Saturday 11 June 2011

Thoughts on the recent gaming website hacking incidents

The website for the computer game company Codemasters got hacked and announced it earlier today - a friend of mine at work was pretty miffed when he got an email about it. He was complaining that gaming platforms have been targeted by hackers so much that his details must have been stolen about 4 times now.

Another developer joined in and started lamenting the fact that the same rules that apply to online financial institutions (PCI DSS) don't seem to apply to other websites that hold personal data.

Things are difficult to secure these days. Soon after PSN was hacked, Bloomberg reported that Amazon's EC2 elastic cloud servers had been used in the attack. For a small amount of money, a person can rent a huge amount of processing power, and that includes using it for brute force attacks on passwords - last year, SHA-1 password hashes were shown to be brute-forced within 40 seconds. I suppose it is to be expected that if you allow people to hire Superman as a cheap labourer, someone will get him to rob a bank.

I've seen people seriously suggest that bcrypt is used to hash passwords simply because the algorithm is slow to execute, in order to slow down attackers.

You can try and put in all the stops you can think of - for example, if they get 20 passwords wrong in quick succession, lock the account. That sort of thing. But if the attackers have already got in and can attempt to crack your password hashes at their leisure, slowing them down is all you can do.
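To make the two points above concrete (a deliberately slow, salted hash versus a single fast unsalted one, and the "20 wrong in quick succession, lock the account" rule), here is an added example that is not from the original post. It uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for bcrypt, since the idea is the same: a tunable work factor per guess. The function and class names, the 60-second window and the 15-minute lock are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import time
from collections import deque

# Constructed for this example; not from the post.
PBKDF2_ROUNDS = 200_000   # work factor: raise it as hardware gets faster


def hash_fast_unsalted(password: str) -> str:
    """The weak scheme: one raw SHA-1 per guess and no salt, so rented hardware
    can test enormous numbers of guesses per second against a stolen table."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_slow_salted(password: str, rounds: int = PBKDF2_ROUNDS) -> str:
    """Salted, deliberately slow hash. Output format: 'pbkdf2$rounds$salt$digest'."""
    salt = os.urandom(16)   # per-user salt defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return "pbkdf2$%d$%s$%s" % (rounds, salt.hex(), digest.hex())


def verify_slow_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and round count; constant-time compare."""
    scheme, rounds, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)


def guesses_per_second(hash_fn, seconds: float = 0.2) -> float:
    """Rough measure of how many guesses one CPU core can test per second."""
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        hash_fn("guess%d" % n)
        n += 1
    return n / (time.perf_counter() - start)


class LoginThrottle:
    """Lock an account after max_failures failed attempts inside a sliding window."""

    def __init__(self, max_failures: int = 20, window: float = 60.0, lock_for: float = 900.0):
        self.max_failures = max_failures
        self.window = window
        self.lock_for = lock_for
        self.failures = {}      # account -> deque of failure timestamps
        self.locked_until = {}  # account -> time the lock expires

    def is_locked(self, account: str, now: float) -> bool:
        return self.locked_until.get(account, 0.0) > now

    def record_failure(self, account: str, now: float) -> None:
        q = self.failures.setdefault(account, deque())
        q.append(now)
        while q and now - q[0] > self.window:   # forget failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self.locked_until[account] = now + self.lock_for
            q.clear()

    def record_success(self, account: str) -> None:
        self.failures.pop(account, None)


def attempt_login(throttle: LoginThrottle, account: str, password: str,
                  stored: str, now: float) -> str:
    """Returns 'locked', 'ok' or 'denied'. `now` is passed in so it can be tested."""
    if throttle.is_locked(account, now):
        return "locked"
    if verify_slow_salted(password, stored):
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account, now)
    return "denied"


if __name__ == "__main__":
    fast = guesses_per_second(hash_fast_unsalted)
    slow = guesses_per_second(lambda p: hash_slow_salted(p, rounds=20_000))
    print("SHA-1: %.0f guesses/s, PBKDF2(20k): %.1f guesses/s, ratio %.0fx"
          % (fast, slow, fast / max(slow, 1e-9)))
```

The lockout only helps against online guessing through the login form; once the hash table itself has been stolen, the work factor is the only thing standing between the attacker and the passwords, which is exactly the point being made above.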

I still think when you're buying digital property, you shouldn't need to give out all this information. Why should you need to hand over your address etc, and why do these companies think they should be keeping this information?

All they need is temporary use of payment - perhaps an external payment provider - and perhaps some login credentials to their system. If card details need to be stored, tokenization will help (but note what I said earlier).
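As an added illustration of the tokenization idea (not code from the post, and not any real payment provider's API), the example below keeps the full card number only inside an external provider's vault; the shop's own customer records hold an opaque random token and the last four digits. A dump of the shop's database therefore contains nothing a thief can charge elsewhere. The class names, the `tok_` prefix and the card number are all constructed for the example.

```python
import secrets


class PaymentProvider:
    """Stands in for the external payment provider. It alone holds card numbers."""

    def __init__(self):
        self._vault = {}   # token -> full card number (lives off the merchant's site)

    def tokenize(self, card_number: str) -> str:
        # Random token, not derived from the card: there is nothing to reverse or decrypt.
        token = "tok_" + secrets.token_hex(12)
        self._vault[token] = card_number
        return token

    def charge(self, token: str, amount_pence: int) -> dict:
        card = self._vault.get(token)
        if card is None:
            raise ValueError("unknown token")
        # A real provider would authorise with the card network here.
        return {"status": "approved", "amount_pence": amount_pence, "last4": card[-4:]}


class Merchant:
    """The game store: stores only what it needs to charge and to show the user."""

    def __init__(self, provider: PaymentProvider):
        self.provider = provider
        self.customers = {}   # user -> {"token": ..., "last4": ...}

    def save_payment_method(self, user: str, card_number: str) -> str:
        token = self.provider.tokenize(card_number)   # card number seen once, never stored
        self.customers[user] = {"token": token, "last4": card_number[-4:]}
        return token

    def buy(self, user: str, amount_pence: int) -> dict:
        return self.provider.charge(self.customers[user]["token"], amount_pence)


def dump_merchant_database(merchant: Merchant) -> list:
    """What an attacker who copied the merchant's customer table would get."""
    return [dict(record) for record in merchant.customers.values()]


def contains_full_card_number(records: list, card_number: str) -> bool:
    return any(card_number in str(value) for record in records for value in record.values())


if __name__ == "__main__":
    shop = Merchant(PaymentProvider())
    test_card = "4111111111111111"   # constructed test-style number
    shop.save_payment_method("bob", test_card)
    print(shop.buy("bob", 999))
    print("leaked card number?", contains_full_card_number(dump_merchant_database(shop), test_card))
```

Two things worth noting: the token is random rather than an encryption of the card number, so the "attackers working at their leisure" caveat above does not apply to the merchant's dump; and the tokens are still only useful for charging through this provider on this merchant's account, which is why the provider, not the shop, is the one that has to meet the card-industry rules.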

Earlier this week, the 3DS eshop came online and I added some funds onto the wallet for my 3DS to buy Legend Of Zelda : Link's Awakening DX (which is as brilliant as it always was!), and all it asked for were card details. They put through the transaction and Nintendo don't retain the card number, because they have no need to.

So a few weeks ago when the hackers broke in to Nintendo's systems, there was nothing there for them to take. And they said there was "no harm" meant, but it sort of seems more like "no paydirt".

It's a bit like... if there's no way to fully secure things, or you don't want to put money into seriously beefing up security, don't store anything valuable. Same as - if you're going to park your car somewhere you know people are likely to break a window to steal stuff, you don't leave your sat nav, wallet, iPad, work tools, or other valuables on display.

I also read that three people in Spain have been arrested for allegedly hacking the Playstation network. I hope they have the right people, and if so, that justice is fully served!