Lessons from the Sony PlayStation
By Matt Lidestri, CISSP
Hackers seem to be everywhere these days - most recently the Epsilon breach, and now the Sony PlayStation Network. Millions of records have been exposed. The impacted organizations are notifying consumers and apologizing as fast as they can. Haven’t we in the banking community seen all this before?
Generally speaking, we haven’t – not at such a large scale, anyway. The Sony PlayStation and Online Network break-ins represent a higher level of cybercrime that could result in greater losses than we have seen before. Here’s why:
Yes, we’ve seen a handful of large breaches in the last few years – TJX, Hannaford, and Heartland Payment Systems to name a few. But these attacks had less impact on the businesses and consumers from an identity standpoint. Even the recent and notable Epsilon breach is limited in immediate impact, although the exposed data could be used for future attacks (Epsilon maintains customer records for Best Buy and JP Morgan Chase, among others).
The PlayStation and Online Network attacks are different because the stolen personal records were more ‘complete,’ meaning they could be used more easily for identity theft. The attacks were also executed over a much shorter time (2 days) than Hannaford (months) and TJX (years) – so the information is both fresh and usable.
Sony has warned PlayStation Network users that “an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained... While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility.”
That’s worth a lot more to a criminal than just a name and an email address – the spoils at Epsilon. The criminals now know where 77 million PlayStation Network users reside, how to impersonate these users, apply for credit, and collect a bigger payday. According to an attorney leading a class action suit against Sony, hackers involved in the breach are already offering 2.2 million credit cards, the corresponding three-digit security verification codes and other personal information for sale on underground Internet sites.
At the heart of the crisis, we find a company (Sony) that may not have paid enough attention to security and risk while developing its PlayStation and Sony Online Networks. This seems to be more common for non-banks which do not face safety and soundness examinations conducted by regulators on site. Unfortunately, a growing number of such companies have accumulated astounding amounts of customer information, and put us all at risk.
Think of Apple and Google, which recently admitted to the Wall Street Journal that they keep records of smartphone calling data, messaging activity, search requests and online activities. Add to those items the other data sensed by iPhone and Android smartphones and you begin to see how valuable this data can be. Today’s smartphones can sense location, movement, direction, and proximity to other phones. Toss all that information into immense commercial databases that also contain names, addresses, etc., and you begin to see the compounding danger.
These databases aren’t going away any time soon. The promise of providing customer data to retailers who can direct advertising while those customers walk by their stores is too sweet to pass up – especially when smartphones and other mobile devices become our wallets in another 12-18 months.
The criminals understand the value of gaining access to these databases, and true to form, they are busily engineering their next round of attacks. Let’s face it, cybercrime has become a business lucrative enough to support 24/7 help desk operations in Romania for today’s cyber criminals.
Will the pain and mistakes of the Sony PlayStation and Online Network breaches be enough to inspire non-bank holders of customer information to harden their sites and services, to be more responsible about what types of data are collected and how they are stored, and to restrict access to sensitive data? That question gets answered every day when we open our newspapers. In the meantime, many financial institutions are keeping our data safer. They should promote that fact every chance they get, and continue to learn and adapt as these events unfold.
MATT LIDESTRI manages Internet Security and Products for