Tuesday, 17 November 2015

In August, my PSN account was hacked and I found $500 in charges made on my card. Sony strings me along for a month, promising a full refund, but ultimately tells me that my only recourse is a chargeback. I issue the chargeback, but Sony disputes and inexplicably wins. Details inside.

I hope I'm not violating any rules of this subreddit by posting this here. I think I'm okay, based on previous posts such as this and this.

Introduction

For the past three months, I have been embroiled in a struggle with Sony customer support trying to resolve an issue with an attacker who gained access to my PSN account and used it, along with the stored card information associated therewith, to purchase $499.91 in PlayStation 3 games and PlayStation services. I have attempted to resolve this issue with Sony for several months, but it has reached the point where I feel that public airing is my only recourse.

Summary

For those of you who don't want to read the entire thing, here's a brief summary:

  • An unknown attacker gains access to my PSN account and makes approximately $500 in charges to my debit card. Sony has a history of security breaches.
  • Because of Sony's policy of banning accounts from which chargebacks arise, I try to get my money back from Sony without resorting to a chargeback, a process where a bank officially files fraudulent charges against a merchant.
  • Every step of the way, Sony's representatives promise me my $500 back, yet I only ever see $230 of it.
  • Eventually, Sony tells me that the remaining money cannot be refunded due to a ridiculous technicality. (They apparently cannot process refunds for banned accounts, and the attacker created a sub-account that they suggested I request be banned.)
  • Sony's representative tells me that "literally" the only way to get my money back is a chargeback. I tell my bank to issue the chargeback.
  • Sony disputes the chargeback using extremely questionable logic that doesn't even address the fraudulent nature of the original charges, and somehow wins.
  • Currently, I am in the process of re-filing the claim, this time trying to make it very clear that it is a case of fraud, not whatever Sony claims it is.

That's just the short of it. I encourage you to read on. It's quite the riveting tale.

Background

I own one PlayStation console, a PlayStation Vita that I purchased in 2012. My only interaction with the PlayStation Network is that I occasionally buy games from the PSN Store (no online play, etc.), and I have several games in my digital library, such as New Little King's Story and Atelier Totori Plus, which were only available through the PSN Store. Were my account to be banned, I would lose access to these games that I purchased.

Part 1: Discovery

One day, I received a spate of emails from PlayStation Network along the lines of "Thank you for your purchase". This alarmed me, because I hadn't made any purchases on the PSN recently. I also noticed four charges on my debit card, totaling $499.91. When I signed in to the PSN to see what was going on, I saw that a PS3 I did not own had been registered with my account, and that my account now had a new "sub-account" under it. The $499.91 in charges on my card were spent on a combination of PS3 games, subscriptions to PlayStation services, and a $150 charge to my "PlayStation wallet" which lay unspent.

I immediately changed my password, revoked all the permissions I could from the sub-account, removed my card information, etc. Under normal circumstances, I would have also contacted my bank to report a case of fraud, but I had purchased several games on the PSN in the past, and I knew that it was Sony's policy to ban any account that initiated a chargeback, so I tried to resolve the issue with Sony first.

I contacted PlayStation support as soon as I could. (As a side note, if you try to access PlayStation Live Support Chat outside of the hours it is available, like I did, you get this, an error page that suggests that this fabled Live Chat either doesn't exist or is currently technologically broken, not that you are trying to access it outside operating hours. You get the same page if you try to visit a bunch of other pages, too. But I should stop talking about that, since confusing web service is the least of their problems.)

The next morning, when it was available, I got on Live Chat with a Sony customer service representative and brought the problem up.

 

Live Chat with Evelyn
August 19, 2015
Transcript

 

The response:

Evelyn: PlayStation takes all security matters seriously. Your case will be passed on to our Trust and Safety team for investigation and you will hear back from us within 5 business days.

Looks like they'll look into it. Cool. So far so good.

A few days pass, and I receive an email from Sony stating that a refund of $499.91 has been approved. Great! I do notice that they are quick not to admit any fault, instead calling this refund a "one-time gesture of goodwill", essentially stating that it was my fault that someone got access to my password. There's no way Sony's robust security systems could have been breached, right? That's definitely never happened before! But whatever. If it's a one-time gesture of goodwill, I just have to deactivate my debit card, never do business with Sony in the future, and this kind of thing will never happen again. They also say that it could take 1-2 billing cycles (i.e. 1-2 months) before I see the funds, which is a pretty long time. I'm not happy about that, but what can you do?

A couple more days pass, and I see that two of the four charges to my card had been reversed. Awesome! Just two more to go! At this point, $229.97 of the total $499.91 has been returned to me. I also notice that there is $55 sitting in my PlayStation wallet (down from the $150 that was there after the fraudulent charges, but up from the $0 that was there prior to this whole mess). Anyway, any day now, the other two charges will be reversed and this will all be over with. Any day now.

Any day now...

Well, after another week of waiting, I started to grow worried. It was one thing if all four reversals took a while to post, but two of them had been reversed relatively quickly, so it seemed odd that the other two were taking so long. I contacted Sony customer support once again, and this time, I was redirected to the phone lines by the Live Chat agent.

Part 2: Investigation

When I called Sony's customer support line, my call was answered by a friendly gentleman named... actually, I don't know what his name was, because I couldn't make it out properly. It originally sounded vaguely like "Jordan" to me, but listening to it again, it was definitely not Jordan. Unfortunately for him, he's Jordan now, because I don't know his actual name and I need something to call him.

 

Phone Call with Jordan (Customer Support)
September 1st, 2015
Audio (11:08)
Full Text Transcript

 

After explaining the situation to Jordan, I ask him if there's a reason why two of the charges had been reversed, while the other two had not been. The initial response:

Jordan: Oh, okay, I'm able to see right now on your refund request, that says the [unintelligible] has been approved. Your refund has been approved and was, um, refunded to the wallet of your PlayStation account.

That's not good. First of all, part of the refund had already been credited to my card. Second of all, why would they think refunding to my PlayStation wallet would be acceptable?

Me: The wallet of my PlayStation account?
Jordan: Correct.
Me: That is not acceptable.
Jordan: Hmm?
Me: Um, so for some background, several purchases for my PlayStation account were made fraudulently, and I want to have the money back into my card because I never intended to make any of these purchases.
Jordan: Okay, I see. (pause) Okay, let me see what I can do.

So Jordan does a little more research, and here's what he finds:

Jordan: Okay, Mr. *******, I am able to see that your refund has been complete. I will [unintelligible] the department in charge where we're processing the refund keys, and the money went to the card. To your credit card. To your actual credit card.
Me: Sorry, can you repeat the whole thing?
Jordan: Yes. I was investigating this for you, and I was told that when the billing department, when they were processing your refund request, the amount was refunded to the credit card where the money was taken.
Me: Okay.
Jordan: Okay, so in that case, my best suggestion would be the next, try to contact your [unintelligible], and ask them how much they will be taking to process, completing the refund for you.
Me: Wait, sorry, who am I contacting?
Jordan: Your bank.
Me: Uh huh.
Jordan: So if you can ask them what would be the timeframe that would be refunded the money to your credit card, okay?
Me: Wait, hold on. The problem is that, so there were four charges made on my card originally, and I see, from my bank, that two of them have been refunded, and two of them have not. Should I expect the other two to both...
Jordan: Correct. Sure.
Me: Okay.
Jordan: In case you don't have any update from your bank statement, give us a call back so we can give you more information.
Me: Okay.

Okay, so the thing about it being sent to my PlayStation wallet was a false alarm. Good, good. Still, I am a little worried about this taking too long, since I want to file for a chargeback with my bank if this doesn't work out, and there's usually a 1-2 month time limit for that.

I call up my bank and they say that any credits should be posted more or less immediately on their online banking service, but I'll give everyone the benefit of the doubt and be patient for a little longer.

I have two more things to address on this call with Jordan. First, I ask him about the suspicious $55 in my account:

Me: Yeah, um, I'm also seeing that my wallet balance is at $55, and I believe, before any of these charges, it was at zero. Is this uh, does it have to do with this whole thing, with the refund?
Jordan: Correct. Sure. So, all of that will be refunded.

I'm not sure what he means, but as long as I get all my money back, it's not a big deal, I guess.

Second, I ask if he can remove this foreign sub-account made by the attacker.

Me: Alright. And another question is that as part of this break-in, someone created a "sub-account" to my account and, if possible, I would like to delete this sub-account. Is that something you guys can do?
Jordan: Um, to delete it completely, deleting the account, it is not possible to do it.
Me: Okay.

Looks like the answer is no. But he has an alternative:

Jordan: Uh, what we can do is to escalate the case for you and ban that account. The account will be severe, so they could be the uh, when you request to ban an account, nobody else will be getting access to that account anymore. But it's up to you if you want to ban the account, so you can think very well if you want to ban it so we can do the process for you.
Me: Yeah, I would like to ban this sub-account. It's called bomamamitachinga10@gmail.com. This sub-account was created without my permission.
Jordan: And the Online ID?
Me: Uh... hold on. (pause) Just give me like, thirty seconds.
Jordan: Alright.
...
Me: The Online ID is boamama10.
Jordan: Thank you. (pause) Okay, got it. Found it. So you want to unban this account. No, to ban this account.
Me: Yes.
Jordan: Alright. Just one second. (pause) Okay, so let me do this for you... (pause)
Jordan: Okay, so let me see, I will be creating a case for you, for this account, so the account will be unbanned. Banned, sorry. Just another couple of seconds.
Me: Okay.
Jordan: Thank you. (pause)
Jordan: Okay, great. So I have already escalated the case, so the account will be banned.
Me: Okay.
Jordan: Nobody else will be getting access to this account.
Me: Alright.

Well, second-best thing. If I can't have it removed, might as well get it banned. There's absolutely zero chance this could have ramifications down the line. None. Zilch. Nada.

The phone call ends with a reassurance that the money is on the way, and that I should talk to my bank to know how long it will take.

Jordan: Okay, Mr. *******? Do you have any other questions I can assist you with?
Me: Um, just to summarize, I should expect the charges to my card to be undone?
Jordan: Correct.
Me: For the full amount of $499.91?
Jordan: If you don't get an update from your bank account, give us a call back so we can investigate more for you.

I call my bank, and they repeat that they see no credit to my card and that any transactions should show up in one day, at the slowest. Well, maybe they're wrong or something. Who knows? I can wait.

Part 3: Befuddlement

After waiting two more weeks, still with the money not having been refunded, I call my bank again and ask them to check into the MasterCard system to see if there were any pending transactions. They answer that, no, there weren't. The refund that Sony promised had never been sent.

So, I call Sony customer support again to figure out what the heck was going on. After some frustrating conversations, they tell me that they can't help me and send me to the billing department. I call the billing department number they give me and explain the situation to a Sony representative named Victor, who goes to contact a supervisor and puts me on hold. After 15 minutes of being on hold, the call disconnects.

I redial the number and get a fellow named Warren.

 

Phone Call with Warren (Billing)
September 14th, 2015
Audio Part 1 (9:59) | Audio Part 2 (10:23)
Full Text Transcript

 

I describe the situation to Warren and ask about the yet-unrefunded $269.94:

Warren: So you said you only got back $229.97?
Me: That is correct. So there were four charges originally, and the ones that were refunded were one that was for $150, and one for $79.97. The remaining two charges, which were both for $134.97, have not been refunded.
Warren: Give me one moment here.
Me: Sure.
<some time passes>
Warren: Give me one moment here while I go ahead and get a hold of a supervisor here for you. Give me one moment.
Me: Sure.

And so, Warren puts me on hold as he contacts a supervisor. He comes back with an answer, and boy, is it not one I expected:

Warren: Hello?
Me: Hello.
Warren: Okay, so I found out what the issue is here. The amount that you got refunded back was based off of what was submitted for the master account, but according to your accounts here, you also have a sub-account.
Me: Yes, that was created—
Warren: And...
Me: Yeah, sorry.
Warren: And that specific sub-account is technically on a ban right now.
Me: Yes, I requested that ban because I didn't create that account.
Warren: Okay. So purchases that were made from that account is what you are submitting the refund from, but they cannot process the rest of those purchases for the refund while the account is currently banned, so what would need to be done is...

Wait, what? They can't refund the charges because the attacker's sub-account is banned? How does that make sense? And the sub-account wasn't banned until my chat with Jordan. The first two charges were reversed way before that. None of this makes sense.

Me: Wait, hold on. I requested that account to be banned on September 1st. However, these refunds were on August 24th, so that shouldn't have had anything to do with it.
Warren: When the account is banned, they cannot touch anything from the account and the refund submission for everything was based off of a call that you made on August 19th. These charges were all made prior to that, so what you're looking at here is that they can't touch anything on that account until the account is unbanned. Which is this case um, basically means that we need to go ahead and rectify this account getting unbanned first so that we can go ahead and get the rest of the submission of that refund done for you.

Way to dodge my point. Also, thanks for raising my hopes that I can get this sub-account unbanned.

Me: Okay. Is that something you can do?
Warren: Well, right now what we would need to do is we would need to go ahead and get you to basically change the uh, information on the account. Do you know what the Online ID and Sign-in ID for that account is?
Me: Yes, give me a couple of seconds.
Me: Alright, the Online ID is boamama10, and the Sign-in ID, well the last time I looked at it, it was boamamamitachinga10@gmail.com. I'm looking at it now and I see it's prefixed by "cnotes_". That might be an internal thing you guys use?
Warren: Okay, give me one moment here.
Warren: You said that you didn't create this account, right?
Me: I did not.
Warren: Okay.
Me: My account was compromised, which led to the fraudulent charges, and part of that was the creation of this account.
Warren: Okay, give me one moment here.

Cool! So I'm gonna get this stupid sub-account unbanned, get my refund, and peace out of this mess.

After spending a long time being on hold:

Warren: Hello?
Me: Hello.
Warren: Okay, so this is what I found out here with this information. Basically, you will only have pretty much just one option at this point of what you can do, which in this case, if you want to be able to get all your money back, you're gonna need to file for fraudulent charges through your bank.

what

Me: Yep. Yeah, that's what I was going to do if nothing else worked. Do you mind explaining why the refund can't go through?
Warren: Because the part that you did have go through was based off the purchases from your master account, from your account there, but the other charges came from that sub-account.
Me: Okay...
Warren: And because that sub-account was closed and you don't have access to that sub-account, correct?
Me: I mean, I can have access to that sub-account if it were unbanned.
Warren: So you have access to the email is what you're saying?
Me: No no, what I'm saying is... wait, let me see if I have you correctly. You're saying that because the fraudulent charges were made using this sub-account, which I did not create, those funds cannot be refunded. Is that correct?
Warren: Well, yes, because that's the question, why I was asking is you didn't create it, so I'm assuming you don't have access to that email, correct?
Me: I do not have access to that email.
Warren: So because you would need to have access to that email in order for them to go ahead and help you change the information on this account...
Me: What do you mean by "change the information"?
Warren: Change... so that we can get the account unbanned, basically.

This still doesn't make sense. In order to get the sub-account unbanned, I need to have access to this random guy's email? Just so they can process the refund, which everyone agrees is valid?

Me: I don't understand. I was the one who requested the account be banned. How was I allowed to do that, and now I can't request it be unbanned?
Warren: Anybody can request for the account to be banned because you're saying that you didn't create the account information, but if it was someone else's account and they actually have access to it, they could contact us if they actually have access to that email and everything that was used to create the account with and such, they can provide all the information that would be completely needed for them to get that unbanned. And in this case, right now what we're looking at here is that no one has disputed that information, so this account is still currently on a ban, and right now because of those refund requests that was made, you're basically looking at the fact that because we cannot refund the charges from a banned account, the only solution or option that you have at this point would be to dispute the charges with a bank by following up, filing for fraudulent charges.

The fact that whoever this attacker was could contact Sony and get their account unbanned is wholly unhelpful for reasons I hope I don't need to explain. This goes on for a while (you can read the whole conversation in the linked transcript, or listen to it with the audio provided). Eventually, I just resign myself to filing for the chargeback, but I want to make one thing clear first:

Me: Okay. And I have a question about that. So when I do file for fraudulent charges, I have heard that that would lead to the closing of my account. Is that correct?
Warren: It would lead to the closing or the banning of that specific account. In this case...
Me: Which would be the sub-account.
Warren: Correct, because that's where the money that you are expecting the rest, or the balance of, to come from, because that's the money they cannot submit the refund for on that, so that's the charges you would be disputing with the bank to have them take back from Sony for you so that you can get that money back.
Me: So it would apply to the account whose Online ID is boamama10?
Warren: Correct, just that sub-account, yes.
Me: And it wouldn't affect that main account that the sub-account is under.
Warren: Not unless you're gonna end up disputing any charges that are a part of that master account.

Well, okay. This can still work out. I'll file for fraudulent charges through my bank, and after a couple of months, the money will be back in my bank account, this attacker's account will stay banned, and my main account and the games on it will remain untouched. So I go ahead and start filling out digital paperwork with my bank.

Part 4: Mindboggle

Several days later, I officially file for a chargeback against Sony with my bank, citing the initial approval of the refund and the vacuous reasoning given to skirt payment multiple times as supporting evidence. It was a slam-dunk case, I thought. In order for the chargeback not to go through, Sony would have to file a rebuttal in which they show that the transactions were not made fraudulently, which they obviously can't do, because they were 100% fraudulent.

Imagine my surprise when I get a letter from my bank notifying me that my claim had been rejected, following a rebuttal by Sony.

I had to see this rebuttal for myself.

 

Chargeback Adjustment Reversal Request from Sony
Filed October 30, 2015
Document (PDF)

 

Let's take a look. Specifically, at the second page, where their entire argument is. This is the information they collected at the time these charges were made:

IP address: 201.229.62.112

Customer used the following contact information:
Name: ******* *******
Email address and Sign-in ID: *******@*******
Address: ******* ******* Cambridge, MA 02141

Okay, they know they were supposed to offer evidence to support their case, right? I typed that IP address into iplocation.net and guess where it's from? Oranjestad, Aruba. The address that's partially starred out was my billing address on file. Last I checked, Aruba and Massachusetts were two very different places. In fact, this looks like a pretty solid case of fraud. Geolocation services aren't 100% accurate, but they're all at least above 90%, and all the geolocation services listed on iplocation.net agree on this one. The conclusion should be that some charlatan in Aruba (or using an Aruban VPN) got their hands on my account information and used it to buy a bunch of games (which they no longer have access to). Not whatever they concluded.

I should also mention that I moved residences at the end of June and updated my bank information (but not my PSN billing information) to reflect my new address well before these charges to my debit card were made. Had Sony checked that the billing address they had on file matched the one on the card, they would have been able to reject the transaction.

Sony tracks all log in and usage activity, and their records show the cardholder has continued to access their account and utilize services through 09/14/2015.

So accessing my account is proof that I made those transactions? 09/14/2015 is the day I had those lovely conversations with Victor and Warren, by the way. I was logged into my PSN account in case I had to provide them with information about my account. And unless they're counting my chats with Jordan, Warren, and Victor as "using their services", that's a patently false statement. I didn't so much as touch a PlayStation console since finding out about the charges. Well, I might have touched my Vita when I was trying to deactivate the PS3 that the attacker had registered with my account, but that should hardly count.

During the checkout process, customers are required to select a "click-to-accept" button to fund the Wallet. This action signifies the customer's agreement to the attached Terms of Service and User Agreement, which state that all purchases are non-refundable.

Except the part where I didn't agree to those conditions, because I never selected that button, because I didn't make the purchase! Someone else did!

Somehow, whoever arbitrates these things decided that yes, Sony's case is watertight. Someone who is paid to decide things decided that I was some scoundrel trying to swindle Sony out of their hard-earned money, or something.

Anyway, I decided to log in to my PSN account to see how things were faring on that front, and lo and behold, I couldn't log in because my account had been banned. Despite Warren's assurance that the chargeback banning would only apply to the sub-account. Despite Sony having disputed the chargeback and mindbogglingly succeeding. That wasn't enough, so they closed my PSN account, which had tangible value in the form of previously purchased games.

Part 5: Current Situation

Steaming, I call up my bank and explain the situation. My bank's representative theorizes that the chargeback had been treated as "unauthorized charges" instead of "fraud". I wasn't sure what the difference was, but apparently unauthorized charges are when, say, a company overcharges for a service, or when you cancel a monthly subscription but they keep billing you. Fraud is when someone pretends to be you and uses that info to charge your card. This seems like clear-cut fraud to me.

As it stands now, I'm waiting for my bank to get back to me on re-filing the chargeback. All logic dictates that I should win, but if there's anything I've learned, it's that logic doesn't matter.

Conclusion

Let's recap some of the absurdity in this situation.

they cannot process the rest of those purchases for the refund while the account is currently banned

Why was the account banned? Because one of your associates suggested that I request for it to be banned! And why does it matter whether it's banned or not? Some bit in your system doesn't stop you from pressing the couple of buttons (or triggering an automated system to virtually press those couple of buttons for you) that initiates the reversal. And there was nothing stopping you from unbanning the account in the first place! You could have unbanned it for ten seconds, processed the refund, and re-banned it again, if it was so against your policy.

"We're incompetent" is not an excuse for phenotypically malevolent behavior. A Sony representative suggests that I request the attacker's sub-account be banned, so I do. Then Sony turns around and says that the refund can't be processed because that account is banned. It's actually kind of brilliant.

Further, look at this:

if you want to be able to get all your money back, you're gonna need to file for fraudulent charges through your bank.

When I filed those charges, I thought I was just jumping through some wacky bureaucratic hoops and this was the way to get my money back. I mean, how could PlayStation dispute these fraudulent charges (successfully, I might add) if one of their agents specifically suggests I file a chargeback? How could Sony have the temerity to dispute the fraudulent nature of those transactions when every step along the way, it was not the validity, but the logistics of the refund that was debated? How could Sony so brazenly present evidence in their case that blatantly refutes their argument and act as though it supports it?

"The check is in the mail" is an old cliché that died out because no one sends checks in the mail anymore. I think I found the modern equivalent.

Miscellaneous

Why didn't you change your password after the news broke on Sony's security breach?

First, I changed my password in May, and this attack happened in August. I'm sure some security experts would recommend a more frequent changing, but I don't use my PSN account very often (which means I don't think about it much) and I think three months should count as decently recent.

Second, Sony has had multiple security breaches, and it's hard to keep track of them all. It's hard to react to a headline saying that the PSN has been compromised when it seems like you see them every few months. Maybe some of them are rehashes of old news, maybe they're not.

Why did you store your debit card information on Sony's servers if you knew their security was questionable?

I don't know, I guess I never thought it would happen to me. It was definitely stupid of me, and I won't do it again.

But it's not like dressing sluttily gives people the right to rape me.

Well, now I'm outraged. Is there anything I can do to relieve my outrage?

If you're really feeling riled up, I guess you can direct your outrage at Sony's Twitter accounts, referencing this post. That's probably the only way Sony will take notice and maybe fix their broken customer interaction model. You can also spam their other social media pages if you want, I guess. Or if you want to be really serious about it, you could go the legally binding route and change your Facebook status to something like "I swear never to buy anything related to the PlayStation brand ever again". I know I will.



by serfbufo http://ift.tt/1PyDQ3F
