Sony customers with hacked accounts face small risk, security experts say

If your account was one of the 77 million on Sony Corp.'s PlayStation Network or Qriocity online music service, which was hacked into April 17, there's no reason to panic.

The Japanese company said this week that a computer hacker had stolen the personal data and possibly credit card information of customers who access its online entertainment networks via their PlayStation 3 consoles.

Security experts say that although the scope of the breach was among the largest in history, the resulting financial damage to consumers may be minimal, as many banks and nearly all credit card companies don't hold victims liable for fraudulent claims.

"You are at a greater risk [getting into an accident while] driving home today than you are of not being able to buy a house for the rest of your life because someone stole your identity," said Bruce Schneier, a security technologist who has written books on the topic. "There is a risk of crime. But it's not huge."

If you feel like taking measures to safeguard your online accounts, Philip Lieberman, a security consultant and chief executive of Lieberman Software in Los Angeles, suggested the following:

• Don't provide your correct birth date or other personal information.

• Use a throwaway email account.

• Use an anonymous debit card such as a prepaid cash card for online transactions.

• Use a unique password for each site.

• Always assume that the companies gathering your personal information are totally incompetent at securing the data. Consider what you share with them and how you would recover your personal identity if they lose your information.

But because the consequences are rarely dire, consumers are unlikely to change their online behavior, said Mark Rasch, a cybersecurity and privacy expert at CSC, a computer networking and security firm in Falls Church, Va.

"Yes, there's anger and outrage now, but what you'll see in coming weeks is the world's biggest shrug," Rasch said.

So the onus is on the "white hats," the security good guys who constantly duel with "black hat" hackers to defend against increasingly clever attacks.

One possible way hackers got into Sony's computer fortress is by leveraging information being openly shared on social networks, said John Pescatore, a computer security analyst with Gartner Inc.

"They do their research on LinkedIn, Facebook and other social networks to gather personal information on a targeted group of people who are most likely to have administrative-level passwords to these systems," Pescatore said.

"Then they send a highly personalized message to fool them into clicking onto a site that downloads malicious software that captures their user names and passwords. Once they log in, using a legitimate account, they have the keys to the kingdom, and the data goes flying out the door."

On Thursday, Sony issued a small consolation to its users, saying its credit card data had been encrypted, making it harder — but not impossible — to read. Other information, such as addresses, user names, birthdates and passwords, was not encrypted.

"Encrypted data is only safe if the attackers don't also get the decryption keys," Pescatore said.

Copyright © 2019, Los Angeles Times