We’ll file this one under the “major screw up” category, as it seems Sony has been left vulnerable for years now there has been an exploit that has potentially been costing consumers and allowing thieves to profit. Due to the nature of this PlayStation Security exploit, we won’t disclose how to actually do it since, y’know, it’s illegal. However we do hope this stirs up awareness for Sony, which according to a user who’s filed a claim, that the exploit is still not being acknowledged.
[Update 2] We have decided to include the actually video and user who had decided to make this public finally since this isn’t something anyone can go out and do themselves as it requires a stolen PSN account. The video, which is about 15 minutes long shows the process of how hackers are able to commit fraud on stolen users account despite there being a security check for the users main account via CVV confirmation. We originally didn’t not want to include it for respect that it could do greater harm and per the request of some of the active scene members not wanting the video to garner attention as it’s harmful. Though Since it is public and the user does say they wish see this fixed we decided to include it.
New video without music 😀
— Morteza Rahmani (@rmorteza21p) July 4, 2019
What you are seeing here is a bypass of the accounts CVV code. Again, there are measures in place to prevent this if the user hasn’t set-up 2-steps or security answers, but due to the nature of the bug it allows hackers to exploit it by providing a false form of payment that makes the account default to the first provided payment upon adding funds that become available on family accounts.
[Update] We have included some examples near the bottom of the article that are highly supportive that the exploit published today is very real and has been going on for some time now for accounts that have been breached from scams or other means for people to get access to accounts. This does not affect the majority of users out there, especially if they have 2-step verification enabled. Though this is not to say this isn’t an issue that shouldn’t go unnoticed as in the examples supplied its clear it can be harmful to folks who aren’t informed as many of us on the internet.
Basically, how the exploit operates is that typically, PSN requires all credit cards to supply them with their CVV security number. When you normally operate PSN this isn’t something the system usually requests, but when you log in from a different console it will ask you for the CVV number of the credit card on file (if you have one) before you can proceed to log-in. However due to a very easy exploit, if a thief was to get their hands on someones PlayStation user’s account, they could potentially rack up victim’s credit cards without even knowing their CVV number as the process bypasses the requirement.
“It isn’t an exploit with the consoles, it’s an exploit with the network” one modder told us in a private message. When we asked the original poster of the method as to why this exploit is only coming out today in the form of a YouTube video, their response was rather shocking in stating that Sony simply did not care unless it was made public. This exploit has allegedly been around roughly for five full years. The user had claimed that they had sent Sony the exploit in the past, via their own hacking disclosure program, hackerone. The user eventually ended up getting a response that informed them that the exploit served no security risk and was simply fraud. This email was from just today as you can read below.
We strongly disagree with this reply from one of the employees at Sony’s HackerOne as this opens up breached users to a larger threat. It more of an oversight, but should have been something sent up to the correct department rather than brushed off as just a “fraud issue.”
And the problem only gets worse as this typically ends up leading to illegal account selling and consoles pre-loaded with the latest games and on the latest firmware, a piece of information confirmed to us by the modder we spoke to earlier. There are countless black markets out there (mostly out of the USA due to high gaming cost in other countries) that sell PSN accounts loaded with PS3, PS Vita, PSP, and PS4 games using this exploit, and if you search hard enough you can even find consoles being sold like this. Shops in Brazil, up to the point until Sony changed their account authentication and gamesharing process would sell modded PS4 pre-loaded with titles via modchips. One other user familiar with the exploit informed us that the way sellers are doing this is that they are racking up credit card balances from one user, and applying it to three other PlayStation accounts that get placed on separate consoles to be sold; although they’ll eventually be banned if they ever go online.
For all intents and purposes, this is complete fraud, and one could argue borderline piracy since it involves the reselling of illegally obtained software and account selling which is definitely against PlayStation’s own Terms of Service (TOS). This certainly has been something that the major players in the PlayStation 4 hacking scene have been pretty much against for the longest time. In fact, while the latest PS4 firmware is no doubt exploited behind closed doors, many hackers have vowed to never release an exploit that is achievable on the latest hardware due to mass piracy and online cheating.
We have reached out to Sony for a reply and will let you know if anything comes of this. For safety purposes, keep an eye out on all your finances as you never know when someone may steal your information. We highly suggest you activate the two-step verification on your PlayStation Account, whether you want to store credit info is entirely up to you. This certainly isn’t as big as a blunder as Sony’s infamous PSN hack that happened eight years ago where millions of potential credit cards were possibly stolen, though it is a pretty big exploit in the wrong hands.
If you need help setting up Two-Step verification you can do so from either a PlayStation console or from the official PlayStation Two-Step Guide webpage, along with additional security questions to help protect your account.
— Ask PlayStation (@AskPlayStation) July 4, 2019
We have searched for some potential cases and have actually found a very recent one that shows effects from someone most likely using this exploit, along with a good amount of other posts.
— latonya williams (@ladyllw30) June 30, 2019
— latonya williams (@ladyllw30) June 30, 2019
And this reddit post from 10 months back with a similar situation: Reddit
A Reddit Post from 7 month ago: Reddit
Another one dating as far back as three years: Reddit
Source of image below: PlayStation Forums From Last April
A Gamefaqs post detailing the same situation here.
There are several others out there with the exact same scenario, which all pertain to the use of the Family management sub-account, something we didn’t want to originally state in the article due to it being a part of the exploit.