The Sony hack: passwords vs. financial details

April 27th, 2011 at 14:47 UTC by Joseph Bonneau

Sometime last week, Sony discovered that up to 77 M accounts on its PlayStation Network were compromised. Sony’s network was down for a week before they finally disclosed details yesterday. Unusually, there haven’t yet been any credible claims of responsibility for the hack, so we can only go on Sony’s official statements. The breach included names and addresses, passwords, and answers to personal knowledge questions, and possibly payment details. The risks of leaking payment card numbers are well-known, including fraudulent payment transactions and identity theft. Sony has responded by offering to provide free credit checks for affected customers and notifying major credit ratings bureaus with a list of affected customers. This hasn’t been enough for many critics, including a US Senator.

Still, this is far more than Sony has done regarding the leaked passwords. The risks here are very real—hackers can attempt to re-use the compromised passwords (possibly after inverting hashes using brute-force) at many other websites, including financial ones. There are no disclosure laws here though, and Sony has done nothing, not even disclosing the key technical details of how passwords were stored. The implications are very different if the passwords were stored in cleartext, hashed in a constant manner, or properly hashed and salted. Sony customers ought to know what really happened. Instead, towards the bottom of Sony’s FAQ they trail off mid sentence when discussing the leaked passwords:

Additionally, if you use the same user name or password for your PlayStation Network or Qriocity service account for other [no further text]

As we explored last summer, this is a serious market failure. Sony’s security breach has potentially compromised passwords at hundreds of other sites where its users re-use the same password and email address as credentials. This is a significant externality, but Sony bears no legal responsibility, and it shows. The options are never great once a breach has occurred, but Sony should at a minimum have promptly provided full details about their password storage, gave clear instructions to users to change their password at other sites, and notified at least the email providers of each account holder to instruct a forced password reset. The legal framework surrounding password breaches must catch up to that for financial breaches.

Entry filed under: Authentication, Banking security, Legal issues, Security economics

6 comments Add your own

  • 1. Ciaran  |  April 27th, 2011 at 16:22 UTC

    “and notified at least the email providers of each account holder to instruct a forced password reset” – seriously?

    1. I am not idiotic enough to use the same password in multiple places, and I don’t want to have changes forced upon me for no reason.
    2. I don’t want my email provider to accept instructions from Sony relating to my account!

    None of this applies, since a) I haven’t been anywhere near anything Sony-related since the rootkit/CD fiasco, nor will I ever again, and b) my email provider is me. The points still stand though, I think.

  • 2. outsourcing company  |  April 28th, 2011 at 09:00 UTC

    @ Ciaran

    Well said. We still have the right of ownership and their crossing the boundary, its not a good idea to have it forced but regarding the outage time frame, their running out of choice. I do hope Sony will go live soon cause I’m foreseeing of lawsuit complaints.

  • 3. IDTheftReview  |  April 29th, 2011 at 18:11 UTC

    Despite the fact that technology is at its peak and still reaching for perfection nowadays, information leaks like this can never be avoided. Systems, no matter how sophisticated, still have the possibility to fail in one way or another. In that case, it would best for everybody to take necessary precautions when providing vital information especially online. Identity theft is just around the corner waiting for the opportunity to fish for people’s information and use it to crash personal accounts.

  • 4. Clive Robinson  |  June 8th, 2011 at 08:20 UTC

    @ Joseph,

    With regard,

    “The implications are very different if the passwords were stored in cleartext, hashed in a constant manner, or properly hashed and salted.”

    What do you regard as “properly”?

    Bearing in mind the same strength method should also apply not only to other security information such as secret questions but also all PII that could be used to link accounts together such as email address, phone number etc.

    The reason I ask is the way things are going it apears you are going to need an “online account” for just about anything you do on the web with even blog sites requiring you “login” just to avoid adverts etc these days. And the get adds/no adds usage suggests the account information is going to be used for revenue raising purposes one way or another.

    I will make some assumptions in that in say ten to twenty years there will be 6billion online users with more than 50% having 3 or more ways onto the internet (home, phone, work) and lets say an average of 15 online accounts each they use across all access methods and another 5 unique to each access method. Giving something like 170 billion active online accounts and probably almost twice as many registered but nolonger used accounts, for a round 500billion accounts (~2^39).

    The other assumption being that the system used will be standardised by either law or external market pressure to some “best practice” norm (read the minimum that will stop us losing money).

  • 5. Mike bell  |  June 16th, 2011 at 16:37 UTC

    It’s good to see recognition of the externalities involved in such an attack. Too often it is just assumed that the company and its customers will be the victims.

    The other losers (apart from Sony) will be the number of online merchants / banks / etc. who will be defrauded using the information obtained. (Remember that online retailers are on the hook for all card-not-present transactions – not the unfortunate person whose credit card details were stolen.).

    Ultimately the cost of doing business online will rise due to the risk of fraud – and we will all get to pay more.

    @Clive – good point about the encryption of personally identifiable information and challenge questions answers – although the questions asked often seem to designed to be easy to answer from someone’s facebook profile.

  • 6. Clean conscious  |  June 17th, 2011 at 12:33 UTC

    Free credit checks? Is his the best Sony can do, given the huge inconvenience that was caused to their customers?! Bummer.

Leave a Comment

Required

Required, hidden

Some HTML allowed:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Subscribe to the comments via RSS Feed


Calendar

April 2011
M T W T F S S
« Mar   May »
 123
45678910
11121314151617
18192021222324
252627282930