Slashdot Mirror


Steam Hacked, Credit Card Numbers Taken

An anonymous reader writes "DailyTech reports that Valve's Steam content distribution system has been compromised. According to the article a hacker claims to have 'bypassed Valve's security system and accessed a significant chunk of data, including: screenshots of internal Valve web pages, a portion of Valve's Cafe directory, error logs, credit card information of customers, and financial information on Valve.'"

4 of 141 comments (clear)

  1. Another, eh? by EveryNickIsTaken · · Score: 4, Insightful

    At what point are sites that take credit cards going to release they need to keep the CC/customer database offline?

    1. Re:Another, eh? by Anonymous Coward · · Score: 4, Insightful

      I wonder at what point the Credit Card industry will switch to one-time use authorization codes, instead of giving retailers your account number? There's no good reason any online retailer *ever* needs my credit card number. It would be possible, if VISA/MasterCard/Discover actually gave a crap about this, to have the retailer redirect the user to the credit card processor's website along with some kind of identifier code to identify the retailer (and, behind the scenes, the CC processor would send back a transaction identifier - probably a guid of some sort, which the retailer could store in their records for later reference), and the requested dollar amount of the transaction. Once on the Credit Card processor's site, the user could either enter their CC account info, or maybe use some sort of login or smart-card authentication, to authorize the transaction.

      The CC processor could then send back to the retailer the the transaction id along with either an authorized or unauthorized code indicator (maybe even a code to indicate why authorization failed - insufficient funds, user declined, stolen card, etc).

      This could even extend to subscription purchases. Currently, one of the reason's retailers might store CC info is for recurring subscription charges. When requesting the transaction, the retailer could indicate they would like to do a recurring charge, and in that case, the transaction id they receive could be repeatedly billed (but *only* by them, not by other merchants) until the user canceled that subscription. Currently, every retailer individually manages subscriptions, so if you want to cancel a subscription with, say, an online game (or magazine or anything else), you have to go to their website (or use some interface built into the game's client) to cancel the subscription. Wouldn't it be great to just log into your credit card's website and go cancel a subscription from a list of your current subscriptions? The next time the game, magazine, whatever goes to bill you, they simply receive back an authorization failed code indicating that the user cancelled the subscription, and they cancel the account in their system automatically.

      Well, I can hope anyhow. Currently, the CC industry seems to be simply content with the status quo, even if it is pretty stupid. I see no reason why anyone I do business with needs a re-usable account number.

      There is, of course, with this proposal still the possibility of someone setting up a phishing attack. Go to their site, get "re-directed to the CC processor's site", which really isn't, and then you end up putting your info in the phisher's database. That could probably be defeated by something similar in concept to Bank of America's SiteKey system, where the site proves to you that *it* is real by showing you something secret, that a phishing site would never know what to show you.

  2. Re:Steam support is vapid by shaitand · · Score: 4, Insightful

    You aren't canceling your card? Lets see, is that the same user id you use for valve? *searches for that id in his printout*

  3. Re:Online game services by Dachannien · · Score: 3, Insightful

    Three cheers for virtual credit card numbers.