out the CAPTCHAs, then this is one effective way to make sure people cant keep trying passwords over and over again on an account (or in other words, bruteforcing). Automatic locking accounts, in addition to CAPTCHA, that is an even better solution than just using CAPTCHA alone

[Bartholomy]

I do agree with this, but unfortunately it is very uncommon as far as i know. I can think of 5-6 places where my creditcard is stored (and all are well known sites), but none of those places offers this type of extra security as far as i know.
Sadly true. Send to support , security department, a formal request about how unsafe is your wallet. Warn them you will sue them for a refund


What paid security service are you referring to?
The new one improved by Sony, after the PSN disaster.

Fair enough. I know it was an article about Sony, so it does make sense to talk only talk about Sony here, but i just wanted to point out that the security things you mentioned (which of course are good) are very uncommon. So it is not exactly strange that PSN does not have all these things in place, in my opinion.
That's why i will never put any more money on my PSN wallet



Why do you think it is silly to use CAPTCHA to stop bruteforce attacks? If a CAPTCHA is well designed so that a bot cant automatically figure out the CAPTCHAs, then this is one effective way to make sure people cant keep trying passwords over and over again on an account (or in other words, bruteforcing). Automatic locking accounts, in addition to CAPTCHA, that is an even better solution than just using CAPTCHA alone

Maybe with silly he meant stupid and easy to improve, so strange noone of their well paid security managers didn't add a better way to keep our account (and credit cards) more safe

[ahou]

Why do you think it is silly to use CAPTCHA to stop bruteforce attacks? If a CAPTCHA is well designed so that a bot cant automatically figure out the CAPTCHAs, then this is one effective way to make sure people cant keep trying passwords over and over again on an account (or in other words, bruteforcing). Automatic locking accounts, in addition to CAPTCHA, that is an even better solution than just using CAPTCHA alone

If they are simple, a bot will solve them (though far, far slower than it would take to simply send a million log in attempts per second). If they are complex, they are a pain in the ass for actual users. More importantly, they are entirely unnecessary. Brute forcing works by trying millions, if not hundreds of millions or billions of passwords per second. Limiting it to one attempt per second would make it entirely pointless to even try, and an actual user would never even know about it, unless told.

[Bartholomy]

If they are simple, a bot will solve them (though far, far slower than it would take to simply send a million log in attempts per second). If they are complex, they are a pain in the ass for actual users. More importantly, they are entirely unnecessary. Brute forcing works by trying millions, if not hundreds of millions or billions of passwords per second. Limiting it to one attempt per second would make it entirely pointless to even try, and an actual user would never even know about it, unless told.

Captcha simple to be managed by a bot? : uhm...

[yes159]

Sadly true. Send to support , security department, a formal request about how unsafe is your wallet. Warn them you will sue them for a refund

Hehe, yeah, i could send them a mail. But i think that the security is good enough (at least so far). I have used creditcards online for maybe 5-6 years now and i have never had money stolen from it But if it happens, then i have insurance at my bank, so i dont lose any money personally. But of course i dont want my creditcard to be abused even if i am insured, so i try to take some precautions on where i register my creditcard

The new one improved by Sony, after the PSN disaster.

Ok, i understand. It seems to have worked good so far. But only time will tell if someone manages to hack PSN again wnen it uses this new security system.

That's why i will never put any more money on my PSN wallet

I understand. I have my creditcard registered on PS3, but i'm not worried about it. But i dont blame people if they want to take precautions, i fully understand that

Maybe with silly he meant stupid and easy to improve, so strange noone of their well paid security managers didn't add a better way to keep our account (and credit cards) more safe

Maybe, but i think he means more that CAPTCHAs are unneccesary. In some cases, maybe it isnt always needed, but using CAPTCHA does at least add one layer of security against bruteforce attacks =)

If they are simple, a bot will solve them (though far, far slower than it would take to simply send a million log in attempts per second). If they are complex, they are a pain in the ass for actual users. More importantly, they are entirely unnecessary. Brute forcing works by trying millions, if not hundreds of millions or billions of passwords per second. Limiting it to one attempt per second would make it entirely pointless to even try, and an actual user would never even know about it, unless told.

I agree that CAPTCHAs can sometime be a bit annoying, but i'm only talking about CAPTCHAs that is being activated if the password is wrong. This is how i.e Windows Live, Gmail and Yahoo Mail works. If you enter your password wrong like 3 times, then you get a CAPTCHA up, so you dont have to write in a CAPTCHA every time you log in

If it is unnecessary with CAPTCHA, i dont know about that. There must be a reason why many places rely on such a solution at least instead of keeping on locking and unlocking accounts every second. Eventhough that this does severely slows down the bruteforce attack indeed, it would still allow bruteforcing to happen. Then you can keep trying every second. But with CAPTCHA, then it wont allow you to try unless you write in the right word in the CAPTCHA. So it definitely adds one extra layer of security =)

[Bartholomy]

There must be a reason why many places rely on such a solution at least instead of keeping on locking and unlocking accounts every second. Eventhough that this does severely slows down the bruteforce attack indeed, it would still allow bruteforcing to happen. Then you can keep trying every second. But with CAPTCHA, then it wont allow you to try unless you write in the right word in the CAPTCHA. So it definitely adds one extra layer of security =)

Simple answer. Clowns who pretend to be expert of security, just lazy or ignorant on how to develop a captcha system. Most works because his uncle put them as security manager