Did Sony Hackers Expose Your Card Data?

Online gaming consoles and Internet-connected TVs might seem like mere entertainment systems, but in fact -- as the recent data breaches of the Sony PlayStation Network and Qriocity services have demonstrated -- these popular devices can expose consumers to financial crimes, including credit card fraud and identity theft.

Most people think, "it's a great toy, a wonderful toy," says Jay Foley, executive director of the Identity Theft Resource Center in San Diego. "But in fact, it's a computer, and if it's a computer, it can be hacked."

As many as 77 million registered accounts worldwide may have been compromised by what Sony Corp. described as "an illegal and unauthorized intrusion" into the PlayStation Network and Qriocity service between April 17-19, 2011. The PlayStation Network allows people to play electronic games with others online. Qriocity allows users to stream movies and music through certain Sony HDTVs, Internet TVs, Blu-Ray disc players, home theater systems and a network media player.

Sony Systems Hacked

According to a Sony website, an unauthorized person obtained names, the city, state and ZIP code portions of addresses, email addresses, birth dates, passwords, login information and online IDs. Individual purchase histories, the city, state and ZIP code portions of billing addresses, and password security answers also may have been taken. While there was "no evidence" that credit card numbers and expiration dates had been stolen, the company couldn't rule out that possibility.

Sony has advised its customers to do the following:

*Be aware of email, telephone or postal solicitations asking for personal information.

*Log on to the services, once they've been restored, and change all passwords.

*Change identical usernames and passwords used elsewhere.

*Review account statements and credit reports.

"Sony will not contact you in any way, including by email, asking for your credit card number, Social Security number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking," the company stated.

The credit card data were encrypted, according to Sony.

That should prove an adequate security measure, if the company utilized proper controls to manage the keys, according to Avivah Litan, a security analyst at Gartner Group, an information technology research and consulting company in Stamford, Conn. A "key" is a long sequence of computer bits used to mathematically disguise data in electronic form.

In any case, you do have some fraud protection through your card company and federal law.

Unauthorized Transactions

MasterCard, Visa, Discover and American Express have "zero-liability" policies that protect customers from fraudulent-use losses. Such policies have restrictions, so consumers should be familiar with what their company offers, take responsibility to safeguard their card and notify the company immediately if the card is lost or stolen or upon discovery of any unauthorized charges.

Federal law also offers some protection against losses from unauthorized transactions. Thanks to the Fair Credit Billing Act, consumers are liable for only $50 once they report that a credit card has been lost or stolen. That limit drops to zero if the loss or theft is reported before any fraudulent charges are made.

A debit card offers more limited fraud protection. Under the Electronic Fund Transfer Act, if you report a check or debit card missing before any bogus transactions are made, the issuer cannot hold you responsible for any unauthorized charges. However, if you don't report the loss within two business days of discovering the loss of the card, you could be liable for up to $500 in unauthorized charges, according to the Federal Trade Commission. If you don't report the loss within 60 days after the bank statement containing the fraudulent transactions is mailed to you, you face unlimited losses.

When fraud involves only the debit card number and not the loss of the card itself, "you are liable only for transfers that occur after 60 days following the mailing of your bank statement containing the unauthorized use and before you report the loss," the FTC's website states.

Many banks and credit unions also offer some protection from liability for debit card fraud, though again, prompt notification is crucial to avoid losses.

Online Security Tips

The Sony incident could be a wake-up call for people who've used devices with little thought of the risks. Essentially, any device that connects to the Internet and uses personal or financial data creates some exposure. That includes everything from handheld games that use a wireless, or Wi-Fi, network to smartphones, Foley says.

Consequently, consumers should take precautions when using these devices. Here are some suggestions:

*Beef up passwords. Create different single-use passwords for websites that require personal or financial data and change the passwords often, especially if a service has been compromised.

*Create unique answers to password questions. Answers to secret questions, like the name of your hometown newspaper, childhood best friend or first pet, are among the most sensitive data because these factoids can be used to reset your password and take control of the account. Whenever possible, vary or create customized questions and answers.

*Avoid using debit cards online. Always use a credit card online because credit cards offer much better protection from fraud and don't enable criminals to empty your bank account the way debit cards do.