Slashdot Mirror


Steam Hacked, Credit Card Numbers Taken

An anonymous reader writes "DailyTech reports that Valve's Steam content distribution system has been compromised. According to the article a hacker claims to have 'bypassed Valve's security system and accessed a significant chunk of data, including: screenshots of internal Valve web pages, a portion of Valve's Cafe directory, error logs, credit card information of customers, and financial information on Valve.'"

33 of 141 comments

  1. Online game services by stratjakt · Score: 3, Funny

    WTG.. Next stop, gametap.

    --
    I don't need no instructions to know how to rock!!!!
    1. Re:Online game services by Anonymous Coward · Score: 2, Funny

      I don't know about you guys, but sounds to me like this Hacker found himself a Garbage file - Valve wouldn't have said anything but one of the main Valve admins was planning on sinking 12 virtual oiltankers in the Half-Life fleet using a virus they happened to be storing in that Garbage file - so now they need to catch the kid to find the source, and then silence the Hackers by framing them for the virus!

      Jeez, this is like what, a 13 year old dupe? GG editors!

    2. Re:Online game services by stanmann · Score: 3, Funny

      Dude, the Gibson hacked you.

      --
      Food not Bombs is a nice platitude but it breaks down when you notice that the Bombees are usually well fed
    3. Re:Online game services by Dachannien · Score: 3, Insightful

      Three cheers for virtual credit card numbers.

    4. Re:Online game services by CelticWhisper · Score: 3, Funny

      Now THAT's dedication. Did you manually crack the CD-Key algorithm in the garage behind your house a la "A Beautiful Mind?"

      --
      Help protect civil rights from abuse by the TSA - visit TSA News Blog.
      http://www.tsanewsblog.com
  2. Figures by HolyCrapSCOsux · Score: 5, Funny

    This is why I like my valves to be ball, gate, or ECC83 and EL34

    --
    0xB315AA8D852DCD3F3DCA578FD2E0BF88
  3. Another, eh? by EveryNickIsTaken · Score: 4, Insightful

    At what point are sites that take credit cards going to release they need to keep the CC/customer database offline?

    1. Re:Another, eh? by EveryNickIsTaken · Score: 4, Funny

      Realize, even. Grammar police, set phasers to stun.

    2. Re:Another, eh? by ichigo+2.0 · Score: 2, Insightful

      I'm wondering when they will realize (zap) that they shouldn't be storing CC data at all.

    3. Re:Another, eh? by I'll+Provide+The+War · Score: 2, Insightful

      Isn't this the same company that got their game code stolen because they placed it on a machine connected to the Internet?

    4. Re:Another, eh? by Anonymous Coward · Score: 4, Insightful

      I wonder at what point the Credit Card industry will switch to one-time use authorization codes, instead of giving retailers your account number? There's no good reason any online retailer *ever* needs my credit card number. It would be possible, if VISA/MasterCard/Discover actually gave a crap about this, to have the retailer redirect the user to the credit card processor's website along with some kind of identifier code to identify the retailer (and, behind the scenes, the CC processor would send back a transaction identifier - probably a guid of some sort, which the retailer could store in their records for later reference), and the requested dollar amount of the transaction. Once on the Credit Card processor's site, the user could either enter their CC account info, or maybe use some sort of login or smart-card authentication, to authorize the transaction.

      The CC processor could then send back to the retailer the transaction id along with either an authorized or unauthorized code indicator (maybe even a code to indicate why authorization failed - insufficient funds, user declined, stolen card, etc).

      This could even extend to subscription purchases. Currently, one of the reasons retailers might store CC info is for recurring subscription charges. When requesting the transaction, the retailer could indicate they would like to do a recurring charge, and in that case, the transaction id they receive could be repeatedly billed (but *only* by them, not by other merchants) until the user canceled that subscription. Currently, every retailer individually manages subscriptions, so if you want to cancel a subscription with, say, an online game (or magazine or anything else), you have to go to their website (or use some interface built into the game's client) to cancel the subscription. Wouldn't it be great to just log into your credit card's website and go cancel a subscription from a list of your current subscriptions? The next time the game, magazine, whatever goes to bill you, they simply receive back an authorization failed code indicating that the user cancelled the subscription, and they cancel the account in their system automatically.

      Well, I can hope anyhow. Currently, the CC industry seems to be simply content with the status quo, even if it is pretty stupid. I see no reason why anyone I do business with needs a re-usable account number.

      There is, of course, with this proposal still the possibility of someone setting up a phishing attack. Go to their site, get "re-directed to the CC processor's site", which really isn't, and then you end up putting your info in the phisher's database. That could probably be defeated by something similar in concept to Bank of America's SiteKey system, where the site proves to you that *it* is real by showing you something secret, that a phishing site would never know what to show you.

    5. Re:Another, eh? by Sigma+7 · Score: 3, Interesting

      I wonder at what point the Credit Card industry will switch to one-time use authorization codes, instead of giving retailers your account number?

      Placing an order online is a 3-step process. Select the items you want, enter your billing information, and place the order - and one of these can be skipped by "remembering" the billing information.

      The proposed system will make it a 4-step process: Select the items, obtain your billing information, enter your billing information, and place the order - and none of these can really be skipped. It's a matter of personal taste on what you prefer, but most people go for convenience rather than security.

      The implementation could easily handle this by having credit card numbers "linked" to a primary account, as there's at least 10 trillion possible combinations for credit cards from a single institution. No information on if it will work in practice, but given that most people aren't good with numbers, it would probably boost CS calls. ...
    6. Re:Another, eh? by Anonymous Coward · Score: 5, Funny

      You morons! HE WAS CORRECTING HIMSELF!

      Go get some sleep and/or stimulant of your choice.

    7. Re:Another, eh? by !coward · Score: 2, Informative

      While you're not entirely wrong, I think you've also misunderstood what he was trying to explain.

      I've used Verified by VISA a number of times now (and have dealt with a number of on-line merchants which will only accept payment through it) and it's really quite simple. First of all, you need to tell your bank (I did it through its on-line banking interface) that you want to enable VBV on a given card.

      Now, the way it's implemented in my country (don't know if it differs in other countries) is: you then stipulate a password for the VBV system for that card, and an overall daily "allowance" for VBV operations on that card (ie, the total daily amount you're willing to allow your card to be charged through VBV).

      Then, for each transaction, you generate a virtual card on-the-fly (stipulating a specific limit for that card) which is good for one, and only one, transaction (after which it becomes unusable) and expires within a month (in case the merchant takes too long to charge you for the transaction). In my case, there's even a toolbar/FF extension-like program you can download, enabling you to generate the virtual card with just a few clicks without having to open a new tab/window/whatever. Which means the vendor/seller never gets his hands on your CC number/account. And he can only charge you for the amount you enabled the VCC to pay for, and not a penny more.

      Now, like the GP said, it won't do for monthly/cyclical payments (as you can only use each card once), but for purchases on an unknown vendor/site, it's pretty handy.

      Plus, the whole system is completely transparent and lightning-fast. You can create a VBV account (which you can manage through your bank's on-line banking system), delete it, change access password, change daily allowance, create and cancel virtual cards (on the VBV site), all within seconds of each operation. And all of this without paying a single fee.. You only pay what you charge to your card, no added cost.

      Which means, at least to me, that it's more than just an added level of security.. First of all, it's a new card for each transaction.. And, because those cards expire within a month of their creation, the system can re-utilize them on a cyclical basis (after all, the cardholder's name won't be the same, as well as the 3-digit security code). A card that you can cancel at any time (if it hasn't been charged yet, that is). All through a (secure) system that requires you to use a password (that you choose) and a username that your bank generates (not just the "cardholder's name/CC number/CVV2 security code" combo), all while still enjoying that same "chargeback if you've been ripped off" protection you get with traditional CCs.

  4. Credit card information? by Reason58 · Score: 5, Interesting

    It's interesting that they mention credit card information, as you have to enter your complete billing address and credit card information every single time you make a purchase through Steam. Is this hacker lying, or is Steam collecting and storing credit card information on users for shady reasons?

    1. Re:Credit card information? by tlhIngan · Score: 3, Interesting

      Who knows where the credit card numbers came from, really. There's no evidence that the ones they got were from Steam purchases (I think?). But I wouldn't be surprised anyway. Valve's security is notoriously bad, and they require the last four digits of your credit card number in order to recover lost Steam accounts, so they're at least storing a portion of it.


      Reports are all over the map - Valve's official statement says it's only cybercafe owners who are affected (Valve has their credit card information for billing purposes - looks like Valve licenses their games by the hour). And they claim it's the third party host that's afflicted who manages the cybercafe program, and that steam itself wasn't hacked.

      Where the whole story lies is somewhere in between.

      What I don't get is this:

      It seems that VALVe is being held for ransom. If this is true, VALVe may be in trouble, as California Senate Bill 1386 requires that credit card holders be informed of any breach of their information, and MaddoxX already knows exactly how much money they have available.


      What does a California bill have to do with a company based in Washington? (Valve was formed out of some people from Microsoft). They may have to alert CA residents, I suppose?
  5. This is major news. by imbaczek · Score: 3, Interesting

    How this is not worthy of showing the whole summary is beyond me.

    Oh and I sincerely hope that this kid gets his share of gulag.

    1. Re:This is major news. by Opportunist · Score: 2, Interesting

      If he sits there with the dimwit who thought it's a bright idea to store CC info on a publicly accessible server, fine with me.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  6. Check your credit cards by Cerberus7 · Score: 3, Informative

    I got a call today from Discover that the card I used to purchase some Steam games was used in several stores in the last two days, racking up over $1500 in charges. I've been trying to figure out how they got my number, and this seems a possible candidate. If you're a Steam customer, beware!

    --
    I don't know about you, but my servers run on the power of cotton candy and happy thoughts. -Anonymous Coward
    1. Re:Check your credit cards by statusbar · Score: 2, Insightful

      And how do we know that he is the one and only who did hack it? Or is it just someone who said he did?

      --jeffk++

      --
      ipv6 is my vpn
  7. Steam support is vapid by spyrochaete · Score: 4, Interesting

    Steam is handling this situation extremely poorly in my books. I emailed Steam Support about 18 hours ago, again 6 hours ago, and have received no reply. I've spent about $200 over Steam and until now have received excellent service. Now I'm royally pissed off.

    Here is my first email to Steam:

    I read a distressing article today claiming that Steam's databases were broken into and credit card information was stolen:
    http://emp.damage-web.net/viewtopic.php?p=62590

    Is this true? Do I need to cancel my credit card? Please advise ASAP!


    And here is my second one, posted this morning:

    Do I really need to tell you that this urgent question is time-sensitive?

    http://digg.com/gaming_news/Valve_Hacked_Your_Info_may_be_at_risk

    As you can see this issue, rumour or otherwise, is public knowledge and widespread. Valve's lack of a statement on this is very conspicuous. Please confirm or deny this story so that I can rest at ease.


    I'm not panicking and I'm not about to cancel my credit card, but I'm furious that Valve will not at least advise me whether or not I should do so. If they don't contact me by midnight I'll never buy through their service again. Furthermore, I'll probably join in on any class action lawsuit.

    1. Re:Steam support is vapid by shaitand · Score: 4, Insightful

      You aren't canceling your card? Let's see, is that the same user id you use for valve? *searches for that id in his printout*

  8. Re:It's an unconfirmed claim you Irish fools by caramelcarrot · Score: 5, Informative
    http://forums.steampowered.com/forums/showthread.php?t=554840

    "There has been no security breach of Steam." However, he does confirm our expert's findings by adding, "The alleged hacker gained access to a third-party site that Valve uses to manage the commercial partners in its Cyber Café program. This Cyber Café billing system is not connected to Steam. We are working with law enforcement agencies on this matter, and encourage anyone with more information to e-mail us at Catch_A_Thief@valvesoftware.com."
  9. Re:You need to store something for monthly billing by Ford+Prefect · Score: 5, Informative

    The issue is that the machine doing the billing must NOT be connected to the Internet.

    Who says it was even Valve's machine that was compromised? 1UP.com:

    Doug Lombardi, director of marketing at Valve, says, "There has been no security breach of Steam." However, he does confirm our expert's findings by adding, "The alleged hacker gained access to a third-party site that Valve uses to manage the commercial partners in its Cyber Café program. This Cyber Café billing system is not connected to Steam. We are working with law enforcement agencies on this matter, and encourage anyone with more information to e-mail us at Catch_A_Thief@valvesoftware.com."

    --
    Tedious Bloggy Stuff - hooray?
  10. overdrawn, lol. by iPodUser · Score: 3, Funny

    My account that I used to buy the game is overdrawn, the joke's on him!

    (That and I just switched banks so the account will be inactive in a matter of days)

    --
    This space intentionally left blank.
  11. Here's the full *original* screenshot by TubeSteak · Score: 4, Informative

    http://i17.tinypic.com/2e0irza.jpg

    The pic in TFA only shows the left half of the picture.

    --
    [Fuck Beta]
    o0t!
  12. Why do online sites need to store CC#s at all? by illegalcortex · Score: 3, Interesting
    Some people have said that this may be inaccurate since Steam requires that you enter a CC# at every purchase. In any case, I have to wonder why we don't have better technology than just storing CC#s. For purchases that happen instantaneously online, this would seem to be avoidable.
    1. You enter your CC# on a company's website
    2. Company sends CC# to credit card validation service
    3. On successful transaction, the CC company uses its private key to encrypt a small message containing the cardholder's name, address and CC# along with the billing company's name and address or other account info. It then sends that encrypted result back to the billing company. The billing company throws away the credit card number (except maybe the last four digits for easy identification purposes) and stores only this encrypted form.
    4. Later, when the billing company wants to charge the customer again, it sends that encrypted form to the CC company instead.
    5. The CC company accepts it and decrypts it using the private key, thus allowing payment only to the billing company listed in the file

    Any obvious glaring errors? Any idea if this has already been proposed and shot down in the past? The data is never going to be truly secure. Someone is always going to get hacked. So it seems this might be a good way to minimize the amount of valuables lying around.
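    The five-step flow above, plus the "cancel the subscription at the card company" idea from the earlier "Re:Another, eh?" comment, as an added Python example; it is not from any poster and is not Valve's or any card network's code. Where the post has the card company "encrypt with its private key", this hypothetical processor instead attaches an HMAC tag to a token that names the merchant and keeps the card number in its own vault (the standard library has no authenticated encryption); card numbers, merchant names and amounts are constructed.

```python
import base64, hashlib, hmac, json, secrets

class CardNetwork:
    # Hypothetical card processor: the only party that ever holds the key and the PANs.
    def __init__(self, balances):
        self._key = secrets.token_bytes(32)   # never leaves the processor
        self._balances = dict(balances)       # PAN -> remaining credit (constructed)
        self._vault = {}                      # token id -> PAN, kept here, not at the shop
        self._cancelled = set()               # token ids revoked by the cardholder

    def first_charge(self, pan, holder, merchant_id, amount):
        # Steps 2-3: the merchant sends the PAN once and gets back a merchant-bound token.
        if self._balances.get(pan, 0) < amount:
            return None
        self._balances[pan] -= amount
        tid = secrets.token_hex(8)
        self._vault[tid] = pan
        body = json.dumps({"id": tid, "holder": holder, "merchant": merchant_id},
                          sort_keys=True).encode()
        tag = hmac.new(self._key, body, hashlib.sha256).digest()
        return b".".join(base64.urlsafe_b64encode(p) for p in (body, tag)).decode()

    def charge_token(self, token, merchant_id, amount):
        # Step 5: verify the tag, then pay only the merchant named inside the token.
        try:
            body, tag = (base64.urlsafe_b64decode(p) for p in token.split("."))
        except ValueError:                    # wrong part count or bad base64
            return "malformed"
        if not hmac.compare_digest(hmac.new(self._key, body, hashlib.sha256).digest(), tag):
            return "bad_tag"                  # token was edited or made up
        payload = json.loads(body)
        if payload["merchant"] != merchant_id:
            return "wrong_merchant"           # token presented by a different merchant
        if payload["id"] in self._cancelled:
            return "cancelled"
        pan = self._vault[payload["id"]]
        if self._balances[pan] < amount:
            return "insufficient_funds"
        self._balances[pan] -= amount
        return "approved"

    def cancel(self, token):
        # The cardholder ends a recurring authorization at the card company, not the shop.
        self._cancelled.add(json.loads(base64.urlsafe_b64decode(token.split(".")[0]))["id"])

def demo():
    pan, shop, other = "4111111111111111", "example-shop", "other-merchant"  # constructed
    net = CardNetwork({pan: 100})
    token = net.first_charge(pan, "Alice Example", shop, 20)   # steps 1-3: PAN sent once
    shop_db = {"alice": {"token": token, "last4": pan[-4:]}}   # step 3: PAN is discarded
    # Rewriting the token to name another merchant changes the body, so the tag no longer fits.
    body, tag = token.split(".")
    edited = {**json.loads(base64.urlsafe_b64decode(body)), "merchant": other}
    forged = base64.urlsafe_b64encode(json.dumps(edited, sort_keys=True).encode()).decode()
    results = {"pan_stored_by_shop": pan in json.dumps(shop_db),
               "rebill": net.charge_token(shop_db["alice"]["token"], shop, 20),  # step 4
               "replay": net.charge_token(token, other, 20),
               "forged": net.charge_token(forged + "." + tag, other, 20),
               "garbage": net.charge_token("not-a-token", shop, 20)}
    net.cancel(token)
    results["after_cancel"] = net.charge_token(token, shop, 20)
    return results
```

    The shop's record never contains the card number in any form, so a copy of that database is worth nothing to anyone but the one merchant it was issued to, and only until the cardholder cancels.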
  13. 1337 by kbox · Score: 3, Funny

    The 'hacker' uses windows and IE... As if being a scummy thief wasn't bad enough.

  14. Re:Wii points? by VertigoAce · Score: 3, Informative

    I think there are two main motivations for the point systems. The first is that credit card companies have a per transaction fee that is around $0.25 - $0.35. This is really significant when you want to have multiple transactions around $1 - $2 each. By having you purchase points in increments of at least $5, they only pay the transaction fee once for a series of transactions. Apple does something similar with iTunes: they collect somewhere between one and three days worth of purchases and submit them together as a single transaction, hoping you buy more than just a single $0.99 track (I've never used iTunes, so this is a summary of what I've read about its behavior).

    The other reason for the points system is to be able to set a single global price for content. I can post a piece of content for 800 points and tell people about that without having to convert it to a whole bunch of other currencies. Microsoft then sells points at some constant exchange rate for each country. This keeps content prices from fluctuating everywhere outside the US (compared to making the content $10 USD and having the exchange rate vary).

  15. Interview with the "HACKER" by ToasterMonkey · Score: 2, Informative

    The way "hacker" is used in the media and on slashdot always makes me laugh. This "hacker" seems to be affiliated with the Free Nation Foundation group in some way. Maybe the interview is a hoax too, let's face it, you can believe everything or nothing you read on the internet. Either way, I feel there are some very troubled and delusional kids out there that need help getting away from their computers for a while to play baseball or do something constructive. Read the interview, then go to the forums at FNF. Read the bits about the rights to name unclaimed islands they found on google maps, or the fiberglass huts and shipping containers they plan on living in. If this garbage makes it on slashdot, you have to wonder... how many articles read here everyday are instigated by lonely, frustrated teens with a blog and a need to feel important?

    The source?
    The interview
    Please, read the forums at freenationfoundation.org so you all get an idea what goes on in these "hacker's" minds.
    They really need your help.

    -SJ

  16. If you are emailing Steam support.. by RealityThreek · Score: 2, Insightful

    ... don't you think everyone else is too? Is it really all that surprising that they are backlogged?

    --
    :wq
  17. Looks like the "hacker" is full of crap by Talgrath · Score: 2, Informative

    He hacked into a website, but it wasn't Steam itself but a third party site (the article linked itself has this correction at the bottom); at least that's the official line from Valve.

  18. Re:You need to store something for monthly billing by RiscIt · Score: 2, Insightful

    Reason to store Card Info: The customer WANTS them to. I'm sure by now you've come across an online store that ASKED if you wanted them to save it for next time. I use this with Dell and New Egg. If they don't ask then it's a problem, but for everyone else it's the CUSTOMER'S responsibility to make the decisions as to whether or not they trust the company.

    Reason to be connected to the intarweb: They PROCESS the cards online (via authorize.net, for example).
    I write e-commerce apps for a living. My usual policy (unless the client demands something else) is to take the card numbers, save them encrypted in a database, wait until a store employee reviews their order to make sure it is okay to ship, charge the card (via authorize.net), ship it, close the order and delete the security code, expiration date, and all but the last 4 digits of the card number.

    Thus if (god forbid) someone were to break in the only card numbers they would have access to are orders which have been placed but not shipped yet, and even those would be encrypted unless they also got the encryption key. It's quite likely that an order will be shipped within an hour of it being placed, so the risk involved is almost nothing.

    There will always be risk involved, no matter how secure you build a system (or ignorantly THINK you have). Deciding whether or not to allow a company to save your card info is simply saying how much risk you are willing to take.