PlayStation breach highlights need for password safeguards
But there are still precautions players can take
I’m tempted to lead off this column with my PlayStation Network password. After all, it’s hardly a secret anymore. It’s been stolen, along with 77 million others from around the world. Data thieves also grabbed our names, street and e-mail addresses, and even our credit card numbers. It might just be the biggest, most destructive theft of personal data yet.
The PlayStation Network is an Internet-based service for owners of Sony Corp.’s PlayStation 3 video game console. Hook up the PS3 to a wired or wireless broadband connection, and you can compete online against other gamers. You can also download new games, rent or buy TV show episodes or full-length features, or stream movies through the Netflix online video service.
The company confused and outraged its users by shutting down the network without explanation, but it wasn’t until last Friday that Sony admitted the problem had been caused by a hacker attack. And Sony didn’t reveal the full scale of the disaster until Tuesday.
That gave the bad guys ample time to run up illicit credit card charges or rifle through victims’ e-mails in search of Social Security numbers or other sensitive data. A Birmingham, Ala., man yesterday filed a class-action lawsuit against Sony — what could be the first of many.
“This particular breach is the worst kind of breach that can occur,” said Robert Siciliano, a Boston-based identity theft consultant for the digital security firm McAfee Inc. Siciliano said the thieves may have obtained enough data to apply for new credit cards under the victims’ names.
That’s because millions of us use the same user names and passwords for many different online accounts. So there’s a good chance that the stolen PlayStation passwords will also open the victims’ accounts on, say, Google Inc.’s Gmail service.
If you have ever e-mailed your Social Security number, the thief could now have it, as well as access to your Google address book, your Google appointment calendar, any files you have created in Google Docs — you get the idea.
This is why we’re supposed to use different, very complex passwords for every single online account.
PlayStation Network users can start by changing their other passwords, and fast. And consider getting a password manager program, such as RoboForm or the one I use, LastPass. These programs automatically generate a new, tough password for every site, then save the passwords in encrypted files on your computer or smartphone, and on the Internet.
Some identity thieves use stolen e-mail addresses to launch phishing attacks. They send you e-mails aimed at tricking you into revealing more sensitive information or scamming you out of money.
To protect yourself, don’t sign up for online services with your primary e-mail account. Instead, set up throwaway e-mail addresses at Hotmail, Yahoo Mail, or Gmail, and use these only for sign-ups.
You can forward any incoming mail to your main account, so you don’t miss anything important, and if the throwaway address starts bringing you scam messages, just close the account.
While each site should have a different password, you might want to use the same credit card each time you shop online.
I didn’t, and now I don’t know which of my cards I used for my PlayStation account. The service is down, and I can’t log in to find out. Next time, I will stick to a single card or write a note to myself listing the cards I have used at various online services.
Meanwhile, I will be keeping an eye on all my bank and credit card accounts. Siciliano said that all consumers should check their statements online at least once a week, as a matter of routine. But we PlayStation users should now check every day, and contact the bank or card issuer the moment something seems amiss.
Federal regulations give credit card holders 60 days to complain about possibly fraudulent charges, but the time limit for debit card users is just two days.
However, John Hall, a spokesman for the American Bankers Association, said that virtually all banks go further than the law requires, reimbursing victims under nearly all circumstances.
“You are protected,” said Hall. “They’re going to make sure that they’re going to make everyone whole.” A Bank of America spokeswoman said the company’s zero-liability policy would fully protect its customers, whether they used credit or debit cards.
But thieves could still attempt to get new credit accounts under your name.
You can watch for such accounts by getting your free annual credit reports from the nation’s three major credit-reporting bureaus: Equifax Inc., Experian Information Solutions Inc., and TransUnion LLC. Forget the silly TV ads for other sources and go to the Federal Trade Commission’s website, AnnualCreditReport.com, to get them. Every American is entitled to one free report each year.
But what about the other 11 months? You can protect yourself by putting a “security freeze” on your report. This bars lenders from viewing your reports, which usually leads them to refuse to extend more credit.
Under a 2008 state law, all Massachusetts residents are entitled to have their accounts frozen whenever they like, for a fee of $5 to each credit bureau. It costs the same amount to have the freeze lifted.
The freeze applies to you, too, so forget about applying for a mortgage or credit card while it’s in place. But if you’re not planning to borrow money any time soon, it’s a good idea. Find out how to do it at defendyourdollars.org.
Who knew that owning a video game console would lead to so much hard work? And this is just the beginning. Our life stories are filed away at many other online businesses, and government agencies, too. And every one of them could be a looming privacy disaster. For now, the only simple, push-button solution is the one none of us want to use: the off switch.
Hiawatha Bray can be reached at firstname.lastname@example.org.