How safe are our personal details on the internet?
Last updated at 14:22, Friday, 06 May 2011
Computer gaming is supposed to be an escape from stress. But for millions of gamers, real life has just come crashing in.
Personal details of more than 100 million people could be in the hands of hackers who broke through the online defences of PlayStation owners Sony.
Details of 77 million PlayStation users – including three million in the UK – were stolen by hackers last month.
This week Sony announced that a further 25 million gamers who use Sony Online Entertainment have had their personal details taken. This attack goes beyond users of PlayStation, affecting PC and Facebook gamers who play via the internet.
The information taken includes names, addresses, email addresses, dates of birth, phone numbers and Sony account usernames and passwords.
Some users had credit card numbers and expiry dates taken. Sony claim this information was encrypted – converted into an unreadable form.
Even so, those whose details were taken remain vulnerable to fraud. And the attack shows there can be no guarantee of safety when personal details are entrusted to even supposedly secure websites.
Michael Robertson is managing director of Carlisle-based Commerce Media, which provides security for organisations including the Ministry of Defence, HMV and Betfair.
“Nothing is ever 100 per cent secure,” he says. “That’s the bottom line. Nothing is ever 100 per cent guaranteed in life. As with all things you can only do so much. But it’s your responsibility to do as much as you can. Security’s all about driving out risk as far as you can.
“I think it’s quite difficult to understand how somebody the size of Sony didn’t have that data encrypted. It was just plain text. Once the hackers were in there it would have been like reading a book.”
One of the biggest dangers for those affected is that the hackers have their Sony account username and password.
“People tend to use the same password for lots of different accounts. We’re all supposed to have a different password for every account and to change them regularly, but that’s difficult. Lots of people just don’t do it.
“If I have a list of usernames and passwords, I can go around farming the internet. I’ll visit different sites and use your Sony username and password to see if you have accounts there and if the username and password is the same for those accounts.
“If you’ve got the username and passwords, you’ve effectively got the keys to the front door. If you leave your keys on your desk, I’ll help myself to your stereo.
“It’s taking that kind of mindset to your online security. Don’t leave the windows open.
“If people are with Sony and they know they’ve got the same password for lots of different sites, the first thing they should do is change them.
“If you get emails from sites saying ‘Your password has been changed’, and you haven’t changed it, get in touch with them straight away. And look for transactions you don’t recognise in your bank account.”
Tony Wilson is managing director of Aspatria-based information security company Indelible Data. He feels the risk to personal information placed on the internet is increasing.
“Hacking attempts have increased 23 per cent this year. I do talks on cyber crime and hacking. Every talk I’ve done, someone has had a hacking attempt or has had money taken.
“I know four people who have had money taken from their accounts. I think by the end of the year most people will know someone in that situation.
“One of them was a phone call pretending to be from their bank. ‘Can you confirm your details?’ There’s one going around where they ring you up claiming to be from the tax office.
“What people have got to be careful of now is, people can pretend to be from Sony. The hackers have information about you so they can ring you and say ‘It’s Sony. And just to confirm we are Sony, your account log-in is this...’ Then they’ll say something like ‘Just to confirm your card hasn’t been stolen, can you give me the CVV?’ – the three-digit number on the back of the card.
“People need to be wary of that. Sony has said they will not be ringing anyone asking for information.”
Hacking can lead to identity theft. If hackers have enough personal information they can open store cards and mobile phone contracts, leaving the unwary victim with the bill.
Hackers may sell the information rather than use it themselves. “Not everyone knows what to do with personal identity information,” says Wilson. “If I find your mobile phone and it’s got your credit card details on, I might not know what to do with it. But I might know someone who does. He might pay me £500 and he might make £10,000.
“Sony have been lax but it’s been a persistent attack. It’s not just one lone hacker. You don’t get to break into somewhere like Sony without some funding. It’s very likely an organised crime syndicate. They’ve been trying and trying and they finally got in.
“A couple of months ago RSA, which produces security systems used by the US Defence Department, was hacked. That brought it home that people are attacking the major players. It’s not just one teenage hacker anymore.”
But many attacks are on individuals rather than corporations. These people are unlikely to have been singled out. Instead they are the victims of “phishing expeditions” launched by hackers to find computers with inadequate protection.
“Why spend 2,000 man hours to attack a bank that’s highly defended and might even be able to track you when you could attack the greengrocer up the road?
“These hackers’ systems are automated. They trawl anyone with a broadband connection. It could be the greengrocer up the road. If the hacker’s system can get in, it has a look around his hard drive. It might find a spreadsheet that has his passwords on. They haven’t targeted him – it’s a phishing expedition.”
If money is lost, whether the victim gets it back depends largely on how much blame they are perceived to hold.
“There would be some investigation into how cavalier you’ve been with your accounts. The people I know have had their money given back. It could be a very good scam that most people would have fallen for.
“Or it could be that if your password is the same as your house name or something very simple for someone to crack, they might not be as lenient.”
Cumbria’s Deputy Chief Constable Stuart Hyde is president of the Society for the Policing of Cyberspace, and an expert on internet safety.
He is keen to highlight a hacking threat to people who use Wi-Fi wireless technology to connect their laptop or smartphone to the internet.
Millions of smartphone users who use Wi-Fi “hotspot” connections in public are vulnerable to fraud and identity theft.
Using a piece of communications equipment costing less than £50, and software available for download from the internet, crooks can set up bogus Wi-Fi “gateways” which smartphones automatically connect to. All the information passing through this gateway can then be read or decrypted.
Information including usernames and passwords can be taken without the users’ knowledge. This can happen even if they are not actively surfing the web.
The attack works because public Wi-Fi hotspots have no form of identification except their name, which an off-the-shelf device can mimic.
Mr Hyde says: “If you want to use an iPhone in the middle of nowhere and to have access to all kinds of facilities, that might mean you end up compromising your security.
“Technology allows people to do all sorts of weird and wonderful stuff. But with that comes a risk. People need to manage that risk.
“They have to know more about security than they did before. Just relying on the service providers is not enough. People need to take personal responsibility.
“It’s fairly easy to spoof a Wi-Fi spot. If you don’t know the Wi-Fi you’re going onto, you can be spoofed. Until there are improvements in security, I would advise people to be very wary when using insecure Wi-Fi in public places. Route it through somewhere you know.”
“It’s always a battle,” says Michael Robertson. “There are automated programmes running scripts to guess passwords. You’ve got everything in the spectrum, from spotty youths in the bedroom hacking for a laugh to people doing it to make money.
“People need to be saying to companies ‘What are you doing to look after my data? My information is precious to me.’”
First published at 14:12, Friday, 06 May 2011
Published by http://www.cumberlandnews.co.uk