77 Million Network Accounts for Sony PlayStation Compromised by Daring Cybercrime



This morning the news is ablaze with reports of a hack into Sony's PlayStation Network, with numerous media outlets proclaiming that as many as 77 million customer accounts have been compromised (I grabbed that number from PCWorld.com, but it made local newspapers all over the country as well, if not as front-page news, then as a front-page business section topic). Patrick Seybold, Sony's Senior Director of Corporate Communications and Social Media, posted a blog entitled "Update on PlayStation Network and Qriocity" on the US PlayStation site this morning in reaction to these reports. Opportunities for phishing, cybercrime, and fraudulent credit card access appear to be greatly enhanced by a breach of this magnitude.



Here are some highlights:



    • Between April 17 and 19, 2011, "PlayStation and Qriocity user service account information was compromised in connection with an illegal and unauthorized intrusion into our network"


    • Sony has taken the following actions in response to this cybercrime: turned off PlayStation Network and Qriocity services; engaged "... an outside ... security firm to conduct a full and complete investigation..."; and "...taken steps to enhance security and strengthen our network infrastructure by re-building our system to provide you with greater protection of your personal information."


    • Information obtained during the hack is described as follows: "name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility."


    • The blog also explains how possibly affected individuals can place fraud alerts on their credit files with the major US credit ratings agencies (Experian, Equifax, and TransUnion) to prevent fraudulent attempts to obtain credit in another person's name.



Sony is keenly aware that such information disclosures can lead to targeted phishing and other attacks, so they warn affected persons "...to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information. Sony will not contact you in any way, including by email, asking for your credit card number, social security number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking. When the PlayStation Network and Qriocity services are fully restored, we strongly recommend that you log on and change your password." No kidding!



When I read this story in this morning's paper, I remarked to my wife that some credit card companies allow creation of temporary credentials for the purpose of one-time purchases online. Given the number of online breaches that appear to be occurring lately, I wondered out loud if it "might not make sense to use one-time credentials for any online account set-ups." But alas, while that can prevent fraudulent re-use of credit card information, it does nothing to protect identity information that must usually be provided when creating online accounts of any kind. It increasingly looks like security experts and Web developers need to re-think, and possibly re-invent, how online identity and financial information is solicited, transmitted, stored, and accessed. Only a re-imagined and re-cast set of tools for handling such information appears to offer a way out of our current mess. And in the meantime, it's probably wise to remind employees, friends, and family that phishing opportunities abound, with potential attacks at work every time they open their inboxes.



Stu Sjouwerman


