Just kidding – it’s only Part 2.  (Please see first article, just below this one for reference).

Sony has said that this information has been compromised:  User name; address; country; e-mail address; birthdate; PlayStation Network/Qriocity password and login; and handle/PSN online ID.

Wow – that’s quite a bit.  But it gets worse, and I always hate the “maybe(s), might have been(s)…” etc. – there may have been breach of user billing address, purchase history, and various password security answers.  Ouch.

I had to laugh at some counsel from the Washington Post Business with Bloomberg section (which I saw online – I no longer reside in DC, but have many fond memories…):

This is certainly a big data breach and spells a lot of trouble for Sony’s image, but there’s no need for consumers to panic.  Just deal with it the same you deal with any data breach…

Yah.  No big deal…  handle it like that last breach you suffered through – and, hopefully the next one won’t be any bigger a deal than this one either.

Now, I don’t advocate panicking – I’m all about serious, straight-ahead tackling of problems – establishing empirical measures and solutions, for meritorious outcomes and protections.

But frankly, a rather casual attitude seems to exist here – paired with some good advice, make no mistake – I like it the advice.  But, in the realm of risk, unmanaged possibilities become probabilities. 

And here, Sony had tipped into the realm of probability:  Given the outcome, there can be no argument.  Let’s understand this fully for anyone and their position in today’s Weave: 

1.      Sony was in the realm of risk – we’re all there, particularly if we have any kind of online presence and business.  Risk – assumed and beyond:  Acknowledged.

2.      Sony entered a zone of unmanaged possibilities; again, given the outcome, there can be no argument.  The possibilities were engendered by someone who was not surveying the environment adequately, nor putting in place the prudent, forward, security posture and measures necessary.  (Note:  This is not fault-finding; the “someone” or “someones” may not have been able to survey adequately; may have been inhibited by budget; lack of training; or maybe the appropriate “someone,” department, security posture, etc., was simply missing in action at Sony).

3.      As usual, the unmanaged possibility manifested as a probability – and – the probable happened, as it always must – simple odds favor the probable, to the point that an unmanaged probable will always manifest.

Odds favor the probable, and left unattended, the probable will always manifest.

Thus, in the realm of risk, unmanaged possibilities become probabilities.

Survey your domains.

NP:  Yardbird Suite, Charlie Parker, www.Jazz24.org – followed by Keep on Gwine, Stanton Moore…  all I can say is… wow – each over 13 minutes of fine, fine, fine jazz…

Something interesting happened to me the other day.  There was an unauthorized debit made to my checking account in the amount of $150 and some change by an entity that was unknown to me.  I was reasonably certain that I hadn’t conducted any business with any such business.

These days, as most here probably know, breaches involving bank accounts usually involve modest amounts; the “breachers” hope that this allows an unauthorized withdrawal to fly under the radar, and they’d rather hit several accounts for these modest amounts than to hit one account for a massive withdrawal – sure to garner unwanted attention and, hopefully (for us), thwart.

When I called my bank of 30+ years to report an unauthorized transaction, the initial contact was with a representative who was concerned with telling me what he (and the bank) could not do for me – their customer.  He explained that he could “delete” the transaction, but that the offending party could simply resubmit.  He suggested that I call the entity and discuss the transaction with them.  I patiently explained that they might not be the originating party – that it could be someone spinning the unauthorized transaction through them.  His counsel was to contact them none-the-less.  Having already Googled them, I called…

That entity, a web services company, was sympathetic – and of course, in order to validate whether I was a customer or not, they wanted… my name and address; the last six digits of the debit card; the three security digits on the back – as well as other things.  All of this to “look me up” in determining if I was even a customer of theirs – before getting to the question of the transaction.

My question to them was – how do I know you are who you say you are?  And, how do I know you’re a legitimate company, and not simply gleaning personal details and financial authentication information from people?  Fortunately, they were ultimately able to determine that I was not a customer with my name, primarily, and that they had not issued the charge to my account.

I called my bank back, and I’d like to credit the second representative with some intelligence.  He deleted the transaction and, in his words, “blew the bridge” to the card by cancelling the card and reissuing a new one.  Thank you.  I wish I had thought of it.  But that first rep had me thinking that the transaction had to be honored by the bank.  Hmmm… after all, what good is my word?  I’m just a customer in good standing for more than 30 years.

But – my question to you, dear reader, is… when you call your bank, or any business such as the one I had to contact, or any agency that wants things such as address, last four of SSN, mother’s maiden name, birth date – and essentially wants exposure of all sorts of security data and answers to security questions:  How do you know to whom you are speaking?  What is your security question to them?- with attendant, and correct, security answer(s) as provided to you for your comfort and identification of them? 

Phone numbers can be hijacked – what if, when you call your bank’s number, you instead reach a nefarious party out to harm you?  Consider:  What if your bank’s web page is taken over, or substituted, and you dial a number posted there that goes to a hacking agency out to grab your details, and your money?

As breaches and thefts become ever more clever, watch for breaches to be mere springboards:  A theft that causes an individual to launch a call, which in-turn may be hijacked into some spurious realm for further gleaning of confidential information. 

Security needs to be a two-way street.  Presently, in these circumstances, it is one-way and therefore only mounted half-way.  True security demands a face-to-face meeting in a physical location, to establish security questions that the bank, for example, must answer correctly to YOUR satisfaction when dealing with a disembodied voice on the phone. 

Of course, even that authenticating standard can be breached, but every layer helps.

August 21^st:  On this date in 1841, John Hampson patents the venetian blind.