'Steal everything' era of hacking
- 27 April 2011
- From the section Technology
The devastating attack on the PlayStation Network (PSN) is yet another illustration of how technology-savvy criminals are determined to get their hands on our personal information.
As gamers rued the missed opportunity for online play over the holiday weekend, hackers were able to embark on an Easter hunt around the PSN, picking up small clues which could lead to a bigger prize: card fraud and identity theft.
The hack, which has led to the network being unavailable for over a week, has left observers wondering if a company as vast and seemingly advanced as Sony can get hit, who out there is safe?
The answer, according to experts, is no-one - and something similar will almost certainly happen again.
"We're moving into an era of 'steal everything'," said David Emm, a senior security researcher for Kaspersky Labs.
He believes that cyber criminals are now no longer just targeting banks or retailers in the search for financial details, but instead going after social and other networks which encourage the sharing of vast amounts of personal information.
Because of the need to be widely accessible and easy-to-use, networks like PSN are seen as being more vulnerable to attack than banks or big retailers.
"Any lock can be picked," said Blaine Price, senior lecturer in computing at the Open University and an expert in data protection.
"The reason is that there's always a trade off in security between usability - being able to get at what you want to get at, and making it secure.
"Your online banking site is much more sophisticated."
Setting up a PSN account involves a lengthy and sometimes frustrating process of entering personal data - usually on a games controller. But this is a one time inconvenience, as data is saved by the network so that next time around it only takes a few steps.
A more secure option would seriously hinder this process, Mr Price argues.
"A bank would usually use two-factor authentication, where you've not just got a password.
"It would be a real pain if every time you want to start up a game you had to scan your thumb, type in 15 digits and pull out a card reader.
"Any time you're just using a user ID and password, it's going to be a risk."
For networks like the PSN, or indeed, any system which encourages its users to share lots of data, this poses a massive problem.
Bombarded with countless passwords for a multitude of web services, users are prone to keeping the same or similar details for all.
Discovering the password on one account can often lead to clues about someone's online banking credentials, a far less difficult approach than attempting to hack the bank itself.
"The weakest link is always the individual," said David Emm.
"Clearly, trying to undermine a bank's security is a lot of effort. Whereas if you go after an individual, it's not going to be noticed, it's going to be easier to do."
As news of the PSN breach emerged, the list of exposed details proved as serious as it was lengthy. Customers' names, date-of-birth, addresses and, Sony fears, their financial details were all compromised.
A more cautious observer would argue that an obvious method of preventing personal information from being taken is to simply never share it, but this is unworkable for people wanting to make use of the latest technology.
There is an on-going debate over how just how much information is necessary for the safe and secure running of a service, and how much simply bolsters the company's marketing opportunities.
At the forefront of this debate is the Information Commissioner's Office (ICO), which said that as well as investigating whether Sony has adequate security measures in place, it will be taking a close look at exactly what data the company collected and why.
"Data minimisation is a security measure in itself," deputy information commissioner David Smith told the BBC.
"It's a very important data protection principle that you shouldn't collect excessive information or keep it longer than is necessary.
"The question about, for example, why an organisation asks for a specific date of birth, as opposed to an age band, is at the centre of our work."
In the mean time, Sony will be working to rebuild its network as securely as possible. For consumers however, worries will remain over the vulnerability of a system that they had previously trusted.
Other services too will be reviewing their own arrangements and seeking to assure customers that their details are safe.
Mr Price from the OU believes that networks must take a more open, transparent approach to security, sharing details about methods used so they can be peer-tested.
"The best thing for security is openness, believe it or not," he said.
"You publish the security method you've used, and that way experts can also test them. If lots of experts are testing your open security standard for a long time, that's usually and indication that it's pretty good.
"If you keep it secret, then it only takes one person to know the secret and then you're in trouble."