PSN hack: The facts and the fiction

The truth behind gaming's biggest ever hack...

When companies say "may", it's wise to assume the worst." So says Dave Whitelegg, security advisor to companies and consumers. His phone's been ringing a lot since Sony said it "may" have lost millions of PSN subscriber's credit card details.

The April 19 intrusion into the heart of Sony's online service caused over three weeks of downtime. A huge pain for players, a concern for developers and a catastrophe for indies making steps into the PSN marketplace.

For many of you Sony's 'Welcome Back' package may have repaired much of the damage - if the Xbox 360's 'Red Ring Of Death' disaster taught us anything, it's that gamers tend to forgive the moment they're back in the game.


But will we forget? Not if we've any sense. As a tech-savvy yet often naive crowd, we've been given a wake-up call. The fact that many have obsessed over the card info - the most sensational angle - tells you just how out of touch we can be. "The thing with credit card info is that it's the quickest way for people to make cash out of the data set," says Whitelegg.

"But it's the personal information that's really important. And if you look at the kind of information that's been breached in this situation, the significant data is email address and password. Most people tend to use the same password for multiple accounts. So if a hacker knows your email, the first thing they'll try - especially if it's Hotmail or Gmail - is to log on.

"If I have control of your email account, I can do password resets on every other account you have. That's the second factor here: Sony's reset questions have been lost as part of the breach. If you look at e-commerce websites like Play.com, when they do a password reset they ask you some personal information. But Sony use generic ones like, 'What's your mother's maiden name?'"

Cancelling a payment card is as inconvenient as it is simple, and once done is absolute; those stolen numbers become useless. But unless you follow the sage advice of randomly generating each and every password in your online life - and let's face it, who does? - you'll be amazed how vulnerable you are.

"You could do quite clever phishing emails with this attack," says Whitelegg. "And you could make those emails very personalised - 'spear phishing' as it's called. So you could get an email, for example, pretending to come from Sony, saying you've got a free voucher because it's your birthday. So you're more likely to click on that link and, say, have malware installed on your PC."


The two attacks on PSN and Sony Online Entertainment's servers have, incredibly, brought over 100m such data sets into the culprit's hands. Various fingers have pointed between Anonymous (the anti-establishment hacking outfit with a vendetta against Sony) and some unknown cyber-criminal with more conventional aims. Anonymous became chief suspect when Sony discovered a file on an SOE server called 'Anonymous' which simply read: 'We are legion'. A sceptic might think this an obvious plant. But that's not how it works, argues Whitelegg.

"If you're good then you don't leave anything. You delete all your logs, don't leave messages, don't leave calling cards. Because that's how you get caught. You delete as much evidence as you can. This is someone trying to make a statement."

Speaking to SC Magazine, meanwhile, Anonymous spokesman Barrett Brown said, "Anonymous has no record in engaging credit card theft and resell, and if we did, the FBI would've already come down on us."

  1 2