Sony PlayStation breach: What the security experts are saying
If your account was one of the 77 million on Sony's PlayStation Network or Qriocity online music service, there's no reason to panic.
Security experts say that while the scope of the breach was among the largest in history, the resulting financial damage to consumers may be minimal as many banks and nearly all credit card companies don't hold victims liable for fraudulent claims.
"You are at a greater risk driving home today than you are of not being able to buy a house for the rest of your life because someone stole your identity," said Bruce Schneier, a security technologist who has written a number of books on the topic. "There is a risk of crime. But it’s not huge."
Still, if you feel like taking measures to safeguard your online accounts, Philip Lieberman, a security consultant and chief executive of Lieberman Software in Los Angeles, suggests the following:
- Don’t provide your correct birth date or other personal information.
- Use a throwaway email account.
- Use an anonymous debit card for online transactions.
- Use a unique password for each site.
- Always assume that the companies gathering your personal information are totally incompetent at securing the data. Consider what you share with them and how you are going to recover your personal identity after they lose your information.
But because the consequences are rarely dire, consumers are unlikely to change their online behavior, said Mark Rasch, a cybersecurity and privacy expert at CSC, a computer networking and security firm in Falls Church, Va.
"Yes, there's anger and outrage now, but what you'll see in coming weeks is the world's biggest shrug," Rasch said.
So the onus is on the "white hats," the security good guys who constantly duel with "black hat" hackers to defend against increasingly clever attacks.
One possible way hackers got into Sony's computer fortress is by leveraging information being openly shared on social networks, said John Pescatore, a computer security analyst with Gartner Inc.
"They do their research on LinkedIn, Facebook and other social networks to gather personal information on a targeted group of people who are most likely to have administrative-level passwords to these systems," Pescatore said.
"Then they send a highly personalized message to fool them into clicking onto a site that downloads malicious software that captures their user names and passwords. Once they log in, using a legitimate account, they have the keys to the kingdom, and the data goes flying out the door."
-- Alex Pham
Image: A screenshot of the message that shows up when a user tries to log in to the PlayStation Network in a web browser. Credit: Sony