PlayStation down again, this time until May 24 -
Following one of the largest security breaches in online history when Sony's PS3 servers were hacked and left open, Sony now faces some serious questions not just from users of their Playstation Network and Qriocity services, but now from some U.S. congress-people and users who just want their services back.
Whether or not the PlayStation was hacked because some hobbyists were protecting their hero George Hotz is now irrelevant as shortly after Sony's servers were relaunched, they were hacked in the blink of a proverbial eye. In all seriousness, their relaunched site could have been programmed by a $2/hour PHP scripter from a third world country, common practice for many sites that have been hacked.
In that instance, a user could reset their password by clicking a link to a password reset script, continue without clicking a confirmation in the email sent and simply reload the page but on a different regional server. (IE. Start on us.playstation.com, not confirming security questions sent to the owners email address and continue past the security checkpoint at another server link de.playstation.com).
Quote: Originally Posted by Kotaku
What could have stopped this new breach in Sony's online defense system? 1-2 lines of simple code. Code which many programmers use by default when designing these types of web pages.The prodecure WAS as follows:
1) Navigate to : https://store.playstation.com/accounts/reset/resetPassword.action?token (this is normally, via email, https://store.playstation.com/accounts/reset/resetPassword.action?token=xx with the y's being a unique token) - do not enter the code at this point.
2) Open a new tab in firefox, and go to fr.playstation.com (other pages will work too most likely), and click Login (Connexion)
3) Click Recover password
4) Enter the email and date of birth of the target account
5) Click continue, then on the confirmation page, click "Reset using E-mail"
6) Switch back to the original tab, and enter the code, then click continue
7) You will now be asked to enter a new password for the target account
To worsen the situation for Sony and its users, F-Secure has reported that the web servers which Sony had its network services hosted on were the victim of a hack, resulting in the Sony servers hosting a Phishing site. This isn't just an additional hack, but reveals a security flaw in the core operating system running Playstation services.
So now that Sony again was hacked within days of coming back online, many will start questioning the reliability of Sony in keeping their data secure. It all seems so unbelievable that one of the richest companies in the world could come across such hurdles.
Without divulging into the fact that Sony has made no answers clear on whether users should contact credit card companies to change their card number, they simply promised U.S. users an identify theft service... which hardly means anything in reality. For the cost of possibly racking up huge unauthorized charges on prepaid credit cards or having to cover costs on cards without adequate protection OR the worst case scenario, true identity theft, they will offer users a couple of free online games.
Could your identity be stolen because you provided Sony with your billing address, credit card number and birthday? Most certainly. If you're registered on the PlayStation Network with those details, you ought to contact your credit card company and have them issue new account numbers and card(s).
On the point of whether you should trust your personal information with Sony any longer, I highly suggest you think twice or three times about possible future hacks on the PlayStation Network. Since their supposedly existent security auditors have done such a poor job on relaunching the service and reflecting on the original security breach of over 70 million accounts, users should be careful when handing over personal details.
Keep these thoughts in mind when the PlayStation Network returns on, reportedly, May 24.