Sony Breach Follow-up

So, Sony has had a breach.  Security researchers say this may be the largest theft of identity data on record.  Some of my friends have expressed concerns because they and their kids have accounts on Sony’s PlayStation website.  From what I have heard, 1 million Canadians may be impacted by this attack.

What can they expect?

What is known:

  • There is no law in place that forces the company to tell customers about the breach.
  • The hack took place April 17-19, and notification was delayed.
  • Passwords, logon information, email addresses and personal details were exposed.
  • Credit card details MAY have been compromised.

Suspected Impacts:

  • The criminals had time to make use of or sell credit card information.
  • Passwords are notorious for being used on multiple websites.
  • Login details are also commonly re-used.
  • Email addresses being exposed will very likely be used in spear phishing campaigns.
  • Personal information may be used to fine tune spear phishing attacks and identity theft.

I think that the risk posed by credit card fraud is pretty self-explanatory.  If the information MAY have been exposed, it probably was.

Spear phishing is an attack used to bait a user into clicking a link or opening an attachment in email, just like a typical phishing attack that arrives as spam.  What sets it apart is that the attacker has some knowledge of, or information about, the target of the attack.  The attacker learns the target’s likes, dislikes, interests and “hot items” that might cause them to trust, be curious about, or react to the message.  They may use the Sony breach, for instance, and send fake emails purporting to be from Sony, a news organization, an investigator, a lawyer associated with Sony, a subsidiary, or whatever creative device they can concoct.  The message will entice the target to take some action that lets the attacker further defraud or abuse them: install malware, gather more information about them, harvest passwords, or collect financial intelligence.  The ultimate goal is generally financial gain.

What should you do?

  • Personally, if I had a credit card that I had registered with the Sony network, I would be cancelling that card.  Now.  I can hear the litany of “over reacting”, “tin-foil hatter” and “nonsense”, but that is what I recommend, take it or leave it.  Let me adjust my cap.  Your credit history, time, and money are better spent ordering a new card than dealing with the fallout of financial loss, explaining and fixing the situation for days, weeks, or even years to come.  Don’t be lazy, do it now.  At least call your bank and ask THEM what action they recommend.
  • Mind your bank account.  As Police Detective Superintendent Col Dyson said in a phone interview with reporter Asher Moses, “If you’re armed with enough personal information you could basically do anything that the legitimate person could do themselves” including obtain various forms of credit, target their banking accounts, or steal their identity.
  • If you have an account on Sony’s network, change the password ASAP, and while you are waiting for Sony to come back online, change any accounts elsewhere that share the same login and/or password information.  And shame on you.  Don’t do it again!  I know, I know, I have a zillion passwords too.  Guess what?  There’s an app for that!  Invest in a password organizer that allows you to store and ENCRYPT all of your passwords.  Then you only need to remember one.  Many good ones are free, and can reside on your mobile device of choice.
  • Be especially wary of emails bearing links or attachments.  If you are deathly curious, open the attachment or link ONLY in a sacrificial environment.  To me, that means you set up a separate PC just for the occasion.  That old clunker you rest your feet on under your desk will do.  Set up a locked-down O/S on it.  Add VMware.  Lock down the VM.  Copy the link/attachment to USB and examine it in the VM.  Afterwards, nuke the whole setup.  Do not trust it again.  Wipe the disk and start fresh again next time.  If you were clever, you would have installed Comodo Time Machine or something similar to save time in this regard.  If that’s all too much for you, -=[DELETE]=- works just nicely, thank you…
  • Pressure Sony to provide credit and ID monitoring services.  If your personal information was compromised because of their network breach, you have a right to expect certain remedies, and in my opinion, this is one such remedy that you should demand.
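The “change any accounts elsewhere that share the same login and/or password” step above is the kind of thing people skip because they cannot remember where they reused what. Here is an added example (my own illustration, not code from the original post or from Sony) that audits a list of accounts after a breach at one site and reports which ones must be rotated first. The account list is constructed sample data; in practice you would export it from the encrypted password organizer the post recommends, never keep it in a plaintext file.

```python
# Added example: audit accounts for credential reuse after a breach at one site.
# The ACCOUNTS list is constructed sample data, not real credentials.
from collections import defaultdict

# (site, login, password) tuples. Constructed sample only.
ACCOUNTS = [
    ("playstation.example", "gamer42", "Summer2011!"),
    ("webmail.example",     "gamer42", "Summer2011!"),
    ("bank.example",        "gamer42", "x9#Lq2vT"),
    ("forum.example",       "dave_k",  "Summer2011!"),
    ("shop.example",        "davek",   "otherpass"),
    ("news.example",        "dave_k",  "otherpass"),
]


def reuse_report(accounts, breached_site):
    """Report which accounts overlap with the breached site's credentials.

    Returns a dict:
      rotate_now  - sites using the breached site's password (login irrelevant)
      same_login  - sites sharing the breached site's login with a different
                    password (phishing and credential-stuffing targets)
      other_reuse - password clusters among the remaining sites, i.e. the
                    reuse you should clean up while you are at it
    """
    breached = [a for a in accounts if a[0] == breached_site]
    if not breached:
        raise ValueError(f"no entry for {breached_site}")
    _, b_login, b_pass = breached[0]

    rotate_now = sorted(site for site, _, pw in accounts
                        if pw == b_pass and site != breached_site)
    same_login = sorted(site for site, login, pw in accounts
                        if login == b_login and pw != b_pass
                        and site != breached_site)

    # Group the remaining sites by password; any group of two or more is reuse.
    by_password = defaultdict(list)
    for site, _, pw in accounts:
        if pw != b_pass:
            by_password[pw].append(site)
    other_reuse = sorted(sorted(sites) for sites in by_password.values()
                         if len(sites) > 1)

    return {"rotate_now": rotate_now,
            "same_login": same_login,
            "other_reuse": other_reuse}


if __name__ == "__main__":
    report = reuse_report(ACCOUNTS, "playstation.example")
    print("Change these passwords right now :", report["rotate_now"])
    print("Same login, watch for phishing    :", report["same_login"])
    print("Other reused passwords to clean up:", report["other_reuse"])
```

Run it with the breached site’s name and work the `rotate_now` list first; those accounts are open to anyone holding the stolen credentials, whatever the login was. The `same_login` list is where the spear-phishing emails described above will aim, since the attacker already knows a valid username there.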

Just my 2¢, collect the whole dime.
