The recent theft of Sony customers’ payment details has
put e-commerce security in the spotlight. Louise Naughton finds
that security measures can easily be improved, with little impact
on the consumer experience. What Sony needs is a little less trust
in its customers.
Japanese
electronics giant Sony is certainly not the first company to have
had its customers’ payments details stolen by hackers, but it
certainly has the highest profile.
The scale of the attack on Sony’s
PlayStation network throws into sharp relief the risks many
corporates are taking with payments information and some would say
it betrays a degree of complacency and naïveté among companies
looking to drive e-commerce.
Others would say this is the
wake-up call the industry needs to reappraise itself
altogether.
In April, Sony announced via a blog
post on its website that certain PlayStation Network and Qriocity
service user account information had been compromised between 17 and 19
April in connection with an illegal and unauthorised intrusion into
the network.
Sony said the fraudster obtained
users’ personal details, including passwords and the answers to
security questions. Rather more worryingly, it didn’t rule out the
possibility that purchase histories may have also been hacked into,
putting its users’ credit card information at risk.
Sony CEO Howard Stringer has since
spoken out to reassure consumers there has been no confirmed
evidence any credit card or personal information has been misused
as yet.
Gaping holes
In addition to
the lack of security surrounding users’ personal details and credit
card information, Stuart Okin, managing director of security
consulting firm Comsec Consulting UK, claims there was neither a
segregation of Sony’s system database nor network monitoring.
“Sony’s perimeter not only had
holes in it but actually there was very little in the way of
security controls in place across the inside of the company,” says
Okin.
In a bid to minimise the risks to
its users, Sony turned off its PlayStation Network and Qriocity
services and engaged a security firm to conduct a full and complete
investigation into the breach. Sony plans to restore its
PlayStation Network in full by the end of May, but it is unclear as
to what it is currently doing and will do in the future to ensure a
breach of this size will not happen again.
Sony has publicly accused the
online activist group, Anonymous, of the data breach. It says it
found a file on one of its servers labelled ‘Anonymous’ that
contained the phrase “We are legion” – a phrase known to be used by
the group.
Anonymous was also the group
responsible for bringing down the websites of MasterCard, Visa and
PayPal in protest at the stoppage of donations to whistle-blowing
website WikiLeaks in December 2010. While it admitted to the
WikiLeaks-related attacks, it has denied being involved in the Sony
data theft.
“Let’s be clear, we are legion, but
it wasn’t us. You are incompetent Sony,” said the group on its
website.
The harsh realities of the network
hacking are becoming increasingly apparent. Sony shares plummeted by
almost 4% in early May 2011, ending the day 2.3% weaker and 1.8% below
the benchmark Nikkei average. This has led to fears that trust in
the company may be irreparably damaged.
Serious solutions
Stephen Howes, founder and CTO of
one-time-password (OTP) solutions provider GrIDsure says the Sony
hacking has sent a shiver through consumers. He says there is a
danger people will start to accept data breaches as “par for the
course” when engaging in internet-based services.
“Consumers should not have to
accept this, they should be demanding better security from whoever
they provide their data to,” says Howes.
“Just saying sorry isn’t good
enough.”
Sony’s data breach
is not just bad news for Sony but it is potentially bad news for
banks, social networking websites and other internet-based service
providers, as a lot of people use the same password for a range of
different companies.
Comsec’s Okin says the industry
needs to highlight that, while we live in a world where usernames
and passwords are predominant, the user population needs to be
firmly encouraged to move to multiple passphrases until more secure
solutions are in place.
Peter Regent, director of online
authentication at Gemalto, says OTPs using a token or smartcard
device are the answer to avoiding a repeat of such a large scale
data breach.
While OTP devices can be easily
integrated into the gaming environment, a far more sophisticated
security approach is needed to protect networks from attack,
says Regent.
A smartcard solution combining
certificate-based authentication with a public key infrastructure
(PKI) is claimed to ensure that only authorised
employees can access sensitive information.
Gemalto argues this gives corporate information assets a
level of protection similar to that which chip and PIN cards give
banking customers using their cards at an ATM.
“Cyber criminals are becoming
increasingly sophisticated and no individual or corporation is
immune to attack,” says Regent.
“By integrating multi-layer
authentication into security processes and infrastructures,
consumer organisations and businesses will be better prepared for
fraud prevention.”
GrIDsure’s Howes is not so sure
that two-factor security solutions are the answer the industry
should be looking to.
He says it would be a “logistical
nightmare” to use OTP devices as a mass market solution, as there
are too many cost and usability battles to contend with. Okin
agrees.
“The two-factor authentication
method is not even a medium-term answer, unless all the banks come
together and agree to use the same type of token,” he says.
Howes says GrIDsure and its
innovative take on the OTP may have the answer consumers and
businesses alike are waiting for. Using the company’s model, a
consumer does not need to divulge their password, or PIN, to an
organisation’s website.
Rather it is something they retain,
while what they do give away would be useless to a
potential cyber-criminal. This process allows a consumer to be
protected by an OTP.
GrIDsure’s OTP authentication tool
works via a cell sequence in a grid. Instead of creating a password
when setting up an account with a company, a consumer would create
a shape or a pattern that would generally cover four to six cells
within a grid.
When it comes to logging back into
their account, the same grid appears, but this time it is populated
with randomly placed, single-digit numbers.
All the user has to do in order to
be allowed access to their account is type in the numbers at their
chosen pattern positions, thus retaining their ‘password’ – the
shape or pattern they originally created. On a five-by-five grid
there are over 390,000 four-cell patterns that can be chosen, and
this number increases dramatically when the grid size
increases.
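The challenge/response described above, written out as an added example (this is not GrIDsure’s code, and the internals of their product are not on the page). The assumptions are those the article states: a 5x5 grid of cells, an ordered pattern of four to six cells that may revisit a cell (which is what gives the 25^4 = 390,625 four-cell patterns quoted), one fresh grid of random single digits per login, and a verifier that holds the enrolled pattern and compares the digits typed. The last function is an added analysis: it counts how many patterns remain consistent with what a shoulder-surfer could have observed.

```python
"""Pattern-based one-time-password grid, GrIDsure-style (illustrative, not vendor code)."""
import secrets
from itertools import product

GRID = 5                      # 5x5 grid, cells numbered 0..24 row-major (assumption)
CELLS = GRID * GRID
DIGITS = "0123456789"


def enrol(pattern):
    """Validate and return the secret pattern: an ordered sequence of 4-6 cell
    indices. Revisiting a cell is allowed, so order and repeats both matter."""
    if not 4 <= len(pattern) <= 6:
        raise ValueError("pattern must cover four to six cells")
    if any(not 0 <= c < CELLS for c in pattern):
        raise ValueError("cell index out of range")
    return tuple(pattern)


def challenge():
    """A fresh grid: one random digit per cell, drawn from the OS CSPRNG.
    The verifier must issue a new grid for every login and never reuse one."""
    return "".join(secrets.choice(DIGITS) for _ in range(CELLS))


def response(grid, pattern):
    """What the user types: the digit in each cell of their pattern, in order."""
    return "".join(grid[c] for c in pattern)


def verify(grid, pattern, typed):
    """Constant-time comparison of the typed digits against the expected ones."""
    return secrets.compare_digest(response(grid, pattern), typed)


def pattern_space(cells=4):
    """Number of ordered patterns of `cells` positions on the grid (repeats allowed)."""
    return CELLS ** cells


def consistent_patterns(observations, cells=4):
    """Patterns of length `cells` consistent with every observed (grid, typed)
    pair. A single observation leaves every pattern whose cells carry the
    typed digits; each further observation intersects that set."""
    candidates = set(product(range(CELLS), repeat=cells))
    for grid, typed in observations:
        candidates = {p for p in candidates if response(grid, p) == typed}
    return candidates


if __name__ == "__main__":
    # Constructed sample: a user enrols the left-hand diagonal, then logs in once.
    secret = enrol([0, 6, 12, 18])
    grid = challenge()
    typed = response(grid, secret)          # stands in for the user reading the grid
    print("grid:", grid, "typed:", typed, "ok:", verify(grid, secret, typed))
    print("four-cell patterns on a 5x5 grid:", pattern_space())
    print("patterns consistent with that one login:",
          len(consistent_patterns([(grid, typed)])))
```

Each login sends only the four digits for that grid, so a captured response is worthless against the next grid; what a real deployment must still do is bind the issued grid to the session, expire it, rate-limit guesses (a four-digit response is one in ten thousand by chance), and protect the enrolled pattern server-side, since the verifier needs it to check responses. The `consistent_patterns` count is the number a shoulder-surfing analysis turns on: on a 5x5 grid each digit sits in about 2.5 cells, so one observed login narrows a four-cell pattern to a few dozen candidates, and every further observation intersects that set.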
Consumer research
Usability tests of GrIDsure’s
technology have been conducted in conjunction with University
College London, and these show pattern recognition to be much easier
for a consumer than remembering a password or PIN.
It is also claimed a consumer will
remember a pattern or shape for a longer period of time.
“OTPs are inherently more secure
but the difference with GrIDsure’s technology is the mental
exertion a consumer has to play to authenticate themselves is very
light,” says Howes.
“It combines strength of security
with ease of use for the consumer.”
Adrian Seccombe, research associate
for the technology advisory platform, Leading Edge Forum, gives
GrIDsure’s technology his seal of approval. He says it is the first
example of an end-to-end brain to device communication and is an
important step forward.
“A fraudster would have to shoulder
surf someone thousands of times to obtain any information useful to
them,” says Seccombe.
Comsec’s Okin believes the
long-term answer to security challenges lies in a combination of a
GrIDsure-type technology, to be used for large transaction amounts,
and an agent device, such as a mobile phone, that is able to hear
you all the time, pick up your image through its camera/video tool
and know with a high degree of certainty who you are.
This would allow small transactions
to take place without explicit authentication, with that device
vouching for the user instead.
Cultural sensitivity?
OTPs, multi-passphrases and agent
authentication – debating the potential these types of security
controls have is one thing, but what if Sony chose not to implement
them, not because of their cost or usability, but purely on a
cultural basis?
A thought-provoking comment on the
Sony hacking has come from PlayStation 3 hacker George ‘Geohot’
Hotz.
In his blog, Hotz says it is those
that make the decisions at Sony, not those that design the
security, that are at fault.
He says as Sony believes it ‘owns’
its clients, it has based the protection of its entire network
squarely on its trust with them.
“Since everyone knows the PS3 is
unhackable, why waste money adding pointless security between the
client and the server?” writes Hotz.
“[Sony’s] arrogance undermines a
very basic security principle: never trust the client.”
It is difficult to believe a
company of Sony’s size would hold this kind of attitude towards
security. There again, it is also difficult to believe a company
Sony’s size would have allowed a data breach of such magnitude to
occur.
Okin argues as soon as a company
moves away from a control framework to a trust framework, security
does not exist.
“A trust framework is a state of
nirvana that we are never going to get to,” says GrIDsure’s
Howes.
“You have to have controls in place
because there is always going to be the bad guy out there.”
It is unlikely Sony’s data breach
will be the catalyst for change that the industry needs in order to
unite and universally tighten its data controls.
Chris Russell, a member of the
technical team at security solutions provider Swivel, expects the
issue of data protection to be a hot topic for a few months with
minimal activity – mostly made up of knee-jerk reactions.
But in six months time, Russell warns, data breaches and tales
of hacking will all be a distant memory for most.
