We store cookies, you can get more info from our privacy policy.
Switch

Nintendo Accounts Possibly Breached: Recommendation To Turn On Two Factor Authentication

by Donald Theriault - April 21, 2020, 5:13 pm EDT
Total comments: 8 Source: Ars Technica

The old Nintendo Network may be to blame for this one.

There is an imminent security threat for Nintendo accounts, and all holders are advised to turn on two-factor authentication to counter it.

Multiple reports of Nintendo accounts having multiple hundreds of dollars in downloadable content purchases - usually Fortnite V-Bucks - have emerged in recent days, and a writer for technology website Ars Technica reported it yesterday. Nintendo responded to Ars today, stating they are aware of the reports and recommending 2 factor authentication, and providing a process for recovering compromised accounts. Although not confirmed - Nintendo is not commenting on the root cause - it is suspected that people were able to gain access through an exploit targeting the old Nintendo Network ID system.

The 2 factor authentication is done by way of a smartphone application, such as Google Authenticator, though applications such as Microsoft's authenticator or Twilio's Authy can also work. There are also guides for using Google or other authenticators on PCs. A smartphone application is recommended for 2-factor in order to prevent potential hijacking of a text messages.

Talkback

TurdFurgyApril 21, 2020

What's this about hijacking text messages? What does that have to do with the Nintendo Network? I don't understand.

LemonadeApril 21, 2020

About a week ago I suddenly getting heaps of log ins on my account that were not me. I added the 2 step login and that fixed it.

Thankfully no money was taken

SheckyApril 21, 2020

Quote from: TurdFurgy

What's this about hijacking text messages? What does that have to do with the Nintendo Network? I don't understand.

To get the gist of it....

https://www.theverge.com/2017/9/18/16328172/sms-two-factor-authentication-hack-password-bitcoin

https://medium.com/@sarathiandroid/time-to-doubt-sms-based-tfa-two-factor-authentication-755cb342f62

Order.RSSApril 23, 2020

Are there any tangible benefits for coupling an NNID (3DS/Wii U) to a Nintendo Account (Switch)? Could people unlink them, or are they permanently tied?

Quote from: TurdFurgy

What's this about hijacking text messages? What does that have to do with the Nintendo Network? I don't understand.

It has to do with 2 factor authentication/multi-factor authentication (2FA/MFA).
2FA/MFA are methods to increase security on accounts. It requires new logins to not only provide the correct username + password combination, but also sends a temporary code to a mobile phone. Those temporary codes are time-sensitive and need to be entered within a certain timeframe (30 seconds for example).

Where the SMS/text message hijacking comes into place is at this step.
SMS/text messages can be spoofed (faked). If someone has access to your Account, they can perhaps figure out your phone number. (Maybe it's in the NNID account info they've got access to, or maybe they just try to use your password across many services to see if an account re-uses that password.)
From there, using spoofing, they could still intercept the 2FA/MFA temporary code, and use that to compromise your Switch Account.

It's more hoops to jump through, yes, but this is why services are pushing clients away from SMS/text-based 2FA, and towards using an app like Authy/Google Authenticator/Microsoft Authenticator. Those should encrypt the temporary code, making it more difficult for outsiders to crack the unique code within the 30 second timeframe.

TL;DR: texting/SMS is thought of as a less secure method of communication than using end-to-end encrypted methods. Thus, 2FA login codes are phasing out SMS and favouring encrypted Apps.

Fun fact: Once I had 2FA set up with my Nintendo account I went and set it up with a bunch of other things too, including the other game systems, and Sony's PSN only supports 2FA via text message.

Mop it upApril 23, 2020

Quote from: Steefosaurus

Are there any tangible benefits for coupling an NNID (3DS/Wii U) to a Nintendo Account (Switch)? Could people unlink them, or are they permanently tied?

If I remember rightly, this is what unifies the eShop wallet across all the platforms.

Quote from: NWR_insanolord

Fun fact: Once I had 2FA set up with my Nintendo account I went and set it up with a bunch of other things too, including the other game systems, and Sony's PSN only supports 2FA via text message.

This was a real irritant when I had to change my phone number last summer, but it was honestly worse that my bank also uses SMS for 2FA.

steveyApril 24, 2020

Quote from: Steefosaurus

Are there any tangible benefits for coupling an NNID (3DS/Wii U) to a Nintendo Account (Switch)? Could people unlink them, or are they permanently tied?

You're able to friend people from your friend lists on both the WiiU and 3DS

Got a news tip? Send it in!
Advertisement
Advertisement