For months now, I have been receiving email statements from Sony Entertainment showing my recent purchases and activities. The email address belongs to me, but the Sony user ID, payment method, and activities do not. These mails were coming about once a week and were starting to become quite annoying.
After some quick investigation, I determined that this was not spam, or identity theft (at least not mine), but a case of stupidity where someone had registered my email address with their Sony account.
Due to Sony not verifying email addresses before allowing customers to continue registration and purchases, I have been receiving months of unwanted and unwarranted mail from them.
For months, I have been trying to remove my email address from this account. I tried contacting Sony support, but this seemed to only be available to logged in users. I tried emailing support@, spam@, and abuse@, and to report this as abuse of my email address, but received bounces.
Finally, all of this annoying spam, I decided to see if I could just log in and try to remove myself from this account.
I went to the login screen, but I didn't know the password. So, I decided to try resetting the password. Since my email address is the one on file, I should theoretically be able to use this page to submit for a password reset and receive a password reset link.
If worked! Sony sent the password reset link to my email address.
I clicked the link, which took me to a password reset page. However, before getting to the form to reset the password, I was challenged with a birthdate verification check. This was good, but maybe not as foolproof a security method as one would think.
That said, it did have me stumped and quite frustrated. I thought I might just give up on the password reset and just live with the onslaught of spam. I didn't really have any options other than to start marking them as spam or creating a filter to bounce them back to Sony. This would probably just create an endless loop of bounced email messages and not really solve the problem.
So I tried entering in some random dates. All failed. Then I thought, maybe if I repeatedly enter wrong dates, it would trigger something and lock the account. That would be good because at least someone would take notice and maybe do something with the account. So I went about entering random dates, hoping this slow and manual dictionary attack would set off some alarms. It didn't. I must have tried 20 or 30 variations, but nothing triggered. It just kept prompting me for more tries.
Then I was looking at the user ID... (example only) sonyuser1225. Hmm... 1225... That kind of looks like December 25th. But who would be stupid enough to use their birthdate in their user ID?! Well, unfortunately, this is not uncommon and given that this user was oblivious enough to register someone else's email address and continue to use it blindly for months, chances seemed high that this was *the* birthdate.
So I tried Month: 12 Day: 25. But then what to enter for a Year? Well, considering he's using a Playstation to stream media and play games and that he is clearly... Let's call this 'naive' to put it very mildly... I made the assumption that he was born between 2001 and 1995.
So I just worked backwards until I hit the right number and... Bingo! I was presented with the password reset form. I quickly entered something snarky as the password as the new password and hit submit. After submitting the form, I was redirected to the Sony account home screen.
And from there, I had easy access to anything in the account. Full name, billing address, and billing name. Credit card was not fully visible, which is good practice, but with the credit card registered, it would be very easy to go on a little shopping spree on his behalf. But as annoyed as I was about some idiot using my account and Sony's belligerence with account management, I would never stoop that low. I was in for one purpose only - to remove my email address and end this abuse of my email address.
But back to the job at hand. I mozied over to find the profile where I could edit and remove my email address. But before I did, I stumbled upon this notice:
Great, so at least Sony is aware that the email address has never been verified. But how could they continue to let this person use an unverified account? That is ridiculous! They should lock the account until verified to prevent these kinds of issues due to accidental, malicious, or just plain stupid mis-use of email addresses.
Anyway, mission accomplished within just a few minutes and I was out. No need to linger or abuse my temporary access privileges. The only damage caused is that the user is now effectively locked out - and rightly so. They and/or Sony needed to take notice of the account anyway. I was the victim and my email address and inbox were being abused. My account is now out of the picture, and the user has a chance to clean up their debacled account and register an email they legitimately own.
Well this experience highlights a few important lessons:
- Users should never use identifiable or easy to guess information in your username
- Providers should have checks in place to prevent this in their forms
- Users should never register an email address that isn't theirs (It's really not that hard to get this right)
- Providers should request the email twice as confirmation in their forms to rule out typos
- Providers should email users a verification link and require they click on it before enabling services on an account
- Providers should always provide a way for users to easily contact them, report abuse, or report misuse of accounts or other personal information
- Providers should detect when a user authentication fails continuously and either lock out the user or prompt for a 2-factor auth method
Sony currently has a lot security problems to fix, many of which are far more serious than this. But proper email and account management should definitely be added to their list.
And while I felt slightly shady about having to go about it in this way, I felt that I was left with no choice given that I couldn't contact anyone at Sony and couldn't be fully certain that this account wasn't somehow mine until I logged in and verified the details. So I've documented this here to leave as an example and offered these lessons learned to help others improve their practices, both for users and for service providers.
Note: You should also be slightly impressed that this whole process and the writing of this article were done on a mobile device.