PSN: The Great Cyberspace Swindle

Apr 27, 2011

Nevermind the B*ll*cks, it’s The Sony!

After last night’s announcement that user details had indeed been compromised in the breach that took the Playstation Network down on April 20 2011 for an indefinite period, there have been more questions than answers.

Initially it was assumed that Sony would have encrypted personal and sensitive data well enough that it would be useless if stolen. That would mean that in the event of a security breach any stolen information would be essentially worthless. Maybe a thief would get away with some names, addresses and/or email addresses – the sort of things that you don’t need to steal because they’re available from a gazillion legal sources.

That’s pretty elementary, right? Encrypt sensitive information…. or not. There are two sources on the Sony Playstation site that indicate that the information was not encrypted:

http://us.playstation.com/support/answer/index.htm?a_id=2356

14. What personally identifying information do you suspect has been compromised?
Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information provided by PlayStation Network/Qriocity account holders: name, address (city, state, zip), country, email address, birth date, PlayStation Network/Qriocity password, login, and handle/PSN online ID. Other profile data may also have been obtained, including purchase history and billing address (city, state, zip). If an account holder has authorized a sub-account for a dependent, the same data with respect to that dependent may have been obtained. If an account holder provided credit card data through PlayStation Network or Qriocity, it is possible that the credit card number (excluding security code) and expiration date may also have been obtained.

http://us.playstation.com/support/answer/index.htm?a_id=2185

Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.

From the passages quoted above we can see that names, addresses, email addresses, PSN logins and passwords, and the password hints (security answers) have most likely been compromised. As already stated, names and addresses are two a penny, and the same goes for email addresses. The real concern is the passwords and password hints. So before we go on, if you’re a PSN user stop reading, go to your email (the one you use for your PSN account) and change your password. Done that? Now go to every site that you’ve registered on using the same details and change those passwords too (to different passwords if your memory can handle it).
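The post’s point is that a stolen database is only dangerous if the rows still contain usable secrets. The block below is an added illustration, not Sony’s code or anything from the post: it shows the plaintext storage pattern the post is worried about beside the standard defensive practice for passwords (and for password hints/security answers), which is salted one-way hashing rather than the reversible encryption the post mentions. The account name, password, iteration count and salt length are constructed values for the demo.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed parameters for this example. 100k PBKDF2 iterations keeps
# the demo fast; real deployments use a far higher count or a memory-hard
# KDF such as scrypt or Argon2.
ITERATIONS = 100_000
SALT_BYTES = 16


def store_plaintext(login: str, password: str) -> dict:
    """The pattern the post is worried about: the row IS the secret.
    Anyone who dumps this table can log in as the user anywhere the
    same credentials were reused."""
    return {"login": login, "password": password}


@dataclass(frozen=True)
class StoredCredential:
    """Hardened row: a random per-user salt and a one-way digest.
    The password itself is never written anywhere."""
    login: str
    salt: bytes
    digest: bytes
    iterations: int


def _derive(secret: str, salt: bytes, iterations: int) -> bytes:
    # PBKDF2-HMAC-SHA256 from the standard library; slow by design.
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)


def store_hashed(login: str, password: str, iterations: int = ITERATIONS) -> StoredCredential:
    """Build the record to persist. A fresh salt per user means two users
    with the same password get unrelated digests, so a dump cannot be
    matched against precomputed tables or across accounts."""
    salt = os.urandom(SALT_BYTES)
    return StoredCredential(login, salt, _derive(password, salt, iterations), iterations)


def verify(record: StoredCredential, candidate: str) -> bool:
    """Login check: recompute with the stored salt and compare in constant
    time so the comparison leaks nothing about how many bytes matched."""
    return hmac.compare_digest(_derive(candidate, record.salt, record.iterations), record.digest)


def dump_contains_secret(record: StoredCredential, password: str) -> bool:
    """What someone holding the dumped row can read directly. The row
    holds salt + digest only; the plaintext is absent."""
    return password.encode("utf-8") in (record.salt + record.digest)


if __name__ == "__main__":
    # Constructed sample account; not real PSN data.
    pw = "correct-horse-battery-staple"
    weak_row = store_plaintext("psn_user_42", pw)
    strong_row = store_hashed("psn_user_42", pw)
    print("plaintext row exposes password:", weak_row["password"] == pw)
    print("hashed row exposes password:", dump_contains_secret(strong_row, pw))
    print("login with right password:", verify(strong_row, pw))
    print("login with wrong password:", verify(strong_row, "hunter2"))
```

The same store/verify pair applies to security answers: hash them like passwords and a leaked table gives up neither. Note that hashing only protects the password column; the names, addresses and email addresses in the same table are still readable, which is exactly the split the post draws between low-value and high-value fields.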

Panic mongering is not something people should subscribe to, so it’s important to remember that over 70 million users’ details have potentially been stolen. That’s a lot of user details, so let’s give it some perspective: the chances of winning the lottery are 14 million to one, so the chances that YOUR details are the ones chosen to become 15 different people buying shiny suits and fancy shoes on your identity are quite slim.

The main threat to your details is the email address and password combination. Most people are lazy and use the same email address and password for the majority of websites they visit. That’s where the real danger is. Take a shopping site that uses the same username and password as your PSN account: the thieves have one, so they have the other – and if you have One-Click purchasing enabled then there’s no telling what you’ll be buying for Mr Shiny Suit and his fancy-shoed friends….

The credit card details are actually less of an issue than the email address/password combination, and the reason is the CVV. Without the three digits on the back of the card the card number is useless online, and the CVV is only available on the back of the card; you can’t get the CVV from your bank. The only way to use the numbers would be in places that do not use chip and PIN, but that would involve creating physical cards and then using them where there is no chip and PIN functionality, which really narrows the field. The level of effort required to do anything with the credit card numbers pretty much negates the risk to users.

Now on to the most puzzling bit for me as a PSN user:

http://us.playstation.com/support/answer/index.htm?a_id=2356

15. How will I know if my personal information has been compromised?
We have provided notices to consumers at the email addresses associated with their PlayStation Network/Qriocity accounts. You may also visit www.us.playstation.com/support and www.qriocity.com for notices regarding this issue. In addition, we have taken steps to disseminate information regarding this issue to media outlets so that consumers are informed. To protect against possible identity theft or other financial loss, we encourage you to remain vigilant to review your credit card account statements and to monitor your credit reports.

At the time of writing I’ve not received an email to either of my accounts’ email addresses. Does this mean that my details have not been compromised? Or could it be that over 70 million emails take a while to send out? I feel really sorry for the intern who has to type out all those email addresses…..

So follow this three-step plan for peace of mind:

1 – change your login details for the sites you visit (use completely different details where possible)
2 – look out for emails/telephone calls asking you to confirm passwords/identity questions (obvious phish is obvious)
3 – DON’T PANIC!

On the plus side, when PSN does come back online you can be pretty certain that it’ll be as secure as secure can be.


David Nicol is a gamer, blogger, podcaster and video creator based in the UK. Responsible for TBFmedia.com, thegamerscraic.com, backslashgaming.com and is articles editor at hupitgaming.com

6 comments

  1. But won’t the CVV be recorded along with the rest of the CC details?

    I’m not too worried about my card being used but I may still call my bank tomorrow and tell them I used that card on PSN. I’m not cancelling it though as there’s a 40 Euro tax on credit cards here and cancelling it would cost me that tax payment, I think.

    Ars had an alarming post about this, even listing people who had problems with their credit cards. I was all ready to dismiss them as coincidence except for that guy who said he only ever used that card to pay for PSN.

    Still, the odds they’ll be used is minuscule.

    PS. Install the subscribe to comments plugin! :)

    • I get the feeling that the CVV is secured differently to the other information and is probably not retained by the service provider at all. On most sites they regurgitate your name address and card number, but ask you to enter the CVV as confirmation that you are who you say you are – that is then checked by the card issuer for authorisation and not the site.

      It really is just a numbers game. There will be people who have trouble, but same as everything else out there, how much of it is 100% true, and how much of it is actually directly related to the Sony issue rather than poor security by the individual? There are a lot of ambulance chasers out there.

      Ahhh, plugins. The site wasn’t going to be live for another couple of weeks so I haven’t got everything how I wanted it to be yet. The subscribe plugin will be #1 right now.

  2. Well well here we are! Nice site Dave :)

    I’m not too concerned over the hack either and like Donncha I may just call my bank and let them know. I’ve already got fraud protection on my card so when a purchase does occur I’m usually notified within a couple of hours, plus I’ve always placed a limit on my card so my account can’t be cleaned out. As for my other details, well those are already in the public domain anyway.

    • Thanks buddy. Hopefully I’ll be able to get some non-PSN hack information up here soon but you know how it is…

      As for the whole identity theft thing, like you say, the majority of our details are easily locatable, but the main cause for concern in this case has to be the username/password combinations. That’s where the real threat is.

  3. User/pass is always a big issue when it comes to online websites, systems etc. and after working in IT for over 10 years I could tell you a few crazy stories about insecure systems due to user/pass combinations.

    Problem is most users are not aware of what a dictionary attack is and don’t know the importance of creating a good strong password, kids especially. I’d hate to imagine how many PSN users have a weak password on their account and use it for other websites such as email and even the likes of PayPal or Amazon.

  4. kunde

    Lots of good reading here, many thanks! I had been searching on Yahoo when I observed your post; I’m going to add your feed to Google Reader and I look forward to more from you.