Steam Hacked, Credit Card Numbers Taken
An anonymous reader writes "DailyTech reports that Valve's Steam content distribution system has been compromised. According to the article a hacker claims to have 'bypassed Valve's security system and accessed a significant chunk of data, including: screenshots of internal Valve web pages, a portion of Valve's Cafe directory, error logs, credit card information of customers, and financial information on Valve.'"
I got a call today from Discover that the card I used to purchase some Steam games was used in several stores in the last two days, racking up over $1500 in charges. I've been trying to figure out how they got my number, and this seems a possible candidate. If you're a Steam customer, beware!
I don't know about you, but my servers run on the power of cotton candy and happy thoughts. -Anonymous Coward
Who says it was even Valve's machine that was compromised? 1UP.com:
Tedious Bloggy Stuff - hooray?
http://i17.tinypic.com/2e0irza.jpg
The pic in TFA only shows the left half of the picture.
[Fuck Beta]
o0t!
That's not even needed, really. Put a nice, hardened firewall (ala IPCop) between the computers on a network and let the information be passed out but not in. If that makes sense.
Internet-->Firewall-->Processingserver-->Firewall
                                         -->Firewall-->"Billing" Server
The only open INCOMING port on "Billing" is the port that records billing information; the only outgoing port is the one that tells the processing server to send mail to such and such.
Also, use end-to-end encryption!
I think there are two main motivations for the point systems. The first is that credit card companies have a per transaction fee that is around $0.25 - $0.35. This is really significant when you want to have multiple transactions around $1 - $2 each. By having you purchase points in increments of at least $5, they only pay the transaction fee once for a series of transactions. Apple does something similar with iTunes: they collect somewhere between one and three days worth of purchases and submit them together as a single transaction, hoping you buy more than just a single $0.99 track (I've never used iTunes, so this is a summary of what I've read about its behavior).
The other reason for the points system is to be able to set a single global price for content. I can post a piece of content for 800 points and tell people about that without having to convert it to a whole bunch of other currencies. Microsoft then sells points at some constant exchange rate for each country. This keeps content prices from fluctuating everywhere outside the US (compared to making the content $10 USD and having the exchange rate vary).
The way "hacker" is used in the media and on slashdot always makes me laugh. This "hacker" seems to be affiliated with the Free Nation Foundation group in some way. Maybe the interview is a hoax too; let's face it, you can believe everything or nothing you read on the internet. Either way, I feel there are some very troubled and delusional kids out there that need help getting away from their computers for a while to play baseball or do something constructive. Read the interview, then go to the forums at FNF. Read the bits about the rights to name unclaimed islands they found on google maps, or the fiberglass huts and shipping containers they plan on living in. If this garbage makes it on slashdot, you have to wonder... how many articles read here every day are instigated by lonely, frustrated teens with a blog and a need to feel important?
The source?
The interview
Please, read the forums at freenationfoundation.org so you all get an idea what goes on in these "hacker's" minds.
They really need your help.
-SJ
He hacked into a website, but it wasn't Steam itself but a third party site (the article linked itself has this correction at the bottom); at least that's the official line from Valve.
While you're not entirely wrong, I think you've also misunderstood what he was trying to explain.
I've used Verified by VISA a number of times now (and have dealt with a number of on-line merchants which will only accept payment through it) and it's really quite simple. First of all, you need to tell your bank (I did it through its on-line banking interface) that you want to enable VBV on a given card.
Now, the way it's implemented in my country (don't know if it differs in other countries) is: you then stipulate a password for the VBV system for that card, and an overall daily "allowance" for VBV operations on that card (i.e., the total daily amount you're willing to allow your card to be charged through VBV).
Then, for each transaction, you generate a virtual card on-the-fly (stipulating a specific limit for that card) which is good for one, and only one, transaction (after which it becomes unusable) and expires within a month (in case the merchant takes too long to charge you for the transaction). In my case, there's even a toolbar/FF extension-like program you can download, enabling you to generate the virtual card with just a few clicks without having to open a new tab/window/whatever. Which means the vendor/seller never gets his hands on your CC number/account. And he can only charge you for the amount you enabled the VCC to pay for, and not a penny more.
Now, like the GP said, it won't do for monthly/cyclical payments (as you can only use each card once), but for purchases on an unknown vendor/site, it's pretty handy.
Plus, the whole system is completely transparent and lightning-fast. You can create a VBV account (which you can manage through your bank's on-line banking system), delete it, change access password, change daily allowance, create and cancel virtual cards (on the VBV site), all within seconds of each operation. And all of this without paying a single fee. You only pay what you charge to your card, no added cost.
Which means, at least to me, that it's more than just an added level of security. First of all, it's a new card for each transaction. And, because those cards expire within a month of their creation, the system can re-utilize them on a cyclical basis (after all, the cardholder's name won't be the same, as well as the 3-digit security code). A card that you can cancel at any time (if it hasn't been charged yet, that is). All through a (secure) system that requires you to use a password (that you choose) and a username that your bank generates (not just the "cardholder's name/CC number/CVV2 security code" combo), all while still enjoying that same "chargeback if you've been ripped off" protection you get with traditional CCs.
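The single-use virtual card rules described in the comment above, modelled as an added example (not Visa's, the bank's, or the commenter's code): a daily VBV allowance on the real card, a per-card limit the merchant cannot exceed, exactly one charge per card, a 30-day expiry, and cancellation only while the card is still uncharged. The class names, the 30-day window, and the assumption that cancelling a card frees its share of the day's allowance are mine.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical model of the virtual-card scheme in the comment; all names are
# constructed for this example. Amounts are in cents to avoid float rounding.

@dataclass
class VirtualCard:
    number: str          # constructed placeholder label, not a real card number
    limit: int           # the most the merchant may charge, "not a penny more"
    created: date
    charged: bool = False
    cancelled: bool = False

    def expired(self, today: date) -> bool:
        # Assumed window: the comment only says "within a month".
        return today > self.created + timedelta(days=30)

class VbvAccount:
    def __init__(self, daily_allowance: int):
        self.daily_allowance = daily_allowance   # total VBV spend allowed per day
        self.cards: list = []
        self._seq = 0

    def issued_today(self, today: date) -> int:
        # Assumption: a cancelled card no longer counts against the allowance.
        return sum(c.limit for c in self.cards
                   if c.created == today and not c.cancelled)

    def create_card(self, limit: int, today: date) -> VirtualCard:
        # Generating a card reserves part of the daily allowance up front.
        if limit <= 0 or self.issued_today(today) + limit > self.daily_allowance:
            raise ValueError("limit exceeds remaining daily VBV allowance")
        self._seq += 1
        card = VirtualCard(f"VCC-{self._seq:04d}", limit, today)
        self.cards.append(card)
        return card

    def cancel(self, card: VirtualCard) -> bool:
        # Cancellation is only possible while the card has not been charged.
        if card.charged:
            return False
        card.cancelled = True
        return True

def merchant_charge(card: VirtualCard, amount: int, today: date) -> bool:
    """Honour the charge only if the card is unused, live, and the amount fits.
    Each refusal path is one the comment describes: reuse, cancellation,
    expiry, or an amount above the limit the cardholder set."""
    if card.charged or card.cancelled or card.expired(today) or amount > card.limit:
        return False
    card.charged = True
    return True
```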