Wednesday, 27 April 2011
On 20th April 2011, without announcement, Sony took down their online gaming network, the PlayStation Network (PSN), which is used by millions of gamers worldwide. I immediately suspected it was hacked, and my fears were confirmed by Sony, who stated that between April 17 and 19 they suffered an “illegal and unauthorised intrusion”. Sony also explained that user account personal profile information ‘may’ have been compromised, which represents a major breach of personal information, a real gold mine of black market data for identity thieves and card fraudsters.
PSN Profile Information at Risk
Full home address
Date of Birth
PlayStation Security Questions & Answers (password reset)
Credit Card Details
When a company uses the word “may” in reference to a data breach, it is always wise to assume the information has been stolen and is in the hands of the bad guys.
PSN Gamers Security Advice
1. Once the PlayStation Network comes back online, the first thing you must do is not play CoD or FIFA, but change your PSN password straight away.
2. Pay extra attention to transaction activity on the credit card linked to your PSN account. With data breaches of this nature, credit card data is the quickest to exploit and so is typically the first piece of information fraudsters cash in on. If you have received an Email from Sony saying your account has been compromised, I suggest you play it safe: cancel the card and obtain a new one. If you do find the bad guys have been using your credit card, report it to your credit card company immediately. They will cancel your credit card and issue you a new one, and you should be fully refunded for any fraudulent transactions made.
3. Be on the lookout for Scam (phishing) Emails. By using your profile information, the bad guys can craft and send you fraudulent Emails which are highly personalised and so appear more genuine than normal spam Emails. In the security business this technique is known as Spear Phishing. For example, they could use your full name and birth date to offer you a free birthday gift, perhaps a free PlayStation 3 game voucher, enticing you to click on a link to a website engineered to steal further credit card details. Always remember that Phishing Emails have either a greed element (i.e. you have won something or can get something for free) or a fear element (i.e. your account security has been compromised), so do not implicitly trust any such Emails, even if they look like they come from Sony.
4. Passwords. If your PSN password is the same as the password for any of your other online accounts, especially your Email account or online bank accounts, assume that this password is compromised and change those passwords right now.
5. The potential compromise of your Security Questions, which are used to reset your password, is particularly concerning, especially if you can’t remember what security questions Sony has used. Many of your other online accounts will use the same security questions and answers, and typically your date of birth, to reset your account password. Most websites will Email the password reset confirmation to your registered Email address, so be vigilant for password reset Emails, and if you use an online Email system like Gmail or Hotmail, ensure the password you use is strong and unique. If the bad guys compromise that Email account, they can use password resets to compromise many of your other accounts.