Sony’s Weakest Link Hijack 8

Sony announced today that a large number of accounts were hijacked using an attack based on the fact that people reuse passwords across websites. These “weakest link hijackings” are an evolution of the phishing attacks that have become so well known over the last few years.

These attacks are referred to as “weakest link hijackings” because the hackers attack websites with the weakest security, and then collect user passwords. Since it is common for users to reuse passwords across websites, hackers can then try those collected passwords against other websites like Sony as well as social network accounts, email accounts, work accounts, etc. When hackers take over the user’s social network or email account, they frequently change the user’s password on the account to lock the real user out, then use it to try to trick the user’s friends into sending money. One scam claims the person was stuck while travelling and needs money wired to them. Imagine losing access to all your contacts, email, photos, etc. and then having your friends lose thousands of dollars.

Unfortunately it is extremely difficult for websites to protect themselves against the weaker security of these other websites. Only some of the largest websites with the most sophisticated security tools can detect these types of attacks and try to automatically reduce their impact on their own accounts as Sony has done. Some of those websites offer users the option to add an additional layer of security to their account, for example by sending a code to their phone number each time they want to login. However if every website took that approach, users would revolt because of the pain it would create for them.

It’s time for website owners to wake up and realize they are probably the “weakest link.” Most websites need to stop trying to run their own login system and instead rely on third-party tools and websites that provide users with highly secure login systems. This type of login approach has become popular with websites that want to integrate with social networks, but it can also be used by any website by simply letting users choose an identity provider that runs a secure login system. It also has the advantage of making it easier for users to register for a new website on a mobile device and we all know what a hassle that can be.

Consortiums of companies such as the OpenID Foundation are working together to solve the problem of passwords and weak login systems, and are making great strides on security, usability, and privacy. With so much of our digital identities and information at stake, it’s critical that we create a better, more secure system before we see more victims of the “weakest link”.

Leave a comment

Your email address will not be published. Required fields are marked *

8 thoughts on “Sony’s Weakest Link Hijack

  • Nalika

    Its sure some subscribers have simple passwords that rhymes. Therefore, if with bad intentions they may sneak in to someone’s account and change his or her password then use the same account to convince members linked to the same account to raise funds illegally minus the concent of the owner. The owner will just find his or her account blocked instantly and then lose links with important networks.

  • Michael Heraghty (@UserJourneys)

    The ‘weakest link’ problem is not only a security issue, it is also a usability problem.

    Users hate being asked to fill out forms — they are, if anything, a ‘necessary evil’. On the website of well-known bookstore in Ireland, as soon as the user tries to proceed (with books just added to the cart) to the checkout, they are asked to register.

    Users get really annoyed by being asked to create a username and password at this point. From the retailer’s perspective — forcing registration at this juncture means mass cart abandonment and loss of sales.

    So it makes sense not to require registration. After all, how many different usernames and passwords can we be expected to remember?

  • Shaun

    What really gets me about all of this is that the normal conceptions about hackers are that they game to an extent. If this is true, then why would they feel it necessary to bring the one of the worlds largest gaming systems. Unless they are of course all xbox fanboys. Oh well, at least it’s all over now.