Sony revealed Tuesday that its PlayStation online video-game network had been breached, with the theft of account information from some or all of the network’s 77 million users. While Sony said in a blog post that it doesn’t think users’ credit-card information was stolen, Fred H. Cate, director of the Center for Applied Cybersecurity Research at Indiana University at Bloomington, believes the breach could be serious, giving the perpetrators the ability to access bank accounts and company Web sites as well as credit-card accounts. He discussed the implications of the problem with The Chronicle and suggested what users, and universities, can do to protect themselves.
Q: If people have PlayStation accounts that have been compromised, how does this affect other accounts they have?
A: There are two things right now that we’re really worried about. It seems pretty clear that the passwords on some or all of the 77 million accounts have now been compromised. Most people reuse passwords across accounts, so if I’m the perpetrator who took these data, I’m going to know your e-mail address, and I’m going to know your password. I can then digitally test them against bank-account Web sites, credit-card-company Web sites, and online-health-record Web sites to see if I can get access to your account.
The second thing—and, to my mind, this is even more troubling—is that the challenge answers were breached. When you forget your password, which we almost all do pretty frequently, Web sites have now gone to using these challenge questions, like your first pet or the name of your high school. Most of us answer those questions honestly because that’s the only way we have any hope of remembering the answers when we need them later. If you use the same questions across multiple sites, that means not only can someone go in and access your account, but they can use that to lock you out of your own account.
Q: The PlayStation network is still down, but are there things PlayStation users should be doing with their other accounts?
A: If I knew that my PlayStation password or password-reset questions were the same ones I had used on some other accounts, I would go in and change them today. I would also take this as a really valuable object lesson of why you shouldn’t use the identical password across accounts.
Q: How do you think Sony has handled this?
A: It’s probably too early to answer that. This is the type of breach where individuals really can do something to protect themselves: by going in and changing passwords elsewhere. [Sony,] by having held on to the information for a week before [it] went public, that raises a question. That was a week when people could not protect themselves, because they didn’t know they needed to.
Q: Are there things Sony should have been doing before to prevent this breach?
A: I have no sense of that. I would only say this: Most responsible companies usually take pretty good precautions, because it’s in their best interest to do so. If I had to guess, I think we will hear that this is a pretty sophisticated attack.
Q: That suggests that as much as we try to protect a network, essentially someone’s always going to figure out a way in.
A: I think that’s right. I think we have to start thinking about data theft the way we might think about environmental pollutants. We can try to reduce it, but at the end of the day we’re not just going to solve it. No one’s going to say, “OK, data security’s been taken care of. We can all go home and relax.”
Q: It’s realistic, but that’s a cynical outlook.
A: That’s right, but I do think we should be careful not to become cynical to the point of complacency or despairing. I think it’s a huge challenge for universities. We have massive data collections. With these huge data sets we make ourselves targets. We’ve seen a lot of attacks against universities.
Q: Do you think universities are doing enough right now?
A: I think universities are doing a lot, but I would say the vast majority I have encountered still have gaps. Some of that’s because we tend to have pretty distributed computing operations; one department system might be run by that department. It’s pretty hard to do security when it’s widely distributed like that. We, like everyone else, live in a cash-strapped environment. If given a choice whether to spend a dollar on a new technology or spend it on a new security mechanism, I suspect we may, understandably, tend to err sometimes on the new technology instead of the new security.