Getting my PlayStation account hacked was terrible, but Sony made it a whole lot worse.
Instead of helping me, Sony decided that I had to pay for the games that my hacker purchased, or face a permanent ban on my account.
It all started Saturday afternoon. I was scrolling through my inbox and noticed some odd emails from PlayStation, all of them at 3:01 AM. There were three $25 payments to my PlayStation wallet, and a purchase for NBA 2K16 and some credits. After checking to make sure my roommate hadn’t drunkenly purchased the game, thinking he’d pay me back later, I noticed even more concerning emails.
The first asked me to confirm a change to my PlayStation account’s email. The email wasn’t opened, nor had any odd devices accessed my email account, but another message less than a minute later confirmed the email change. Yep. While I was sleeping, someone locked me out of my own account.
But PlayStation requires you to confirm an email change by clicking a link in an email sent to the old account first, right? Wrong.
As it turns out, hackers have an easy way around this problem. Payment info, or at least a portion of it, is visible in the web interface for a PlayStation account. Once an attacker has your password, they can chat with Sony tech support, explain that they don’t have access to that email anymore, and use the visible info in the account to verify their identity, changing the email on the account to prevent recovery by its rightful owner — in this case, me.
In the meantime, they added a device to my account, a PS Vita. Unlike a PS3 or PS4, a PS Vita can’t be removed from the account by Web, it can only be deactivated from the device itself.
Fortunately, social hacking your way through tech support tends to be a double-edged sword, and I knew I would be able to wrestle my account back by providing the right info. Both consoles that regularly access the account are in my home, so that’s a form of proof, and because Sony doesn’t let users change their user names, no email changes could alter my gamertag.
This all happened on a Sunday, so Sony’s phone support wasn’t open, and I was forced to use the text chat. This actually ended up working to my benefit, as we’ll see shortly, but it also raises some problems of its own.
I wasn’t at home when I noticed the hacker’s activities, but I needed to stop the intruder from making any more purchases. I called PayPal support, and an agent there was quick to de-authorize my PlayStation account from making any more pre-approved purchases. Then, I filed a dispute on all three $25 charges.
Once I got home, I sat down at a computer and fired up Sony’s chat support. At first, the agent was helpful. The intrusion and email changing were a separate issue from the disputed purchases, so we would deal with them one at a time.
The agent rolled back the account’s email to the previous address (mine), and forced a password reset when I confirmed the change. Then, I was a little bewildered as the agent asked: “Now what do you want to do about the purchases?”
“I don’t want NBA 2K16, and I don’t want to add $75 to my PlayStation account,” I said. It sounded simple enough, or so I thought.
The agent passed the buck. They explained that in order to issue a refund, I needed to cancel the dispute with PayPal. Essentially, PayPal had taken the money back from Sony, and I needed to have PayPal release it so Sony could hand it back to me.
So I contacted PayPal. This turned out to be a process in and of itself. Because the dispute was security related, I had to call PayPal support, verify my identity, and then say in no uncertain terms that I was closing the case permanently, and get a guarantee that PayPal wouldn’t reopen it.
I informed the Sony tech support agent once the dispute was canceled. I didn’t get a human response. Instead, I got a copied and pasted statement explaining that Sony doesn’t offer refunds, and the funds would only be returned to my wallet. I asked what would happen if I issued a chargeback at the debit card level, and the agent explained matter-of-factly that my account would be banned until I paid the $75 in fraudulent charges.
After six years as a paying PlayStation customer, my account was now being held hostage, not by a hacker, but by Sony. I had to cover the cost of the metaphorical broken window, or my account was going to be locked. Basically, I had to apologize and pay for a thief.
You would think Sony would know how to handle hacking, especially after its multiple massive breaches (this one and this one) in the last five years, but it hasn’t learned. The PlayStation network has been around since 2006, but there’s no two-factor authentication, and visible payment info on the web front-end. This leaves a wide enough security hole for an elephant to walk through. The customer service agent suggested that I only use prepaid cards, but that’s more of a workaround than a real solution.
Sony has a history of poor responses to hacking. Back in 2011 when PlayStation Network went down for almost a month, the gaming brand offered affected players one month of PlayStation Plus, which meant you got a few games that were disabled after the month ended if you didn’t become a paying subscriber.
You could argue that the way it treated me is to avoid refunding purchases that people made accidentally (or drunkenly), but even if a few people take advantage of the system for an ill-gotten refund, at least they’ll stick with PlayStation.
Related: Facebook pays $15,000 bounty to close bug that can access any user’s account
As for me, I now have to decide whether I buy FIFA 16 on PS4 or PC. Right now, I’m not a big fan of Sony’s attitude or policies. It’s bad enough to be hacked, but it’s even worse to have to pay for the digital damage.