How to enable 2FA on the PlayStation Network

Four months ago, Sony announced that it will be beefing up the security of its PlayStation gaming platform by introducing two-factor authentication (2FA) to ensure that personal and account information are better secured from any instance of account hijacking or compromise.

And just last Thursday, we’ve been seeing reports that registered owners of PlayStation and PSP can now enable this new security feature the next time they log in. This is wonderful news, indeed, and can be considered another win for security as we continue to see companies of all sizes take security concerns seriously and actually do something about it. Better late than never, right?


The 2FA enrollment process is fairly straightforward to follow, albeit a tad long-winded, at least as far as the browser setup is concerned. One can start by clicking the orange button on this PlayStation page. Users who are not already logged in are directed to a login page where they can key in their credentials. Once in, they see this:

Change status to “Active” by clicking the first “Edit” button, which then changes a section of the page to show a 2-step instruction on how to sign in with 2FA:

To sign in with 2-step verification:

(1) Enter your Sign-in ID and password.

(2) Check your mobile phone for a text message about your Sony Entertainment Network account. Enter the code from the text message when you are prompted during the sign-in process.

The “Activate” button, however, opens the “oh, by the way” section for PS3, PS Vita, PSP, and Xperia users:

To securely sign in on PlayStation 3, PlayStation Vita, PSP and some mobile devices:

You will not use a verification code. Generate a device setup password and use it instead of your account password the next time you sign in.

Click “Continue” to open the section asking for the user’s mobile number:


All your verification codes will be sent as text messages to this number.

This information will be used in accordance with the privacy policy.

After selecting their country, entering their number, and clicking the “Continue” button, the site asks for the user’s password for verification purposes. Supplying it correctly prompts the network to send a 6-character, alphanumeric code to that number, which the user enters into the text box provided:


Clicking “Verify” concludes the activation process. The next section is merely a confirmation for users that their account now has 2FA enabled. Notice the pre-ticked box that automatically signs users out of the Sony/PlayStation Network. As we have mentioned before, closing browser tabs while leaving accounts logged in increases the likelihood of savvy bad actors recovering login information from session cookies. This is another simple security measure provided by the network that could save users a lot of headache.


You can change your security settings at any time by going to [2-Step Verification].

Users also receive an SMS stating the same confirmation message.

Going back to the first page of the 2-Step Verification process, we find that two additional options are now available: Device Setup Password and Backup Codes:


We encourage users to check out these options as well, as these may further aid them in fully taking advantage of PSN’s new security feature.
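To show the mechanism behind the steps above, here is an added example that is not Sony’s or PSN’s code: a server-side sketch of how a 6-character SMS verification code and a device setup password (the stand-in for the account password on PS3, PS Vita and PSP) are issued and checked. The class, its method names and the policy values (alphabet, 10-minute code lifetime, 5 attempts) are assumptions.

```python
import hmac
import secrets
import time

# Added illustration, not Sony's code: alphabet, lifetimes, limits and names are assumed.
CODE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # drops 0/O and 1/I/L confusables
CODE_LENGTH = 6
CODE_TTL_SECONDS = 600
MAX_ATTEMPTS = 5
SERVER_KEY = secrets.token_bytes(32)  # assumed per-deployment secret, never sent to users

def _digest(secret: str) -> str:
    # Keyed hash so a leaked table of digests cannot be brute-forced offline.
    return hmac.new(SERVER_KEY, secret.encode(), "sha256").hexdigest()

class SmsSecondFactor:
    """Issues and verifies one-time SMS codes and per-device setup passwords."""

    def __init__(self, phone_number: str, now=time.time):
        self.phone_number = phone_number  # number the code would be texted to
        self.now = now                    # injectable clock
        self._pending = None              # [digest, expires_at, attempts_left]
        self._device_passwords = {}       # device label -> digest

    def issue_code(self) -> str:
        """Generate a 6-character alphanumeric code for the caller to text out."""
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
        self._pending = [_digest(code), self.now() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        return code

    def verify_code(self, submitted: str) -> bool:
        """Accept one matching code before it expires or attempts run out."""
        if self._pending is None:
            return False
        digest, expires_at, attempts_left = self._pending
        if self.now() > expires_at or attempts_left <= 0:
            self._pending = None          # stale or exhausted: a fresh code is needed
            return False
        self._pending[2] -= 1
        ok = hmac.compare_digest(digest, _digest(submitted.strip().upper()))
        if ok:
            self._pending = None          # single use
        return ok

    def issue_device_password(self, device: str) -> str:
        """Random per-device password for consoles that cannot prompt for a code."""
        password = secrets.token_urlsafe(12)
        self._device_passwords[device] = _digest(password)
        return password

    def verify_device_password(self, device: str, submitted: str) -> bool:
        stored = self._device_passwords.get(device)
        return stored is not None and hmac.compare_digest(stored, _digest(submitted))
```

Because each device gets its own random password, a lost console can be cut off by deleting its entry without changing the account password.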

Lastly, we encourage users to read through PSN’s help page to know more about 2FA and how it works within the network.

Act now, dear Reader, and secure your PSN account.

Jovi Umawing

Multiple Apple iOS Zero-Days Enabled Firm To Spy On Targeted iPhone Users For Years

Victims of ‘lawful intercepts’ include human rights activists and a journalist, researchers from Citizen Lab and Lookout say.

Apple’s much vaunted reputation for security took a bit of a beating this week, with two separate reports identifying serious vulnerabilities in its iOS operating system for iPhones and iPads.

One of the reports, from security firm Lookout and the University of Toronto’s Citizen Lab, details a trio of zero-day vulnerabilities in iOS, dubbed Trident, that a shadowy company called the NSO Group has been exploiting for several years to spy on targeted iOS users.

The NSO Group is based in Israel but owned by an American private-equity firm.  The company has developed a highly sophisticated spyware product called Pegasus that takes advantage of the Trident zero-day exploit chain to jailbreak iOS devices and install malware on them for spying on users.

In an alert this week, security researchers at Citizen Lab and Lookout described Pegasus as one of the most sophisticated endpoint malware threats they had ever encountered. The malware exploits a kernel base mapping vulnerability, a kernel memory corruption flaw and a flaw in Safari’s WebKit that together let an attacker compromise an iOS device by getting the user to click on a single link.

All three are zero-day flaws, which Apple has addressed in its 9.3.5 patch. The researchers are urging iOS users to apply the patch as soon as possible.

Pegasus, according to the security researchers, is highly configurable and is designed to spy on SMS text messages, calls, emails, logs and data from applications like Facebook, Gmail, Skype, WhatsApp and Viber running on iOS devices.

“The kit appears to persist even when the device software is updated and can update itself to easily replace exploits if they become obsolete,” the researchers said in their alert.

Evidence suggests that Pegasus has been used to conduct so-called ‘lawful intercepts’ of iOS owners by governments and government-backed entities. The malware kit has been used to spy on a noted human rights activist in the United Arab Emirates, a Mexican journalist who reported on government corruption and potentially several individuals in Kenya, the security researchers said.

The malware appears to emphasize stealth very heavily and the authors have gone to considerable efforts to ensure that the source remains hidden. “Certain Pegasus features are only enabled when the device is idle and the screen is off, such as ‘environmental sound recording’ (hot mic) and ‘photo taking’,” the researchers noted.  

The spyware also includes a self-destruct mechanism, which can activate automatically when there is a probability that it will be discovered.

Like many attacks involving sophisticated malware, the Pegasus attack sequence starts with a phishing text—in this case a link in an SMS message—which when clicked initiates a sequence of actions leading to device compromise and installation of malware.

Because of the level of sophistication required to find and exploit iOS zero-day vulnerabilities, exploit chains like Trident can fetch a lot of money in the black and gray markets, the researchers from Citizen Lab and Lookout said. As an example they pointed to an exploit chain similar to Trident, which sold for $1 million last year.

The second report describing vulnerabilities in iOS this week came from researchers at North Carolina State University, TU Darmstadt (a research university in Germany) and University Politehnica in Bucharest.

In a paper to be presented at an upcoming security conference in Vienna, the researchers said they focused on iOS’ sandbox feature to see if they could find any security vulnerabilities that could be exploited by third-party applications. The exercise resulted in the researchers unearthing multiple vulnerabilities that would enable adversaries to launch different kinds of attacks on iOS devices via third-party applications.

Among them were attacks that would let someone bypass iOS’ privacy setting for contacts, gain access to a user’s location search history, and prevent access to certain system resources. In an alert, a researcher who co-authored the paper said that the vulnerabilities have been disclosed to Apple, which is now working on fixing them.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.


Stolen iPhones could eventually capture photo and fingerprint of thieves


Image: Nate Ralph/CNET

According to a patent filed by Apple and approved on Thursday, the iPhone or iPad could eventually capture and store a fingerprint, an image, audio, and video of a thief who attempts to use the device after it is stolen.

The patent, originally reported by AppleInsider, was initially filed on April 29, 2016. The patent abstract stated that the capture of biometric data could potentially occur when certain “trigger conditions” are met. Additional metadata could be used to complement the information captured on the thief.

There are quite a few options for what could constitute a trigger, including a certain number of failed login attempts, or even potentially using machine learning to determine when to capture the data. Parameters could also be set by the user to initiate the information capture if a certain set of actions is attempted.

The patent also notes that the process would seek to capture the abovementioned information “without making said unauthorized user aware of said capture.” The patent also said that the information may be stored in an encrypted manner remotely or locally. However, the patent also mentioned that the information would be “purged” at certain intervals to save space on the device.


As also noted by AppleInsider, there are currently five attempts available for an individual user to access an iOS device before they are forced to input the passcode. If the user can’t get the passcode in 10 tries, the phone will lock up. So, for parents of small children, this could mean you’ll see a lot of pictures of your kid if they get ahold of your phone, but that’s where the purging comes in.


The patent contains some troubling language as well. Take this excerpt: “For example, a captured fingerprint may be compared to a database containing fingerprints of known users (such as fingerprints of all users of a cellular service network that have been captured by the cellular service network). By way of another example, a number of captured keystrokes entered by an unauthorized user may be grouped and analyzed to determine one or more operations that the unauthorized user was attempting to perform utilizing the computing device (such as access a digital music purchasing account accessible from the computing device).”

The comparison of fingerprints, and the potential logging of keystrokes in an attempt to determine what the unauthorized user was trying to do, may pose some ethical concerns. This is especially troubling after Apple’s long battle with the FBI over the encryption on the iPhone of the San Bernardino shooter.

On the flip side, the addition of the feature could help law enforcement track down and prosecute smartphone thieves. Either way, at this point it’s just a patent, and it may never make it to production on the iPhone or iPad at all.

What do you think?

Would this feature be beneficial, or is it an invasion of privacy? Tell us in the comments.

The 3 big takeaways for TechRepublic readers

  1. A new Apple patent could mean that stolen iPhones would capture and store the fingerprint of a thief, as well as their photo and audio and video.
  2. The patent mentions specific triggers that could be used to initiate the capturing of information, with the potential for machine learning to make the call.
  3. This potential feature could raise some red flags over its potential privacy implications and the ethical concerns of using a database of fingerprints to compare users.


Global Cost of Cybercrime Predicted to Hit $6 Trillion Annually By 2021, Study Says

Start saving now. The global cost of cybercrime could reach $6 trillion by 2021, according to a Cybersecurity Ventures report.

A report out by Cybersecurity Ventures predicts global annual cybercrime costs will grow to $6 trillion by 2021. 

While a $6 trillion estimate might be a little high, “a trillion dollars plus is a real possibility,” says Larry Ponemon, chairman and founder of the Ponemon Institute. It isn’t a number he saw coming, though. “If you asked me five or six years ago, I’d fall over,” he says.

The predicted cybercrime cost takes into account all damages associated with cybercrime, including damage and destruction of data, stolen money, lost productivity, theft of intellectual property, theft of personal and financial data, embezzlement, fraud, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hacked data and systems, and reputational harm. It does not include the cost incurred for unreported crimes.

Other research has shown that the cost of cybercrime increases the longer it takes to detect it, if it’s detected at all. According to the Ponemon Cost of Data Breach report, the longer it takes to find and resolve a breach, the more costly it will be for an organization. Breaches identified in fewer than 100 days cost companies an average of about $1 million less than those that take more than 100 days to be discovered, according to Ponemon. And in the 2016 Dark Reading Security Salary Survey, 9% of IT and infosec pros don’t even know if they’ve been breached. A study by The Office of National Statistics for England and Wales found that most cybercrimes go unreported. 

The Cybersecurity Ventures report, which is a compilation of cybercrime statistics from the last year, also predicts that the world’s cyberattack surface will grow an order of magnitude larger between now and 2021.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.
