Posted on 26-Jun-2011

PSN hack: The facts and the fiction

The truth behind gaming's biggest ever hack...

"When companies say 'may', it's wise to assume the worst." So says Dave Whitelegg, security advisor to companies and consumers. His phone's been ringing a lot since Sony said it "may" have lost millions of PSN subscribers' credit card details.

The April 19 intrusion into the heart of Sony's online service caused over three weeks of downtime: a huge pain for players, a concern for developers and a catastrophe for indies taking their first steps into the PSN marketplace.

For many of you Sony's 'Welcome Back' package may have repaired much of the damage - if the Xbox 360's 'Red Ring Of Death' disaster taught us anything, it's that gamers tend to forgive the moment they're back in the game.

[Image: PlayStation Network screenshot]

THE REAL RISK

But will we forget? Not if we've any sense. As a tech-savvy yet often naive crowd, we've been given a wake-up call. The fact that many have obsessed over the card info - the most sensational angle - tells you just how out of touch we can be. "The thing with credit card info is that it's the quickest way for people to make cash out of the data set," says Whitelegg.

"But it's the personal information that's really important. And if you look at the kind of information that's been breached in this situation, the significant data is email address and password. Most people tend to use the same password for multiple accounts. So if a hacker knows your email, the first thing they'll try - especially if it's Hotmail or Gmail - is to log on.

"If I have control of your email account, I can do password resets on every other account you have. That's the second factor here: Sony's reset questions have been lost as part of the breach. If you look at e-commerce websites like Play.com, when they do a password reset they ask you some personal information. But Sony use generic ones like, 'What's your mother's maiden name?'"

Cancelling a payment card is as inconvenient as it is simple, and once done is absolute; those stolen numbers become useless. But unless you follow the sage advice of randomly generating each and every password in your online life - and let's face it, who does? - you'll be amazed how vulnerable you are.

KNOW YOUR ENEMY

"You could do quite clever phishing emails with this attack," says Whitelegg. "And you could make those emails very personalised - 'spear phishing' as it's called. So you could get an email, for example, pretending to come from Sony, saying you've got a free voucher because it's your birthday. So you're more likely to click on that link and, say, have malware installed on your PC."

[Image: PlayStation Network screenshot]

The two attacks on PSN and Sony Online Entertainment's servers have, incredibly, brought over 100m such data sets into the culprit's hands. Various fingers have pointed between Anonymous (the anti-establishment hacking outfit with a vendetta against Sony) and some unknown cyber-criminal with more conventional aims. Anonymous became chief suspect when Sony discovered a file on an SOE server called 'Anonymous' which simply read: 'We are legion'. A sceptic might think this an obvious plant. But that's not how it works, argues Whitelegg.

"If you're good then you don't leave anything. You delete all your logs, don't leave messages, don't leave calling cards. Because that's how you get caught. You delete as much evidence as you can. This is someone trying to make a statement."

Speaking to SC Magazine, meanwhile, Anonymous spokesman Barrett Brown said, "Anonymous has no record in engaging credit card theft and resell, and if we did, the FBI would've already come down on us."

Comments

9 comments so far...

  1. timewarp1 on 26 Jun '11 said:

    TBH I found Geohot to be the arrogant one. When he first announced he had hacked the FW, fair dos - clever. But then when Sony moved to protect their IP, the guy went nuts and went on a venomous attack at Sony, which triggered off the PSN attack and then all this other stuff. It's clear hackers don't like gaming - they think they are superior. Yeah, Sony may have handled things badly in hindsight - but the guy escaped jail, so why did people still go at Sony? The German kid refused to stop attacking Sony, and is now off to do time; I guess it makes sense to him. Geohot is famous for iPhone hacking and TBH, had he left it be, he would have my respect still, but the way he went at Sony lost my respect. So it's "oh yeah, Geohot, isn't that the guy that jailbroke the iPhone and didn't realise SCEA means Sony has a division in the USA?" instead of "oh yeah! He's the dude that jailbroke iPhones!"

  2. xsuicidesn0wmanx on 27 Jun '11 said:

    I can't say I agree. I didn't think Geohot attacked Sony directly, merely their decision to take away a feature many bought the console for. Geohot did not initiate any attack on PSN though; it was Sony's arrogance in thinking they could do anything they wanted that brought Anon & Lulz down on them.

    Let's take a sidestep though. I want to know, in others' minds, what's really so different about Sony using the US court system to force PayPal to hand over information on all of us, forcing the webserver owners to hand over IPs and ISPs to hand over personal information on us, versus hackers stealing very similar information from Sony? If I had merely gone to Geohot's website to view the information out of curiosity, since I am a technical-minded person, and because of this decision to learn more about how the system worked, Sony now demands my personal information.

    Personally I'm glad Sony got hacked, and while it's unfortunate that it resulted in Sony deciding to turn PSN off for 3 weeks, the big bad bully got punched in the balls, and for that I can smile a little smile inside.

  3. Asinine on 27 Jun '11 said:

    Everyone is getting hacked left, right and centre at the moment: Sony, the FBI, UK census information controlled by Lockheed Martin, and more that have been in the press, and no doubt more that have not owned up and have not been in the press.

    Yes, Sony, the FBI and others should work harder to secure their systems, of that there is no doubt, but the perpetrators are still the ar5eholes here. Whether or not you like a corporation does not mean that committing burglary into their systems and stealing customers' data is morally right in any sense.

  4. SlapnutzUK on 27 Jun '11 said:

    Sorry, I have to disagree strongly with any comments stating it is Sony's fault for removing the OtherOS feature.

    Firstly, you were given a choice: you could either keep the option and remain off the PSN, or accept it and carry on with a normal service. The choice was down to the individual. The OtherOS option largely didn't give you anything but the ability to hack and pirate. It wasn't an advertised feature but a "bonus", probably included just to say "hey, look what the PS3 can do!"

    Secondly, everyone signed up to the same T's and C's; it was covered in there. Again, if you don't agree with something, don't sign up for it. "I didn't read it" isn't an excuse.

  5. manky on 27 Jun '11 said:

    The bully got slapped. People decided to act against a tyrant abusing its power for its own benefit. It brought it on itself, and its own weaknesses were highlighted for the whole world to see.

    Don't stand up for the faceless corporation and the grey suited lawyers they hired to smash your skull in.

    Stand up for yourself and the SONY behemoth might just think twice next time it considers driving its tanks over the little man.

    Please don't forget to consume. Without you they are nothing.

  6. SlapnutzUK on 27 Jun '11 said:

    I fail to see any validity in your point?

    Sony gave you a choice: you can either use the OtherOS and stay off the network, to prevent piracy and the potential for other PSN-hindering hacks, or accept its removal and carry on as normal. They warned everyone in advance, apologised for it and, I would hope, thought most of you would understand.

    It's like me hacking XBOX LIVE just because I don't like the new dashboard ffs!

  7. potnoodle1 on 27 Jun '11 said:

    > I fail to see any validity in your point?
    >
    > Sony gave you a choice: you can either use the OtherOS and stay off the network, to prevent piracy and the potential for other PSN-hindering hacks, or accept its removal and carry on as normal. They warned everyone in advance, apologised for it and, I would hope, thought most of you would understand.
    >
    > It's like me hacking XBOX LIVE just because I don't like the new dashboard ffs!

    Not really. It'd be more like Microsoft removing the ability to play DVDs from the Xbox and then telling you that you can continue to use your Xbox as a DVD player if you don't update your console, but if you choose that option you can't use any of the Live services. The fact that only a few people may use the Xbox as a DVD player is not the point. They removed an advertised feature which people used, for little to no point at all. What exactly did the removal of OtherOS prevent???

    BTW I'd love the ability to alter the xbox dashboard. Can't bloody stand it as it is now.

  8. NoobDefence on 27 Jun '11 said:

    > They removed an advertised feature which people used, for little to no point at all. What exactly did the removal of OtherOS prevent???
    >
    > BTW I'd love the ability to alter the xbox dashboard. Can't bloody stand it as it is now.

    Where? Honestly I looked all over the internet and couldn't find a single video/poster advertisement. I'm sorry but people talking about features on forums etc doesn't count as official Sony advertising.

  9. paulhudd on 29 Jun '11 said:

    > I can't say I agree. I didn't think Geohot attacked Sony directly, merely their decision to take away a feature many bought the console for. Geohot did not initiate any attack on PSN though; it was Sony's arrogance in thinking they could do anything they wanted that brought Anon & Lulz down on them.
    >
    > Let's take a sidestep though. I want to know, in others' minds, what's really so different about Sony using the US court system to force PayPal to hand over information on all of us, forcing the webserver owners to hand over IPs and ISPs to hand over personal information on us, versus hackers stealing very similar information from Sony? If I had merely gone to Geohot's website to view the information out of curiosity, since I am a technical-minded person, and because of this decision to learn more about how the system worked, Sony now demands my personal information.
    >
    > Personally I'm glad Sony got hacked, and while it's unfortunate that it resulted in Sony deciding to turn PSN off for 3 weeks, the big bad bully got punched in the balls, and for that I can smile a little smile inside.

    This! :D