Apr 27, 2011
Nevermind the B*ll*cks, it’s The Sony!
After last night’s announcement that user details had indeed been compromised in the breach that took down the PlayStation Network on April 20, 2011 for an indefinite period, there have been more questions than answers.
Initially it was assumed that Sony would have ensured that personal and sensitive data was sufficiently encrypted to prevent it from being compromised if stolen. That would mean that in the event of a security breach any stolen information would be essentially useless. Maybe a thief would get away with some names and addresses and/or email addresses, the sort of thing you don’t need to steal because it’s available from a gazillion legal sources.
That’s pretty elementary, right? Encrypt sensitive information… or not. There are two sources on the Sony PlayStation site that indicate the information was not encrypted:
14. What personally identifying information do you suspect has been compromised?
Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information provided by PlayStation Network/Qriocity account holders: name, address (city, state, zip), country, email address, birth date, PlayStation Network/Qriocity password, login, and handle/PSN online ID. Other profile data may also have been obtained, including purchase history and billing address (city, state, zip). If an account holder has authorized a sub-account for a dependent, the same data with respect to that dependent may have been obtained. If an account holder provided credit card data through PlayStation Network or Qriocity, it is possible that the credit card number (excluding security code) and expiration date may also have been obtained.
Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.
From the quoted passages we can see that names, addresses, email addresses, PSN logins and passwords, and the password hints have most likely been compromised. As already stated, names and addresses are two a penny, and the same goes for email addresses. The real concern is the passwords and password hints. So before we go on, if you’re a PSN user, stop reading, go to your email (the one you use for your PSN account) and change your password. Done that? Now go to every site you’ve registered on using the same details and change those passwords too (to different passwords, if your memory can handle it).
Panic mongering is not something people should subscribe to, so it’s important to remember that over 70 million users’ details have potentially been stolen. That’s a lot of user details, so let’s give it some perspective: the chances of winning the lottery are 14 million to one, so the chances that YOUR details are the ones chosen to become 15 different people buying shiny suits and fancy shoes on your identity are quite slim.
The main threat to your details is the email address and password combination. Most people are lazy and use the same email address and password for the majority of websites they visit. That’s where the real danger is. Take, for example, a shopping site where you use the same username and password as your PSN account: the thieves have one, so they have the other, and if you have One-Click purchasing enabled then there’s no telling what you’ll be buying for Mr Shiny Suit and his fancy-shoed friends…
The credit card details are actually less of an issue than the email address/password details, and the reason is the CVV. Without the three digits on the back of the card the card number is useless for online use, and the CVV is only printed on the back of the card; you can’t get the CVV from your bank. The only remaining exposure would be places that do not use chip and PIN, but that would involve manufacturing cards and then using them where there is no chip and PIN functionality, which really narrows the field. The level of effort required to do anything with the credit card numbers pretty much negates the risk to users.
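To make the “encrypt sensitive information” point concrete, here is an added example (my own illustration, not Sony’s code or anything from the PSN backend): a plaintext password table beside a salted, stretched one for two hypothetical accounts, showing what a thief learns from a leaked row of each. For passwords specifically, a one-way salted hash is what is wanted rather than reversible encryption, so the example uses PBKDF2.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample accounts (hypothetical, not real PSN data).
# Both users happen to have chosen the same password.
ACCOUNTS = {"alice": "hunter2", "bob": "hunter2"}

# Plaintext storage: a breach of this table hands over every password directly.
PLAINTEXT_STORE = {user: pw for user, pw in ACCOUNTS.items()}

ITERATIONS = 200_000  # PBKDF2 work factor; raise it as hardware gets faster


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a salted, stretched hash from a password.
    A fresh random 16-byte salt is generated unless one is supplied
    (a stored salt is supplied during verification)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


# Hashed storage: the table holds only (salt, digest) per user, never the password.
HASHED_STORE = {user: hash_password(pw) for user, pw in ACCOUNTS.items()}


def leaked_row_contains_password(user: str) -> bool:
    """What a thief gets from one leaked row of the hashed table:
    the password string itself never appears in it."""
    salt, digest = HASHED_STORE[user]
    return ACCOUNTS[user].encode() in salt + digest


def same_password_same_row() -> bool:
    """Per-user salts mean identical passwords do not produce identical
    digests, so a thief cannot even see that alice and bob share one."""
    return HASHED_STORE["alice"][1] == HASHED_STORE["bob"][1]
```

Stealing the plaintext table gives the thief every login (and, with password reuse, every other site those users visit); stealing the hashed table gives them only per-user salted digests that still have to be cracked one guess at a time.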
Now on to the most puzzling bit for me as a PSN user:
15. How will I know if my personal information has been compromised?
We have provided notices to consumers at the email addresses associated with their PlayStation Network/Qriocity accounts. You may also visit www.us.playstation.com/support and www.qriocity.com for notices regarding this issue. In addition, we have taken steps to disseminate information regarding this issue to media outlets so that consumers are informed. To protect against possible identity theft or other financial loss, we encourage you to remain vigilant to review your credit card account statements and to monitor your credit reports.
At the time of writing I’ve not received an email at either of my accounts’ email addresses. Does this mean that my details have not been compromised? Or could it be that over 70 million emails take a while to send out? I feel really sorry for the intern who has to type out all those email addresses…
So follow this three step plan for peace of mind:
1 – change your login details for the sites you visit (use completely different details where possible)
2 – look out for emails/telephone calls asking you to confirm passwords/identity questions (obvious phish is obvious)
3 – DON’T PANIC!
On the plus side, when PSN does come back online you can be pretty certain that it’ll be as secure as secure can be.