Sony is the latest of a number of companies to suffer a breach of their security system. Sony don’t know, or won’t say, how many people have had their data stolen but it’s likely that a hacker (or group of hackers) is sitting somewhere in the world with the personal data of millions of Sony Playstation users who gamed online. The company doesn’t rule out the theft of credit card information, with its European Communications Director Nick Caplin warning customers:
“While there is no evidence that credit card data was taken at this time, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, to be on the safe side we are advising you that your credit card number (excluding security code) and expiration date may also have been obtained.”
Clearly, identity theft is a still greater risk, particularly as hackers could theoretically exploit stolen password data, which the vast majority of users use for multiple purposes. Indeed, though we know it’s silly, online security firm Trusteer conducted a survey showing that as many as 73 percent of us use our online banking passwords for other, less secure sites.
This relaxed approach contrasts with the fears sparked by the Playstation case – fears that are increased by our growing awareness that we cannot escape crime online. Online data doesn’t appear to be much more vulnerable than personal data held elsewhere but as more and more human activity shifts to the web, crime appears to be following.
So should we be panicking? Well, probably not. First, online theft is less stressful for victims. Being mugged or having your wallet slipped from your pocket is clearly far more intrusive than having information stolen in a virtual world – though online fraud is clearly still unpleasant.
Second, credit card fraud is falling, particularly in the UK, where internet banking fraud dropped by 17% last year. This is remarkable given the annual increases in the proportion of banking and wider commerce carried out online.
Third, much stolen data is never used for criminal purposes. Hackers are a funny lot. In 2002, the Deceptive Duo (20-year-old Benjamin Stark and 18-year-old Robert Lyttle) carried out high-profile break-ins to government networks, including the U.S. Navy, NASA, FAA and Department of Defense. Like so many other hackers, California-based Lyttle and Florida-based claimed they were merely trying to expose security failures and protect Americans in a post-911 world. The two hackers posted messages, left email addresses and defaced Web sites in an attempt to get the government’s attention…and get the government’s attention, they did. Lyttle and Stark pleaded guilty in 2005. Stark was sentenced to two years probation, Lyttle served four months in prison with three years probation, and both were ordered to pay tens of thousands of dollars in restitution for the damage they caused. Indeed, because hacking is rather difficult, you seem to get a rather different (and arguably less desperate) characters carrying out crimes online. In fact, many of the world’s most famous hackers have ended up making millions after switching from poachers to game-keepers or, in the case of the man who invented ‘worms‘, teaching computer science at MIT. So much easier to ‘go straight’ when you have skills..
Fourth, companies seem to be rather good at policing themselves. The police do some work against online fraudsters but internet security remains something that is primarily controlled by the private sector, who are keen to protect and reassure customers for commercial reasons. This is good news for consumers and citizens because this approach is certainly far cheaper than it would be to let the police handle the security of the online realm. Indeed, across the world industry groups fund (or otherwise financially support) police units focused on finding and prosecuting the most serious organised fraudsters.
Of course, both companies and law enforcement bodies need to ‘up their game’ in tackling certain types of online crime – and appear to be successfully targeting those using the internet to perpetrate sex crimes. But it seems clear that online crime is far from out of control, and companies aren’t yet overwhelmed by attacks. Be vigilant – but not frightened.