Today we gained further confirmation of details around the Sony Playstation network breach: millions of account names and personal details have been lost, and potentially payment card details too, including the card number and expiry date but excluding the security code.
The types of data rumoured to be lost include names, addresses, email addresses, account names, account passwords, dates of birth and answers to security questions. By security questions one presumes the questions would be of a similar type to the old password reset classic: what is the name of your pet?
So should we be concerned?
If I were one of the potential victims of this theft I certainly would be. Why? Because the amount of personal data which has supposedly been taken is more than enough to allow a fraudster to begin the process of taking over my identity. Much of the rumoured stolen data can, for example, be used to authenticate and validate a user, particularly when that user claims to have forgotten the usual authentication tokens such as passwords and passphrases.
These problems arise because we humans are quite forgetful of our authentication details such as passwords. This means we tend to use the same passwords for multiple systems, or at the very least similar passwords for similar systems, and when we do use random passwords we tend to forget them. The systems we interoperate with are aware of this and see this forgetfulness as a real inhibitor to their ability to validate and interact with us. They are also aware that an authentication failure could lead to a lost sale or a failure to provide a service. However, they know that we remember personal details more successfully, so questions related to address, dates and favourite or personal facts become a fallback authentication process for the service provider. Unfortunately this also means this personal information becomes far more valuable to a hacker as well.
Only recently I was with a family member who was paying for some items on an ecommerce website. As often occurs these days, part of the card authentication process included being taken to a 3D Secure card authentication screen, where she suddenly found she couldn’t remember her secure password.
Helpfully the bank in question gave her the option to select “Forgotten password?” and she was then validated by being asked for her date of birth. Once validated by this information, permission to reset the password was granted.
Similarly most online applications will provide the capability to retrieve forgotten or lost passwords by asking for personal information such as date of birth, address or some well-known security questions, such as name of pet, birth place etc. – which just happens to sound familiar. The problem is that much of this data can’t be changed: it’s easy to change a compromised password, but how do you change a compromised date of birth?
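As an added illustration (not code from the original post), here is the reset-by-personal-facts fallback described above placed beside a reset flow that depends on a random, single-use, expiring token delivered out of band instead; the account record, user names and time values are constructed for the example.

```python
import hashlib
import secrets
from typing import Dict, Optional, Tuple

# Constructed sample account: the "personal facts" the post describes are
# static, so once leaked they stay leaked.
USERS: Dict[str, dict] = {
    "alice": {"dob": "1980-01-02", "pet": "tiddles",
              "email": "alice@example.invalid", "password_hash": ""},
}

def weak_reset_allowed(username: str, dob: str, pet: str) -> bool:
    """The fallback the post warns about: a reset gated only on facts a breach
    can reveal and that the user cannot rotate afterwards."""
    u = USERS.get(username)
    return u is not None and u["dob"] == dob and u["pet"].lower() == pet.lower()

# Hardened flow: a random, single-use, time-limited token sent out of band to
# the registered address. Only a hash of the token is stored, so a database
# leak does not hand out live reset tokens.
TOKEN_TTL_SECONDS = 15 * 60
_pending: Dict[str, Tuple[str, float]] = {}   # token_hash -> (username, expiry)

def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()

def issue_reset_token(username: str, now: float) -> Optional[str]:
    """Return the token to email to the account holder (None for unknown users;
    the HTTP response should look identical either way to avoid enumeration)."""
    if username not in USERS:
        return None
    token = secrets.token_urlsafe(32)        # 256 random bits, unguessable
    _pending[_digest(token)] = (username, now + TOKEN_TTL_SECONDS)
    return token

def redeem_reset_token(token: str, new_password: str, now: float) -> bool:
    """Consume the token once; reject unknown, expired or already-used tokens."""
    entry = _pending.pop(_digest(token), None)   # pop => single use
    if entry is None:
        return False
    username, expiry = entry
    if now > expiry:
        return False
    # Illustrative hashing only; a real system uses a dedicated password hash.
    USERS[username]["password_hash"] = hashlib.sha256(new_password.encode()).hexdigest()
    return True
```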
So if I were one of the potentially compromised users of the Sony Playstation network I’d be working very hard today to change any account details which share similar account names and passwords, change my email address and give serious thought to killing the cat, or at the very least renaming her!