One more major hack to be noted.
Will we ever learn???
PSN is the backbone of the Social Gaming environment in Sony’s Playstation systems. It provides everything form the backend allowing the games to communicate effectively through to the Playstation Store and Music/Movie purchase portals.
If you’ve ever purchased a minigame, album or rented a movie via your Playstation then this issue will affect you directly.
Essentially, on the 17/Apr/2011 an attempt was started against the PSN that appears to have successfully obtained user information. This information includes:
- Email Address
- Date of Birth
- PSN Login
- PSN Password
The Official Blog does not mention if the PSN Password was exposed in raw text or hashed/encrypted format. It does, however, state that the following information may have additionally been exposed:
- Purchase History
- Billing Address
- PSN Security Question Reponses
It is also noted in the same source that they cannot guarantee that Credit Card information was not exposed.
Advice to American customers of PSN is to enable the Fraud Protection mechanisms on your identity to prevent credit being obtained in your name. Also, Americans can contact the major Credit Bureaus.
The blog also states that the attack was on going until 19/Apr/2011, 2 days later. It is not clear if they shutdown the network immediately upon detecting the attack or if they waited to see if they could trace it or stop it themselves but the network wasn’t disabled until 20/Apr/2011. It may not be commercially good but just PULL THE PLUG!!!!
Urgent Action Required
So, why is all this possible? Basically it is entirely our own fault. Two things are most commonly associated with today’s society: Convenience and Easy of Use. The latter also covers a fetish for speed. Faster, faster, faster. Oh, and stop asking me all those annoying questions too.
We all need to accept some inconvenience now. This is just getting silly. A system such as this should not exposing client data. Pure, defined one way requests are the only thing that should be authorised. Why is Credit Card information stored in a similar location to the PSN profile data? We have insisted that these companies store this information as we don’t want to enter it every time we make a purchase, look at Apple’s iTunes store – a potential store of over 100 million Credit Card numbers. We just don’t want to have to type in a load of digits every time we purchase a 59p App or 99p song. Apple do it as the “impetuous” purchase is way too easy this way.
But we as users should be forced to accept some difficulty in purchasing to protect ourselves, and these service providers and retailers should be forcing us down that path. They need to think about their reputations.
What matters most to a Company?
The primary asset of any firm is its REPUTATION. Above and beyond all else, any company needs to protect this, and here Sony have failed catastrophically. Yes, they are hardening the system and tracing the nature of the attack and the data leeched but for their customers it is all too late. 55 Million people are not going to enable anti-fraud on their identity. Again, because we are lazy.
Who has performed the attack?
I am hoping that this is all a worst case scenario and that this is not a sponsored attack, leading to direct huge scale fraud. If the nature of the attack is revealed by Sony (unlikely) then we will be able to guess how much risk is involved. There should be a public announcement after they receive the report from the external security firm, possible indicating how sophisticated the attack was.
Notice to customers
An email has gone out to all registered users with all the post-exposure advice listed above. They also remind users that the password has been compromised and that if they use it elsewhere then they should change it there too (as well as on PSN once the system is up again).
Passwords: I strongly suggest that individuals ALWAYS use a different passwor don all systems/accounts/services and that they make these secure. Storage tools like mSecure are a good way of helping with this.
Identity: difficult one. The Credit Agencies should be forced in these circumstances to contact you but they are not. Also a lot of their services are not free, especially outside the US. Contacting all of them is a huge task (three major agencies but there are others). BE CAUTIOUS and careful as ever!