Sony PlayStation Network hack: security professionals respond
Earlier this week, the revelation that Sony’s PlayStation Network (PSN) – the infrastructure that allows PS3 owners to play online games and buy movies as well as other downloadable content – had been infiltrated by an unknown hacker, in turn potentially compromising the customer details of up to 77 million users, came as something of a shock.
Between 17 April and 19 April, the electronics giant realised there had been an “unauthorised intrusion” on the Sony PSN and rapidly shut down the service before initiating an investigation. Apparently, the full extent of the security breach was only understood on Tuesday of this week.
The scenario is obviously not a happy one if you’re a PlayStation Network user. It seems that any personal information end users entered into the PSN service could be vulnerable. This includes names, addresses (including postcodes), country of origin, e-mail addresses, dates of birth, PSN passwords, logins, password security answers and PSN online IDs.
Sony has stated it’s also possible that individuals’ profile data (“including purchase history and billing address”) may have been obtained.
If individuals have used their credit cards to buy downloadable content via the Sony PSN or Qriocity, then credit card details (excluding the three-digit security number on the reverse) might also have been obtained by the hacker.
At present, however, Sony is stressing that all of this is a possibility. The company doesn’t know for definite that the hacker has acquired all of this information.
Industry experts quick to have their say
Not surprisingly, industry experts have been quick to comment on the security breach and offer some words of wisdom.
“The period after such a breach is time-critical in terms of communicating with consumers and regulators and protecting reputations,” explained William Beer, a director in PwC’s information security practice.
“Increasingly, consumer trust is being tested as more and more personal information is being placed in the hands of companies, but even the most respected organisations that are expected to have watertight security are being breached as hackers become more sophisticated.”
Beer continued: “At this point, it’s important that consumers are on red alert when receiving requests for their personal information. In what might seem like an authentic attempt by the company itself or a credit card supplier to rectify a problem, hackers are increasingly using advanced methods of social engineering to play on people’s trust and trick them into handing over key nuggets of information.”
Referring to the Sony situation, Beer stressed: “Events like this are surrounded by uncertainty, and that contributes to the severity of the problem. Targeted companies are uncertain about what has occurred and what their exposures are while consumers are unclear about the nature of data stolen and the motivations of the attackers.”
Certainly, the implications of a major breach like this for consumers are wide-ranging and will require increased vigilance over the months to come.
Reductions in credit card fraud
Considering the impact data breaches such as this can have on banks and credit card providers, Simon Westcott (a director in PwC’s financial services strategy group) told SMT Online: “Since 2008, we have seen a reduction in overall credit card fraud of close to 30%, mainly due to the introduction of the Chip and PIN system and other online security measures.”
Westcott added: “However, the nature of the threat is now changing from ‘Point of Sale’ fraud to one perpetrated by hackers stealing large quantities of data. As more people register their credit card details across the Internet, so the risk and cost to the credit card providers becomes ever greater.”
Westcott and his colleagues expect providers to look at ways in which they can recover the costs of the losses they suffer.
“Ultimately, this could be passed on to consumers in the form of increased borrowing costs,” he suggested.
“We may also see providers imposing stricter security requirements on retailers and seeking to recoup some of the cost from the companies who lost the customers’ data in the event these rules are not followed. Providers may also consider levying a premium for additional protection on consumers who use their credit cards online frequently.”
Q&A blog post on the PSN hack
Mikko Hypponen (chief research officer at F-Secure) has drafted a Q&A blog post on the topic of the PlayStation hack.
Q: What kind of credit cards do you recommend for online use?
A: In general, credit cards are safer than alternatives, as long as you carefully follow your bills. We especially like systems like the one provided by Bank of America, where you can generate temporary credit card numbers for online use.
Q: Who hacked PSN?
A: We don’t yet know. Anonymous has recently launched several attacks against Sony but has announced they are not behind this breach.
Q: What’s the connection to Rebug?
A: Rebug is a custom firmware for PS3 that enables access to lots of features that are otherwise unreachable. In particular, recent versions made it possible for a normal PS3 to look like a developer unit.
In some cases, this could be used to steal content from PSN shops for free.
While the Rebug hack could be used to steal credentials and credit card numbers from the PS3 unit it’s running on, there’s no obvious way it could be used to steal information on a larger scale. Rebug developers do not believe it was connected to the current breach.
Q: So, this could never happen on the gaming networks of XBOX and Wii, right?
A: We wouldn’t bet on that.
The full blog post is accessible online.
CPP Group warns all Sony users to be “extra vigilant”
CPP Group plc (CPP) is warning all Sony PSN users to be extra vigilant in monitoring their finances and checking the legitimacy of all communications.
With identity fraud a serious issue affecting millions of people worldwide, CPP reminds users that the hackers responsible for targeting Sony’s PSN have all the data needed to target customers and potentially obtain new credit and goods and services using their personal and financial data.
Nicole Sanders, an identity fraud expert from CPP, said: “Sony is a trusted brand that will undoubtedly have the highest levels of security in place. This data breach is evidence that identity fraudsters and hackers are equipped with the knowledge and technical expertise to illegally steal customers’ data.”
Sanders went on to state: “While there are many practical steps you can take to reduce your chances of becoming a victim, you cannot guarantee that your identity will not be stolen. People need to make sure they’re doing everything possible to proactively manage their own identities, guard against potential scams and act on any suspicious activity.”
With the UK Cards Association figures for March 2011 identifying that phishing attacks have increased by 21% from 2009, there’s a chance people will be targeted with a phishing e-mail that seems legitimate.
Even if it appears to be from Sony, CPP advises individuals never to respond with updated account details online, or even over the phone, and always to telephone back to confirm the legitimacy of the call.
“Users of the Sony network need to act now to detect any fraudulent activity and to change access passwords,” urged Sanders. “CPP is aware many people use the same password for multiple purposes, and always recommends the use of an individual password for each access point.”
CPP also advises all businesses to inform customers as soon as possible about data breaches such that they’re able to take action as quickly as possible.
PSN hacking incident ‘just the tip of the iceberg’
Peter Regent, director of online authentication at Gemalto, has also commented on the PSN hacking incident.
“This data breach brings to light the lack of protection offered by the traditional username and password. This once considered ‘good enough’ approach enables hackers to easily bypass security measures and gain access to sensitive personal data.”
Most businesses still employ a username and password security approach and, worryingly, lots of employees use similar passwords for everything including work PCs and networks, e-mail accounts, social networks and personal bank accounts.
Cyber criminals can therefore use passwords and other personal details harvested from attacks to hack into corporate networks by simply logging onto LinkedIn to find out where the individuals work.
“To avoid any repeat of such a large scale data breach,” added Regent, “consumer organisations must re-evaluate security controls to reduce fraud and protect individuals’ data. A one-time-password (OTP) approach, using tokens or smartcard devices, provides an additional security layer to usernames and passwords to secure online transactions.”
Some gaming companies already require customers to use OTP devices to securely access their online accounts and make transactions. OTP devices can easily be integrated into most gaming consoles, in turn securing access to the gaming environment and account holder information as well as ensuring customer data doesn’t fall into the wrong hands.
To protect businesses, however, a far more sophisticated security approach is a ‘must’ in order to prevent networks from attack using just username and password credentials.
“A layered identity verification approach will ensure only authorised users gain network access,” stressed Regent. “A smartcard solution encompassing certificate-based authentication and Public Key Infrastructure (PKI) certificates will enable only authorised employees to access sensitive information and allow audit trails to be carried out.”
This provides a similar level of protection for corporate information assets to that which Chip and PIN cards provide for banking consumers when withdrawing cash from ATMs.
Regent concluded: “Cyber criminals are becoming increasingly sophisticated, and no individual or corporation is immune to attack. By integrating multi-layer authentication into security processes and infrastructures, consumer organisations and businesses will be better prepared for fraud prevention.”
An expert’s candid view of the PSN situation
Phil Lieberman, CEO and founder of Lieberman Software, is an IT security expert with over 30 years’ programming experience at his fingertips.
What’s his view on the Sony PSN hack, and how best to protect individuals from similar breaches?
“Taking a baseball bat to a hornet’s nest is never an advisable strategy,” said Lieberman.
“Sony’s strategy in defending its intellectual property was, in my opinion, heavy handed and has triggered the ‘nuclear option’ with those that it engaged. Perhaps Sony could learn a few lessons from Microsoft in how it has handled XBOX 360 and Kinect intellectual property.”
Lieberman’s considered suggestions for consumers are as follows:
- don’t provide your correct DOB or other personal information to this type of vendor (i.e. for playing games online)
- use a throw away e-mail account
- use an anonymous debit card for this type of online transaction
- use a unique password per site
- always assume that the company gathering your personal information is totally incompetent at securing the data, and consider what you share with them and how you are going to recover your personal identity should they lose your information
“The reality of cloud data security and PCI today is that they’re ineffective,” outlined Lieberman, “and there are often no consequences for many companies that under-invest in security.”
He continued: “The auditor responsible for the Sony account will, in all probability and looking at these situations historically, not be held accountable.”
Lieberman said: “We’re fundamentally opposed to hiding PCI results as well as SAS70 reports from the public. If you don’t have access to the full internal security report of a vendor you’re dealing with, you should expect that they have little-to-no real security and that your data will probably be compromised.”
As far as Lieberman’s concerned, there’s “abundant technology” available to prevent such data breaches and/or limit their scope.
“Putting this much data into a single database that’s publicly extractable with no limits is shameful given what’s available today to protect against this type of loss.”