Dubai: Registered users of PlayStation Network (PSN) may want to consider replacing their credit cards as an extreme measure if they shared financial information with the breached online gaming network, suggests a global security expert.
Costin G. Raiu, director of Kaspersky's global research and analysis team, told Gulf News that the risk of future identity and financial theft for 27,000 cardholders in the Middle East resulting from an April 19 intrusion of the Sony-owned PSN may warrant cancelling existing credit cards used within the gaming network.
Data from an estimated 77 million PSN user accounts around the world were accessed, PlayStation confirmed earlier this week.
"What does it mean in practice for victims? Well, first of all, it probably means the credit card numbers were accessible to the attacker, so he or she could have copied them. Coupled with other personally identifiable information such as name, address, date of birth these could be easily used for credit card fraud," Raiu said.
"For now, though, there is no evidence to confirm the credit card numbers have been stolen. Of course, it usually takes months until stolen credit card numbers are used, in order to dissipate suspicious and connections between incidents, so even if they were stolen, it may be months until they are used. For PSN members, we recommend to keep an eye on their credit card statements for signs of fraud. As an extreme measure, it's probably a good option to cancel the card and require a replacement from the bank."
According to figures obtained by Gulf News from PlayStation Division in the Middle East, the PSN has 1,093,000 registered users in the region, 27,000 of whom have shared credit card information with the network.
In the UAE, alone, there are 250,000 registered users which include 14,000 users with credit cards. There are 650,000 PSN registered users in Saudi Arabia with 12,500 of them using credit cards.
Kuwait has 90,000 PSN members, 500 of whom shared credit card details with the network.
Bahrain has 26,000 PSN users, Lebanon has 21,000 members, Qatar boasts 46,000 users and Oman has 10,000 gaming network users.
Kaspersky's Raiu believes those who attacked the PlayStation Network did so with financial gain in mind.
"I believe the PSN compromise incident was a well prepared targeted attack that was designed for this specific purpose. For now, it is not clear how the attacker managed to obtain access to the servers or the PSN ‘cloud.'"
While data breaches are nothing new and happen each year, Raiu said he believes this one is different because of the amount of data involved.
"First of all, we believe this is the first major incident of this kind. Back in 2010, we predicted the emergence of attacks against cloud infrastructures; this is what just happened. When it comes to attacks against the cloud, probably the most important thing is the volume of data which can be stolen - in case of PSN, we are talking about 77 million subscribers. This easily beats most e-commerce websites out there, giving this cybercrime a whole different dimension," he said.
The size of the attack "indicates that the newly deployed cloud infrastructures are still in their infant years and will require a lot more efforts to secure. This is particularly difficult, because sometimes it requires special measures not from the cloud renter, but from the cloud provider."
Dimitrios Petropoulos, managing director of ENCODE Middle East in Dubai Internet City, said the impact of the PSN breach will be felt for some time to come given that the compromised data was of a global scope and scale.
While the storage conditions of the credit card data aren't known, Petropoulos wondered how hackers accessed credit card numbers via the online gaming network.
"Organisations with process payments have a contractual obligation to adhere to," told Gulf News in an interview.
Petropoulos noted that corporations and online networks that rely on Amex, Visa or MasterCard to do business with clients and customers should have proper security measures in place and that "cardholder information should be either encrypted or hashed. It should not be in a humanly readable form."
To meet security standards demanded by credit card companies, large firms are subject to conditions set down by the Payment Card Industry (PCI) Security Standards Council in Wakefield, Massachusetts.
"These standards have been designed to guard against incidents like this — to make sure this doesn't happen," said Petropolous.
However, the PCI Security Standards Council said on the heels of security breaches in 2009 that even annual compliance with all of its standards may not be enough to head off a major hacking incident.
"As the council has said many times, it is not enough to validate compliance annually and not adopt security into an organisation's ongoing business practices. A card data environment is under constant threat, so businesses must ensure their safeguards are also under constant vigilance, monitoring and where necessary, ongoing improvement. A layered approach to security is absolutely necessary to protect sensitive payment card data — without ongoing vigilance or a comprehensive security strategy, organizations may be just a change control away from noncompliance," the organisation said in a statement at the time.
"Validation to the principles and practices mandated in the PCI DSS [Data Security Standard] plays an integral part in an organization's security posture, but basic monitoring and logging cannot be set aside after a security assessment is complete. Reports by forensics companies suggest that this is an area of weakness among organisations. An intrusion need not result in card data compromise if an organization is following the 12 guiding requirements of the PCI Data Security Standard."
The standards include stringent measures ranging from building and maintaining a secure network to protect cardholder data as well as maintaining a vulnerability management program to ushering in strong access control measures and regularly monitoring and testing networks.
