Wednesday 27 April 2011

That PSN Thing

Today I went to the bank to cancel my debit card and have a new one sent to me. Last night I spent some time changing passwords and security questions in accounts that I intend to keep secure. The reason I took these precautions is not because I've replied to phishing emails or clicked any malicious links (as far as I know); I did this because I'm signed up to, and have made regular use of, Sony's PlayStation Network.

This is a service that, until now, hadn't even crossed my mind as having potential security issues. I felt safe entering my debit card details to purchase downloadable games and content. I felt safe entering my Facebook username and password to use some of its integration with PSN. Had I got round to trying it out, I would've felt safe logging into Lovefilm or any other services that required a username and password. I picked a strong, unique password when I signed up to PSN and I set up security questions which I could be certain were unanswerable to any unsavoury types attempting to break into my account. I did everything I could to keep my account safe and yet, all of my personal details stored on it have now been compromised.

In case you haven't been following the news, PSN was shut down on Wednesday last week and is, as of now, still suspended. Until yesterday, Sony had very little communication with the gaming public, only muttering the words "external intrusion" and stating that they were working on getting PSN back up and running as soon as possible. After almost a week, Sony finally made a statement on the situation, revealing that PSN users' personal information had been stolen by an "unauthorized person". This includes name, date of birth, address, password, answers to security questions and, potentially, credit/debit card details.

This brings up two questions:

1. Why did it take almost a week for Sony to warn users of the theft of their personal details?

2. Why was this possible in the first place?

Sony has answered the first question by explaining that they've been investigating the extent of the intrusion and had only come to the conclusion that personal information had been compromised shortly before announcing it. They wanted to be sure that this was the case before informing users as to the situation.

When sensitive information that can lead to fraud and identity theft is at stake, one should always assume the worst. It's clear that Sony were aware that there had been a potential intrusion right from the moment they shut PSN down. Any kind of unauthorised access into a system puts all of its data immediately at potential risk of theft. While Sony claims that they didn't know that personal information had been stolen, they also couldn't have been certain that it hadn't.

The warning to PSN users along with the advice on how to avoid the consequences of a compromised account should have been made clear from the moment Sony became aware of the intrusion. Yes, this would still have angered many as it still leaves question 2 unanswered, but by leaving it a week, users now have even more reason to be frustrated. A week is a dangerously long time to have a compromised credit or debit card available for use or any other personal information open to an unauthorised person for attempted identity theft.

The second question is not asking how this happened, as that can only be answered with speculation at the present time. What is extremely worrying about this whole situation is that it happened at all. We rely on systems such as PSN all the time, making purchases with credit and debit cards and giving away personal data in order to prove our identity. We do the same when using Steam, Xbox Live, Amazon, PayPal and so on. As these services are handling such sensitive data, we assume that security is the number one priority of the companies that run them. The theft of this data can be catastrophic.

PSN should be an impenetrable fortress. Even when hackers do find their way in, sensitive data should not be so readily available as it appears to have been here. It shouldn't have been possible for this to go as far as it has.

Sony has a lot of damage control ahead. Their consumers are shaken; it's difficult to feel anything but concerned about the security of PSN or any of Sony's online services. Even with Sony working to rebuild PSN and tighten its security, the feeling that this could happen again in future isn't going to be easily shaken off. Until this incident I've had nothing but praise for the PlayStation 3 and I'll still continue to enjoy the console and its online integration long after this has been resolved, albeit with a little more of a cautious attitude. However, like many others I'm very disappointed in the way this has been handled.
