Last night I received the following email.
Having not been to the Pokémon site in many months, since about the time Pokémon Go came out, I found this odd. I promptly emailed the recommended address with a call for help as advised.
I then realized that perhaps I had forgotten to secure my account properly. Or maybe I could reset the password again before the attackers could change any vital account details.
I went to Pokemon.com and found the reset password link. https://club.pokemon.com/us/pokemon-trainer-club/forgot-password, provided my email address(widely available from many sources) and was taken to this page. This page then sends you a link to what I would hope is a random and secure page to do the password rest. That page looks like this.
So I fill out all the information to the best of my ability and attempt to issue the rest. I can’t remember a Player ID, I look through my email to see if I got assigned one I don’t remember, and having not found one elsewhere I fill in the same as my username. I also apparently fat fingered one of my two passwords. On submission of the form I get the following message.
I did eventually get my password reset. This does not make me feel safe. Why is that? Because what I’m able to change in no way negates what the attackers know to do the reset so they can simply reset my password again.
Lets Talk About Password Security
First lets be clear. Someone is negating Pokémon Company’s security somehow. I don’t know how. Perhaps they have access to one of my other accounts which let them bypass the randomized “reset your password” email link? Perhaps they’ve actually bypassed that on Pokémon Companie’s side via some form of man in the middle. That’s not what I’m here to call out.
What I am here to call out is all the ways that Pokémon Company has failed to provide additional security that could secure an account even in the face of the aforementioned penetrations. Lets start at the beginning of this story.
I received a notification that my password was changed AFTER the password had already been changed. This was received at 8:16PM CST. I received no prior link to authorize the reset before this communication. Which does hint at perhaps a man in the middle intercepting the email on it’s way to my account or perhaps no email was sent at all because Pokémon Company is compromised in some way. Either way it looks less like my Gmail account, which is phone app based 2FA and password reset regularly, is the culprit. This is where the single point of failure seems to lay because the rest of this password reset procedure is laughable. Had this not been such a joke for Pokémon Company perhaps this account compromise may not have succeeded.
First the date of birth is a super insecure piece of information as verification. Jump on Youtube and search “how to dox” and you’ll find a wealth of resources at easily obtaining this information.
Second the username…the one on the public facing profile for every Pokémon game you play? Do I really need to spell out how worthless that is as security?
Finally the Player ID which I presume is some number assigned via one of the games which is probably at least semi-private. This was the last best hope for stopping the compromise and it’s not even required!(see the screenshot above).
The TL:DR is that none of the steps following the email link do anything at all to keep the account secure. No “reminder questions”, no bot preventative captcha, no option to change username, and lack of any proper 2FA. At the moment there is no way for myself or anyone else to properly secure their account because of the initial compromise however that happened.
Pokémon Company you should be ashamed. The rest of us should be really, really concerned.
P.S. In doing some Googling for “Pokémon Shit”(I needed a cover graphic) I found this lovely piece about previous security issues surrounding Pokémon games. http://effortlessoffice.com/pokemon-go-security-risk/
I heard the tale of this event and just had to have some evidence. Thank goodness for chat logs. Which is the opposite of what this guy was thinking.
The funniest part is less the mistake and more the response to the password becoming public. Gotta give the user an A+ for coming up with at least some form of action. It would have worked too if it weren’t for those meddling chat logs!
I amongst the 70 million have been effected by the PlayStation Network hack that took place between April 17th and April 19th. While there isn’t much we can do right now there are some steps you may want to consider taking to protect your own security and financial well being. I’m sure some would like to think they are extreme but after the security breach with Epsilon recently and now this there is no good reason to take chances.
I will state clearly I am not an information security professional. I have however been working in the Information Technology industry for 13(going on 14) years. I’ve suffered similar security breaches before and I’ve heard of them happening many times before. I am also a member of the US Military who under goes security briefings anually on protection of data and while deployed served my section as the Information Management Officer. While my primary role is not information security I have enough experience to know that the bottom line is that information security is every ones problem. What follows are some recommendations. Some vital, some, may be only if you are paranoid.
First and fore most purchases online can only be made if all the pieces of information line up. Your online account information(username & password), your card/account number, your PII or Personally Identifiable Information, and typically a physical marker for your card(that 3 digit number on the back). So your first line of defense against security breaches that have all ready taken place is to change as much of this information as possible.
The easiest of course is your username and password on sites that contain financial information. That’s Amazon, Ebay, Newegg and any other online retailers. Thats service sites like playstation, xbox, netflix, redbox etc. If you can change both your username and password then go for it. The absolute “must change” is your password.
While you can’t change where you live you can change your card number and the three digit code on the back. In other words go to your bank, talk to them, cancel your card and get a new one issued. While it isn’t a comfortable process it is a fairly easy one. Some banks will even let you do this process online. I mentioned briefly your address which you may be able to change through the post office box service at your local post office. Be sure to do some research before going this route because some services will not let you use P.O. Boxes as your personal address. Lastly, and most drematicly is to change your PII or personally identifiable information. This includes your name, social security number and other bits of information like your drivers license number. These are much harder to change. Changing your name will involve both the state and fedral government. Like wise changing your social security number(this is especially hard to do). I don’t recommend going to this length but if you are really that paranoid it can be done. I can’t outline here how to do it as the process will differ from state to state.
These changes should be more than enough to safe guard your security. When changing username and password ensure you use good security practices like long complicated passwords. If you can come up with something you can remember and don’t write it down. Change your passwords frequently, every couple of months at minimum. Last, keep an eye on your accounts. Know whats going on with them. If anything looks suspicious report it to your financial institution immediately.