Attack on the PlayStation Network: what customers should now watch out for
Since the intrusion into the PlayStation Network (PSN), 77 million users have been wondering what dangers they are facing due to the data theft, and whether they can still do anything to limit the potential damage. According to Sony, the intruders obtained user data including addresses, dates of birth, PSN online IDs and PSN passwords between 17 April and 19 April. A company spokesperson said that users' credit card numbers, expiry dates and billing addresses may also have been compromised, although no evidence of this has reportedly been found so far. Only the three-digit CCV security codes on the back of credit cards were apparently inaccessible to the attackers; Sony said that they are stored elsewhere.
However, the fact that the security codes remained uncompromised is only small comfort, because this code isn't even verified in, for example, offline transactions. Despite the obvious lack of security, the reason why the credit card system is so popular is that credit card companies assume liability for losses. Users should therefore be sure to check their credit card statements from mid-April onwards and report any discrepancies to their banks immediately. When establishing whether a transaction was legitimate, the burden of proof lies with the bank. If in doubt, banks must therefore refund the money.
Does this mean that customers are off the hook? Not quite, for if a thief empties a customer's account, some phone calls and paperwork at least will be required to cancel the transactions. However, it may be weeks before criminals will actually attempt to monetise the stolen credit card numbers. The many millions of numbers (only a part of the 77 million customers stored their credit card details with the PSN) will probably be offered on the black market and will then be resold in "bite-size chunks". They will pass through many hands before someone will actually try to use them. Some numbers will even be printed on forged plastic cards. It could be a year before this happens.
In the UK, Financial Fraud Action UK, the body under which the financial services industry co-ordinates its activity on fraud prevention, has issued a press release on the problems facing PlayStation users. This states that FFA UK is liaising closely with Sony over the incident. It continues: "There is no need for customers to contact their bank or card company at this stage. However, customers should continue to do what they should normally be doing – checking their statement and keeping a close eye on their account for any unusual activity – if they spot any they should then contact their bank or card company." It also advises users to change any passwords for services such as email that might have shared their PSN password. It concludes that "In the event that anyone is the innocent victim of fraud as a result of this incident, customers can have peace of mind that they will get their money back from their bank or card company."
Customers in mainland Europe who want to be safe and cancel their card will, however, be asked to pay a fee to their credit card company. A bank advisor said that the German bank Sparkasse charges 20 euros for a new card but that Sony should reimburse these costs. However, this would involve having to prove that the credit card numbers were actually stolen from Sony. When asked by a colleague, the credit institution Valovis said that it would cancel his card and charge him for it, even if that was against his wishes. When the colleague refused to agree, the company pointed out that he would now be liable for any misuse – which doesn't exactly inspire confidence.
The second point of attack is the PSN password: many customers use the same password for various services including Amazon, eBay and PayPal. Even if Sony stored the passwords only as hash values, attackers could now use brute force to try to recover the original passwords from those hashes. Using a modern graphics card, the time required to crack a six-character password is only 9 minutes. For eight characters, the required computing time is already 300 days. However, this time can be reduced by hiring cloud servers to crack the passwords. For example, using Amazon's Elastic Compute Cloud (EC2) to crack an eight-character password by brute force would cost about 600 euros. With twelve characters, it would already cost more than 15 billion euros. This means that passwords of 11 or more characters can currently be regarded as safe, as the cost required to crack them would be greater than a criminal's potential earnings.
Depending on their PSN password length, users therefore now have varying amounts of time to think up a new password for their account. In any case, passwords should be changed and Sony say that when the network comes back online it will be accompanied with a firmware update which will force users to change their password.
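The cost reasoning in the two paragraphs above comes down to two factors: how large the space of candidate passwords is, and how expensive each guess is for the attacker. The following Python is an added example, not code from the article or from Sony. It estimates the cost of exhausting the keyspace for a given password length, shows how a deliberately slow, salted password hash (PBKDF2 here) multiplies that cost by its work factor, and verifies a password against such a hash. The guess rate, the hourly cloud price and the iteration count are assumptions chosen for illustration and are not the article's figures.

```python
import hashlib
import hmac
import os
import string

# Assumed figures (not from the article): candidate hashes tested per second
# against a single fast, unsalted hash on one GPU, and the hourly rental price
# of a cloud GPU instance in euros.
FAST_HASH_RATE = 1e9            # guesses per second, assumption
CLOUD_COST_PER_HOUR = 2.0       # euros per hour, assumption
PBKDF2_ITERATIONS = 100_000     # work factor for the slow hash below, assumption

# Printable ASCII without the space character: 52 letters, 10 digits, 32 symbols.
DEFAULT_CHARSET = string.ascii_letters + string.digits + string.punctuation


def keyspace(length, charset=DEFAULT_CHARSET):
    """Number of candidate passwords of exactly `length` characters."""
    return len(charset) ** length


def brute_force_cost(length, rate=FAST_HASH_RATE,
                     cost_per_hour=CLOUD_COST_PER_HOUR, slowdown=1):
    """Estimated euros to test every candidate of the given length.

    `slowdown` is how many fast-hash operations one guess costs; for a
    PBKDF2 hash it is the iteration count, which is why a work factor
    raises the attacker's bill by the same multiple.
    """
    seconds = keyspace(length) * slowdown / rate
    return seconds / 3600 * cost_per_hour


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Return (salt, iterations, digest) for storage; a fresh random salt per user
    means identical passwords hash differently and precomputed tables are useless."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, digest


def verify_password(password, salt, iterations, digest):
    """Recompute the hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    for n in (6, 8, 11, 12):
        fast = brute_force_cost(n)
        slow = brute_force_cost(n, slowdown=PBKDF2_ITERATIONS)
        print(f"{n:2d} chars: keyspace {keyspace(n):.3e}, "
              f"fast hash ~{fast:,.2f} EUR, PBKDF2 ~{slow:,.2f} EUR")

    salt, iters, digest = hash_password("example-passphrase")
    print("verify correct:", verify_password("example-passphrase", salt, iters, digest))
    print("verify wrong:  ", verify_password("example-passphrasE", salt, iters, digest))
```

Two things to take from the numbers: each extra character multiplies the attacker's cost by the charset size (94 here), so length is the user's lever, and the iteration count multiplies it again for every length, which is the operator's lever. A site that stores a fast unsalted hash leaves only the first lever in play.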
Over the coming months, users should be particularly wary of spam emails asking them to enter their personal data and passwords, claiming for instance that the information is needed in order to rebuild the PSN. Such emails will certainly not be sent by Sony, but by data thieves. Sony has made it clear that it will not request any customer data via email, phone or post.
Users can justly accuse the Japanese corporation of storing all its customer data in one central place with insufficient security. However, it is understandable that, after shutting down the network, Sony wanted to thoroughly investigate the case before issuing such a far-reaching public alert. The vendor said that it is currently informing all 77 million users via emails that will reportedly take until the end of 28 April to be sent. The damage Sony has suffered in terms of loss of user confidence can't be measured at present. After all, the PlayStation Network is the digital marketing platform the vendor uses to sell its games, movies and music online.
Sony is presently paying an external security firm to investigate the case and is restructuring the entire PSN to fix the current security issues. The network may therefore remain down for an as yet indefinite period.