Musings of a Skeptical Super Nerd & Gamer



Lockdown Your PSN Account

2011-05-02

Sony has screwed up royally, losing our personal information. I won’t go into details about how or why; you can find plenty of info on that already from Sony and analysis from others. That’s the long story; the short story is now we gamers have to deal with the fallout (not the good kind like New Vegas).

Alright, so where do we start?

First off, it’s important to know what information is compromised. Sony is flip-flopping on credit cards, so it’s safe to presume they’re exposed. Sony confirms other information including names, email addresses, birthdays, home addresses, and more is out there. It’s not everything someone needs to steal your identity, but it’s a damn good start.

PlayStation Network Logo

Ha, we still have your money!

So, go here and call all three credit reporting agencies and ask them to put a fraud alert on your account. This is a free service that expires in a few months, but in the meantime makes it difficult to get credit in your name, effectively requiring more verification before approving anything. You can also obtain one free credit report from each agency annually (so stagger them out for tri-annual effectiveness) from AnnualCreditReport.com. Note this is the legitimate, legally mandatory site the credit reporting agencies offer (verify at the FTC), not a for-profit site like you see on TV so often (avoid those at all costs). Either way, keep an eye on your credit.

With the assumption your credit card is compromised, call your card issuer next. All of the big guys are damn efficient at cancelling your existing card and having a new one in your hands within a couple of days. It’s probably the least painful process to carry out after this breach.

Next up, unfortunately, many people reuse passwords. I know you wouldn’t do that, but Jim might, so let’s pretend as if I’m talking to that idiot.

You must change anything you share with other services: password, security question, etc. With 77 million user account details on the loose, you can bet your ass bad people will be using this list to mine popular services like PayPal and banking sites in no time. Same password? You’re screwed. Same security question? They can reset your password. You’re screwed. Have a different password for your banking site but the same password for your email account, which you use to reset your banking password? Well, you get the idea.

Now, going forward we’ll all have to pay extra attention. Armed with our emails, PSN handles, real names, and account histories, bad people can make some damn convincing phishing emails. “Hey, we know you bought this DLC and think you might like this other DLC, so click this link and put in your CC!” Remain extremely skeptical about any contact from “Sony” for a while and don’t follow links inside emails.

See, this isn’t so hard? An hour or so of time and we’re set.

But what about preventing this going forward?

TNO: Trust No One

Frankly, the best thing you can do is not trust anyone. This breaks down into two main areas: not giving people information to begin with and providing false information to others.

If someone doesn’t absolutely need your personal information, don’t give it to them. Things like grocery store loyalty programs, toy store coupon mailing lists, and crap like that come to mind. Just don’t do it.

Next up, think about when someone really needs your information. Magazines are a perfect example. Sure, they need your mailing address, but do they need your real name? After all, how many people in your house are expecting PC Gamer?

Generate a New Credit Card and Name

Here’s the trick to pulling this part off. First off, check your credit card issuer’s website; most of the big companies now offer one-time use credit card numbers. My bank has a slick little Flash app where I put in the maximum spending limit and expiration date, and boom, I have a $20 CC that expires in two months or on first use. Better yet, I can set up a subscription ($20/month max for 12 months) for Netflix and similar services. This is a great first step in limiting damage from data breaches; not only is your monetary risk less, but to “cancel” the compromised card all you have to do is log in to your issuer’s website and click a button. No phone call with India or waiting for a new card in the mail required.

ShopSafe Temp Credit Card

Steal me. I dare you.

Next up is a helpful hint too few people use: call your credit card issuer and add an authorized purchaser. The name doesn’t have to be real, just make it something generic and common like “Bob Smith” (bonus points if you create and use a unique birthday with your alternate identity). They frankly don’t care because for legal/financial purposes everything that happens on the account still falls back to you. However, this feature, mainly aimed towards giving minors access to parents’ credit cards and similar, is very helpful. Think about it: now when you buy something online, subscribe to a magazine, etc. you can keep both your real name and credit card safe and sound. It all still ties back to you (e.g. you can’t abuse this method to rip someone off), but provides a solid layer of defense when someone inevitably loses your information.

Note you can also achieve a similar effect using prepaid credit cards. These are purchasable with cash; before using one for online purchases you must register it on the vendor’s website, using the information of your choice. This permits you to have a valid yet limited credit card number (or several) using the name of your choosing. It’s also less likely to get some FBI guy to put a boot on your throat during a morning raid than the above.

Change Your Passwords

Touching back on the topic of password reuse: don’t. Just bloody don’t do it. Drop $12/year on LastPass and create a unique password for all of your web services. There is simply no excuse these days to use the same password everywhere. Next time Sony loses our information (trust me, it’s just a matter of time), imagine how much easier it’ll be to just change your PSN password rather than scramble to dozens of sites hoping to not miss anything.

When PlayStation Network comes back online a new mandatory firmware will be available enforcing a password change. If you use your leaked password elsewhere you need to take the initiative to change it.

Change Your Email Address

Next up is your email address, which is a harder topic to discuss as every email vendor differs. I use Gmail, so I’ll use them as my example. If you host your own email you’re in great shape, but other free mail vendors offer similar services, though some (Yahoo! comes to mind) charge.

My email (not really, and I’m omitting the .com for technical reasons) is bob@gmail. Here’s a fun fact: I can add a plus sign and anything I want to that. Mail sent to bob+PlayStation@gmail and bob+unicorns@gmail will arrive in my inbox perfectly. However, should someone compromise a database containing such an address, all I have to do is add a quick filter in Gmail to automatically delete incoming mail sent to the exposed address, create a new alternative (bob+PlayStation2011@gmail), and enjoy the rest of my day.

Now, this isn’t a perfect system. Humans and some of the more intelligent bots are smart enough to catch this trick, at least with the major vendors. The only perfect solution is if you can make truly unique accounts when you want, which isn’t practical for many users. That said, utilizing services such as I describe above is a great way to shield your true email from compromise.
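Here is the plus-address routine above as a small mail triage sketch. It is an added example, not code from the original post, and it goes one step past the post's delete filter by also flagging mail where the tag was stripped or reused by an unrelated sender. The `example.com` domain, the tag table, and the already-verified `sender_domain` argument are assumptions made for illustration.

```python
from email.utils import parseaddr

# Constructed sample values: the post omits the domain, so example.com stands in.
MAILBOX, DOMAIN = "bob", "example.com"
# Tag -> sender domain the alias was handed to (constructed).
ISSUED = {"playstation2011": "sony.example", "unicorns": "unicorns.example"}
# Tags exposed in a breach and therefore burned (constructed).
REVOKED = {"playstation"}

def alias_for(service, suffix=""):
    """Build a per-service address such as bob+PlayStation2011@example.com."""
    return f"{MAILBOX}+{service}{suffix}@{DOMAIN}"

def split_tag(to_header):
    """Return (mailbox, tag) from a To: header; tag is None when absent."""
    _, addr = parseaddr(to_header)
    local, _, domain = addr.rpartition("@")
    if not local or domain.lower() != DOMAIN:
        return None, None
    base, plus, tag = local.partition("+")
    return base.lower(), (tag.lower() if plus else None)

def triage(to_header, sender_domain, issued=ISSUED, revoked=REVOKED):
    """Classify one message as deliver, delete, review or not-ours."""
    base, tag = split_tag(to_header)
    if base != MAILBOX:
        return "not-ours"
    if tag is None:
        return "review"   # bare address: the tag was stripped or never used
    if tag in revoked:
        return "delete"   # address from the leaked database
    owner = issued.get(tag)
    if owner is None:
        return "review"   # a tag that was never handed out
    sender = sender_domain.lower()
    if sender == owner or sender.endswith("." + owner):
        return "deliver"
    return "review"       # alias used by someone other than its owner

if __name__ == "__main__":
    samples = [  # constructed (To header, sender domain) pairs
        ("Bob <bob+PlayStation@example.com>", "spam.example"),
        ("bob+PlayStation2011@example.com", "mail.sony.example"),
        ("bob+unicorns@example.com", "phish.example"),
        ("bob@example.com", "spam.example"),
    ]
    for to, sender in samples:
        print(f"{to:40} {sender:20} -> {triage(to, sender)}")
```

A message landing in `review` under a live tag tells you which service's copy of the address is circulating, which is the point of giving each service its own alias.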

Whew.

Alright. We have unique passwords and email addresses, one-time use credit cards in place, and our real names and birthdays are protected. Talk about a good start. Consider this: with this setup, cleaning up after a data compromise entails changing your password and email for the exposed service only, then logging into your bank site and creating a new credit card number. This is all easily doable in less than five minutes.

Now, what’s the real risk; is all this really necessary? It really depends on how vulnerable you feel personally. If you use a unique password for PSN, your linked credit card expired, and you don’t mind a little spam, you have nothing to worry about. However, as details deepen things only get worse. Sony recently revealed SOE, originally thought isolated from the attack, is compromised along with tens of thousands of credit card numbers. Sony’s also now offering a free year of identity theft protection to all affected customers. So in the end, minus a little time, what’s the harm in playing it safe? That said, the only reason I insist upon proactive measures is if your bank account/debit card is tied to Sony. Legal protections for fraudulent claims are pretty tight with credit cards, but not so with banking/debit cards. You are at serious risk.

In short, we can’t trust everyone out there with our personal information. It’s a delusion to think the dozens of businesses we interact with on a regular basis can 100% secure our private information for the rest of eternity. Shit happens, so take control for yourself. Just remember they’re not in the business of protecting you, quite the opposite: protecting you is a cost of doing business, one that they want to spend as little money on as possible while remaining effective. Accidents are going to happen, but what they don’t have, they can’t lose.