Sony Breach Ignites Phishing FearsOther Concern: Are Consumers Suffering 'Breach Fatigue?'
Sony Corp.'s announcement that hackers may have accessed personal information it stores on 77 million users of its PlayStation Network and Qriocity online service follows a long line of recent breach announcements. And Neal O'Farrell of the Identity Theft Council says that string of incidents has led to consumer "breach fatigue." "The hackers understand the apathy and are taking advantage," he says.
From the RSA hack to the Epsilon e-mail breach and the Oak Ridge phishing attack, database breach announcements have become nearly daily news.
O'Farrell says hackers are wising up, taking advantage of consumers' growing apathy and corporations' reluctance to better protect their customers' personal information. "We have awareness," he says. "People know about identity theft. We just don't have vigilance."
Targeted AttacksSpear phishing is a growing threat, and in the case of the Sony breach, it's the primary concern. Hackers appear to have penetrated a Sony server or file sometime between April 17 and April 19, gaining access to names, mailing addresses, e-mail addresses, birthdates, login and password details for the PlayStation Network and Qriocity, as well as handles [online IDs] used by Sony gamers. Additionally, cyber intruders are suspected to have gathered other details, including gamers' credit card information, billing addresses and purchase histories.
A Sony spokeswoman says, "We cannot rule out the possibility."
With billing information and other details like purchasing history, fraudsters have plenty of information to launch targeted attacks, says Alan Paller, director of research for the SANS Institute. "So, you have knowledge of these people as being gamers; you have knowledge of their music; you know what kinds of games they bought," he says. "That's the way they perpetrate fraud on the Internet."
From there, it's easy for cybercriminals to use socially engineered tactics to trick consumers into revealing other personal details, such as Social Security numbers and bank account information.
"The correlation of data is very useful," says Nicolas Christin, associate director of the Information Networking Institute at Carnegie Mellon University. "You combine the e-mail address with other information, and it's easy for fraudsters to turn that combined information into cash. People also have to realize that privacy online is hard to maintain. Consumers should be very much on the defensive."
Sony's PlayStaion Network is offline until more about the breach is uncovered. Sony has not said when it expects to be back online. A lawsuit also has been filed against Sony, alleging the gaming powerhouse waited too long to notify its customers of a possible breach. That delay, the suit filed in federal court claims, exposed PlayStation users to financial losses related to potential credit-card data theft.
Sony states on its blog that all of the credit card information it stores is encrypted. But Sony cannot rule out the possibility that the card data may have been stolen until its investigation into the breach is completed. In the meantime, Sony is sending a system software update to its gamers and asking them to change their passwords once the PlayStation Network is restored.
The investigation could take months and still not pinpoint the source of the compromise. But Paller says, given Sony's high-value as a company, a phishing attack on Sony itself likely opened the door for the hack.
"I would say they got in by doing a targeted phishing attack against an administrator or a high officer in the company," Paller says. "Common defenses don't protect against that kind of attack. Companies need to start thinking more like a bank than like a social community. Banks do a much, much better job of defending, because the value of what they are defending is so high."
Vulnerability of Payment Card?Bob Russo, general manager of the Payment Card Industry Security Standards Council, says the council, which sets guidelines for the governance and storage of payments card data, does not monitor security compliance and has no insight into the details of any specific breach. "Until a forensics investigation is completed, there is no way to determine whether or not an organization was PCI compliant at the time of the breach," Russo says. PCI security standards, such as the PCI Data Security Standard, provide best practice guidelines for the storage and handling of cardholder data.
Even if credit card numbers were encrypted by Sony, the storing of any credit card numbers is a bad idea. "For most companies of this size that don't specialize in payments, the processing of the credit card is actually handled elsewhere," Paller says. "But the mistake that companies like this make is that they store that data, because they think they might need it sometime in the future."