It will not have failed to reach your attention that there has been an announcement from Sony about the recent PlayStation Network hacking and outage. The traditional media has been all over it as well as online sources. Even BBC Radio 4 covered it and that's a station more concerned with "serious" matters like politics and economics, etc.
OK, so PSN has been hacked, we knew this last week. What we've just learnt is that our personal data has been stolen from Sony's servers by an unknown individual or group. What does this mean for us, the normal users of PSN?
The risks to our data have been categorised in three ways by Sony:
Nick Caplin – Head of Communications, SCEE wrote:
... we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state/province, zip or postal code), country, email address, birthdate, PlayStation Network/Qriocity passwords and login, and handle/PSN online ID.Possibly Stolen
Nick Caplin wrote:
It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained.Unlikely to have been Stolen
Nick Caplin wrote:
While there is no evidence that credit card data was taken at this time, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, to be on the safe side we are advising you that your credit card number (excluding security code) and expiration date may also have been obtained.
This classification into probable, possible and unlikely levels of risk seems to indicate how Sony deals with our data once it's on their network.
As I mentioned in an earlier article
about PSN security, part of my day job involves writing software that processes credit cards online. As part of this development my company has had to look at the Payment Card Industry Data Security Standard
(PCI DSS) regulations that Sony will have had to comply with when designing their systems.
To me it looks like the "probable" data is in a database that Sony's "outside, recognized security firm" have identified as having been stolen. Data items like our passwords in this list will most likely be encrypted, but in a way that is vulnerable to a brute force attack, the rest will be stored unencrypted.
The "possible" data will be most likely held in an encrypted database separate from the previous database, maybe even on a separate server. Decrypting this database will be possible, but it will only be possible in a reasonable time with access to the encryption keys used. My assumption is that there is no evidence that these keys have been stolen.
The "unlikely" data will almost definitely be held on a separate server from the ones known to be hacked and will certainly be encrypted. This is a requirement of PCI DSS and no payment card company would deal with Sony if this were not the case. I'm assuming that there is no evidence that this server has been hacked or that this database has been stolen.
So what risks do we all face?
First of all, our credit card details are almost certainly safe. The important details, number, expiry date, etc, are in the "unlikely" section of the data. These are required by every payment processing system out there.
In addition the "security code" (also known as CVV or CV2) has not been stolen. This code is the last three digits from the back of your card or the four digits next to the hologram on the front depending on your card. According to PCI DSS (and all previous standards before it) this number can not be stored anywhere, encrypted or not.
Without this security code, our credit card details can't be used online, even in the unlikely case that our card number and expiry date have been stolen and can be retrieved from the encrypted database.
The major problem we face is not to do with PSN at all. If you use the same email and password on other systems like XBox Live, Amazon, Facebook and the rest, your accounts there could be stolen and used. The encryption on our passwords can be broken reasonably quickly, especially if you have a simple password like a word in the dictionary. Once that is done, the people who now have possession of our data will try the same details on all the major online systems to see which ones they can break into.