Last night I received the following email.
Having not been to the Pokémon site in many months, since about the time Pokémon Go came out, I found this odd. I promptly emailed the recommended address with a call for help as advised.
I then realized that perhaps I had forgotten to secure my account properly. Or maybe I could reset the password again before the attackers could change any vital account details.
I went to Pokemon.com and found the reset password link. https://club.pokemon.com/us/pokemon-trainer-club/forgot-password, provided my email address(widely available from many sources) and was taken to this page. This page then sends you a link to what I would hope is a random and secure page to do the password rest. That page looks like this.
So I fill out all the information to the best of my ability and attempt to issue the rest. I can’t remember a Player ID, I look through my email to see if I got assigned one I don’t remember, and having not found one elsewhere I fill in the same as my username. I also apparently fat fingered one of my two passwords. On submission of the form I get the following message.
I did eventually get my password reset. This does not make me feel safe. Why is that? Because what I’m able to change in no way negates what the attackers know to do the reset so they can simply reset my password again.
Lets Talk About Password Security
First lets be clear. Someone is negating Pokémon Company’s security somehow. I don’t know how. Perhaps they have access to one of my other accounts which let them bypass the randomized “reset your password” email link? Perhaps they’ve actually bypassed that on Pokémon Companie’s side via some form of man in the middle. That’s not what I’m here to call out.
What I am here to call out is all the ways that Pokémon Company has failed to provide additional security that could secure an account even in the face of the aforementioned penetrations. Lets start at the beginning of this story.
I received a notification that my password was changed AFTER the password had already been changed. This was received at 8:16PM CST. I received no prior link to authorize the reset before this communication. Which does hint at perhaps a man in the middle intercepting the email on it’s way to my account or perhaps no email was sent at all because Pokémon Company is compromised in some way. Either way it looks less like my Gmail account, which is phone app based 2FA and password reset regularly, is the culprit. This is where the single point of failure seems to lay because the rest of this password reset procedure is laughable. Had this not been such a joke for Pokémon Company perhaps this account compromise may not have succeeded.
First the date of birth is a super insecure piece of information as verification. Jump on Youtube and search “how to dox” and you’ll find a wealth of resources at easily obtaining this information.
Second the username…the one on the public facing profile for every Pokémon game you play? Do I really need to spell out how worthless that is as security?
Finally the Player ID which I presume is some number assigned via one of the games which is probably at least semi-private. This was the last best hope for stopping the compromise and it’s not even required!(see the screenshot above).
The TL:DR is that none of the steps following the email link do anything at all to keep the account secure. No “reminder questions”, no bot preventative captcha, no option to change username, and lack of any proper 2FA. At the moment there is no way for myself or anyone else to properly secure their account because of the initial compromise however that happened.
Pokémon Company you should be ashamed. The rest of us should be really, really concerned.
P.S. In doing some Googling for “Pokémon Shit”(I needed a cover graphic) I found this lovely piece about previous security issues surrounding Pokémon games. http://effortlessoffice.com/pokemon-go-security-risk/
I ran across this while watching a live stream on Twitch and as I came to find out that it takes a fair bit of Googling just to find the instructions(this has improved apparently). I then posted this screen shot to Miiverse only to find out that even people on Nintendo’s own Monster Hunter 4 Ultimate community aren’t really even aware of it. I figured I should try to help float this information to the top.
Fire up your Nintendo 3DS to get the Mario or Luigi outfits for your Pelico! Here’s how you do it!
First go to your home cart.
Go talk to the Housekeeper on the right.
Select Downloadable Content.
Select confirm/continue on all of the prompts to get to the DLC menu.
Select Gift Area.
Select Item Packs.
And finally grab the Start Pack.
- The Starter Pack contains:
- Mega Potion x50
- Honey x30
- Mega Dash Juice x15
- Well-done Steak x30
- Max Potion x10
- Lifepowder x20
- Ancient Potion x5
- Flash Bomb x30
- Sonic Bomb x30
- Pitfall Trap x15
- Shock Trap x15
- Super Mushroom x6
Now, go to the Market vendor or your item box and make sure you have 3 Large Barrels in your item box.
Go to “The Man” who is the Smithy and he’ll let you craft the Mario or Luigi gear and the Invincible Hammer. One thing to note is that each of the two items required to make the outfit require 3 super mushrooms so you have to pick if you want the Mario outfit or the Luigi outfit or some mix of the two but you can’t have both. Word on the street is that as more DLC gets released we’ll have opportunities to get more Super Mushrooms and be able to have our choice of both outfits.
Here’s to hoping they release Bowser as a monster via DLC. But not all cartoony. I want to see him as if he was a real Monster Hunter style monster and I want Bowser Armor as a result of his drops. That way my Palico can roll around as Mario while I roll around as Bowser. Get on that Capcom & Nintendo!
I don’t give much credit to Nintendo for a lot of things outside of making entertaining games. Frankly they’re terrible about keeping up with the modern state of gaming, by in large, and they’re especially bad at dealing with networking and the Internet. So it seems weird that I’m about to write about Nintendo doing something, arguably, right on just such a subject.
Many a games journalism website has seen fit to highlight the New 3DS’s microSD card slot and the fact that it’s kind of oddly locked away under a bottom cover that requires a tool to get in to. Knowing only this as I’m sure many people will might lead one to believe that this is just Nintendo up to their old tricks. And at first glance you’d be right. If you have a need to physically swap sd cards then perhaps you’re out of luck.
Fortunately if you’re just looking to make a backup Nintendo got smart and tucked away a little trick that makes that microSD card accessible through a network share on your home network.
Under “Data Management” you will find an option for “microSD Management”. This wizard will walk you through creating a network name for your 3DS and a username and password and then connect you to your homes wifi network so you can access the storage on the card.
On your windows PC open a file explorer window and in the quick access icons in the left window pane scroll down to network and click the icon. You should see the name of your 3DS listed. Click on that to access it. If for some reason you don’t see your 3DS listed click on any blank space in the address bar on the file explorer window and type \\MY3DSNAME where MY3DSNAME is the name you picked for your 3DS. This should find and open your 3DS files for you.
Enjoy this tiny slice of Nintendo finally getting with the new(I use the word loosely) networked world. There isn’t much of it to be had.