PSN password resets dribble in
I received my first correspondence from Sony since the great compromise of last month in the form of a password reset notification e-mail. Should we follow our phishing instincts and click on the link or attempt to change the password on our own time?
I have no reason to doubt the authenticity of the e-mail. It made it through spam filters and greylisting and didn’t resemble phishing bait at all.
It’s a shame Sony has few other options than to send out a URL with a time-limited token in it. In the event of a data breach, it’s difficult for an organisation to toss up a Web page and ask people to enter their login name (for example, an e-mail addy) and old password to then set it to a new one.
With the login credentials already out there, it’s possible for the people with access to them to simply change an account password themselves.
The message went as follows:
"To reset your PlayStation(R)Network password, please click on the link below. This link will expire in 3 hours from the time that it was sent. The link will direct you to a PlayStation(R)Network web page and allow you to enter and confirm your new password."
Unfortunately for me, three hours had already passed by the time I read the e-mail. It landed in my inbox at 9pm on a Friday night. I won't make any comment about the timing of that, nor the fact that only a three-hour window was given for an e-mail correspondence.
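To make the mechanics of the e-mailed link concrete, here is an added example (my own illustration, not Sony's code) of how a server can issue and redeem a time-limited, single-use reset token. It keeps only a hash of the token server-side, so a leaked token store cannot be replayed, enforces the three-hour window quoted in the e-mail, and discards the token once it has been used or has expired. The account names and the clock values are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Three-hour validity window, matching the one quoted in the e-mail.
RESET_WINDOW_SECONDS = 3 * 60 * 60

# Outstanding reset tokens keyed by account. Only a SHA-256 digest of the
# random token is stored, so the store itself is useless to an attacker.
_pending = {}


def issue_reset_token(account: str, now: Optional[float] = None) -> str:
    """Create a fresh single-use token for `account` and record its digest.

    Issuing a new token replaces any earlier one for the same account, so
    a second reset e-mail automatically invalidates the first link.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, URL-safe
    _pending[account] = {
        "digest": hashlib.sha256(token.encode()).hexdigest(),
        "expires": now + RESET_WINDOW_SECONDS,
    }
    return token


def build_reset_link(account: str, token: str) -> str:
    """Compose the URL that would be e-mailed (hostname is a placeholder)."""
    return f"https://reset.example.invalid/reset?account={account}&token={token}"


def redeem_reset_token(account: str, token: str, now: Optional[float] = None) -> str:
    """Check a presented token and return one of:

    'ok'       - token valid; it is consumed and the caller may set a new password
    'expired'  - the window has passed; the record is dropped and a new token is needed
    'invalid'  - a token was outstanding but the presented value does not match
    'unknown'  - no token outstanding for this account (never issued, used, or expired)
    """
    now = time.time() if now is None else now
    record = _pending.get(account)
    if record is None:
        return "unknown"
    if now > record["expires"]:
        del _pending[account]
        return "expired"
    presented = hashlib.sha256(token.encode()).hexdigest()
    # Constant-time comparison so timing does not leak how many digest
    # characters matched.
    if not hmac.compare_digest(presented, record["digest"]):
        return "invalid"
    del _pending[account]  # single use: a replayed link must fail
    return "ok"


if __name__ == "__main__":
    # Constructed walk-through: issue at t=0, read it four hours later.
    token = issue_reset_token("alice@example.invalid", now=0.0)
    print(build_reset_link("alice@example.invalid", token))
    print(redeem_reset_token("alice@example.invalid", token, now=4 * 3600.0))  # expired
```

Note that a wrong token does not clear the outstanding record: otherwise anyone who guessed an account name could lock the legitimate user out of their own reset simply by submitting garbage.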
So what are the options? I could:
- Wait for another e-mail with another time-limited token.
- Follow the link anyway and see what happens.
- Go to the PlayStation web site and attempt to reset the password with the online app.
All things considered I favour the third option. As I've written about before on TalkingTech, even if companies do send e-mails requesting updates, their systems will almost certainly allow your details to be updated simply by logging into the portal. So not following a random e-mail is the best way to avoid falling for a phishing scam.
However, Sony's one-time token was in the link's URL, which might not leave any other option. We know such a request isn't completely random, but keep in mind scammers are well versed at taking advantage of crisis situations. So it's not completely unreasonable to think it might be a fake.
What else can Sony do to recover people's confidence?
I'd love to hear some suggestions. For one, I would have thought Sony could leverage the actual PlayStation consoles more to distribute secure information and dig itself out of this mess. One thing the hackers don't have access to is people's consoles. It could:
- Send a message to the consoles with a one-time token (like an SMS)
- Use a serial number or some other physical identifier on the console to reset account credentials
- Generate private keys on the consoles to replace the standard username-password system
Of course, the security of all of the above is dependent on how much information the attackers managed to siphon out of Sony.
Any suggestions welcome as to what to do when the next correspondence arrives.