How many times have you had your signature checked by someone at the store? If you visited my store back when I was working at Dick Smith I can guarantee that I’d check it every single time, regardless of how big or small your purchase was. However, as a customer, I can count the number of times that someone has checked my signature on my right hand. This is probably a good thing for me as the years of keyboard warrior-ing has turned my hand writing into something that’s barely indistinguishable from random chicken scratchings, but that doesn’t make me any more comfortable in the supposed security system that is my signature.
Not that I’ve had to use it much in recent times as nearly everywhere now supports the use of a PIN with credit card transactions. Still there are a few places where I’ll have to sign, especially if I’m using my AMEX, and with only a few exceptions do they ever actually check to see if my signature matches the one on the back of the card. It’s even better when places have the NFC readers as they cut the already short amount of time required to complete the transaction down to almost nothing. This hasn’t yet made its way onto all cards or places of purchase however which is a shame as it would also mean that the second I get a NFC enabled phone I could theoretically do away with my cards completely.
I had figured that the signature was going to stick around for a fair while longer though since it’s still the defacto standard for authorizing or approving something. However I saw today that the big names in the credit card industry, namely Visa and MasterCard, have had their eye on phasing out the inherently insecure authorization method for some time now with it originally scheduled to be gone within the next couple months. That’s been pushed back until the chipped cards make up a greater percentage of the total cards in Australia but it does signal that the writing is on the wall for putting pen to paper when it comes to making your purchases.
It’s a good move for both sides of the credit card equation as anything that reduces the barrier to purchasing something, however small, will result in an increased usage of said payment services. Even though I may only save a handful of seconds using contactless payment I still find it a whole bunch more enjoyable than having to swipe, pin and/or sign (yeah sometimes I’ve put my PIN in only have it require a signature as well) in order to complete a transaction. Additionally the use of PINs and contactless payment devices is far more secure than a signature which is rarely checked for authenticity.
Now all we need in Australia is something like Google Wallet so I can do away with my wallet almost completely. Now that’d be something!
I’m not really sure I could call myself a fan boy of any technology or company any more. Sure there are there are some companies who’s products I really look forward to but if they do something completely out of line I won’t jump to their defense, instead choosing to openly criticize them in the hopes that they will get better. Still I like to make known which companies I may look upon with a rose tint just so that anyone reading these posts knows what they’re getting themselves into. One of these such companies is Sony who I’ve been a long time fan of but have still criticized them them when I’ve felt they’ve done me wrong.
Today I’ll be doing that once again.
As you’re probably already aware recently the Playstation Network (PSN), the online network that allows PS3 owners to play with each other and buy digital content, was compromised by an external entity. The attackers appear to have downloaded all account and credit card information stored on Sony’s servers prompting them to shut down the service for an unknown amount of time. The breach is of such a large scale that it has received extensive coverage in both online and traditional news outlets, raising questions about how such a breach could occur and what safeguards Sony actually has to prevent such an event occurring.
Initially there was little information as to what this breach actually entailed. Sony had chosen to shutdown the PSN to prevent any further breaches and left customers in the dark as to the reason for this happening. It took them a week to notify the general public that there had been a breach and another 4 days to contact customers directly. Details were still scant on the issue until Sony sent an open letter to Congress detailing their current level of knowledge on the breach. Part of the letter hinted that the hacktivist group Anonymous may have played a part in the breach as well but did not blame them directly for the breach. More details have made themselves public since then.
It has also recently come to light that the servers that Sony was using for the PSN were running out-dated versions of the popular Apache web server and lacked even the most rudimentary security provisions that you’d expect an online service to have. This information was also public knowledge several months before the breach occurred with posts on Sony’s forums detailing the PSN servers status. As a long time system administrator I find it extremely ludicrous that the servers were able to operate in such a fashion and I’m pretty sure I know where to lay the blame.
Whilst Anonymous aren’t behind this attack they may have unwittingly provided cover for part of the operation. Their planned DDoS on the PSN servers did go ahead and would’ve provided a timely distraction for any would be attacker looking to exploit the network. Realistically they wouldn’t have been able to get much of the data out at this point (or so I assume, Sony’s servers could have shrugged off the DDoS) but it would have given them ample opportunity to set up the system for the data dump in the second breach that occurred a few days later.
No the blame here lays squarely with those in charge, namely the PSN architects and executives. The reason I say this is simple, an engineer worth his salt wouldn’t allow servers to run unpatched without strict security procedures in place. To build something on the scale of the PSN requires at least a modicum of expertise so I can’t believe that they would build a system like that unless they were instructed to do so. I believe this stems from Sony’s belief that the PS3 was unhackable and as such could be trusted as a secure endpoint. Security 101 teaches you though that any client can’t be trusted with the data that it sends you however and this explains why Sony became so paranoid when even the most modest of hacks showed the potential for the PS3 to be exploited. In the end it was Sony’s superiority complex that did them in, pretending like their castle was impregnable.
The fallout from this incident will be long and wide reaching and Sony has a helluva lot of work to do if they’re going to fully recover from this damage. Whilst they’re doing the right thing in offering some restitution to everyone who was affected it will still take them a long time to rebuild all the good will that they’ve burned on this incident. Hopefully though this teaches them some valuable lessons on security and they’ll stop thinking they’re atop the impregnable ivory tower. In the end it will be worth it for Sony, if they choose to learn from their mistakes.