Opinion// PlayStation Network Hack Analysis

PSNightmare!

Posted 27 Apr 2011 12:00 by
It will not have escaped your attention that Sony has made an announcement about the recent PlayStation Network hacking and outage. The traditional media has been all over it, as well as online sources. Even BBC Radio 4 covered it, and that's a station more concerned with "serious" matters like politics and economics.

OK, so PSN has been hacked, we knew this last week. What we've just learnt is that our personal data has been stolen from Sony's servers by an unknown individual or group. What does this mean for us, the normal users of PSN?

The risks to our data have been categorised in three ways by Sony:
Probably Stolen
Nick Caplin Head of Communications, SCEE wrote:
... we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state/province, zip or postal code), country, email address, birthdate, PlayStation Network/Qriocity passwords and login, and handle/PSN online ID.
Possibly Stolen
Nick Caplin wrote:
It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained.
Unlikely to have been Stolen
Nick Caplin wrote:
While there is no evidence that credit card data was taken at this time, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, to be on the safe side we are advising you that your credit card number (excluding security code) and expiration date may also have been obtained.
This classification into probable, possible and unlikely levels of risk seems to indicate how Sony deals with our data once it's on their network.

As I mentioned in an earlier article about PSN security, part of my day job involves writing software that processes credit cards online. As part of this development my company has had to look at the Payment Card Industry Data Security Standard (PCI DSS) regulations that Sony will have had to comply with when designing their systems.

To me it looks like the "probable" data is in a database that Sony's "outside, recognized security firm" has identified as having been stolen. Data items like our passwords in this list will most likely be encrypted, but in a way that is vulnerable to a brute-force attack; the rest will be stored unencrypted.

The "possible" data will most likely be held in an encrypted database separate from the previous one, maybe even on a separate server. Decrypting this database will be possible, but only in a reasonable time with access to the encryption keys used. My assumption is that there is no evidence that these keys have been stolen.

The "unlikely" data will almost definitely be held on a separate server from the ones known to be hacked and will certainly be encrypted. This is a requirement of PCI DSS and no payment card company would deal with Sony if this were not the case. I'm assuming that there is no evidence that this server has been hacked or that this database has been stolen.

So what risks do we all face?
First of all, our credit card details are almost certainly safe. The important details (number, expiry date, etc.) are in the "unlikely" section of the data. These are required by every payment processing system out there.

In addition, the "security code" (also known as CVV or CV2) has not been stolen. This code is the last three digits on the back of your card, or the four digits next to the hologram on the front, depending on your card. According to PCI DSS (and all previous standards before it) this number cannot be stored anywhere, encrypted or not.

Without this security code, our credit card details can't be used online, even in the unlikely case that our card number and expiry date have been stolen and can be retrieved from the encrypted database.

The major problem we face is not to do with PSN at all. If you use the same email and password on other systems like Xbox Live, Amazon, Facebook and the rest, your accounts there could be stolen and used. The encryption on our passwords can be broken reasonably quickly, especially if you have a simple password like a word in the dictionary. Once that is done, the people who now have possession of our data will try the same details on all the major online systems to see which ones they can break into.
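To make concrete why a stolen password store is only as safe as the way it was stored, here is an added example (not code from the article or from Sony) contrasting a fast unsalted hash, which a single precomputed table of dictionary words matches across every leaked account, with a per-user salt plus an iterated KDF, which defeats table reuse. The word list and the weak password are constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

# Constructed sample data, not anything from the breach: a tiny "dictionary"
# and a weak password that is itself a dictionary word, as the article warns.
DICTIONARY = ["letmein", "password", "playstation", "qwerty", "dragon"]
WEAK_PASSWORD = "playstation"
ITERATIONS = 200_000  # work factor for the slow KDF


def store_unsalted(password: str) -> str:
    """Weak storage: one fast, unsalted hash. Equal passwords give equal hashes."""
    return hashlib.sha1(password.encode()).hexdigest()


def store_salted_kdf(password: str, salt: Optional[bytes] = None,
                     iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Stronger storage: random per-user salt plus PBKDF2-HMAC-SHA256."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_salted_kdf(password: str, salt: bytes, digest: bytes,
                      iterations: int = ITERATIONS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = store_salted_kdf(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)


def dictionary_recovers(stored_hash: str, words: Iterable[str]) -> Optional[str]:
    """Does one precomputed table of word hashes match this leaked hash?
    Because there is no salt, the same table serves every account at once."""
    table = {store_unsalted(w): w for w in words}
    return table.get(stored_hash)


def salted_hashes_differ(password: str) -> bool:
    """Two users sharing the same weak password get different salts and
    digests, so a table built for one account tells nothing about the other."""
    s1, d1 = store_salted_kdf(password)
    s2, d2 = store_salted_kdf(password)
    return s1 != s2 and d1 != d2
```

Changing the password on other sites, as the article advises, is still the only defence once the weak form has leaked; the salted KDF only limits how much a breach of the store itself gives away.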

Comments

config 27 Apr 2011 12:33
Great, well reasoned article. I feel Sony ought to have issued a statement sooner to the effect that there was the potential that usernames and passwords were compromised, and encouraged users to change passwords on other systems that share the PSN password.
Martin 27 Apr 2011 14:30
Totally agree with you Config. The "potential" warning from Sony regarding passwords would have been helpful, timely and almost certainly not seen as over-reacting.
However, Sony are going to have to do something very drastic to restore users' faith... More than a free "minis" game at least.
James 27 Apr 2011 20:54
Same here, good job config. In my opinion, Sony did do it too late and put 77 million credit cards in danger. Apparently, one employee from Sony leaked the network codes and that's how it all happened. All of my friends who have PS3 say that it will come back online even though it doesn't. But anyway, it was a good article. Job well done.
Super Tramp 27 Apr 2011 20:55
I also agree with config, but what I fail to understand is how to take my credit card details off the PSN. I know everyone is advising us to do so; however, we are not actually able to because we cannot sign onto PSN due to the "Maintenance" occurring. This is frustrating because we know what is happening/happened but we are powerless to do anything about it.
K45H1F 27 Apr 2011 21:14
So when will everything be back to normal?
SONY 27 Apr 2011 21:15
WHY ME ?
WHY NOT XBOX ???
xbox 27 Apr 2011 21:16
hahahaha
Chris 27 Apr 2011 23:46
Great article, makes complete sense and has slightly put my mind at rest. I say slightly because I wasn't buying into all the crap that everyone else was coming out with in the first place, though I'm not convinced that SONY telling us sooner would have been possible. I for one don't know when they found out the extent of the hack into their system, and unfortunately you haven't convinced me that they knew that people's information was stolen before they told us.
But as I said before this is a great article, thanks for the info :)