Can Sony ultimately be trusted with your personal data?

By Christopher Walsh
May 20, 2011
PlayStation down again, this time until May 24
Simple answer, no.

Following one of the largest security breaches in online history, when Sony's PS3 servers were hacked and left open, Sony now faces some serious questions not just from users of its PlayStation Network and Qriocity services, but also from some U.S. congress-people and from users who just want their services back.

Whether or not the PlayStation was hacked because some hobbyists were protecting their hero George Hotz is now irrelevant as shortly after Sony's servers were relaunched, they were hacked in the blink of a proverbial eye. In all seriousness, their relaunched site could have been programmed by a $2/hour PHP scripter from a third world country, common practice for many sites that have been hacked.

In that instance, a user could reset their password by clicking a link to a password reset script, continuing without clicking the confirmation in the email sent, and simply reloading the page on a different regional server. (I.e., start on us.playstation.com, do not confirm the security questions sent to the owner's email address, and continue past the security checkpoint at another server link, de.playstation.com.)

Quote: Originally Posted by Kotaku

The procedure WAS as follows:
1) Navigate to : https://store.playstation.com/accounts/reset/resetPassword.action?token (this is normally, via email, https://store.playstation.com/accounts/reset/resetPassword.action?token=xx with the y's being a unique token) - do not enter the code at this point.

2) Open a new tab in Firefox, and go to fr.playstation.com (other pages will work too most likely), and click Login (Connexion)

3) Click Recover password

4) Enter the email and date of birth of the target account

5) Click continue, then on the confirmation page, click "Reset using E-mail"

6) Switch back to the original tab, and enter the code, then click continue

7) You will now be asked to enter a new password for the target account

What could have stopped this new breach in Sony's online defense system? 1-2 lines of simple code. Code which many programmers use by default when designing these types of web pages.
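One way to enforce that check on the server, as an added example that is not from the original article or from Sony's code: the new password is accepted only when the emailed token is present, was issued for that same account, has not expired and has not been used. `ResetStore`, `set_new_password` and the 15-minute lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

RESET_TTL_SECONDS = 15 * 60  # assumed lifetime of an emailed reset token


class ResetStore:
    """In-memory stand-in for a server-side reset table (hypothetical)."""

    def __init__(self):
        self._pending = {}  # account_id -> (sha256 of token, expiry time)

    def issue(self, account_id, now=None):
        """Create the token that is emailed to the owner; keep only its hash."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).digest()
        self._pending[account_id] = (digest, now + RESET_TTL_SECONDS)
        return token

    def redeem(self, account_id, presented_token, now=None):
        """True only if the token was issued for account_id, is unexpired and unused."""
        now = time.time() if now is None else now
        record = self._pending.get(account_id)
        if record is None or not presented_token:
            return False  # no reset pending, or the token parameter was left empty
        digest, expiry = record
        presented = hashlib.sha256(presented_token.encode()).digest()
        if now > expiry or not hmac.compare_digest(digest, presented):
            return False
        del self._pending[account_id]  # single use: a replayed token fails
        return True


def set_new_password(store, account_id, presented_token, new_password, passwords):
    """Final step of the reset: refuse unless the token proves access to the mailbox.

    State left in the browser session by another tab or regional site is not
    consulted at all; only the server-side record for this account counts.
    """
    if not store.redeem(account_id, presented_token):
        return False
    passwords[account_id] = new_password  # a real system stores a password hash
    return True
```

The decisive lines are the two early returns in `redeem`: a request that arrives without the emailed token, or with a token issued for a different account, never reaches the password update.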

To worsen the situation for Sony and its users, F-Secure has reported that the web servers on which Sony hosted its network services were the victim of a hack, resulting in the Sony servers hosting a phishing site. This isn't just an additional hack, but reveals a security flaw in the core operating system running PlayStation services.

So now that Sony again was hacked within days of coming back online, many will start questioning the reliability of Sony in keeping their data secure. It all seems so unbelievable that one of the richest companies in the world could come across such hurdles.

Without delving into the fact that Sony has given no clear answer on whether users should contact credit card companies to change their card number, they simply promised U.S. users an identity theft service... which hardly means anything in reality. For the cost of possibly racking up huge unauthorized charges on prepaid credit cards or having to cover costs on cards without adequate protection OR the worst case scenario, true identity theft, they will offer users a couple of free online games.

Could your identity be stolen because you provided Sony with your billing address, credit card number and birthday? Most certainly. If you're registered on the PlayStation Network with those details, you ought to contact your credit card company and have them issue new account numbers and card(s).

On the point of whether you should trust your personal information with Sony any longer, I highly suggest you think twice or three times about possible future hacks on the PlayStation Network. Since their supposedly existent security auditors have done such a poor job on relaunching the service and reflecting on the original security breach of over 70 million accounts, users should be careful when handing over personal details.

Keep these thoughts in mind when the PlayStation Network returns on, reportedly, May 24.


Comments (3)
Highball    May 24th, 2011
I do become concerned when any firm wants my personal information. SONY isn't the issue in my opinion. Just how secure are the databases and also how trustworthy are the staffs? In my opinion my information should be restricted solely to me.
PoliticalNick    May 24th, 2011
Can any online company or service be trusted in this day and age? I would say no. I consistently use false names and addresses and always use prepaid credit cards to prevent any intrusion as much as possible.
DurkaDurka    May 25th, 2011
The Sony fiasco could happen to any company, all the more reason for there to be strict laws in place which dictate how said data can be stored and a minimum encryption standard required.