Hackers Hope Stolen Sony Passwords Are A Payday
MARY LOUISE KELLY, host:
Now Sony has been under attack by hackers across the globe. Customer accounts have been hit from Greece to Japan to Canada. But stolen credit card data is just part of the problem. An even bigger issue may be the usernames and passwords that were hacked.
NPR's Zoe Chace explains why they're so valuable.
ZOE CHACE: People use the same password for many different accounts.
Mr. KEVIN POULSEN (Editor, WIRED): The Sony breach is far more significant for the passwords that were stolen than the credit card numbers that were potentially accessed.
CHACE: Kevin Poulsen is a hacker gone straight - I think. He's also an editor at Wired, and author of a new book on cybercrime, Kingpin. I consider him an expert on the market value of the stolen Sony data.
Mr. POULSEN: The hackers these days, they're not just about credit cards, they're very into online banking now and they've constructed elaborate networks to siphon money out of people's bank accounts.
CHACE: I thought it seemed awfully time consuming, to try the username and password combination on various banking sites to find one that clicked. I'm obviously not a hacker because here's how it works.
Mr. POULSEN: Well, the hackers, they don't have to go through one by one. They automate their attacks.
CHACE: They've written a computer program that plugs in the username-password combinations into lots of major banking log-in screens automatically. If they get into even 20 accounts, that's a pretty good score.
Why doesn't this activity crash the hacker's little bitty laptop? Because the program they've written runs from your laptop. Or, more likely, the desktop computer at your neighborhood pizza shop.
Mr. POULSEN: They have what are called botnets, networks of millions of compromised computers that they can channel their attacks through.
CHACE: Meaning, the botnet uses your computer as a proxy. So it looks as though thousands of different computers are logging into the bank. That's why the first Sony hack was a big deal. A hundred million accounts accessed. That kind of scale points to sophisticated organized crime. But here's a twist in the Sony case. 'Cause I am right now...
(Soundbite of typing)
CHACE: ...Pastebin.com. Looking at a bunch of Sony users' names and email addresses. The passwords are an encrypted jumble next to them. And they're free. This self-described Lebanese grey hat hacker posted them for all to see. What's the point of that?
Mr. CHESTER WISNIEWSKI (Senior Security Advisor, Sophos): Vigilante cyber justice.
CHACE: Chester Wisniewski is senior security advisor with Sophos, which sells security software. He and others who have watched these gleeful hacks unfold across the world say they're different. And the reason behind them probably isn't profits. It's this guy.
(Soundbite of music)
Mr. GEORGE HOTZ: Yo, it's Geohot. And for those that don't know, I'm getting sued by Sony.
CHACE: That's George Hotz. He's famous for jail-breaking the iPhone years ago, and in January, he cracked the Sony PlayStation 3. He showed people how to run their own software packages on the Sony system. He tweeted the instructions, and Sony sued him. Wisniewski thinks the hacks are revenge - that have, in a way, done Sony a service.
Mr. WISNIEWSKI: The thoroughness with which the attackers had been finding every single thing that Sony has on Earth seemingly, and trying to compromise it, the low-hanging fruit I think has been picked.
CHACE: Now Sony knows what vulnerabilities they have. And the company says it is making consumer data protection a full-time company-wide commitment. Still, might be time to change your password.
Zoe Chace, NPR News. Transcript provided by NPR, Copyright NPR.