27 Apr 2011

Playstation network hack: how to protect yourself

As Sony announces that the details of 70 million users of Sony’s PlayStation Network may have been stolen, we ask computer security experts what users need to do to protect their data.

Some 70 million users have been warned that important personal information may have been stolen after a hack attack on the PlayStation network.

Was this truly an external attack?
Sony told Channel 4 News that there had been “an illegal and unauthorised intrusion” into the PlayStation network and that it had come from outside – i.e. the attack was not perpetrated by someone working for the Sony Corporation.

Carole Thierault, senior computer security consultant with Sophos, told us: “That raises questions. The point is to protect your network from externals. So you have all kinds of different security measures. In this case it seems they weren’t successful.”

There have been several precedents in this area in recent years. In 2007 hackers stole information from millions of payment cards used by customers of US retailer TJX, which owns the UK TK Maxx chain. In 2009 Heartland Payment Systems in the United States reported a data breach in their payment processing network.


What sort of information has been stolen?
A FAQ section on the PlayStation website confirms that all the information provided by users of the network may have been compromised. That includes name, address, country, email address, birth date, PlayStation network password, password security answers and online ID.

Other information that may have been leaked includes purchase history, billing address, credit card number and credit card expiry date.

“The biggest concern from our end right now,” says Carole Thierault, “is that Sony cannot say for sure that credit card details haven’t been compromised. That is a really serious concern for 70 million consumers.”

Was the data encrypted?
Sony told Channel 4 News: “We are currently conducting a thorough investigation of the situation. Since this is an overall security-related issue, we will not comment further on the specifics of this case.”

But if the information had indeed been encrypted, Sony would surely have moved to reassure customers by stating this fact outright. Channel 4 News Technology Correspondent Benjamin Cohen agrees: “What is shocking is that Sony certainly appears to be telling us they didn’t encrypt this information.”

What should I do if I think my data has been stolen in the attack?
Sony’s PlayStation website contains advice to customers to prevent unauthorised use of credit card details. It stresses that Sony “will not contact you in any way, including by email, asking for your credit card number, social security number or other personally identifiable information”.

If you want to be completely sure that your credit card account is safe, you should consider asking your provider to cancel your current card and replace it with a new one.

But Rik Ferguson, director of security research at Trend Micro, believes that would be premature. “Sony say they can’t find evidence that financial data has been breached,” he told Channel 4 News. “But people affected should keep a closer eye than usual on transactions.”

That approach was endorsed by a spokesperson for the government’s Action Fraud website. “We recommend that people do their utmost to protect their identities. They need to check their bank statements, ensuring that transactions are their own,” she told us.

“The general advice for ID fraud is that you’re under an obligation to keep up with your transactions and to keep an eye on them. If you feel you’re in a situation where your identity might have been compromised, look out for the signs and take action by informing the bank.”

Rik Ferguson warns: “If people are worried, they should change their passwords. They have to consider that their email address and common password may be in the hands of criminals.

“Once they’ve got their hands on your email account, that’s like the skeleton key to any other service you use online. Today’s the day to change your passwords.”

If I use a range of different passwords, how can I keep track of them all?
One problem with the theft of computer data is that many users employ the same password on multiple sites. It means that once a hacker has your data, he or she can re-use it elsewhere. According to Carole Thierault, some 40 per cent of people use the same password for every website they log on to.

One option is to use password managers such as 1Password and LastPass, which allow people to manage a complex range of passwords.

Alternatively, Rik Ferguson suggests a mental trick. “One of the best ways to have a memorable and manageable password is to create your complex root password, with upper and lower case letters and numbers mixed up together.

“To make it unique and memorable, do something like put the first two letters of the website in question at the front of the root password – or put the first letter at the beginning and the last letter at the end.”
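Ferguson's root-plus-site scheme written out as an added Python example (not code from the article): both derivation variants he describes, a check that the root has the mix of cases and digits he asks for, and a longest-common-substring comparison showing how much of the root two sites' passwords still share, which is the trade-off against a manager such as those mentioned above. The site-name heuristic and the 8-character minimum are this example's assumptions, not the article's.

```python
from urllib.parse import urlsplit

# Suffixes that act as a second-level label under a two-letter country TLD
# (e.g. 'co' in 'tkmaxx.co.uk'). Heuristic, assumed for this example.
_SECOND_LEVEL = {"co", "com", "org", "net", "ac", "gov"}

def site_label(site: str) -> str:
    """Reduce a URL or hostname to the name a user thinks of as 'the website',
    e.g. 'https://www.playstation.com/login' -> 'playstation'."""
    host = urlsplit(site if "://" in site else "//" + site).hostname or ""
    parts = [p for p in host.lower().split(".") if p and p != "www"]
    if not parts:
        raise ValueError(f"no hostname in {site!r}")
    if len(parts) >= 3 and parts[-2] in _SECOND_LEVEL and len(parts[-1]) == 2:
        parts = parts[:-2]          # drop '.co.uk'-style suffix
    elif len(parts) >= 2:
        parts = parts[:-1]          # drop '.com'-style TLD
    return parts[-1]

def root_is_complex(root: str, min_len: int = 8) -> bool:
    """Ferguson's root: upper and lower case letters and digits mixed together.
    The 8-character minimum is this example's assumption, not the article's."""
    return (len(root) >= min_len and any(c.islower() for c in root)
            and any(c.isupper() for c in root) and any(c.isdigit() for c in root))

def derive_prefix(root: str, site: str) -> str:
    """Variant 1: first two letters of the site in front of the root."""
    return site_label(site)[:2] + root

def derive_bracket(root: str, site: str) -> str:
    """Variant 2: first letter at the beginning, last letter at the end."""
    label = site_label(site)
    return label[0] + root + label[-1]

def longest_common_substring(a: str, b: str) -> str:
    """Dynamic-programming LCS: how much two derived passwords have in common.
    For root-plus-site passwords this is the whole root, i.e. the part that a
    breach at one site leaves shared with every other site."""
    best, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best:
                    best, best_end = cur[j], i
        prev = cur
    return a[best_end - best:best_end]
```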

When will the Sony network be up and running again?
Sony says it is working “round the clock to restore the PSN as soon as possible.”

What if my credit card details are used?
You should not be liable for any losses incurred if you are a victim of internet fraud – provided you did not yourself act fraudulently or with gross negligence.