Sony Breach Ignites Phishing Fears

Other Concern: Are Consumers Suffering 'Breach Fatigue?'

By , April 28, 2011.
Sony Breach Ignites Phishing Fears

A

See Also: Investigative Analytics: Velocity to Respond

re consumers getting apathetic about data breaches - and are the fraudsters taking advantage?

Sony Corp.'s announcement that hackers may have accessed personal information it stores on 77 million users of its PlayStation Network and Qriocity online service follows a long line of recent breach announcements. And Neal O'Farrell of the Identity Theft Council says that string of incidents has led to consumer "breach fatigue." "The hackers understand the apathy and are taking advantage," he says.

From the RSA hack to the Epsilon e-mail breach and the Oak Ridge phishing attack, database breach announcements have become nearly daily news.

O'Farrell says hackers are wising up, taking advantage of consumers' growing apathy and corporations' reluctance to better protect their customers' personal information. "We have awareness," he says. "People know about identity theft. We just don't have vigilance."

Targeted Attacks

Spear phishing is a growing threat, and in the case of the Sony breach, it's the primary concern. Hackers appear to have penetrated a Sony server or file sometime between April 17 and April 19, gaining access to names, mailing addresses, e-mail addresses, birthdates, login and password details for the PlayStation Network and Qriocity, as well as handles [online IDs] used by Sony gamers. Additionally, cyber intruders are suspected to have gathered other details, including gamers' credit card information, billing addresses and purchase histories.

A Sony spokeswoman says, "We cannot rule out the possibility."

With billing information and other details like purchasing history, fraudsters have plenty of information to launch targeted attacks, says Alan Paller, director of research for the SANS Institute. "So, you have knowledge of these people as being gamers; you have knowledge of their music; you know what kinds of games they bought," he says. "That's the way they perpetrate fraud on the Internet."

From there, it's easy for cybercriminals to use socially engineered tactics to trick consumers into revealing other personal details, such as Social Security numbers and bank account information.

"The correlation of data is very useful," says Nicolas Christin, associate director of the Information Networking Institute at Carnegie Mellon University. "You combine the e-mail address with other information, and it's easy for fraudsters to turn that combined information into cash. People also have to realize that privacy online is hard to maintain. Consumers should be very much on the defensive."

Sony's PlayStaion Network is offline until more about the breach is uncovered. Sony has not said when it expects to be back online. A lawsuit also has been filed against Sony, alleging the gaming powerhouse waited too long to notify its customers of a possible breach. That delay, the suit filed in federal court claims, exposed PlayStation users to financial losses related to potential credit-card data theft.

Sony states on its blog that all of the credit card information it stores is encrypted. But Sony cannot rule out the possibility that the card data may have been stolen until its investigation into the breach is completed. In the meantime, Sony is sending a system software update to its gamers and asking them to change their passwords once the PlayStation Network is restored.

The investigation could take months and still not pinpoint the source of the compromise. But Paller says, given Sony's high-value as a company, a phishing attack on Sony itself likely opened the door for the hack.

Follow Tracy Kitten on Twitter: @FraudBlogger

  • Print
  • Tweet Like LinkedIn share
Get permission to license our content for reuse in a myriad of ways.
ARTICLE Feds Enhancing Cloud Security Vetting Process

Seeking to boost participation by federal agencies and cloud-service providers in the security...

Latest Tweets and Mentions

ARTICLE Feds Enhancing Cloud Security Vetting Process

Seeking to boost participation by federal agencies and cloud-service providers in the security...

The ISMG Network