04/27/2011

Sony PlayStation®Network under attack

Sony PlayStation®Network under attack Security products

After discovering an external intrusion, the persons in charge took the worldwide network and the Qriocity services offline on April 20th 2011. Since then, none of the games can be played online anymore, some offline games can’t even be played offline due to the lack of network functionality, not to talk about the possibility to view movies online.

 

But, apart from the non-existence of the well-reputed online services, there is a more critical problem than the lack of leisure time entertainment: The compromise of around 77 million consumer data records! This is an enormous amount of data!
An article in the PlayStation® Knowledge Center states that it seems that the following PlayStation Network/Qriocity account holder data has been compromised:

  • name
  • address (city, state, zip)
  • country
  • email address
  • birth date
  • PlayStation® Network/Qriocity password
  • PlayStation® Network/Qriocity login
  • handle/PSN online ID

 

Other profile data may also have been obtained, including

  • purchase history
  • billing address (city, state, zip)


If an account holder has authorized a sub-account for a dependent, the same data with respect to that dependent may have been obtained.
If an account holder provided credit card data through PlayStation® Network or Qriocity, it is possible that the

  • credit card number (excluding security code)
  • expiration date

may also have been obtained.

 

What does it mean for me?
Whoever stole the data did it on purpose and cyber criminals mostly are after some money. Selling the complete user data (maybe even including credit card information) can bring a lot of money in the underground forums and boards. To give you an example of the current prices for data collections, we collected some examples:

  Sold for:
50€ PlayStation Network credit 10 to 25 €
Credit Card with renewable SecureCode 50 €
Gold Credit Card with renewable SecureCode   70 €
Credit Card without Verified by Visa 40 €
Gold Credit Card without Verified by Visa 50 €
   
Visa / MasterCard USA 1.5 to 2 US$
Visa / MasterCard UK 5 to 7 US$
Visa / MasterCard UK with date of birth 10 US$
Visa / MasterCard Europe 6 to 15 US$
American Express USA 3 US$
American Express UK 12 US$
American Express Europe 9 US$
   
Credit Card blanks (not embossed, no data) 25 US$
Credit Card blanks (embossed, no data) 40 US$
   
ID card Romania / Moldova 600 to 1,000 €
Driver's licence Romania / Moldova 600 to 1,000 €
Passport Israel 2,300 €
Passport Romania 2,500 €

 

Furthermore, the user data compromised is most likely to be genuine and valid – This means, that e.g. spammers could launch sophisticated and dedicated spam actions to obtain even more data or to lure the victims into various traps.
If you have a Sony PlayStation® account, you should be aware of the fact that your data might be used in further scam attacks.

 

What can I do?
The problem is that end-users are defenseless against such a kind of attack against a vendor! There is no possibility for them to intervene. This highlights the importance of user awareness and sensibility for his/her own personal data. The more information is provided online, the more information can possibly be used against you.
 

The advices we can give with regard to such a kind of user accounts are the following:

  • As soon as the network is online again, change your passwords!
  • In case you are using the same user name on other platforms, change the passwords for these platforms as well!
  • Only enter as much information into online accounts as is mandatory! Leave out all extra information not necessarily required to set up an account.
  • Check your credit card account statements for irregularities and immediately contact your credit card company in case you identify something unusual. The chances are very high that the bank’s insurance covers the costs resulting from this kind of fraud.
  • Use a dedicated credit card for internet transactions only!

Share Article