Opinion// PlayStation Network Hack Analysis

Posted 27 Apr 2011 12:00 by
Even if you use a different email address for each service, but all on the same domain and all with the same password, you are still vulnerable. For example, if your PSN address is psn@example.com (where "example.com" is your own domain, of course), it won't be hard for an attacker to guess that you also use amazon@example.com or xboxlive@example.com, and to try those with the same password you used on PSN.

If this applies to you then I can't stress this strongly enough: Change Your Other Passwords Now! Then change your PSN password as well, once the service is available again.

The other, less likely risk is identity theft. Our names, physical and email addresses and birthdays are now "in the wild", so to speak, and these are exactly the details used to answer "security questions" and pass identity checks, so they can be used to impersonate you and possibly gain access to other services and systems you use. There are procedures in place to deal with this sort of thing, and your bank, credit card company and government will be able to advise you on what you can do to avoid it.

For example, in the UK the Information Commissioner's Office has advice regarding identity theft.

What could Sony have done to prevent this?
Without knowing how the hack was accomplished, it's very difficult to know what went wrong. It's possible that this was simply a lucky attack by a dedicated hacking group that hit on a way into Sony's servers. It's also possible that a vulnerability in Sony's systems was exposed through the information published by fail0verflow and GeoHot, or through the custom firmware built on it. However, there's no evidence available to us to say for sure either way.

Sony takes card payments, so its systems must have been designed to comply with PCI DSS, and therefore should have followed industry practice for handling card details. Systems like this are designed on the assumption that they will be broken into at some point, so there should be a "defence in depth" approach in which the more sensitive the data, the more tightly it is segregated and protected. One caveat: PCI DSS covers cardholder data, not the rest of the profile, so compliance on its own says nothing about how names, addresses, birthdays or passwords were stored.

Based on this, I believe the systems were compromised at the network level: some vulnerability was used to gain remote access to the PSN servers, and from that point the hack will have become a matter of copying files off and breaking into them at leisure on the attackers' own systems. How much of that copied data is immediately useful then depends entirely on how it was stored.
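To illustrate what "breaking into them on the attackers' own systems" means in practice, and why the "designed to be hacked" assumption above matters, here is an added Python example (not code from the article or from Sony). It builds two versions of the same copied credential file from a constructed wordlist and three made-up accounts: one with fast, unsalted SHA-1 hashes and one with per-record salts and PBKDF2 key stretching (the iteration count is an assumption). Cracking the first takes a single precomputed table; cracking the second costs a full wordlist run per record, with every guess multiplied by the work factor. The last function then applies the recovered passwords to the same-domain alias problem described at the top of this page.

```python
import hashlib
import os

# Constructed illustration only: a toy wordlist and three made-up accounts.
# None of this is PSN data, and the work factor below is an assumption.
WORDLIST = ["password", "123456", "playstation", "letmein", "qwerty", "dragon"]
ACCOUNTS = {
    "psn@example.com": "playstation",
    "amazon@example.com": "playstation",  # same password reused on another service
    "alice@example.org": "letmein",
}
PBKDF2_ITERATIONS = 20_000  # assumed work factor; real deployments use far more


def store_unsalted_sha1(password):
    """Fast, unsalted hash: one table of guesses works against every record."""
    return hashlib.sha1(password.encode()).hexdigest()


def store_salted_pbkdf2(password, salt=None):
    """Per-record random salt plus key stretching: every record must be attacked
    separately, and each guess costs PBKDF2_ITERATIONS hash computations."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest.hex()


def build_dumps(accounts=ACCOUNTS):
    """The two 'copied files' an attacker might walk away with."""
    unsalted = {email: store_unsalted_sha1(pw) for email, pw in accounts.items()}
    salted = {email: store_salted_pbkdf2(pw) for email, pw in accounts.items()}
    return unsalted, salted


def crack_unsalted(dump, wordlist=WORDLIST):
    """Hash the wordlist once, then look every record up in that table.
    Returns (recovered, hash_ops): the cost is len(wordlist) regardless of dump size."""
    table = {store_unsalted_sha1(w): w for w in wordlist}
    recovered = {email: table[h] for email, h in dump.items() if h in table}
    return recovered, len(wordlist)


def crack_salted(dump, wordlist=WORDLIST):
    """No shared table is possible: re-run the wordlist against each record's salt.
    Returns (recovered, hash_ops), counting PBKDF2_ITERATIONS per guess tried."""
    recovered, hash_ops = {}, 0
    for email, (salt, digest) in dump.items():
        for guess in wordlist:
            hash_ops += PBKDF2_ITERATIONS
            if store_salted_pbkdf2(guess, salt)[1] == digest:
                recovered[email] = guess
                break
    return recovered, hash_ops


def reuse_exposure(recovered):
    """Group recovered passwords by (mail domain, password). Any group with more
    than one address is the alias-reuse pattern warned about earlier in the article."""
    groups = {}
    for email, pw in recovered.items():
        domain = email.rsplit("@", 1)[1]
        groups.setdefault((domain, pw), []).append(email)
    return {key: sorted(emails) for key, emails in groups.items() if len(emails) > 1}


if __name__ == "__main__":
    unsalted, salted = build_dumps()
    fast, ops_fast = crack_unsalted(unsalted)
    slow, ops_slow = crack_salted(salted)
    print(f"unsalted SHA-1: recovered {len(fast)} of {len(unsalted)} with {ops_fast} hash ops")
    print(f"salted PBKDF2:  recovered {len(slow)} of {len(salted)} with {ops_slow} hash ops")
    print("reused across aliases:", reuse_exposure(fast))
```

With this toy wordlist both files are eventually cracked, because every password is in the list; the difference is that the unsalted file costs six hashes in total while the salted, stretched one costs tens of thousands per guess per record, which is what buys users time to change their passwords after a breach.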

However, it's very unlikely we will ever know for sure how this hack was accomplished. It's very uncommon for a company hit like this to reveal how it was done.

Should Sony have admitted the possibility of our personal details being stolen before they did?
This is a tricky one to answer. It's probable that there was no firm evidence until just before the announcement on the 26th; indeed, Sony has issued a "clarification" message claiming that this is exactly what happened.

Without strong evidence either way, publishing a warning could be seen as jumping the gun: both because it might not be true and you've just potentially caused 77 million credit cards to be cancelled for no reason, and because if it does turn out to be true, repeated warnings may fall into the "boy who cried wolf" category and be ignored.

On the other hand, we're (mostly) all adults, certainly those of us with credit cards should be, and we're capable of making our own decisions. Publishing the warning over a week after the event can easily be seen as too late, and it will have damaged the trust that millions of people have put in Sony and its systems.

One thing we can be very sure of: this is a big problem and a PR disaster for Sony. As I said, many people will now not trust Sony to keep their details safe. Let's just hope that Sony, and everybody else involved in online commerce, learns from this incident and makes sure their systems and procedures are as up to date as they can be.

The opinion expressed in this article is that of the author and does not reflect those of SPOnG.com except when it does.




Comments

config 27 Apr 2011 11:33
1/8
Great, well reasoned article. I feel Sony ought to have issued a statement sooner to the effect that there was the potential that usernames and passwords were compromised, and encouraged users to change passwords on other systems that share the PSN password.
Martin 27 Apr 2011 13:30
2/8
Totally agree with you Config. The "potential" warning from Sony regarding passwords would have been helpful, timely and almost certainly not seen as over-reacting.
However, Sony are going to have to do something very drastic to restore users' faith... More than a free "minis" game at least.
James 27 Apr 2011 19:54
3/8
Same here, good job config. In my opinion, Sony did do it too late and put 77 million credit cards in danger. Apparently, one employee from Sony leaked the network codes and that's how it all happened. All of my friends who have PS3 say that it will come back online even though it doesn't. But anyway, it was a good article. Job well done.
Super Tramp 27 Apr 2011 19:55
4/8
I also agree with config, but what I fail to understand is how to take my credit card details off the PSN. I know everyone is advising us to do so; however, we are not actually able to because we cannot sign onto PSN due to the "Maintenance" occurring. This is frustrating because we know what is happening/happened but we are powerless to do anything about it.
K45H1F 27 Apr 2011 20:14
5/8
so when will everything be back to normal ?
SONY 27 Apr 2011 20:15
6/8
WHY ME ?
WHY NOT XBOX ???
xbox 27 Apr 2011 20:16
7/8
hahahaha
Chris 27 Apr 2011 22:46
8/8
Great article, makes complete sense and has slightly put my mind at rest. I say slightly because I wasn't buying into all the crap that everyone else was coming out with in the first place, though I'm not convinced that SONY telling us sooner would have been possible. I for one don't know when they found out the extent of the hack into their system, and unfortunately you haven't convinced me that they knew that people's information was stolen before they told us.
But as I said before this is a great article, thanks for the info :)