Are your credit card details safe?
Gamers were left puzzled on April 20 when the PlayStation Network went down, cutting off access to the store and a host of other services, including the media portal Qriocity. At almost two weeks and counting, the outage is the longest in the network's four-and-a-half-year history. But as it turns out, the threat to players is graver than an interruption to their spring-break gaming: they'd just been subject to one of the greatest security breaches in recent Internet memory.
The day after the shutdown, Sony acknowledged the issue, saying they were investigating the cause of the problem and that restoration may take a day or two. The reason was only alluded to not explicitly announced two days later, when officials admitted the network's security had been breached. The "external intrusion," as they called it, occurred sometime between April 17 and 19.
Little happened in the next few days, except for a few hasty announcements. On April 23, Sony apologised again and said they were rebuilding the system and strengthening its network infrastructure; two days later, Patrick Seybold, Senior Director of Corporate Communications and Social Media, blogged that he didn't have much in the way of updates just that the process was "time-intensive." No mention was made of the intrusion.
Like this infographic? You can embed it on your blog or website!
Embed this infographic in your website by copying and pasting the code below into your source code
Sony finally confirmed the worst on April 26, nearly a week after the shutdown. After reiterating its previous statements, it admitted, via its Verified Corporate Twitter feed, that the intrusion had compromised users' personal information, including credit card data. Members were promptly advised to monitor their accounts for suspicious activity and have their credit cards blocked for good measure.
On May 2, the company admitted they'd got the numbers wrong about 25 million more users were affected than previously thought, according to a Reuters report. A second attack also resulted in the theft of over 10,000 direct debit records from all over Europe, over 12,000 credit and debit card numbers from non-U.S. users, and an outdated database dating back to 2007, forcing Sony to take down the Sony Online Entertainment service.
Sony on the spot
Sony has understandably taken a beating from the incident. One could argue that their response was timely; they did turn off the network and its services as soon as the problem was detected. In an email to users on April 28, published by Gamers Hub, they detailed the steps they were taking to protect consumers. They included, among other things, hiring a third-party security firm to carry out a thorough investigation and rebuilding the system to "enhance security and strengthen [their] network infrastructure."
The main question is: why did it take them so long to own up? If they were so quick to act on it, why did they wait nine days to tell users their credit card information had been stolen?
Seybold answered some of the questions on the U.S. PlayStation blog. According to him, they learned of the intrusion and of the data theft at different times: they identified the former on the 19th and promptly shut services down, and had to conduct forensic analysis over several days to find out its scope. About a week later, their experts reported that credit card information had been stolen, after which they made the public announcement.
Gamasutra, a gaming blog, is one of many parties that aren't buying it. Editor Chris Morris believes Sony has long had problems with public communication. In an article about the alleged discontinuation of the PSP Go which also mentions the hack, he compares Sony to "an ostrich with its head in the sand," avoiding questions with motherhood statements and providing answers that are ambiguous.
Users added that if the breach were serious enough to require a complete shutdown on the 20th, Sony should have considered the possibility of data theft and alerted users right away, according to a report by UK website PC Pro. This would have allowed them to take preventive measures immediately, instead of leaving them vulnerable for six whole days.
As it happens, the first acknowledgment of the incident made no reference to a security breach, saying instead that the system was "undergoing maintenance." The first clue that the network had been hacked didn't come out until two days later, and for many, that's two days too many. In a letter to Sony representatives, Connecticut Senator Richard Blumenthal said it was troubling that they held back the details of the attack for so long.
Another question worth asking is how it happened. Unlike the delayed announcement issue, this one is clearly Sony's fault, as most experts agree. Carole Thierault of Sophos, a security software developer, says the whole point of data security is to protect your network from external attacks those perpetrated by parties outside the company and that's exactly what Sony allowed to happen. The fact that some of the data (luckily, not the credit card numbers) were unencrypted also shows lack of vigilance on Sony's part, according to Benjamin Cohen of Channel 4 News Technology.
The question of who perpetrated the breach was nowhere near as significant, but it has generated some buzz of its own. To date, no one knows although conspiracy theories have turned up to no one's surprise. Initial speculations pointed to Anonymous, a group of online vigilantes who had previously slammed Sony for taking legal action against George Hotz, a 21-year-old who had cracked the PlayStation's software so that it could run unauthorised programs. Many think that the breach was Anonymous's way of teaching Sony a lesson.
In online forums, gamers are putting forward their own theories. Certain members on Gameslurp.com think that Sony is using the Anonymous excuse to its advantage, covering up the fact that the breach was in fact the result of its own shortcomings. After all, they say, it's easier than owning up to their fault, and it channels the hate mostly of those looking forward to some gaming over the Easter break away from them and towards Anonymous.
Sony has denied that the "hacktivists" had anything to do with the attack, although at the time of the May 1st interview they haven't come up with an alternative. In a press conference in Tokyo, as reported by PC World, Games Division CEO Kaz Hirai admitted that while they had been attacked by Anonymous a few weeks before, they found no link between the group and the breach in question. Anonymous themselves posted a blog denying any involvement, although they didn't rule out the fact that some of their members may have acted individually.
The bigger picture
No clear reason has been given for the breach and how it happened. And if Sony takes a cue from other who have faced similar situations, it will only speak if pressured in court. That day may come soon enough: the UK's Information Commissioner's Office, Canada's Privacy Commissioner Jennifer Stoddart, and Senator Blumenthal have all announced intentions to question the company and conduct investigations. U.S. Representatives Mary Bono Mack and G.K. Butterfield have sent a letter to Sony demanding information on the breach's discovery and how it plans to deal with the crisis.
While we're waiting for answers, speculations abound. The Daily Telegraph highlights the fact that any system linked to the Web is prone to data theft. And with a 77-million-strong customer base and just as much credit card information up for grabs, the PlayStation Network was practically winking and waving at hackers.
Even if credit card data hadn't been stolen, password files were. And even if changing your password were all it took to patch things up, it brings to light another issue: the encryption of user data. Experts have been urging companies to do this for years, according to the Telegraph. But Sony admitted in one of its many statements that the stolen passwords were unencrypted. That's a whole new bag of questions and accusations right there.
The incident is also a major blow to cloud computing, the practice of storing and retrieving data from a central location instead of individual computers. The Sony experience, dubbed IT's "Deepwater Horizon moment" in a Eurogamer article, sheds light on the weaknesses of the system, both to users and providers. Given that many companies are just about to jump on the trend, this fiasco may have come at just the right time.
What users can do
1. Keep a look out for phishing attempts in the form of e-mail scams
In its April 28 message, Sony advised PlayStation Network users to watch out for phone, mail, and e-mail scams, particularly those that ask for personal information. They maintained that Sony would never ask for any identity information, including credit card and social security numbers and reminded users never to provide them to any third party. They also urged users to change their username and password as soon as the PlayStation Network and Qriocity services were back on, and do the same for any accounts (even unrelated ones) where they use the same username and password.
2. Keep a close eye on your credit card statement
Sony also encouraged users to check their account statements and credit reports for any unauthorised transactions. They provided contact information for Experian, TransUnion, and Equifax, the three major credit bureaus in the U.S., and said that U.S. residents can have one copy of the report for free every year. As an added measure, users can have a "fraud alert" status put on their file to watch out for suspicious activity, Sony said.
In an interview with Channel 4, Trend Micro's security research director Rik Ferguson agrees with Sony's advice, saying users should keep a close watch on their transactions. Ferguson added that e-mail passwords should be of particular concern, as they can unlock all sorts of other information linked to the e-mail address. It's like a skeleton key to all your other accounts, he said. Carole Thierault of Sophos says about 40% of internet users use the same password for every account.
3. Consider cancelling your credit card, or having a new credit card number re-issued to you
Action Fraud, the largest fraud reporting center in the UK, reminds users that keeping an eye on their account activity is their standard obligation, with or without the threat of fraud. Events like the Sony PlayStation hack merely serve as a reminder to be more vigilant. Others suggest taking it a step further and cancelling the card altogether.
4. Change your "secret answer" information for retrieving passwords
Graham Cluley, a developer at Sophos, highlights another piece of information that may have been stolen: secret answers for password retrieval. If hackers have this information, they can easily retrieve your new password after you've changed it. If your credit card issuer has the same feature, it's all the more reason to change. Play it extra safe and don't set a question that's traceable, such as your mother's maiden name or the last four digits of your phone number. Choose something that they won't find online, such as your first pet's name.
The Sony incident will go down in history as one of the gaming world's biggest fiascoes. That much we're sure of. On the bright side, if we can call it that, online consumers and providers can learn a few new lessons, and perhaps relearn forgotten ones, in the world of security and public trust. eWeek, an IT business magazine, sums it up in ten points:
- Big names can't always be trusted - Sony was a pioneer in technology, but it proved just as vulnerable to attacks as your average company.
- Not all information should be shared - Too many companies, Sony included, ask for information they don't really need. Optional fields are left blank.
- Sometimes it's out of your hands - Sony's breach proves that even the most vigilant users can be harmed through no fault of their own.
- There's no comfort zone - It's when you fall into a sense of security ("Nothing's happened so far, anyway") that you're most vulnerable to data theft.
- Sometimes, offline is better - The offline world has its share of security issues, but on the whole they are more manageable. If there's an offline alternative to sharing information, it may be worth a try.
- Vigilance is key - Even without the threat of identity theft, consumers have a basic responsibility to monitor their accounts.
- Cloud computing makes for a scary future - After the Sony fiasco, will users still be comfortable putting so much of their professional and personal information online?
- Your antivirus isn't enough - Bolster your online arsenal with web-security software. These programs encrypt all communication from your computer, so that anything that's stolen will be useless to the thief.
- Threats to your financial identity can exist anywhere - Playing a game of Portal 2 may be the last place you'd expect criminals to lurk, what with bank and government sites carrying much more sensitive information. But as it turns out, hackers don't discriminate.
- Exposure must be minimised - The fewer the sites you give your information to, the better.
Important Links and Information for Australians concerned about the security of their financial identity
- SCAMWatch - Australasian Consumer Fraud Taskforce website
- Tips and Advice on dealing with Identity Theft - guide by CyberSmart
- My Veda Alert - an excellent product which allows you to monitor your credit file