Last night I received the following email.
Having not been to the Pokémon site in many months, since about the time Pokémon Go came out, I found this odd. I promptly emailed the recommended address with a call for help as advised.
I then realized that perhaps I had forgotten to secure my account properly. Or maybe I could reset the password again before the attackers could change any vital account details.
I went to Pokemon.com and found the reset password link, https://club.pokemon.com/us/pokemon-trainer-club/forgot-password, provided my email address (widely available from many sources) and was taken to this page. This page then sends you a link to what I would hope is a random and secure page to do the password reset. That page looks like this.
So I fill out all the information to the best of my ability and attempt to issue the reset. I can’t remember a Player ID, so I look through my email to see if I got assigned one I don’t remember, and having not found one elsewhere I fill in the same as my username. I also apparently fat fingered one of my two passwords. On submission of the form I get the following message.
I did eventually get my password reset. This does not make me feel safe. Why is that? Because what I’m able to change in no way negates what the attackers know to do the reset, so they can simply reset my password again.
Let’s Talk About Password Security
First, let’s be clear. Someone is negating Pokémon Company’s security somehow. I don’t know how. Perhaps they have access to one of my other accounts which let them bypass the randomized “reset your password” email link? Perhaps they’ve actually bypassed that on Pokémon Company’s side via some form of man-in-the-middle. That’s not what I’m here to call out.
What I am here to call out is all the ways that Pokémon Company has failed to provide additional security that could secure an account even in the face of the aforementioned penetrations. Let’s start at the beginning of this story.
I received a notification that my password was changed AFTER the password had already been changed. This was received at 8:16PM CST. I received no prior link to authorize the reset before this communication, which does hint at perhaps a man-in-the-middle intercepting the email on its way to my account, or perhaps no email was sent at all because Pokémon Company is compromised in some way. Either way it looks less like my Gmail account, which is phone app based 2FA and password reset regularly, is the culprit. This is where the single point of failure seems to lie, because the rest of this password reset procedure is laughable. Had this not been such a joke for Pokémon Company, perhaps this account compromise may not have succeeded.
First, the date of birth is a super insecure piece of information as verification. Jump on Youtube and search “how to dox” and you’ll find a wealth of resources for easily obtaining this information.
Second, the username… the one on the public facing profile for every Pokémon game you play? Do I really need to spell out how worthless that is as security?
Finally, the Player ID, which I presume is some number assigned via one of the games, which is probably at least semi-private. This was the last best hope for stopping the compromise and it’s not even required! (See the screenshot above.)
The TL;DR is that none of the steps following the email link do anything at all to keep the account secure. No “reminder questions”, no bot preventative captcha, no option to change username, and lack of any proper 2FA. At the moment there is no way for me or anyone else to properly secure their account because of the initial compromise, however that happened.
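To make the argument above concrete, here is an added example (my own sketch, not Pokémon Company’s code) of what the step after the email link should look like: the reset is gated by a single-use, time-limited token plus an enrolled phone-app code, the owner is notified when the reset is requested rather than after the change, and username, date of birth and Player ID are never consulted because they are public or optional. Account fields, the 15-minute window and the event log are my assumptions.

```python
import hashlib, hmac, secrets, struct, time

def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the usual phone-app 2FA code."""
    counter = struct.pack(">Q", int(now // step))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

class Account:
    """Minimal account model (assumed, not the real service's schema)."""
    def __init__(self, email, totp_secret=None):
        self.email = email
        self.totp_secret = totp_secret   # None means no second factor enrolled
        self.password_hash = None
        self._reset = None               # (sha256(token), expiry time)
        self.events = []                 # audit log that drives owner notifications

def request_reset(acct, now):
    """Issue a single-use, 15-minute token; store only its hash, and log
    the request so the owner is told BEFORE anything changes."""
    token = secrets.token_urlsafe(32)
    acct._reset = (hashlib.sha256(token.encode()).hexdigest(), now + 900)
    acct.events.append(("reset_requested", now))
    return token                         # delivered only to the registered email

def complete_reset(acct, token, new_pw, confirm_pw, otp, now):
    """Username, DOB and Player ID are deliberately not parameters: they add
    nothing. The gate is the emailed token plus the enrolled second factor."""
    if acct._reset is None or now > acct._reset[1]:
        return "expired"
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(token_hash, acct._reset[0]):
        return "bad_token"
    if acct.totp_secret is not None and not hmac.compare_digest(
            otp or "", totp(acct.totp_secret, now)):
        return "second_factor_required"   # a stolen email link alone is not enough
    if new_pw != confirm_pw:
        return "password_mismatch"        # the fat-fingered case; token stays valid
    acct.password_hash = hashlib.sha256(new_pw.encode()).hexdigest()  # use a real KDF in practice
    acct._reset = None                    # single use: replaying the link fails
    acct.events.append(("password_changed", now))
    return "ok"
```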
Pokémon Company you should be ashamed. The rest of us should be really, really concerned.
P.S. In doing some Googling for “Pokémon Shit” (I needed a cover graphic) I found this lovely piece about previous security issues surrounding Pokémon games. http://effortlessoffice.com/pokemon-go-security-risk/
I ran across this while watching a live stream on Twitch and, as I came to find out, it takes a fair bit of Googling just to find the instructions (this has improved apparently). I then posted this screenshot to Miiverse only to find out that even people on Nintendo’s own Monster Hunter 4 Ultimate community aren’t really even aware of it. I figured I should try to help float this information to the top.
Fire up your Nintendo 3DS to get the Mario or Luigi outfits for your Palico! Here’s how you do it!
First go to your home cart.
Go talk to the Housekeeper on the right.
Select Downloadable Content.
Select confirm/continue on all of the prompts to get to the DLC menu.
Select Gift Area.
Select Item Packs.
And finally grab the Starter Pack.
The Starter Pack contains:
- Mega Potion x50
- Honey x30
- Mega Dash Juice x15
- Well-done Steak x30
- Max Potion x10
- Lifepowder x20
- Ancient Potion x5
- Flash Bomb x30
- Sonic Bomb x30
- Pitfall Trap x15
- Shock Trap x15
- Super Mushroom x6
Now, go to the Market vendor or your item box and make sure you have 3 Large Barrels in your item box.
Go to “The Man”, who is the Smithy, and he’ll let you craft the Mario or Luigi gear and the Invincible Hammer. One thing to note is that each of the two items required to make the outfit requires 3 Super Mushrooms, so you have to pick if you want the Mario outfit or the Luigi outfit or some mix of the two, but you can’t have both. Word on the street is that as more DLC gets released we’ll have opportunities to get more Super Mushrooms and be able to have our choice of both outfits.
Here’s to hoping they release Bowser as a monster via DLC. But not all cartoony. I want to see him as if he was a real Monster Hunter style monster and I want Bowser Armor as a result of his drops. That way my Palico can roll around as Mario while I roll around as Bowser. Get on that Capcom & Nintendo!
I don’t give much credit to Nintendo for a lot of things outside of making entertaining games. Frankly they’re terrible about keeping up with the modern state of gaming, by and large, and they’re especially bad at dealing with networking and the Internet. So it seems weird that I’m about to write about Nintendo doing something, arguably, right on just such a subject.
Many a games journalism website has seen fit to highlight the New 3DS’s microSD card slot and the fact that it’s kind of oddly locked away under a bottom cover that requires a tool to get into. Knowing only this, as I’m sure many people will, might lead one to believe that this is just Nintendo up to their old tricks. And at first glance you’d be right. If you have a need to physically swap SD cards then perhaps you’re out of luck.
Fortunately, if you’re just looking to make a backup, Nintendo got smart and tucked away a little trick that makes that microSD card accessible through a network share on your home network.
Under “Data Management” you will find an option for “microSD Management”. This wizard will walk you through creating a network name for your 3DS and a username and password, and then connect you to your home’s wifi network so you can access the storage on the card.
On your Windows PC open a file explorer window and in the quick access icons in the left window pane scroll down to Network and click the icon. You should see the name of your 3DS listed. Click on that to access it. If for some reason you don’t see your 3DS listed, click on any blank space in the address bar on the file explorer window and type \\MY3DSNAME where MY3DSNAME is the name you picked for your 3DS. This should find and open your 3DS files for you.
Enjoy this tiny slice of Nintendo finally getting with the new (I use the word loosely) networked world. There isn’t much of it to be had.
This week marks a potentially historic day for the internet. Today I’m releasing the very first episode of “The Gaming Appendix” podcast, whose aim is to talk about games past and what they turned out to be post patches, DLC and general reception. The first episode is actually covering more recent games Call of Duty Black Ops 2 and Halo 4 along with board games Settlers of Catan and Small World. Hit up the libsyn.com page for now to subscribe to the podcast. I plan to do it bi-monthly currently and will post when I work out the exact schedule.
In case you want to give it a listen before subscribing here is a direct link to the mp3.
After putting it off and taking some time to think about it, I’m finally ready to say something about the WiiU. Nintendo, you’re doing it wrong.
$300 & $350 is way way way too much money to charge for a console that doesn’t do anything particularly more or better than the current generation of consoles. It doesn’t even have storage on par with current gen consoles. Your entire reason for charging that much is for the giant controller screen thing. I mean it’s doing HD at a time where the next gen of consoles are prepping to handle 4K. A PS3 160GB is $250 and a subsidized Xbox 360 is $150 up front.
Not to be one to knock something without providing solutions, here it is. First, swap that solid state for a hard drive. This will bring the price point down and the storage up. Consoles sit on entertainment centers, they don’t travel. Second, offer a couple packages. Since the console is backwards compatible with most Wii games some people are just going to want to play those in HD. Some people don’t want the gimmicky screen controller. Give those people the console upgrade without the fluff. A $150-$175 package minus the gimmick. And then to ensure your console sells, eat enough of the price while selling software for profit that people will actually buy it. Bring the price plus gimmick down to $200 or $250. People don’t like to pay more than $250 for consoles/gadgets. Finally, give us some value add. With the WiiU specific games coming in light at launch, offer customers some value add like a couple of Wii games in the box.
I’m not saying my plan is perfect because I’m just a consumer and I don’t have the details. What I do have is the perspective of a gamer who is decidedly hard core. One who didn’t pay $300 for his current console that has supported HD and has had 5ish times the amount of storage for the past 6+ years.
I don’t mean to be negative but it’s really hard to stay positive about what Microsoft has been doing with Xbox 360 lately. It looks like one step forward and three steps back. Guess what, the original Xbox was black. The Playstation 3 is black. Why Microsoft thought a white console was a good idea when almost every TV and stereo component in THE WORLD is black is beyond me. Black is the new black.
Built in Wifi!!!! Oh wait, everything for the past three years has wifi built in. My phone, my portable game devices, and my laptop. Nintendo managed to put it in their console that was $100 cheaper and in their hand held device that was $160 cheaper. Oh wait, the free phone I got from IWireless (Iowa’s t-mobile affiliate) has built in wifi. There is no good reason that the Xbox 360 up till now hasn’t had built in wifi. This is really just unacceptable PERIOD!
It’s smaller! Once again, WTF!? Why the Xbox 360 was so huge is beyond me. I’ve opened the original machine and there is a ton of open empty space in the case. So much so that there is ducting in the case to ensure good air flow due to all that empty space. If MS had taken a little more time to think out their system layout they could have released the original as a much smaller package to begin with.
The final, actually positive, piece is Kinect and the leap forward it represents for motion gaming. No controller, the thing can determine depth and track on things as small as fingers. Seems to be pretty spectacular all around but it still remains to be seen if this is going to be put to truly good use or if we’re going to get the same flood of gimmicky games on the Xbox as the Wii has received.