Slashdot Mirror


Steam Hacked, Credit Card Numbers Taken

An anonymous reader writes "DailyTech reports that Valve's Steam content distribution system has been compromised. According to the article a hacker claims to have 'bypassed Valve's security system and accessed a significant chunk of data, including: screenshots of internal Valve web pages, a portion of Valve's Cafe directory, error logs, credit card information of customers, and financial information on Valve.'"

141 comments

  1. Online game services by stratjakt · · Score: 3, Funny

    WTG.. Next stop, gametap.

    --
    I don't need no instructions to know how to rock!!!!
    1. Re:Online game services by Jarjarthejedi · · Score: 1

      Times like these make me glad that I rarely pay using a credit card for online things. I bought CS:S from a physical store using physical money and so I'm not at risk at all. Sometimes convenience is less important than security...

      --
      There are two kinds of fool One says 'This is old therefore good' Another says 'This is new therefore better'- Dean Ing
    2. Re:Online game services by Anonymous Coward · · Score: 2, Funny

      I don't know about you guys, but sounds to me like this Hacker found himself a Garbage file - Valve wouldn't have said anything but one of the main Valve admins was planning on sinking 12 virtual oiltankers in the Half-Life fleet using a virus they happened to be storing in that Garbage file - so now they need to catch the kid to find the source, and then silence the Hackers by framing them for the virus!

      Jeez, this is like what, a 13 year old dupe? GG editors!

    3. Re:Online game services by stanmann · · Score: 3, Funny

      Dude, the Gibson hacked you.

      --
      Food not Bombs is a nice platitude but it breaks down when you notice that the Bombees are usually well fed
    4. Re:Online game services by mctk · · Score: 1

      Meh. They probably had security cameras watching you. I had an illegitimate which I put up for adoption, which I adopted myself under a false name, whom I raised to adolescence which is when I hired him to steal a copy of CS:S from his friend Mikey who also bought CS:S from a store using cash.

      --
      Paul Grosfield - the quicker picker upper.
    5. Re:Online game services by Dachannien · · Score: 3, Insightful

      Three cheers for virtual credit card numbers.

    6. Re:Online game services by CelticWhisper · · Score: 3, Funny

      Now THAT's dedication. Did you manually crack the CD-Key algorithm in the garage behind your house a la "A Beautiful Mind?"

      --
      Help protect civil rights from abuse by the TSA - visit TSA News Blog.
      http://www.tsanewsblog.com
  2. Figures by HolyCrapSCOsux · · Score: 5, Funny

    This is why I like my valves to be ball, gate, or ECC83 and EL34

    --
    0xB315AA8D852DCD3F3DCA578FD2E0BF88
    1. Re:Figures by Anonymous Coward · · Score: 1, Funny

      Being American, I prefer the good ol' 6L6-GC. And, like the interwebs, they are called "Tubes" not valves.

    2. Re:Figures by Random+Destruction · · Score: 1

      They're also called valves. They're electricity valves. It's a pretty common term.

      --
      :x
  3. Another, eh? by EveryNickIsTaken · · Score: 4, Insightful

    At what point are sites that take credit cards going to release they need to keep the CC/customer database offline?

    1. Re:Another, eh? by EveryNickIsTaken · · Score: 4, Funny

      Realize, even. Grammar police, set phasers to stun.

    2. Re:Another, eh? by ichigo+2.0 · · Score: 2, Insightful

      I'm wondering when they will realize (zap) that they shouldn't be storing CC data at all.

    3. Re:Another, eh? by I'll+Provide+The+War · · Score: 2, Insightful

      Isn't this the same company that got their game code stolen because they placed it on a machine connected to the Internet?

    4. Re:Another, eh? by Anonymous Coward · · Score: 4, Insightful

      I wonder at what point the Credit Card industry will switch to one-time use authorization codes, instead of giving retailers your account number? There's no good reason any online retailer *ever* needs my credit card number. It would be possible, if VISA/MasterCard/Discover actually gave a crap about this, to have the retailer redirect the user to the credit card processor's website along with some kind of identifier code to identify the retailer (and, behind the scenes, the CC processor would send back a transaction identifier - probably a guid of some sort, which the retailer could store in their records for later reference), and the requested dollar amount of the transaction. Once on the Credit Card processor's site, the user could either enter their CC account info, or maybe use some sort of login or smart-card authentication, to authorize the transaction.

      The CC processor could then send back to the retailer the transaction id along with either an authorized or unauthorized code indicator (maybe even a code to indicate why authorization failed - insufficient funds, user declined, stolen card, etc).

      This could even extend to subscription purchases. Currently, one of the reasons retailers might store CC info is for recurring subscription charges. When requesting the transaction, the retailer could indicate they would like to do a recurring charge, and in that case, the transaction id they receive could be repeatedly billed (but *only* by them, not by other merchants) until the user canceled that subscription. Currently, every retailer individually manages subscriptions, so if you want to cancel a subscription with, say, an online game (or magazine or anything else), you have to go to their website (or use some interface built into the game's client) to cancel the subscription. Wouldn't it be great to just log into your credit card's website and go cancel a subscription from a list of your current subscriptions? The next time the game, magazine, whatever goes to bill you, they simply receive back an authorization failed code indicating that the user cancelled the subscription, and they cancel the account in their system automatically.

      Well, I can hope anyhow. Currently, the CC industry seems to be simply content with the status quo, even if it is pretty stupid. I see no reason why anyone I do business with needs a re-usable account number.

      There is, of course, with this proposal still the possibility of someone setting up a phishing attack. Go to their site, get "re-directed to the CC processor's site", which really isn't, and then you end up putting your info in the phisher's database. That could probably be defeated by something similar in concept to Bank of America's SiteKey system, where the site proves to you that *it* is real by showing you something secret, that a phishing site would never know what to show you.
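
The redirect-and-token scheme proposed in the comment above, as an added example that is not part of the original thread and is not any card network's real API. The `Processor` class, the reply codes, the merchant names and the HMAC-signed reply are assumptions made for illustration; the card number is a constructed test value.

```python
import hashlib
import hmac
import secrets
import uuid


class Processor:
    """Toy card processor (hypothetical). Card numbers exist only in here."""

    def __init__(self):
        self._keys = {}     # merchant_id -> HMAC key shared with that merchant
        self._records = {}  # transaction id -> authorization record

    def register_merchant(self, merchant_id):
        self._keys[merchant_id] = secrets.token_bytes(32)
        return self._keys[merchant_id]

    def _reply(self, merchant_id, txn_id, code):
        # Signed reply (an assumption of this sketch) so the merchant can
        # check that the result really came from the processor.
        msg = f"{merchant_id}|{txn_id}|{code}".encode()
        sig = hmac.new(self._keys[merchant_id], msg, hashlib.sha256).hexdigest()
        return {"merchant_id": merchant_id, "txn_id": txn_id, "code": code, "sig": sig}

    def authorize(self, merchant_id, amount_cents, recurring, card_number):
        """Cardholder step on the processor's site: the card is entered here only."""
        txn_id = str(uuid.uuid4())
        self._records[txn_id] = {
            "merchant_id": merchant_id, "limit": amount_cents, "recurring": recurring,
            "card_number": card_number, "used": False, "cancelled": False,
        }
        return self._reply(merchant_id, txn_id, "AUTHORIZED")

    def charge(self, merchant_id, txn_id, amount_cents):
        """Merchant bills a transaction id; the id is useless to anyone else."""
        rec = self._records.get(txn_id)
        if rec is None:
            code = "UNKNOWN_TXN"
        elif rec["merchant_id"] != merchant_id:
            code = "WRONG_MERCHANT"
        elif rec["cancelled"]:
            code = "USER_CANCELLED"
        elif amount_cents > rec["limit"]:
            code = "AMOUNT_EXCEEDED"
        elif rec["used"] and not rec["recurring"]:
            code = "ALREADY_USED"
        else:
            rec["used"] = True
            code = "AUTHORIZED"
        return self._reply(merchant_id, txn_id, code)

    def cancel(self, txn_id):
        """Cardholder cancels a subscription from the processor's site."""
        self._records[txn_id]["cancelled"] = True


def verify_reply(key, reply):
    """Merchant side: recompute the HMAC and compare in constant time."""
    msg = f"{reply['merchant_id']}|{reply['txn_id']}|{reply['code']}".encode()
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, reply["sig"])


def demo():
    proc = Processor()
    game_key = proc.register_merchant("game-shop")
    proc.register_merchant("other-shop")
    card = "4111111111111111"  # constructed test number

    once = proc.authorize("game-shop", 1999, False, card)   # single purchase
    sub = proc.authorize("game-shop", 999, True, card)      # subscription
    first = proc.charge("game-shop", once["txn_id"], 1999)
    replay = proc.charge("game-shop", once["txn_id"], 1999)
    stolen = proc.charge("other-shop", sub["txn_id"], 999)  # leaked id, other merchant
    month1 = proc.charge("game-shop", sub["txn_id"], 999)
    month2 = proc.charge("game-shop", sub["txn_id"], 999)
    over = proc.charge("game-shop", sub["txn_id"], 5000)
    proc.cancel(sub["txn_id"])
    month3 = proc.charge("game-shop", sub["txn_id"], 999)
    return {
        "merchant_saw_card": "card_number" in once or card in once.values(),
        "sig_ok": verify_reply(game_key, once),
        "forged_ok": verify_reply(game_key, dict(replay, code="AUTHORIZED")),
        "codes": [r["code"] for r in (first, replay, stolen, month1, month2, over, month3)],
    }


if __name__ == "__main__":
    print(demo())
```

A merchant database stolen under this model holds only transaction ids, which are bound to that merchant and, for subscriptions, can be revoked by the cardholder.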

    5. Re:Another, eh? by Anonymous Coward · · Score: 0

      > At what point are sites that take credit cards going to release they need to keep the CC/customer database offline?


      You do realise that they surely did?

      Sure, it is good policy to keep the db on the LAN only, but if you put the database on a machine that is not connected to any other machine at all, then all transactions would have to be done manually via sneakernet - which is not going to happen, your online business would flop instantly.

      There are other much more effective and practical ways to fully secure a database server on the LAN that is accessed by a web server that serves the public internet.

      You are familiar with the use of multiple network interface cards on a single machine each connected to a different physical network or different subnets on the same network, right?

      Sheesh, an "offline" database - what's the good of that? I already have one of those, it's called a filing cabinet, complete with the latest administrative assistant dictaphone interface.
    6. Re:Another, eh? by Sigma+7 · · Score: 3, Interesting

      > I wonder at what point the Credit Card industry will switch to one-time use authorization codes, instead of giving retailers your account number?

      Placing an order online is a 3-step process. Select the items you want, enter your billing information, and place the order - and one of these can be skipped by "remembering" the billing information.

      The proposed system will make it a 4-step process: Select the items, obtain your billing information, enter your billing information, and place the order - and none of these can really be skipped. It's a matter of personal taste on what you prefer, but most people go for convenience rather than security.

      The implementation could easily handle this by having credit card numbers "linked" to a primary account, as there's at least 10 trillion possible combinations for credit cards from a single institution. No information on if it will work in practise, but given that most people aren't good with numbers, it would probably boost CS calls. ...
    7. Re:Another, eh? by Anonymous Coward · · Score: 5, Funny

      You morons! HE WAS CORRECTING HIMSELF!

      Go get some sleep and/or stimulant of your choice.

    8. Re:Another, eh? by slyborg · · Score: 1

      AC, stand and be recognized. +1 Funny if I had it for ya.

    9. Re:Another, eh? by vux984 · · Score: 1

      3 step? 4 step? No thank you. I want one-click! Why doesn't someone figure that out and patent it, he could make millions!

    10. Re:Another, eh? by MtlDty · · Score: 1

      This process exists already. It's called Verified By Visa, or MasterCard SecureCode. In both cases the merchant site redirects you to the acquiring bank, gets you to enter a secure password, and returns a unique 'Cardholder Authentication Verification Value'.

      Obviously this is currently an optional process, requiring you to sign up to the VBV or SecureCode service - but it's becoming more mandatory.

      No similar process exists for recurring transactions (or continuous authority as it's sometimes known). This is obviously harder as you can't authenticate the cardholder each month. Your idea of returning a unique code that can only be used by the merchant that originated the transaction would be a good idea though.

    11. Re:Another, eh? by TheCRAIGGERS · · Score: 1

      You missed the point. This whole process was a way to keep the actual credit card numbers out of the hands of the seller, not an added level of security.

    12. Re:Another, eh? by !coward · · Score: 2, Informative

      While you're not entirely wrong, I think you've also misunderstood what he was trying to explain.

      I've used Verified by VISA a number of times now (and have dealt with a number of on-line merchants which will only accept payment through it) and it's really quite simple. First of all, you need to tell your bank (I did it through its on-line banking interface) that you want to enable VBV on a given card.

      Now, the way it's implemented in my country (don't know if it differs in other countries) is: you then stipulate a password for the VBV system for that card, and an overall daily "allowance" for VBV operations on that card (ie, the total daily amount you're willing to allow your card to be charged through VBV).

      Then, for each transaction, you generate a virtual card on-the-fly (stipulating a specific limit for that card) which is good for one, and only one, transaction (after which it becomes unusable) and expires within a month (in case the merchant takes too long to charge you for the transaction). In my case, there's even a toolbar/FF extension-like program you can download, enabling you to generate the virtual card with just a few clicks without having to open a new tab/window/whatever. Which means the vendor/seller never gets his hands on your CC number/account. And he can only charge you for the amount you enabled the VCC to pay for, and not a penny more.

      Now, like the GP said, it won't do for monthly/cyclical payments (as you can only use each card once), but for purchases on an unknown vendor/site, it's pretty handy.

      Plus, the whole system is completely transparent and lightning-fast. You can create a VBV account (which you can manage through your bank's on-line banking system), delete it, change access password, change daily allowance, create and cancel virtual cards (on the VBV site), all within seconds of each operation. And all of this without paying a single fee.. You only pay what you charge to your card, no added cost.

      Which means, at least to me, that it's more than just an added level of security.. First of all, it's a new card for each transaction.. And, because those cards expire within a month of their creation, the system can re-utilize them on a cyclical base (after all, the cardholder's name won't be the same, as well as the 3-digit security code). A card that you can cancel at any time (if it hasn't been charged yet, that is). All through a (secure) system that requires you to use a password (that you choose) and a username that your bank generates (not just the "cardholder's name/CC number/CVV2 security code" combo), all while still enjoying that same "chargeback if you've been ripped off" protection you get with traditional CCs.

    13. Re:Another, eh? by TheCRAIGGERS · · Score: 1

      Your VBV must be different than mine. All mine does is ask for another password, just as an added security feature in case somebody gets your card info and tries using it on a site that supports it.

    14. Re:Another, eh? by !coward · · Score: 1

      Yeah, I guess..

      The banks over here had devised an on-line ATM system for on-line payments which didn't require CCs. You could use it with your CC, if you wanted to, but it was mainly for debit cards.. They had it in place long before VBV which is probably why they just used the already existing framework/infrastructure, made it compliant with VBV, and presto!

      But I'm still surprised it's not a more widely-used system since a) it works pretty well, b) doesn't seem all that hard to implement and c) adds a significant layer of security for both bank and client at negligible cost (I mean, if they could do it over here, your banking institutions can certainly afford it).

    15. Re:Another, eh? by !coward · · Score: 1

      Oh, and I should probably point out (in case I didn't make that clear) that you can use those VCCs anywhere you want, not just with VBV-enabled vendors/sellers. As far as the "normal" seller is concerned, the VCC (with your cardholder name, its own number and generated CVV2 code) is as real as your actual physical card.

    16. Re:Another, eh? by Anonymous Coward · · Score: 0

      Thanks for the heads-up, I was gonna call him a fucking moron and act like he just insulted my mother.

    17. Re:Another, eh? by Anonymous Coward · · Score: 0

      The fact that he was correcting himself doesn't make him NOT a grammar nazi. In fact there was no grammar or spelling error; he just chose the wrong word. This would merely make him a self-correcting semantics nazi.

    18. Re:Another, eh? by SupremoMan · · Score: 1

      At what point will they realize they don't need to keep credit card numbers after transaction has taken place...

  4. Credit card information? by Reason58 · · Score: 5, Interesting

    It's interesting that they mention credit card information, as you have to enter your complete billing address and credit card information every single time you make a purchase through Steam. Is this hacker lying, or is Steam collecting and storing credit card information on users for shady reasons?

    1. Re:Credit card information? by BAILOPAN · · Score: 1

      Who knows where the credit card numbers came from, really. There's no evidence that the ones they got were from Steam purchases (I think?). But I wouldn't be surprised anyway. Valve's security is notoriously bad, and they require the last four digits of your credit card number in order to recover lost Steam accounts, so they're at least storing a portion of it.

      That said, this hack looked like it was done by a no-steam group, and I honestly have no respect for them. It's fine if you want to run old Valve games without Steam (it's pretty horrible software), but I totally disagree with outright pirating their games. These guys go a step further and brag about it. Our HL community has a very anti-"no steam" policy; you simply won't get support if you're running it.

      --
      If you say "here goes my karma" I will bite you!!!
    2. Re:Credit card information? by megamerican · · Score: 1

      How could they require the last four digits of a credit card number to recover lost steam accounts when you don't need a CC to use steam? You can activate a new steam account without purchasing something through steam. One only needs a valid CD-Key and e-mail address. I have always been under the impression that Steam wasn't keeping people's CC numbers. I thought they received a receipt of the purchase from the CC company. On a related note, I had to have a steam account's password reset because someone I let use it changed the password and I couldn't get ahold of them. I only had to give them the e-mail address and the password was reset. I don't know how Valve could find someone's lost account. It would leave a lot of people who never used a CC out to dry (it is hard to believe that people lose all the info of their steam account in the first place). I think that either the hacker is lying about the credit card information or this is some sort of hoax.

      --
      If you have something that you dont want anyone to know, maybe you shouldnt be doing it in the first place -Eric Schmidt
    3. Re:Credit card information? by tlhIngan · · Score: 3, Interesting

      > Who knows where the credit card numbers came from, really. There's no evidence that the ones they got were from Steam purchases (I think?). But I wouldn't be surprised anyway. Valve's security is notoriously bad, and they require the last four digits of your credit card number in order to recover lost Steam accounts, so they're at least storing a portion of it.


      Reports are all over the map - Valve's official statement says it's only cybercafe owners who are affected (Valve has their credit card information for billing purposes - looks like Valve licenses their games by the hour). And they claim it's the third party host that's afflicted who manages the cybercafe program, and that steam itself wasn't hacked.

      Where the whole story lies, is somewhere in-between.

      What I don't get is this:

      > It seems that VALVe is being held for ransom. If this is true, VALVe may be in trouble, as California Senate Bill 1386 requires that credit card holders be informed of any breach of their information, and MaddoxX already knows exactly how much money they have available.


      What does a California bill have to do with a company based in Washington? (Valve was formed out of some people from Microsoft). They may have to alert CA residents, I suppose?
    4. Re:Credit card information? by nbehary · · Score: 1

      I was wondering about that.....was going to reply to an earlier post that Steam should do like Nintendo does with the VC, you enter everything every time. Then I remembered Steam does do that. It's easy to forget tho.....steam doesn't fail to connect in the middle of a transaction often. It's a good thing, but annoys the hell out of me with the VC sometimes.

      (and Steam and the VC are the only online CC purchases i've made in years.....i usually avoid it.)

  5. This is major news. by imbaczek · · Score: 3, Interesting

    How is this not worthy of showing the whole summary is beyond me.

    Oh and I sincerely hope that this kid gets his share of gulag.

    1. Re:This is major news. by Opportunist · · Score: 2, Interesting

      If he sits there with the dimwit who thought it's a bright idea to store CC info on a publicly accessible server, fine with me.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  6. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  7. Check your credit cards by Cerberus7 · · Score: 3, Informative

    I got a call today from Discover that the card I used to purchase some Steam games was used in several stores in the last two days, racking up over $1500 in charges. I've been trying to figure out how they got my number, and this seems a possible candidate. If you're a Steam customer, beware!

    --
    I don't know about you, but my servers run on the power of cotton candy and happy thoughts. -Anonymous Coward
    1. Re:Check your credit cards by Anonymous Coward · · Score: 0

      Yeah, I just called Discover and had my account number changed. :-(. Fortunately there were no suspicious charges. The account rep mentioned that Discover had no idea about the breach, and was going to pass the info up. I guess it just takes awhile for information to travel through channels.

    2. Re:Check your credit cards by casings · · Score: 1

      the hacker claims not to be doing this to gain access to credit card information, but rather to bring valve into bad light.

      at least that's what he says here: http://emp.damage-web.net/viewtopic.php?p=62590

    3. Re:Check your credit cards by statusbar · · Score: 2, Insightful

      And how do we know that he is the one and only who did hack it? Or is it just someone who said he did?

      --jeffk++

      --
      ipv6 is my vpn
    4. Re:Check your credit cards by casings · · Score: 1

      he's the one taking responsibility for it, as well as providing the proof. Who can be certain? I was just referring to direct quotes from the guy.

    5. Re:Check your credit cards by GeorgR. · · Score: 1

      I am assuming this only applies to people who bought/download their stuff right off steam. Since I got my steam account with the purchase of a game in a 3rd party store...I don't even think/remember that steam has my CC information.

  8. Wii points? by lpangelrob · · Score: 1

    So is it because of risks like this that people have to purchase "Wii Points" cards at other retailers? (Important note: I don't have a Wii yet, so I'm not sure of the technical details of how Wii Points work.)

    1. Re:Wii points? by Anonymous Coward · · Score: 0

      You can purchase Wii Points online via the Wii itself. It's basically just a Wii gift card. It's handy for young people that might not have credit cards, but do have cash.

    2. Re:Wii points? by Ahnteis · · Score: 1

      No. Wii points can be purchased online with the Wii itself. Wii points (and xbox live points, etc) are just a way of guaranteeing that you will spend a minimum of X dollars at a certain store, AND that you will want to buy MORE points to use up the "left over" points you likely have.

    3. Re:Wii points? by grumbel · · Score: 1

      ### So is it because of risks like this that people have to purchase "Wii Points" cards at other retailers?

      I think the main reasons for "Wii Points" and similar systems are that one can do micro payment that way easily and that in some countries credit cards aren't very widespread, especially when it comes to younger audiences, so using only credit cards would lock a lot of users out of the system. Then there is of course the evil reason: You can spend your "Wii Points"-money on XBoxLive, while you could do so with real money.

    4. Re:Wii points? by VertigoAce · · Score: 3, Informative

      I think there are two main motivations for the point systems. The first is that credit card companies have a per transaction fee that is around $0.25 - $0.35. This is really significant when you want to have multiple transactions around $1 - $2 each. By having you purchase points in increments of at least $5, they only pay the transaction fee once for a series of transactions. Apple does something similar with iTunes: they collect somewhere between one and three days worth of purchases and submit them together as a single transaction, hoping you buy more than just a single $0.99 track (I've never used iTunes, so this is a summary of what I've read about its behavior).

      The other reason for the points system is to be able to set a single global price for content. I can post a piece of content for 800 points and tell people about that without having to convert it to a whole bunch of other currencies. Microsoft then sells points at some constant exchange rate for each country. This keeps content prices from fluctuating everywhere outside the US (compared to making the content $10 USD and having the exchange rate vary).

    5. Re:Wii points? by Anonymous Coward · · Score: 0

      I'm guessing so. I don't have a Wii, but I do play WoW and use XBox Live, and use pre-pay cards for both (in the case of XBox Live you can buy both subscription time and Microsoft points in pre-pay form) for exactly this reason.

  9. Steam support is vapid by spyrochaete · · Score: 4, Interesting

    Steam is handling this situation extremely poorly in my books. I emailed Steam Support about 18 hours ago, again 6 hours ago, and have received no reply. I've spent about $200 over Steam and until now have received excellent service. Now I'm royally pissed off.

    Here is my first email to Steam:

    I read a distressing article today claiming that Steam's databases were broken into and credit card information was stolen:
    http://emp.damage-web.net/viewtopic.php?p=62590

    Is this true? Do I need to cancel my credit card? Please advise ASAP!


    And here is my second one, posted this morning:

    Do I really need to tell you that this urgent question is time-sensitive?

    http://digg.com/gaming_news/Valve_Hacked_Your_Info_may_be_at_risk

    As you can see this issue, rumour or otherwise, is public knowledge and widespread. Valve's lack of a statement on this is very conspicuous. Please confirm or deny this story so that I can rest at ease.


    I'm not panicking and I'm not about to cancel my credit card, but I'm furious that Valve will not at least advise me whether or not I should do so. If they don't contact me by midnight I'll never buy through their service again. Furthermore, I'll probably join in on any class action lawsuit.

    1. Re:Steam support is vapid by shaitand · · Score: 4, Insightful

      You aren't canceling your card? Let's see, is that the same user id you use for valve? *searches for that id in his printout*

    2. Re:Steam support is vapid by spyrochaete · · Score: 1

      Different login name, and I've been checking my CC online invoice often since hearing of this incident. Plus my bank put my card on hold when I bought a CD and then made a charitable donation online in rapid succession, until they called me 30 minutes later to verify I had made those purchases. I have faith in my bank.

    3. Re:Steam support is vapid by Omeger · · Score: 1

      You should only worry if you're a person who has a Cyber Cafe, because those are the numbers that were lost and they were already informed of this.

    4. Re:Steam support is vapid by n3tcat · · Score: 1

      they probably have one person responding to emails. another person is answering phones. everyone else is busy trying to figure out what information got stolen, how it got stolen, and how to keep it from being stolen again.

    5. Re:Steam support is vapid by spyrochaete · · Score: 1

      Thanks. I actually found this information shortly after commenting on /. on Steam's forums, but it was a reply by a regional Steam administrator to a poorly titled post by an ordinary user. Hardly a professional or exhaustive means of easing the minds of over a million subscribers.

    6. Re:Steam support is vapid by ShadowsHawk · · Score: 1

      If you have more than one available card, you may want to call the CC company and tell them that you'd like a new card issued. They will cancel the existing card and you'll have the new card in a couple of days. My card appears to be clean, but I had a new card issued as a precaution.

    7. Re:Steam support is vapid by spyrochaete · · Score: 1

      Thanks for the advice. I'm keeping a close watch on my online invoice but I'll take further action if required.

  10. Full montey by Anonymous Coward · · Score: 0

    Economic terrorism coming to a customer near you.

  11. You need to store something for monthly billing. by khasim · · Score: 1

    The issue is that the machine doing the billing must NOT be connected to the Internet.

    Yes, I know. Some of the notifications go out over email. So? Dump the necessary email info to a USB stick and WALK that over to a different computer.

  12. Re:It's an unconfirmed claim you Irish fools by Alphager · · Score: 0

    "B-b-b-but the source is a pseudonymous hacker with an axe to grind! Why would he lie?"

    *head explodes* The source is a pseudonymous hacker with an axe to grind who released Account-data, certificates and several internal listings. Of course, he could have faked those listings, but they seem extremely accurate.
  13. Re:It's an unconfirmed claim you Irish fools by caramelcarrot · · Score: 5, Informative
    http://forums.steampowered.com/forums/showthread.php?t=554840

    "There has been no security breach of Steam." However, he does confirm our expert's findings by adding, "The alleged hacker gained access to a third-party site that Valve uses to manage the commercial partners in its Cyber Café program. This Cyber Café billing system is not connected to Steam. We are working with law enforcement agencies on this matter, and encourage anyone with more information to e-mail us at Catch_A_Thief@valvesoftware.com."
  14. Re:You need to store something for monthly billing by Ford+Prefect · · Score: 5, Informative

    > The issue is that the machine doing the billing must NOT be connected to the Internet.

    Who says it was even Valve's machine that was compromised? 1UP.com:

    Doug Lombardi, director of marketing at Valve, says, "There has been no security breach of Steam." However, he does confirm our expert's findings by adding, "The alleged hacker gained access to a third-party site that Valve uses to manage the commercial partners in its Cyber Café program. This Cyber Café billing system is not connected to Steam. We are working with law enforcement agencies on this matter, and encourage anyone with more information to e-mail us at Catch_A_Thief@valvesoftware.com."

    --
    Tedious Bloggy Stuff - hooray?
  15. overdrawn, lol. by iPodUser · · Score: 3, Funny

    My account that I used to buy the game is overdrawn, the joke's on him!

    (That and I just switched banks so the account will be inactive in a matter of days)

    --
    This space intentionally left blank.
    1. Re:overdrawn, lol. by Anonymous Coward · · Score: 0

      The bank you switched from is gonna report you to the CHEX system if you don't pay them and then any bank that is affiliated with them will terminate or not let you make an account with them.

      Just thought you should know

  16. Re:Like Coder, Like Game by caramelcarrot · · Score: 1

    Fully securing a game is very hard without DRM built in to the hardware or moving all the computation to the server side (expensive). It's unfair to compare client security (impossible) with server security (possible)

  17. Call me old-fashioned... by 313373_bot · · Score: 1, Offtopic

    ...but I never liked the concept behind "Steam", "X-Box Live", or any other "service" you have to subscribe (i.e., submit your credit card information and pay over and over) in order to enjoy the games (or any other software) you have already purchased.

    --
    ^[:q!
    1. Re:Call me old-fashioned... by the+linux+geek · · Score: 1

      You realize Steam is free, right?

    2. Re:Call me old-fashioned... by Anonymous Coward · · Score: 0
      > You realize Steam is free, right?

      How so?

      The game he purchased isn't free as in beer.
      Steam, being the DRM technology that encumbers the game, sure as hell ain't free as in speech either.

      Why is it suddenly cool for Valve to do with Steam, what Microsoft is doing with WGA?

    3. Re:Call me old-fashioned... by hansamurai · · Score: 1

      Because Steam has relatively unobtrusive DRM, compared to WGA which regularly accuses you of pirating Windows. But DRM is DRM, so I understand your point.

    4. Re:Call me old-fashioned... by 313373_bot · · Score: 1

      Thanks for the information, I wasn't aware that there isn't a monthly fee. Nevertheless they are keeping some information then, at least to (re-)activate the games, and perhaps to sell you additional stuff. Do you have to log on the service each time you want to play, or just to reinstall? In any case, as another poster said, it feels a lot like WGA.

      --
      ^[:q!
    5. Re:Call me old-fashioned... by Ahnteis · · Score: 1

      There are no subscriptions that I'm aware of on Steam currently. You pay once, download as many times as needed.
      (Unless you want a new game, then you have to pay a whole new price!)

    6. Re:Call me old-fashioned... by Ahnteis · · Score: 1

      There's an offline mode I believe, but generally you just stay logged in to the service and play your games. I much prefer it to dealing with swapping CD/DVDs every time I want to play, and I don't have to deal with things like Starforce, or hacked .exe files from people I have no reason to trust.

    7. Re:Call me old-fashioned... by heinousjay · · Score: 1

      Steam is free as in you don't pay for it. That's how so.

      --
      Slashdot - where whining about luck is the new way to make the world you want.
    8. Re:Call me old-fashioned... by tlhIngan · · Score: 1

      There's an offline mode I believe, but generally you just stay logged in to the service and play your games. I much prefer it to dealing with swapping CD/DVDs every time I want to play, and I don't have to deal with things like Starforce, or hacked .exe files from people I have no reason to trust.


      Yes, there's an offline mode, I've used it. It's quite nice - though it does delay startup by about 30 seconds while it tries to log into your account. The only thing is that you have to be offline when you start up steam, and of course, you can't play online. (For this reason, I wish Steam actually had an auto-quit option...).

      As for what games you bought - those are linked to your account - just like non-AC /. posts are linked to the account.

      But yeah, given the nastiness of commercial copy protection systems right now, and the rather lightness of Steam, I'd prefer Steam to installing tons of weird crap in my system. Plus, you can backup your games to CD/DVD if you ever envision going back to dialup - Steam even splits the files into nice bundles of user-selectable size so you can burn them onto DVDs or something. Just remember to grab a copy of the Steam installer since the restoration process requires it. But heck, the first CD even has an autorun and stuff so it's trivial to restore. Or just re-download the whole thing. I'm on my 3rd download off a number of games...

      Steam sucks, but it's like iTunes - among the best of a very broken system. (Slightly OT - Warner music has issues with AnywhereCD - a DRM free music store carrying major labels (which for a nominal extra fee, will even get you a real CD). So it's gonna take a while.)
  18. Here's the full *original* screenshot by TubeSteak · · Score: 4, Informative

    http://i17.tinypic.com/2e0irza.jpg

    The pic in TFA only shows the left half of the picture.

    --
    [Fuck Beta]
    o0t!
    1. Re:Here's the full *original* screenshot by cgenman · · Score: 1

      Valve has "a stunning" 9 million dollars in the bank? Stunning? That's surprisingly low for a company that has made two of the most successful (or at least hyped) games of all time. That's probably about 1 year of operating capital for them.

      This hacker isn't earning himself much respect.

      Remember, he's at:

      Maddoxx@no-steam.org

    2. Re:Here's the full *original* screenshot by Chosen+Reject · · Score: 1
      --
      Stop Global Warming!
      Just say no to irreversible processes!
    3. Re:Here's the full *original* screenshot by !coward · · Score: 1

      Ditto.. $9M is really low.. Even if that account is only for Cyber Cafés. I know the hype for CS:S has somewhat passed but even so..

      I had a feeling it was a hoax, what with Steam requiring you to always input your CC info every time you make a purchase (which means it would make no sense for VALVe to store that info any longer than they need to), but if the hacked site was a third-party not affiliated with VALVe, who deals with the Cafés transactions then I guess it's possible. But I hardly see how it's VALVe's fault that they got hacked..

      And looking at the pic, either that guy is reaping credit for someone else's handiwork, or he/she has some serious self-esteem problems.. All that VALVe bashing BS seems out-of-place somehow, but then again, maybe that's because the hackers (real ones, I mean) I've known are from the old-school, when things were done mostly for bragging rights that were then kept within the circle.. Or just to mess with some clueless, thinks he's a hardcore BOFH admin.. (whatever.. typical "Damn kids, get off my lawn" comment.. Guess I'm getting old :) ).

      Anyway, those lines on the right beneath "here's some proof" seem weird. The 1st 4 are marked as "Cash Sale". Well, doesn't "cash sale" usually mean a purchase made with.. cash?! Besides, the values seem too round: 40, 2 x 50, and then one 150 and one (the last) 860?! I'm assuming dollars here so, $860?? What, someone purchased their entire library of games? And even for a Café, it seems too high of a payment, if VALVe charges clients per-hour/per-account. Then there's the order numbers being, well, out-of-order (and that last one without any number at all, just the # sign).

      While it doesn't seem that far-fetched that someone hacked into a billing system containing sensitive information, I'm getting the feeling again that at least part of this is an elaborate hoax. We have no way to verify the financial info regarding VALVe's bank accounts, but since VALVe did attribute some credit to the guy's claim, I'm assuming that the screenshots of VALVe's internal system looked real enough for them to investigate. Could that part have been an insider's job? Disgruntled employee, or something?

  19. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  20. All I can say is by Lord+Kano · · Score: 1

    pwn3d

    I have always had serious issues with giving my credit card number to any high profile service like Steam primarily because I don't like "virtual" purchases, I like to have physical tangible objects in return for my money but this is just another reason for me.

    LK

    --
    "Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
    1. Re:All I can say is by Anonymous Coward · · Score: 0

      I have always had serious issues with giving my credit card number to any high profile service like Steam primarily because I don't like "virtual" purchases, I like to have physical tangible objects in return for my money but this is just another reason for me.

      So does this mean you avoid e-tickets or sending out flash greeting cards?
    2. Re:All I can say is by Lord+Kano · · Score: 0, Offtopic

      So does this mean you avoid e-tickets or sending out flash greeting cards?

      I have sent flash greeting cards, free ones. I have never bought an e-ticket.

      LK

      --
      "Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
  21. Another day in CC paradise by Opportunist · · Score: 1

    Yes, I know, the CC companies will prolly cover it. But why is this necessary?

    I see that the companies need the CC info for billing. That's ok. Why, though, does this info have to reside on a server that is accessible through the 'net? Of course, you have to register online. Ok. How about transferring that data once a day to a server which is usually NOT accessible from anything connected through the net save those 5 minutes the transfer takes, and only from the machine that has to dump the info? Banks use a similar system to access their vaults, where you need the combination and have to be there at a very specific time.

    The only info the server really needs is whether the payment went ok or whether the card is overdrawn. This, too, can be updated once a day. The user doesn't need to see his CC info. He knows it. If anything, he needs to see a few parts of the card info to verify which card he used.

    So the question stands, why is this possible at all?

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Another day in CC paradise by Detritus · · Score: 1

      You don't have to fall back to off-line batch processing. Another approach is to install an intermediate system that only allows the passage of messages in very limited and strictly defined formats. Anything else gets logged, discarded and triggers an alarm.

      --
      Mea navis aericumbens anguillis abundat
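The intermediate system described in the comment above, sketched as an added example that is not part of the thread: a relay in front of the billing server that passes exactly one fixed message format and logs, discards and alarms on everything else. The `CHARGE|...` frame layout, the class and function names and the sample frames are all assumptions constructed for illustration.

```python
import re

MAX_LEN = 64  # assumed hard cap on frame size; longer input is never parsed

# The single permitted frame: CHARGE|order id|card number|MMYY|amount in cents
# bytes pattern, so \d matches ASCII digits only.
CHARGE_RE = re.compile(
    rb"CHARGE\|(\d{1,12})\|(\d{13,19})\|(0[1-9]|1[0-2])(\d{2})\|([1-9]\d{0,6})"
)


def luhn_ok(digits: bytes) -> bool:
    """Luhn checksum over ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 48                  # ASCII digit -> int
        if i % 2 == 1:               # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class BillingGateway:
    """Sits between the Internet-facing server and the billing server."""

    def __init__(self, deliver, alarm):
        self.deliver = deliver       # callable(dict): hands a parsed charge to billing
        self.alarm = alarm           # callable(str): pages whoever is on call
        self.rejected = []           # audit log of discarded frames

    def handle(self, frame: bytes) -> bool:
        match = None
        if len(frame) > MAX_LEN:
            reason = "oversized"
        else:
            # fullmatch, not match or "$": a trailing newline or extra field fails
            match = CHARGE_RE.fullmatch(frame)
            if match is None:
                reason = "format"
            elif not luhn_ok(match.group(2)):
                reason = "luhn"
            else:
                reason = None
        if reason is not None:
            # Record metadata only; a rejected frame may still contain card data.
            entry = f"reject reason={reason} len={len(frame)}"
            self.rejected.append(entry)
            self.alarm(entry)
            return False
        self.deliver({
            "order": int(match.group(1)),
            "card": match.group(2).decode(),
            "expiry": (match.group(3) + match.group(4)).decode(),
            "amount_cents": int(match.group(5)),
        })
        return True


# Constructed sample frames: one valid charge, five that must be dropped.
SAMPLE_FRAMES = [
    b"CHARGE|1001|4111111111111111|0927|1999",
    b"CHARGE|1002|4111111111111112|0927|1999",        # bad check digit
    b"CHARGE|1003|4111111111111111|0927|1999\n",      # trailing newline
    b"GET /cards?id=1 HTTP/1.1",                      # wrong protocol entirely
    b"CHARGE|1004|4111111111111111|0927|1999|" + b"A" * 100,
    b"CHARGE|1005|4111111111111111|1327|100",         # month 13
]


def run_samples():
    delivered, alarms = [], []
    gateway = BillingGateway(delivered.append, alarms.append)
    for frame in SAMPLE_FRAMES:
        gateway.handle(frame)
    return delivered, alarms


if __name__ == "__main__":
    for line in run_samples()[1]:
        print(line)
```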
  22. Yet another reason... by anlprb · · Score: 1

    You should not run your corporate networks over people's private computers. You are giving them the door and the location, it is a matter of time before they have the key. There is a reason that the telephone polls are on the public right of way. It makes it a crime to tamper with it. Once you put something on my land without a legal easement, it is mine to do with as I please. Even with a legal easement, I can still cause damage, I may just have to pay for it. You still lost service. Note to load "sharing" companies, stay off computers you don't have control over, you are just asking for trouble.

    --

    One Token Ring to Rule them All, One Search Engine to Find Them, One WAN to bring them in, and TCP/IP Bind them...
    1. Re:Yet another reason... by LordSnooty · · Score: 1

      I spent three minutes wondering why someone would want to hold an American Idol-style vote on public rights of way. "Poles" not "polls"

  23. Domestic Terrorism? by malevolentjelly · · Score: 1

    I would be really worried if I were that kid. If he's in any country with an extradition treaty, I'm pretty sure he'll get nailed by the authorities. Our post 9/11-government is pretty sensitive to electronic criminals like this.

    I know being a l33t h4x0r is all about bragging about your crap, but honestly-- even claiming to have done this is very dangerous if you're not in the third world.

  24. Re:You need to store something for monthly billing by Anonymous Coward · · Score: 1, Informative

    That's not even needed, really. Put a nice, hardened firewall (ala IPCop) between the computers on a network and let the information be passed out but not in. If that makes sense.

    Internet-->Firewall-->Processingserver-->Firewall-->Firewall-->"Billing" Server

    The only open INCOMING port on "Billing" is the port that records billing information; the only outgoing port is the one that tells the processing server to send mail to such and such.

    Also, use end-to-end encryption!

  25. Re:Full article by Anonymous Coward · · Score: 0

    We're rubbing pennies together trying to make it from month to month

    At first glance I read "rubbing penises together". Must reduce pr0n intake.

  26. Why do online sites need to store CC#s at all? by illegalcortex · · Score: 3, Interesting
    Some people have said that this may be inaccurate since Steam requires that you enter a CC# at every purchase. In any case, I have to wonder why we don't have better technology than just storing CC#s. For purchases that happen instantaneously online, this would seem to be avoidable.
    1. You enter your CC# on a company's website
    2. Company sends CC# to credit card validation service
    3. On successful transaction, the CC company uses its private key to encrypt a small message containing the cardholder's name, address and CC# along with the billing company's name and address or other account info. It then sends that encrypted result back to the billing company. The billing company throws away the credit card number (except maybe the last four digits for easy identification purposes) and stores only this encrypted form.
    4. Later, when the billing company wants to charge the customer again, it sends that encrypted form to the CC company instead.
    5. The CC company accepts it and decrypts it using the private key, thus allowing payment only to the billing company listed in the file

    Any obvious glaring errors? Any idea if this has already been proposed and shot down in the past? The data is never going to be truly secure. Someone is always going to get hacked. So it seems this might be a good way to minimize the amount of valuables lying around.
    1. Re:Why do online sites need to store CC#s at all? by spyrochaete · · Score: 1

      If the company providing the goods or service to the end user gets broken into, wouldn't it be possible for the malicious party to charge huge fees to the victims' authenticated credit cards using valid private keys?

    2. Re:Why do online sites need to store CC#s at all? by Anonymous Coward · · Score: 0

      That's (more or less) the way it's supposed to be done. Where I work we only store the full name, address, last four digits and the expiration date in the DB. The rest gets tossed into the bit bucket when the CC processor authorizes the charge.

    3. Re:Why do online sites need to store CC#s at all? by Gunstick · · Score: 1

      even better:
      1) you click on checkout
      2) the company directs you to the card processor
      3) you enter your CC there
      4) the card processor tells the company if it's valid
      5) you get your goods

      The internet shop NEVER sees the CC number
      Instead of 1000 shops needing security you only need to secure a couple of processors, typically your bank or similar.
      The shop even does not really need to have any SSL ...

      --
      Atari rules... ermm... ruled.
    4. Re:Why do online sites need to store CC#s at all? by Dr_Barnowl · · Score: 1

      Well, yes, but they can only make charges that get paid to the company they hacked, not to their own merchant account.

      Because of the way that public key crypto works, you can be assured of the sender of a particular piece of information. If you have someone's private key, you can pretend to be that entity, sure. But the CC company would associate that key and content signed with it with that merchant account only, and would instantly detect requests to pay into another account. In fact, it would be unnecessary to quote an account number - the CC company would keep a DB of which account number goes with which key.

      You could use it to discredit a company by racking up huge unauthorized charges against its name, but unless you also have a means of transferring that money away from the company account, you can't use this method for personal financial gain.

    5. Re:Why do online sites need to store CC#s at all? by c0d3h4x0r · · Score: 1

      Any obvious glaring errors?

      Yeah -- the credit-card system as-is is so entrenched that you'll never get all the disparate parties involved to agree to throw it out and adopt something new all at the same time.

      Banks, the banking backbone network, credit reporting mechanisms, ATM machines, point-of-sale hardware, retails... they would all have to throw away their existing systems and software/hardware investments and move to the new system, and they would have to do it altogether in concert for it all to work end-to-end.

      The difficulty isn't in dreaming up a better system. It's in moving off the existing system without excessive cost or service disruption.

      This isn't any different than the FOSS community's attempts the Windows monopoly -- coming up with something technically superior to Windows isn't hard. Coming up with a way to get the world to willingly transition away from the OS they already depend on for everything is the hard part.

      --
      Moderator hint: a comment is neither "Flamebait" nor "Troll" if it is true.
    6. Re:Why do online sites need to store CC#s at all? by whizzter · · Score: 1

      Because people would become confused and suspect foul play if you're directed to an unknown processor. (I personally do not know the names of any commercial processors on the net. but it's not my bank).

      There's 2 other options.
      1: Using links directly to your bank, where you could log in. This is actually used by my personal bank but I find it very scary. (Because by using devious tricks of javascript and co I could be entering login info to my bank account that somebody could steal. Not good.)
      2: Temporary internet creditcards. This way I log into my bank (from another browser or even computer maybe) and create a new card and authenticate it for ONE purchase. So anyone trying to do a new transaction will be refused because it simply ain't allowed. If I want to make another purchase. I just add another purchase to the list.

    7. Re:Why do online sites need to store CC#s at all? by illegalcortex · · Score: 1

      Right, but I think you missed the point of my post. Some companies need to do recurring charges (WoW, for example). The other example is storing the card as a convenience, which really is very nice as long as you have some level of confidence in the site.

    8. Re:Why do online sites need to store CC#s at all? by illegalcortex · · Score: 1

      This breaks for recurring charges or automatic bill payments. That's kind of the whole point of the system I proposed.

    9. Re:Why do online sites need to store CC#s at all? by illegalcortex · · Score: 1

      Just to add to the other reply, I'd like to note I wasn't proposing each of the companies that sent charges to the CC# should have their own public/private keys. That would be nice, but quite a hassle to administer. I just mean that the message content will include the company name and address before it is encrypted and sent back by the CC#. That way (like the other poster said), if someone stole that encrypted message and tried to send it back in, only the original company will be credited, not the thief. This pretty much nullifies the motivation for stealing and resending the encrypted message.

    10. Re:Why do online sites need to store CC#s at all? by illegalcortex · · Score: 1

      I think you're assuming something that I didn't propose. I didn't say they should scrap the existing process and replace it with this. If you notice, the first bit of my process is the existing system of sending a regular CC# in. My system just adds functionality that companies can take advantage of. They could even have an extra little safety seal on their page for this system.

      Right now, companies are having to pay a lot for security to try to avoid these attacks. Then when they get broken into, they may have to pay out compensation. Plus, they take a real financial hit from the bad public relations after getting hacked (there are several companies I tend to stay away from because of this). CC companies/banks also take a hit in people not using their CC to the maximum amount because they may be leery of the safety. They may have to pay for the fraudulent charges in a lot of cases. So really, it would be in everyone's interest to add this functionality.

      If Amazon could be sure a break-in would only result in a couple thousand credit card numbers being stolen (the ones that had not already been tokenized and were waiting for a response from the CC company), they would be ALL OVER such a system.

    11. Re:Why do online sites need to store CC#s at all? by spyrochaete · · Score: 1

      This pretty much nullifies the motivation for stealing and resending the encrypted message.

      Indeed, and I think this is a great idea, but it still doesn't nullify the motivation for "proof-of-concept" mischief such as this Steam case.

    12. Re:Why do online sites need to store CC#s at all? by illegalcortex · · Score: 1

      Well, the Steam thing turns out to be inaccurate (they put an update at the bottom of the linked story).

      But if it had been true, the theft of credit card data would definitely have moved it out of the "mischief" category.
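The scheme proposed in comment 26 and refined in its replies, as an added example that is not part of the thread and is not any real processor's code: the merchant keeps only a token and the last four digits, and the token can only credit the merchant named in it. It assumes one swap: instead of encrypting the card number into the token, the processor keeps the number in its own vault and issues an HMAC-protected reference. All class and merchant names are hypothetical and the card number is a constructed test value.

```python
import base64
import hashlib
import hmac
import json
import secrets

TEST_CARD = "4111111111111111"  # constructed sample: well-known test number


class TokenError(Exception):
    """Token is malformed, forged, or presented by the wrong merchant."""


class CardProcessor:
    """Stands in for the 'CC company'; the only party that keeps card numbers."""

    TAG_LEN = 32  # HMAC-SHA256 output size in bytes

    def __init__(self):
        self._mac_key = secrets.token_bytes(32)  # never leaves the processor
        self._vault = {}   # token id -> full card number
        self.ledger = []   # (merchant credited, amount in cents, last four digits)

    def _tag(self, body):
        return hmac.new(self._mac_key, body, hashlib.sha256).digest()

    def first_charge(self, merchant_id, card_number, amount_cents):
        """Steps 1-3: charge the card once and hand the merchant a token."""
        token_id = secrets.token_hex(16)
        self._vault[token_id] = card_number
        self.ledger.append((merchant_id, amount_cents, card_number[-4:]))
        body = json.dumps(
            {"id": token_id, "merchant": merchant_id, "last4": card_number[-4:]},
            sort_keys=True,
        ).encode()
        return base64.urlsafe_b64encode(body + self._tag(body)).decode()

    def repeat_charge(self, presenting_merchant, token, amount_cents):
        """Steps 4-5: charge again from the token alone.

        Assumption: presenting_merchant was already authenticated by the
        processor (API credentials, client certificate or similar).
        """
        try:
            raw = base64.urlsafe_b64decode(token.encode())
        except ValueError as exc:
            raise TokenError("not a token") from exc
        body, tag = raw[:-self.TAG_LEN], raw[-self.TAG_LEN:]
        if len(raw) <= self.TAG_LEN or not hmac.compare_digest(tag, self._tag(body)):
            raise TokenError("token altered or not issued by this processor")
        claims = json.loads(body)
        if claims["merchant"] != presenting_merchant:
            raise TokenError("token belongs to a different merchant")
        card_number = self._vault.get(claims["id"])
        if card_number is None:
            raise TokenError("token revoked")
        self.ledger.append((claims["merchant"], amount_cents, card_number[-4:]))
        return claims["last4"]


class Merchant:
    """The billing company: its database is what a break-in would expose."""

    def __init__(self, merchant_id, processor):
        self.merchant_id = merchant_id
        self.processor = processor
        self.db = {}  # customer -> {"token": ..., "last4": ...}

    def checkout(self, customer, card_number, amount_cents):
        token = self.processor.first_charge(self.merchant_id, card_number, amount_cents)
        # Only the token and last four digits are stored; the number is dropped.
        self.db[customer] = {"token": token, "last4": card_number[-4:]}

    def monthly_bill(self, customer, amount_cents):
        token = self.db[customer]["token"]
        return self.processor.repeat_charge(self.merchant_id, token, amount_cents)


def demo():
    processor = CardProcessor()
    shop = Merchant("game-shop", processor)
    shop.checkout("alice", TEST_CARD, 1999)
    shop.monthly_bill("alice", 999)          # recurring charge, no card number needed
    stolen = shop.db["alice"]["token"]       # what a database dump would contain
    try:
        processor.repeat_charge("thief-shop", stolen, 50000)
        blocked = None
    except TokenError as exc:
        blocked = str(exc)
    return {
        "ledger": processor.ledger,
        "blocked": blocked,
        "pan_in_merchant_db": TEST_CARD in json.dumps(shop.db),
    }


if __name__ == "__main__":
    print(demo())
```

As the replies note, a thief holding the merchant's own credentials could still run charges that credit the merchant, so the processor also needs a way to revoke tokens after a break-in.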

  27. I dont excuse them, but no-steam has a point... by sethstorm · · Score: 1


    That said, this hack looked like it was done by a no-steam group, and I honestly have no respect for them. It's fine if you want to run old Valve games without Steam (it's pretty horrible software)... These guys go a step further and brag about it. Our HL community has a very anti-"no steam" policy; you simply won't get support if you're running it.

    By the looks of things, keeping these people in the cold isn't exactly going to help much either. Not every place has a regular connection that runs these games, and is seen as spyware to some - exclusion in the modding community isn't going to help.

    The only bad action in this case is this compromise and all the things with it.

    --
    Twitter supports and protects racists - by smearing their critics with the "Hate Speech" label.
    1. Re:I dont excuse them, but no-steam has a point... by BAILOPAN · · Score: 1

      Supporting pirated game copies is a violation of the SDK license Valve gives us. At best, it's simply unprofessional to cater to people who haven't paid for the game and expect equal support on outdated/cracked versions.

      --
      If you say "here goes my karma" I will bite you!!!
    2. Re:I dont excuse them, but no-steam has a point... by Anonymous Coward · · Score: 0

      Forcing someone who purchased a game to install a memory resident program full of advertising which must be run in order to play is unethical by my standards. More importantly, I will never buy another game that uses Steam. I hated it from the start, then it "forgot" that I owned the game and refused my key. I spent hours searching and never got any information. I did save my receipt (something I don't always do) and it seems that reactivating my key requires that. Anyway, I finally figured out how to run it directly (the game still knows I paid for it). I just wish I'd pirated the game instead. Then I wouldn't have had any of this mess. It doesn't say anywhere on the box it uses Steam, so I guess I'll always have to research before buying a game now. Steam is like force DVD ads. It's scum.

  28. hax0r teh planets by Anonymous Coward · · Score: 0

    dude, I hacked the Gibson!

  29. What about the little guys? by Vacardo · · Score: 0

    All I've ever bought over Steam is Garry's Mod - is how much money you spend a factor or will I slip under the radar?

    Funny, never thought I'd be worried about my uber-secure Steam which will NEVER let pirated games be permitted but will turn a blind eye to a serious compromise... bad customer service IMHO.

  30. 1337 by kbox · · Score: 3, Funny

    The 'hacker' uses windows and IE... As if being a scummy thief wasn't bad enough.

  31. Good by Trogre · · Score: 1

    Well, not good for the people who had their credit card numbers taken, but the sooner these web-based DRM schemes are exposed and discredited the better. Valve made a *big* mistake by making HL2 require an open connection to Steam before letting you play. Sure, they've tacked on a bit of content delivery but that's not its main purpose.

    --
    "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
    1. Re:Good by Broken+scope · · Score: 1

      Actually you only need it on their once. Offline mode has been working rather well for a while now.

      --
      You mad
    2. Re:Good by Broken+scope · · Score: 1

      FUCK I used their wrong. That should be there.

      --
      You mad
    3. Re:Good by Anonymous Coward · · Score: 0

      Offline mode has been working rather well for a while now.
      mmm nope, still takes a while to load compared to cracked half life 2.
  32. Interview with the "HACKER" by ToasterMonkey · · Score: 2, Informative

    The way "hacker" is used in the media and on slashdot always makes me laugh. This "hacker" seems to be affiliated with the Free Nation Foundation group in some way. Maybe the interview is a hoax too, let's face it, you can believe everything or nothing you read on the internet. Either way, I feel there are some very troubled and delusional kids out there that need help getting away from their computers for a while to play baseball or do something constructive. Read the interview, then go to the forums at FNF. Read the bits about the rights to name unclaimed islands they found on google maps, or the fiberglass huts and shipping containers they plan on living in. If this garbage makes it on slashdot, you have to wonder... how many articles read here every day are instigated by lonely, frustrated teens with a blog and a need to feel important?

    The source?
    The interview
    Please, read the forums at freenationfoundation.org so you all get an idea what goes on in these "hacker's" minds.
    They really need your help.

    -SJ

  33. If you are emailing Steam support.. by RealityThreek · · Score: 2, Insightful

    ... don't you think everyone else is too? Is it really all that surprising that they are backlogged?

    --
    :wq
    1. Re:If you are emailing Steam support.. by spyrochaete · · Score: 1

      That's what public statements are for. Regardless, the least they could have done was reply saying "We are currently investigating and will get back to you."

    2. Re:If you are emailing Steam support.. by Anonymous Coward · · Score: 0

      You mean like the one Valve had, saying there was no breach of CC numbers?

  34. Use Shopsafe to avoid this problem by Anonymous Coward · · Score: 0

    There is an easy way to avoid this. Get a credit card that has Shopsafe. This is a method where you can create your own credit card number on their web site and it is linked to your credit card. When you create a new credit card you can give a limit on the card and an expiration date. The credit card is only good at one vendor. This way even if a site gets hacked, the credit card information they get is useless. I know of two banks that have it, MBNA, and Bank of America are two.

    1. Re:Use Shopsafe to avoid this problem by skwang · · Score: 1

      Citibank's credit cards allow users to create a similar "virtual credit card" number. I've used it for my online shopping/transactions. Unfortunately I didn't get the CC before I signed up for steam (sigh).

  35. Turns out... by PixelScuba · · Score: 1

    The password was gaben.

  36. Hummm by A_Non_Moose · · Score: 1

    Is Gabe using Outlook, again? Shame, shame, shame, figured he'd learn the first time.

    I guess HL3 will be delayed again because of hackers. Damn those hackers!

    Makes you wonder if Valve has a S.T.A.L.K.E.R.

    --
    Have you read the moderator guidelines? Well, have you, PUNK? (and I want a Karma: Gnarly option)
  37. Re:You need to store something for monthly billing by Falladir · · Score: 1

    Under the present system, you need the CC numbers for billing, but wouldn't it be better if the consumer instructed the CC company to periodically make a payment to a certain account, rather than the consumer providing the vendor with the information needed to extract money?

    There's no reason for vendors and service providers to deal so directly with the CC company.

  38. Looks like the "hacker" is full of crap by Talgrath · · Score: 2, Informative

    He hacked into a website, but it wasn't Steam itself but a third party site (the article linked itself has this correction at the bottom); at least that's the official line from Valve.

    1. Re:Looks like the "hacker" is full of crap by suriart · · Score: 1

      My credit card was also listed in their system; now my bank froze my account for a couple of days until I renew the card.

      --
      http://www.suriart.com
  39. My CC details were "leaked" by Steam by Contact · · Score: 1

    Coincidentally, I'm currently fighting a running battle with Steam support to reclaim a hacked Steam account. After about five messages back and forth, it has finally emerged that the person actually stole my account by "reclaiming" it from Steam, after providing my steam account number, and my credit card details.

    I don't have any spyware on this machine - I checked with SpyBot and Ad-Aware. I surf using Opera, I read mail using Eudora, and internet security is part of my job. I am at a loss as to how anyone could have got both my Steam account number and my credit card details by hacking a third party, however, unless that third party was Steam. (Yes, I could be an idiot, riddled with spyware that I have no idea is there.)

    1. Re:My CC details were "leaked" by Steam by Anonymous Coward · · Score: 0

      Someone may have conned an operator into doing it somehow.

  40. Those that pirated HL2 and other Steam games by Travoltus · · Score: 1, Troll

    and didn't go pay to play it online, are laughing their butts off right now.

    --
    --- Grow a pair, liberals... stop letting the Republicans bully you!
  41. Mod Parent TROLL! by Anonymous Coward · · Score: 0

    You have to have a physical card to purchase things at stores... If they are using them online where is the stuff shipping to? Discover has a strict policy of not shipping to non-billing addresses unless you add a new address to your account.

    1. Re:Mod Parent TROLL! by powerlord · · Score: 1

      Haven't tried this (for obvious reasons), but I imagine you could order the merchandise and have them shipped to your home via the slowest possible UPS service, then, once it's shipped and on its way, pay the extra $5 to have it rerouted to a different drop point.

      Some shippers will not allow packages to be rerouted, some will. I imagine someone with more experience in these matters could shed more light.

      Also, about needing a physical card, my understanding is that these can be relatively easily created now. Card blanks and mag-stripe writers have been used to clone physical cards for a while, I imagine creating the clone with just the information should be relatively straightforward also.

      --
      This space for rent. All reasonable inquiries will be entertained at proprietors discretion.
  42. Re:You need to store something for monthly billing by RiscIt · · Score: 2, Insightful

    Reason to store Card Info: The customer WANTS them to. I'm sure by now you've come across an online store that ASKED if you wanted them to save it for next time. I use this with Dell and New Egg. If they don't ask then it's a problem, but for everyone else it's the CUSTOMER'S responsibility to make the decisions as to whether or not they trust the company.

    Reason to be connected to the intarweb: They PROCESS the cards online (via authorize.net, for example).
    I write e-commerce apps for a living. My usual policy (unless the client demands something else) is to take the card numbers, save them encrypted in a database, wait until a store employee reviews their order to make sure it is okay to ship, charge the card (via authorize.net), ship it, close the order and delete the security code, expiration date, and all but the last 4 digits of the card number.

    Thus if (god forbid) someone were to break in the only card numbers they would have access to are orders which have been placed but not shipped yet, and even those would be encrypted unless they also got the encryption key. It's quite likely that an order will be shipped within an hour of it being placed, so the risk involved is almost nothing.

    There will always be risk involved, no matter how secure you build a system (or ignorantly THINK you have). Deciding whether or not to allow a company to save your card info is simply saying how much risk you are willing to take.
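
The retention policy described in comment 42, as an added sketch that is not part of the thread or any poster's code: card data is held encrypted only while an order is pending and is reduced to the last four digits once the charge succeeds. The names (`orders`, `placeOrder`, `shipOrder`, `dumpTable`), the in-memory table, the `chargeFn` gateway stand-in and the test card numbers are all assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Assumption: in production the key lives outside the database (KMS/HSM or
// a separate host), so a database dump alone yields only ciphertext.
const KEY = crypto.randomBytes(32);
const orders = new Map(); // constructed stand-in for the orders table

function encryptCard(card) {
  const iv = crypto.randomBytes(12); // unique nonce per record
  const c = crypto.createCipheriv('aes-256-gcm', KEY, iv);
  const ct = Buffer.concat([c.update(JSON.stringify(card), 'utf8'), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

function decryptCard({ iv, ct, tag }) {
  const d = crypto.createDecipheriv('aes-256-gcm', KEY, iv);
  d.setAuthTag(tag); // a tampered record fails here instead of decrypting
  return JSON.parse(Buffer.concat([d.update(ct), d.final()]).toString('utf8'));
}

function placeOrder(id, card) {
  // Only ciphertext plus the display-safe last four digits are written.
  orders.set(id, { status: 'pending', last4: card.number.slice(-4), enc: encryptCard(card) });
}

// chargeFn is a hypothetical stand-in for the payment gateway call.
function shipOrder(id, chargeFn) {
  const o = orders.get(id);
  if (!o || o.status !== 'pending') throw new Error('order not pending');
  const approved = chargeFn(decryptCard(o.enc));
  if (!approved) return false; // declined: leave the order for review
  o.enc.ct.fill(0);            // best-effort wipe of the in-memory buffer
  delete o.enc;                // number, expiry and security code are gone
  o.status = 'shipped';
  return true;
}

// What someone who copied the table (but not the key) would be able to read.
function dumpTable() {
  return [...orders.values()].map(o => ({
    status: o.status, last4: o.last4,
    ciphertext: o.enc ? o.enc.ct.toString('hex') : null,
  }));
}

placeOrder(1, { number: '4111111111111111', exp: '12/30', cvv: '123' }); // constructed test card
placeOrder(2, { number: '5555555555554444', exp: '01/31', cvv: '456' }); // constructed test card
shipOrder(1, card => card.number.length === 16);
console.log(dumpTable());
```

After the run, order 1 carries only its status and last four digits, while order 2 is still recoverable by anyone who obtains both the table and the key, which is the exposure window the comment describes.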

  43. Re:Another, eh? -- a retailer's perspective by Anonymous Coward · · Score: 0

    Sorry, AC for a reason.

    I work for a medium-sized regional business that takes orders over the web and I can tell you for our processor (Skipjack) one-time-use transaction codes work great.

    The way I've got it set up is like swiping your card at a regular retailer -- pass them the CC number, get the authorization and move on. The only thing we save is the CC type, the last 4 digits and the expiration date. If I ever need to do an upcharge or issue a credit I just use the transaction code (15-20 chars, IIRC) and it all magically works. It's great -- secure transactions and I don't have to worry about a compromised database!

    In fact I was told once that even Skipjack didn't have a way to look up the whole credit card number after the fact and that only the CC vendors themselves were allowed to store the whole account number.

    It might be a little different once the transaction heads upstream to Vital/Novus/whoever, but I don't know -- I never tried to confirm that last bit, but I can tell you I sure as hell don't want to save that info!

  44. Re: no such policy by El Gigante de Justic · · Score: 1

    I've never had problems with using Discover card and shipping to an address not matching my billing address and not on my Discover account, so I'm not sure where you've ever heard of this policy from. My experience includes purchases from Amazon, Dell, Newegg and other online stores.

  45. Re:Typical /. sensationalism... by Anonymous Coward · · Score: 0

    Very true.
    Steam was hacked years ago already.
    You can play all of the Steam games easily without buying them or even installing Steam.

  46. So as it turns out, by Vampyre_Dark · · Score: 1

    Steam has officially gone up in smoke? =0)