I'm Casting Magic Missle!

Posts tagged “security”

Your Pokémon Account Has Been Hacked

Last night I received the following email.

[Screenshot: Inbox – tekchip@gmail.com, 2016-11-23 20:52:03]

Having not been to the Pokémon site in many months, since about the time Pokémon Go came out, I found this odd. I promptly emailed the recommended address with a call for help as advised.

I then realized that perhaps I had forgotten to secure my account properly. Or maybe I could reset the password again before the attackers could change any vital account details.

I went to Pokemon.com and found the reset password link, https://club.pokemon.com/us/pokemon-trainer-club/forgot-password, provided my email address (widely available from many sources) and was taken to this page. This page then sends you a link to what I would hope is a random and secure page to do the password reset. That page looks like this.

[Screenshot: The Official Pokémon Website, Pokemon.com, 2016-11-23 21:01:03]

So I fill out all the information to the best of my ability and attempt to issue the reset. I can’t remember a Player ID, so I look through my email to see if I got assigned one I don’t remember, and having not found one elsewhere I fill in the same as my username. I also apparently fat fingered one of my two passwords. On submission of the form I get the following message.

[Screenshot: The Official Pokémon Website, Pokemon.com, 2016-11-23 21:02:24]

I did eventually get my password reset. This does not make me feel safe. Why is that? Because what I’m able to change in no way negates what the attackers know to do the reset, so they can simply reset my password again.

Let’s Talk About Password Security

First, let’s be clear. Someone is negating Pokémon Company’s security somehow. I don’t know how. Perhaps they have access to one of my other accounts which let them bypass the randomized “reset your password” email link? Perhaps they’ve actually bypassed that on Pokémon Company’s side via some form of man in the middle. That’s not what I’m here to call out.

What I am here to call out is all the ways that Pokémon Company has failed to provide additional security that could secure an account even in the face of the aforementioned penetrations. Let’s start at the beginning of this story.

I received a notification that my password was changed AFTER the password had already been changed. This was received at 8:16PM CST. I received no prior link to authorize the reset before this communication. This does hint at perhaps a man in the middle intercepting the email on its way to my account, or perhaps no email was sent at all because Pokémon Company is compromised in some way. Either way it looks less like my Gmail account, which uses phone-app-based 2FA and has its password reset regularly, is the culprit. This is where the single point of failure seems to lie, because the rest of this password reset procedure is laughable. Had this not been such a joke for Pokémon Company, perhaps this account compromise might not have succeeded.

First, the date of birth is a super insecure piece of information to use as verification. Jump on YouTube and search “how to dox” and you’ll find a wealth of resources for easily obtaining this information.

Second, the username… the one on the public-facing profile for every Pokémon game you play? Do I really need to spell out how worthless that is as security?

Finally, the Player ID, which I presume is some number assigned via one of the games and is probably at least semi-private. This was the last best hope for stopping the compromise and it’s not even required! (See the screenshot above.)

The TL;DR is that none of the steps following the email link do anything at all to keep the account secure. No “reminder questions”, no bot-preventing captcha, no option to change username, and lack of any proper 2FA. At the moment there is no way for myself or anyone else to properly secure their account because of the initial compromise, however that happened.
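To make the contrast concrete, here is an added example (my own illustration, not Pokémon Company’s code or anything from their site) putting the flow described above beside a hardened one. The weak check is exactly what the screenshots show: date of birth and public username must match, Player ID optional. The hardened version makes the emailed link a random, single-use, time-limited token whose hash is all the server keeps, and notifies the owner when the reset is requested rather than only after the password has changed. The sample profile and the 15-minute lifetime are assumptions for the demo.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample account record for the demo (not real data).
PROFILE = {"email": "trainer@example.com", "username": "ash_k",
           "dob": "1990-05-22", "player_id": "PID-0001"}


def weak_reset_check(profile, dob, username, player_id=None):
    """The flow the post describes: date of birth plus the public
    username must match; the Player ID is accepted but not required."""
    if player_id is not None and player_id != profile["player_id"]:
        return False
    return dob == profile["dob"] and username == profile["username"]


class ResetService:
    """Hardened flow: random single-use token, stored only as a hash,
    expiring after TTL seconds, with a notification at request time."""

    TTL = 15 * 60  # assumed policy: a reset link lives 15 minutes

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry can be tested
        self.pending = {}       # email -> {"hash", "expires", "used"}
        self.outbox = []        # (email, kind) records standing in for email

    def request_reset(self, email):
        token = secrets.token_urlsafe(32)        # 256 bits of randomness
        self.pending[email] = {
            "hash": hashlib.sha256(token.encode()).hexdigest(),
            "expires": self.now() + self.TTL,
            "used": False,
        }
        self.outbox.append((email, "reset-requested"))  # owner warned up front
        return token  # this is what would be embedded in the emailed link

    def complete_reset(self, email, token, new_password):
        entry = self.pending.get(email)
        if entry is None or entry["used"] or self.now() > entry["expires"]:
            return False
        digest = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(digest, entry["hash"]):
            return False  # constant-time compare against the stored hash
        entry["used"] = True  # a replayed link can never reset twice
        # the actual credential update for new_password would happen here
        self.outbox.append((email, "password-changed"))
        return True
```

Note that the hardened check never looks at the date of birth or username at all: knowing everything on the public profile gets an attacker nothing without the unguessable link, and even the link is dead after one use or fifteen minutes.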

Failing to find a way to properly secure my account I went looking for a way to close/remove my account. As it turns out there are absolutely no entries in the FAQ about how to do this. Doing a little Googling I came across a way to request a specifically Pokémon Go account removal here. But there doesn’t appear to be an easy way to close an actual Pokemon.com account. This website seems to indicate the only way to close an account is to send a piece of real world mail to Pokémon Company asking them to remove you. In the intervening week the crackers will have run off with at the least your account and probably leveraged it to gain access to your other accounts and information. Reviewing their Privacy Policy brought up this joke of a statement: “…verify your identity by asking you for an email address or by other means…”. As you can see above, the email verification is performed by the randomized link but absolutely no “…other means…” are employed to verify your identity.

Pokémon Company you should be ashamed. The rest of us should be really, really concerned.

[Image: “Drunk Charmander Appeared”, by potemkill@deviantart]

P.S. In doing some Googling for “Pokémon Shit” (I needed a cover graphic) I found this lovely piece about previous security issues surrounding Pokémon games: http://effortlessoffice.com/pokemon-go-security-risk/


How Do You Respond When Your Password Becomes Public?

I heard the tale of this event and just had to have some evidence. Thank goodness for chat logs, which is the opposite of what this guy was thinking.

[Screenshot: password in chat]

ooops!

The funniest part is less the mistake and more the response to the password becoming public. Gotta give the user an A+ for coming up with at least some form of action. It would have worked too if it weren’t for those meddling chat logs!


Epsilon & PlayStation Network Security Recommendations

[Image: Logo of the PlayStation Network, via Wikipedia]

I, amongst the 70 million, have been affected by the PlayStation Network hack that took place between April 17th and April 19th. While there isn’t much we can do right now, there are some steps you may want to consider taking to protect your own security and financial well-being. I’m sure some would like to think they are extreme, but after the security breach with Epsilon recently and now this, there is no good reason to take chances.

I will state clearly I am not an information security professional. I have however been working in the Information Technology industry for 13 (going on 14) years. I’ve suffered similar security breaches before and I’ve heard of them happening many times before. I am also a member of the US Military who undergoes security briefings annually on protection of data and while deployed served my section as the Information Management Officer. While my primary role is not information security, I have enough experience to know that the bottom line is that information security is everyone’s problem. What follows are some recommendations. Some vital, some maybe only if you are paranoid.

First and foremost, purchases online can only be made if all the pieces of information line up: your online account information (username & password), your card/account number, your PII or Personally Identifiable Information, and typically a physical marker for your card (that 3 digit number on the back). So your first line of defense against security breaches that have already taken place is to change as much of this information as possible.
The easiest of course is your username and password on sites that contain financial information. That’s Amazon, eBay, Newegg and any other online retailers. That’s service sites like PlayStation, Xbox, Netflix, Redbox, etc. If you can change both your username and password then go for it. The absolute “must change” is your password.

While you can’t change where you live, you can change your card number and the three digit code on the back. In other words go to your bank, talk to them, cancel your card and get a new one issued. While it isn’t a comfortable process it is a fairly easy one. Some banks will even let you do this process online. I mentioned briefly your address, which you may be able to change through the post office box service at your local post office. Be sure to do some research before going this route because some services will not let you use P.O. Boxes as your personal address. Lastly, and most dramatically, is to change your PII or personally identifiable information. This includes your name, social security number and other bits of information like your driver’s license number. These are much harder to change. Changing your name will involve both the state and federal government. Likewise changing your social security number (this is especially hard to do). I don’t recommend going to this length but if you are really that paranoid it can be done. I can’t outline here how to do it as the process will differ from state to state.

These changes should be more than enough to safeguard your security. When changing username and password ensure you use good security practices like long complicated passwords. If you can, come up with something you can remember and don’t write it down. Change your passwords frequently, every couple of months at minimum. Last, keep an eye on your accounts. Know what’s going on with them. If anything looks suspicious report it to your financial institution immediately.
