An unbelievable security breach experienced recently by the PlayStation Network contains important lessons for owners of all current generation game consoles.
The PlayStation Network (PSN) has been down for several days. Yesterday, a post on the PlayStation Blog stated that the downtime was caused by an unauthorized intrusion into their network, and that users’ personal information has been compromised.
“We believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID.”
How did this happen?
People were accessing PSN on consoles running custom firmware (CFW). Firmware is a set of instructions for a particular electronic device that is stored on a read-only memory unit. In plain English, think of this as special software for gadgets that is stored on the chip itself. A hacker figured out how to modify this firmware on a PS3 unit so that they could do things they really shouldn’t be doing. When Sony found out, they shut down CFW access to the network. A little later, a more powerful CFW was released which allowed regular users to turn their machine into a developer’s console, giving them the options that only a licensed software developer should have on the network. These options included the ability to have free and infinite money on PSN. Sony is claiming that this also gave the hackers the ability to siphon out the PSN user database.
“OK,” you may be thinking, “so they have some of my personal details, there’s nothing I can do about that now.” The big question on everyone’s mind is, “Did they get my credit card information?”
“While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility.”
What does this really mean for me?
Let’s look at the best and worst case scenarios. The best case is that maybe Sony is actually doing a little CYA move here. Maybe they just shut down their network because their developer accounts were compromised, and they didn’t want anyone pirating any content off of the PSN store. A commenter on Reddit made a good point about Sony’s potential ruse.
“Their dev and admin-accounts were broken into. Any credit card details for individual users would be too time-consuming to gather, if at all possible.
So what we have here is Sony’s usual paranoia, coupled with incompetence on the administrative level. The technical solution isn’t actually bad at all. The problem is the way the solution has been used, and the way the network access has been put together, most likely.
In other words – your information is very likely safe. Sony’s dev and vip-accounts are not. But they’re not going to tell you that. Instead, we’re getting this cute tale about evil hackers who are the source of all problems, etc.
The truth is that Sony made a dumb mistake. Then they blame and inconvenience their customers once it blows up in their faces. Same old, same old.”
The worst case is that the hackers really were after people’s personal information and credit cards. Even if they don’t have credit card information, what they do have is already enough to cause major concern about potential identity theft. If this is true and enough people get burned, I wouldn’t be buying any stock in Sony anytime soon.
What can I do about any of this now?
There are a few things you can do to protect yourself. If you have a PS3 and an active PSN account, watch your bank account statements online. Assuming someone does have your credit card and starts using it, you would begin to see fraudulent charges. Early detection is always best. However, simply canceling the credit card that is linked to your PSN account might not be a bad idea. Also, Sony is advising people to monitor their credit reports. Most importantly, change the passwords of any accounts that you have that may be associated with PSN. That includes email, social networks, anything that might be linked. Also, if, like some people, you use the same password for multiple accounts, definitely change it now. The movie “Hackers” did a wonderful job of showing how easily most people’s passwords can be cracked.
“For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal information. Sony will not contact you in any way, including by email, asking for your credit card number, social security number or other personally identifiable information.”
For all console owners, it is a good idea to start using only pre-paid cards for network purchases. Many stores, including Best Buy and Target, sell cards that contain pre-paid credit for all of the current generation consoles. You can buy those with cash, then simply add the credit to your account when you get home. It is much safer to never input your personal credit card information into one of these systems in the first place.
Part of this was Sony’s fault, for having their developer network and user network all in one integrated system. (Microsoft uses two completely separate networks for the Xbox.) Thus when the system was compromised, Sony had to shut the entire network down for everyone. And it’s still down. We’ll be able to get a feel for how bad this really is on the user end when the network is back online. If they simply ask users to change their passwords, it probably was mostly a developer issue. If they feel they have to completely wipe the entire network, bring an empty user database online, and then make it mandatory that all users set up a brand new account, then that’s bad news. And that also means saying goodbye to all your trophies. If you hear a loud crash in about the next four or five days, it’s probably just a huge number of PS3s simultaneously being thrown out of dorm room windows all across the country.
Word to the wise: don’t stand under any open windows for the next week or so.