Sony: 10 Million Credit Cards May Have Been Exposed
WrongSizeGlass writes "The LA Times is reporting that Sony has revealed that 10 million credit card accounts may have been exposed two weeks ago when a hacker broke into the company's computers in San Diego and stole data from 77 million PlayStation Network accounts. Sony said it will provide credit card protection services for the 10 million customers whose data were compromised. Sony last week said it had encrypted credit card data, but not other account information, including names, addresses, email addresses and birth dates."
When is the Playstation 4 coming out!! OMG I want one NOW!
I know this is beating a dead horse... but the core problem here isn't Sony's epic failure... it's that the credit system is so broken that this information that was stolen is enough to seriously fuck with someone's life.
I'm not trying to downplay Sony's screw up. I have a PSN account and as such am suitably nervous. This whole thing just reminds me of how messed up our system is.
"The odds are only 1 in 10,000,000 that someone will use your card."
...Were account passwords encrypted or hashed?
Using the credit cards will install a DRM rootkit on their computers right?
Sony, I thought you said no CC numbers were exposed! How will we ever trust you again when you lie like this? A month of PSN Plus you say?
It took years after the rootkit fiasco before I decided to extend some trust to Sony and spend money on their products. Then came the removal of OtherOS, and I ceased spending any money with them. Then their bully tactics when the console got hacked, and I was glad I'd not spent any further money with them. Now, I find even after not doing any business with them for such a period I'm still not free of their incompetence and poor management. What will happen to Sony as a result of this? Nothing. All the muppets out there will continue to do business with this incompetent, morally bankrupt behemoth. Will I be dumb enough to become one of those muppets again? I hope not.
...fill in here...
Why does everybody collect and store all these data centrally?
Just store it locally, on the PlayStation, electronically signed and encrypted in a way that the customer has to enter a passphrase to decrypt it when it's really needed. Make the "it is needed" message also necessarily signed by an independent system with no other function. Let this system keep statistics, and trigger an alarm if the number of signatures per minute deviates significantly from the expected number.
I just got up to speed on the whole PSN thing. I never once received an email from Sony explaining the problems and I was too busy last week to spend an abundant amount of time on /. reading about the security breach. I just got a call today from fraud protection on my debit card tied to my main bank account. They got triggered to suspicious activity when multiple charges showed up in two different states at the same time. Someone had gone to 2 Home Depots in FL and ran $100 gift cards 6 times in 2hrs today. This also happens to be the same card I had used to make a purchase from the PSN network a month ago for the DLC of Fallout: New Vegas. To me this seems a little too coincidental to be the victim of some completely different fraud in the middle of this big stink with the 77 million accounts compromised from the PSN.
This is not news. It was already posted on Slashdot. The only new item is that only 10 million of the 77 million accounts had credit card information associated.
BTW: Sony has said there is no evidence the intruders got CC info, but they can't rule it out either.
That doesn't help if the attacker has a copy of their private key. Given the apparent scale of the intrusion, I wouldn't be willing to bet that they don't have it.
Help me out here guys. Should it be trivial in a modern data center to tell if that much data has been accessed? Also, I know California has a data breach law requiring disclosure if you do business there, any Californians with some extra letters from Sony?
Woah, some executives bowed in apology? That makes everything better now! All is forgiven, and we* can get back with our lives now.
They were in the prison shower with Bubba standing behind them when this happened, right?
* - "We" refers to each individual PSN member and the guy who's running around with the PSN member's ID and credit card.
This sentence no verb.
What kind of encryption can completely secure credit card data, whose target space is limited and whose patterns are well known? Anyone competent enough to hack into their system is most probably competent enough to do cryptanalysis and decipher the data in no time. As they couldn't secure their own network, I don't think they had used methods to scramble credit card data before encrypting it.
The executive pulled out his sword and fell on it?
All online companies that store credit card data are required to be PCI compliant, like the company I work for, http://solidtrustpay.com/. The only reason Sony would have been storing card info is to retain the ability to recharge cards monthly, etc. ALL data should be encrypted, not just card info; in particular, email addresses to prevent phishing and spam attacks. Let's hope they learn and adjust their database systems quickly!
An alternative is easy in concept, but the status quo has the industry in a stranglehold. It's not like even a large consumer group acting together could *change* things from 'outside'.
We are talking about 16 'secret' numbers that allow whoever figures them out to charge however much they want against your account. Occasionally an additional value on the back is needed for some retailers, but at the end of the day to even buy $5 of something with your card you must trust the seller to not do bad things with your account *and* keep it safe from others. This might have been about the best you could do when the seller was doing a carbon copy and would phone in the slips at the end of the day, but now everyone *immediately* contacts a server for validation and nearly every person with a card also has a pocket-sized computer device capable of independently talking to bank servers. It's completely reasonable to have point-of-sale equipment that pairs with a phone and have the phone connect directly to bank servers to *specifically* authorize a transaction amount and have the PoS verify that data as well, without such a silly use of an account number and just exchanging public keys and per-transaction authorization data.
The common defense is "oh, well, most card companies don't hold the customer liable for everything", ignoring:
-Some companies will hold the cardholder liable for some of it
-Sometimes they may argue that the cardholder didn't act promptly or other circumstance
-Even when everything works as 'promised', there is a cost incurred *somewhere* and that impacts you, either in higher interest rates on credit, lower interest rates on checking, and/or merchant prices due to processing fees. I'm about convinced this last one is the biggest motivation not to change, they play funny games with margin and can blame identity theft.
XML is like violence. If it doesn't solve the problem, use more.
It has been revealed that the whole problem began when a PSN admin inserted a Sony music CD. The installed rootkit then allowed hackers to access the network.
Given that I have a life and time spent with the "free" offers of stuff over 30 days is likely to be approximately 45 minutes, what the fuck are Sony going to do to compensate me for the 4+ hours of wasted time that I had to spend changing credit card details everywhere because they were so unforthcoming with the distribution of my personal details?
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
What would fix this is to have credit cards generate a contract, not tap an open vein. That is, the credit card is used to authorize a one-time transaction (after which the credit card number itself can be discarded for the transaction ID). For recurring charges the transaction authorized should only enable payments to Sony, for goods provided to a specific address or online account, and include a cap. That is, non-transferable transactions are the thing we should keep on record.
There needs to be a mechanism for generating these transaction IDs.
Some drink at the fountain of knowledge. Others just gargle.
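The scheme the two comments above sketch (a phone that obtains a per-transaction authorization from the bank, and a "contract" bound to one merchant with a cap, leaving the merchant with only a transaction ID) can be made concrete. The following is an added example written for this page; it is not code from any commenter or from a real payment network. HMAC-SHA256 under a bank-held key stands in for the public-key signature the earlier comment describes, and `bank_authorize`, `bank_settle`, `merchant_record`, the in-memory `_BANK_LEDGER` and the test card number are all constructed for the illustration.

```python
"""Per-transaction, merchant-bound authorizations instead of a reusable card number.

Added illustration for this thread; not a real bank or processor API.
The bank signs an authorization that names the merchant, a purpose and a
per-charge cap. The merchant stores only that record; the card number stays
at the bank. HMAC stands in for the signature the comments imagine.
"""
import hashlib
import hmac
import json
import secrets

# Constructed key: in reality the bank's signing key, never shared with merchants.
BANK_KEY = secrets.token_bytes(32)

# Constructed bank-side ledger: txid -> real account and running total. Exists only at the bank.
_BANK_LEDGER = {}


def _canonical(auth):
    """Stable byte encoding of every field except the signature itself."""
    body = {k: v for k, v in auth.items() if k != "sig"}
    return json.dumps(body, sort_keys=True).encode()


def bank_authorize(card_number, merchant, cap_cents, purpose, key=BANK_KEY):
    """Cardholder asks their bank to authorize charges from one merchant, up to a cap.

    The returned record carries no card number: only an opaque transaction ID
    plus the constraints the cardholder agreed to, signed by the bank.
    """
    auth = {
        "txid": secrets.token_hex(16),
        "merchant": merchant,
        "cap_cents": cap_cents,
        "purpose": purpose,  # e.g. the online account or delivery address being paid for
    }
    auth["sig"] = hmac.new(key, _canonical(auth), hashlib.sha256).hexdigest()
    _BANK_LEDGER[auth["txid"]] = {"card": card_number, "spent_cents": 0}
    return auth


def bank_settle(auth, claiming_merchant, amount_cents, key=BANK_KEY):
    """Bank-side check of a merchant's charge against the signed authorization.

    Returns (accepted, reason). A copy of the record leaked from a merchant
    database is useless elsewhere: it only settles for the named merchant,
    never above the cap, and any edit breaks the signature.
    """
    expected = hmac.new(key, _canonical(auth), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, auth.get("sig", "")):
        return False, "bad signature"
    if auth["txid"] not in _BANK_LEDGER:
        return False, "unknown transaction id"
    if auth["merchant"] != claiming_merchant:
        return False, "authorization is bound to another merchant"
    if amount_cents > auth["cap_cents"]:
        return False, "amount exceeds cap"
    _BANK_LEDGER[auth["txid"]]["spent_cents"] += amount_cents
    return True, "settled"


def merchant_record(auth):
    """What the merchant keeps on file: the authorization, no card number."""
    return {k: auth[k] for k in ("txid", "merchant", "cap_cents", "purpose", "sig")}


if __name__ == "__main__":
    # Constructed test card number; "sony-psn" and the account label are placeholders.
    auth = bank_authorize("4111111111111111", "sony-psn", 1500, "psn-account:alice")
    print(bank_settle(auth, "sony-psn", 999))        # accepted
    print(bank_settle(auth, "other-shop", 999))      # wrong merchant
    print(bank_settle(dict(auth, cap_cents=10**6), "sony-psn", 5000))  # tampered cap
```

The point the example makes is in `bank_settle`: the verifier enforces the binding, so a breach of the merchant's store yields records that cannot be replayed by anyone but that merchant and only within the agreed cap.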
...with rot13.
42.
I'm curious if you're at risk if you deleted your credit card info recently. A few days before the attack, I logged in to PSN on a friend's PS3. I didn't remember which card I had tied to the service, so when it asked me to confirm, I went ahead and said "delete credit card info". So, I guess we'll find out if Sony actually physically removes the data...
If you can't convince them, convict them.
Sony never said no credit card numbers were compromised, they said that credit card numbers were in a separate encrypted database and probably were not accessed. But they can't be sure.
And they are saying the exact same thing now.
http://lkml.org/lkml/2005/8/20/95
Sony. You were warned BY MANY HACKERS about the vulnerabilities in your system MONTHS ago, and you did not do a damn thing to fix it or even bother to look into it. You fail and I hope your company dies because of this and how you treat your customers. This is what corporate greed has gotten you.
hahahahhahahaha
10 million ciphertext objects with plaintext customer details is an interesting target for cryptanalysis.
If you know the card details of some of the people whose cards you have encrypted copies of, you have both plaintext and ciphertext to work on. And to make it even better, credit card numbers have a checksum algorithm built into the number, so you have a method of testing the resulting decrypts for validity.
Why do I think that someone is probably running some GPU-assisted EC2 machines at Amazon on these now?
The only 'secret' protecting those cards is how the numbers are encrypted.
Powned
IANAL, but I'd imagine that if you accepted Sony's offer of 1 month of Qriocity and 1 month of PSN+, you forfeit any potential settlement from any kind of class action suit.
One solution is to let the payment processor store them.
I recently implemented an online payment system for a rather large client. We didn't want to store credit card numbers but had a need to process additional charges at a later date.
We used PayPal's Payflow Pro product (formerly offered by Verisign). They have a feature that allows you to store a reference number with any successful transaction processed. When you want to submit an additional transaction, you just supply this reference number along with the new amount, and the credit card details are copied into the transaction data by the processor's system. You can then submit a new sale or auth without having to store the CC number.
Of course one issue with this is that since storing the CVV is prohibited, you cannot verify that this way. So what we do for that is submit a $1 auth at the data entry point, then void that. That allows us to verify the CVV from the customer before processing the transaction and storing the reference.
With this system, if the database is ever compromised the attackers would not be able to use the data to submit charges very easily since all they would have is the reference number which cannot be used on front end web or POS systems. It would only be valid with a backend hook into Paypal's payflow processing system.
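The flow described in the comment above (a $1 auth to verify the CVV, a void, then storing only the processor's reference and charging against it later) as an added example for this page. It is not the commenter's code and it is not the Payflow Pro API: `ToyProcessor` is a constructed stand-in for the processor's backend, `Merchant` for the merchant's own database, and the card number, CVV and merchant ID are constructed placeholders.

```python
"""Storing a processor reference instead of the card: merchant vs. processor sides.

Added illustration, not the thread author's code and not PayPal's API.
ToyProcessor simulates a payment processor that vaults card data and hands
back an opaque reference; Merchant keeps only that reference. Charging by
reference needs the merchant's backend credential, so a reference copied
out of the merchant's database does not work on its own.
"""
import secrets


class ToyProcessor:
    """Constructed stand-in for the processor's backend API."""

    def __init__(self):
        self._vault = {}          # reference -> (pan, expiry); held only at the processor
        self._merchant_keys = {}  # merchant id -> backend credential
        self.transactions = []    # (reference, amount_cents, kind), for the example only
        # Constructed "issuer" knowledge of the real CVV for one test card.
        self._issuer_cvv = {"4111111111111111": "123"}

    def register_merchant(self, merchant_id):
        key = secrets.token_hex(16)
        self._merchant_keys[merchant_id] = key
        return key

    def authorize(self, merchant_id, key, pan, expiry, cvv, amount_cents):
        """Auth with full card details; returns a reference on success, None if the CVV is wrong."""
        self._check_merchant(merchant_id, key)
        if self._issuer_cvv.get(pan) != cvv:
            return None
        ref = secrets.token_hex(12)
        self._vault[ref] = (pan, expiry)      # CVV is deliberately not vaulted
        self.transactions.append((ref, amount_cents, "auth"))
        return ref

    def void(self, merchant_id, key, ref):
        self._check_merchant(merchant_id, key)
        self.transactions.append((ref, 0, "void"))

    def sale_by_reference(self, merchant_id, key, ref, amount_cents):
        """Backend-only call: card data is copied from the vault, never supplied by the merchant."""
        self._check_merchant(merchant_id, key)
        if ref not in self._vault:
            raise ValueError("unknown reference")
        self.transactions.append((ref, amount_cents, "sale"))
        return True

    def _check_merchant(self, merchant_id, key):
        if self._merchant_keys.get(merchant_id) != key:
            raise PermissionError("merchant backend credential required")


class Merchant:
    """Merchant database: holds the reference per customer, never the PAN or CVV."""

    def __init__(self, processor, merchant_id):
        self.processor = processor
        self.merchant_id = merchant_id
        self.key = processor.register_merchant(merchant_id)
        self.customers = {}  # customer id -> processor reference

    def add_card(self, customer_id, pan, expiry, cvv):
        """$1 auth to verify the CVV, void it, keep only the reference."""
        ref = self.processor.authorize(self.merchant_id, self.key, pan, expiry, cvv, 100)
        if ref is None:
            return False
        self.processor.void(self.merchant_id, self.key, ref)
        self.customers[customer_id] = ref
        return True

    def charge(self, customer_id, amount_cents):
        """Later recurring charge: reference plus amount, no card data in the request."""
        ref = self.customers[customer_id]
        return self.processor.sale_by_reference(self.merchant_id, self.key, ref, amount_cents)


if __name__ == "__main__":
    proc = ToyProcessor()
    shop = Merchant(proc, "shop-1")
    print(shop.add_card("alice", "4111111111111111", "12/29", "123"))  # True
    print(shop.add_card("bob", "4111111111111111", "12/29", "999"))    # False: bad CVV
    print(shop.charge("alice", 1999))                                   # True
    print(shop.customers)                                               # references only
```

Note that `authorize` stores the PAN and expiry but drops the CVV, which is the constraint that forces the auth-and-void step in the first place.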
Twice!
I stayed $599 richer.
But they said they are sorry, so that makes it ok, right?
Seven puppies were harmed during the making of this post.
but with a real Lady Gaga CD?
Boffoonery - downloadable Comedy Benefit for Bletchley Park
...with rot13.
It's actually the 2ROT13 (2 rounds of ROT13), double the security!
According to some of the PS3 Dev crowd...not even that...
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
Wow, Sony had better get their act together real soon or they will be out in the cold. The new Wii 2 is going to be out soon, and it sounds like it's going to be pretty cool. Read this...
http://www.tech-adventures.com/2011/04/nintendo-says-wii-2-is-in-works.html
I sure hope they used something better than the standard MySQL database hash functions, for which plenty of complete hash tables exist....
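The worry in the comment above is that an unsalted, single-pass hash is the same for every row and every site, so one precomputed table recovers it by lookup. The following added example (written for this page, not from the commenter) shows that contrast: `PRECOMPUTED` is a constructed three-entry stand-in for such a table, and `hash_password`/`verify_password` are a salted, iterated PBKDF2-HMAC-SHA256 scheme built on the Python standard library.

```python
"""Unsalted lookup-table recovery versus salted, iterated password hashing.

Added illustration for this thread, not code from any commenter.
PRECOMPUTED is a constructed stand-in for a published hash table.
"""
import hashlib
import hmac
import os

COMMON = ["password", "123456", "letmein"]
# Constructed lookup table: digest -> password. Built once, reusable against every
# leaked row because the weak scheme has no per-user input.
PRECOMPUTED = {hashlib.sha1(p.encode()).hexdigest(): p for p in COMMON}


def unsalted_sha1(password):
    """The weak scheme: one unsalted pass, identical output for identical input."""
    return hashlib.sha1(password.encode()).hexdigest()


def recover_unsalted(digest):
    """A leaked unsalted digest is a direct table lookup (None if not in the table)."""
    return PRECOMPUTED.get(digest)


def hash_password(password, salt=None, iterations=200_000):
    """Salted, iterated PBKDF2-HMAC-SHA256. The stored string is self-describing."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user defeats shared tables
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported scheme")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    leaked = unsalted_sha1("password")
    print("unsalted digest recovered as:", recover_unsalted(leaked))
    h1, h2 = hash_password("password"), hash_password("password")
    print("same password, different stored values:", h1 != h2)
    print("verify ok:", verify_password("password", h1))
```

Two users with the same password get different stored values, so a table keyed on the digest alone is no help; the iteration count additionally makes each guess against a single salt expensive.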
We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
I don't think "sorry" cuts it TBH... 30 day access to some Sony Services (which are OH SO Secure I am betting) shit isn't good enough and some services that most banks now offer for free anyway..... Way to go for apologizing to your customers.. You know the ones that PAY money for your shit and put you where you are today.....
Hey Sony, I have an idea, how about you give those 10 million customers Bravia KDL-55XBR8 TVs instead, you frakking cheap corporate whores. That would REALLY show that you are indeed "Sorry"...
What utter pricks!!..
THIS is why I won't buy Sony anymore and why YOU shouldn't as well; they deserve to go under for this.
I would like to know why I, as a customer of Sony's, an owner of a PS3, and a PSN user, have not received an email to notify me of this breach. I have had to read about it on various news websites, but I have not received any information from Sony. This does not place Sony in a good light.
Data has probably been stolen, including, but not limited to, my name, date of birth, credit card information, and other various data, but Sony has not warned me directly about this. Sony cannot rely on me to hear about this from a third-party, as it is not a third-party's responsibility to warn me. This just shows me to forget dealing with Sony from this point forward.
I can no longer trust Sony to do the right thing, so I will no longer spend money on Sony's products. That may or may not be to my detriment, as Sony might produce something that ends up being a really great product. Sadly, I will never know it.
I have a PS3, including my PSN account, and a lot of games that I am looking to sell. Actually, I have a few PS3s to sell, but whatever. I also have some video cameras, and many other devices that I must sell. Hopefully, I will be able to dump this stuff quickly.
Shame on Sony.
10 million of the 75 million users have actually submitted credit card information? DLC market fail.
I wonder if some of those attacks aren't covertly orchestrated by the very credit protection companies. Here's how it typically goes:
1. security breach at company X
2. company X realizes they are in deep shit
3. company X's legal team informs them that it'd "help" to preemptively protect the customers
4. company X buys credit protection services for a year for all of its customers in a deal with company C
5. company X issues a press release disclosing the breach
6. company X's customers are soon individually emailed with the disclosure, worded in a worry-free tone, with a link and a password/PIN needed to start service with company C
Company C has all the motive needed to instigate the whole thing.
A successful API design takes a mixture of software design and pedagogy.
I stopped buying Sony products after the "rootkit" incident. Trust me when I say that I don't feel that I've missed out on anything by not buying Sony. In fact, I feel like I've gained because I stop myself from getting what ultimately turns out to be useless junk.
I'm not wasting my money with HD TV and its associated Blu-Ray crap. I'm not even home enough to justify it. My last TV was given to me (although it is a Sony), as a friend bought a new TV.
The money I would have spent on home theater crap or videogames has instead been spent on a motorcycle, which has given me much more than any videogame or movie. As a bonus, I'm saving gas commuting to work compared to driving the car. And I'll get years more out of the car by not driving it every day.
If telephones are outlawed, then only outlaws will have telephones.
So they can apologize in advance for their next fuckup.
Because you *know* it's coming. I mean their entire corporate culture is about how they can screw their customers. They cannot change. From the MP3 player that wouldn't play MP3s to the rootkit to this, it's just one thing after another. They just say 'sorry' and then move on to do it all over again to their customers.
And you idiots that buy their shit are stupid for doing so. You'd think *you* would learn not to trust these pricks, but, whatever. It's your money. Throw it out the window if you like.
This is precisely why I use temporary credit card numbers. BOA has this, not that I like dealing with them, but I don't know who else does.
It's because they didn't upgrade to Windows 7 yet isn't it :-)
http://it.slashdot.org/story/11/05/02/0055250/NSA-Advises-Upgrade-To-Windows-7
You knew that was coming right ;-)
God, Sony, let us play the damn online games without buying shit and having the ability to do any transactions.
Just enable the game play part.
Liberty and freedom are no. 1, not dicks in suits.
I know this is beating a dead horse... but the core problem here isn't Sony's epic failure... it's that the credit system is so broken that this information that was stolen is enough to seriously fuck with someone's life.
Stealing a credit card number was never sufficient to seriously fuck with someone's life. US credit card holders are limited by federal law to only $50 worth of liability for unauthorized transactions. Most credit card issuers won't even make the card holder liable for the $50, since that would be hugely bad PR for a small amount of money.
Indeed, my credit card information was compromised in the Monoprice breach last year. Visa saw a few suspicious transactions on my account, shut it down, and called me to let me know what happened. They had already reversed the charges and were sending me a replacement card. The only disruption to my life was having to use a different credit card for a few days.
They don't grade fathers, but if your daughter's a stripper, you fucked up. --Chris Rock
The credit card is an easy fix, yes... usually they catch it and even if they don't they'll reverse it.
It's when those transactions make it into your credit report that the nightmare begins. You don't have to spend too much time asking around to find horror stories.
The big risk is in my opinion, to people who don't really need credit at the moment. The people who in 3 years when they go to buy a house find out their credit rating is in the toilet despite never being in debt. This is the part of the system that's fucked up. We need heavy regulation on credit reporting.
The credit card is an easy fix, yes... usually they catch it and even if they don't they'll reverse it.
It's when those transactions make it into your credit report that the nightmare begins. You don't have to spend too much time asking around to find horror stories.
Well, yes, you are responsible for looking at your own credit card statements, and alerting your credit card issuer to any unauthorized transactions.
The big risk is in my opinion, to people who don't really need credit at the moment. The people who in 3 years when they go to buy a house find out their credit rating is in the toilet despite never being in debt. This is the part of the system that's fucked up. We need heavy regulation on credit reporting.
You know what? You're right. We definitely need some heavy regulation on credit reporting. We could call it something like the Fair Credit Reporting Act. And while we're at it, we could regulate those nasty collection agencies and debt collectors. We could call that regulation the Fair Debt Collection Practices Act. Lastly, we wouldn't want consumers to be unprotected from billing errors and unauthorized transactions on their credit cards. I hereby propose we regulate that as well. We could be original and call it the Fair Credit Billing Act.
Unfortunately, a lot of people don't know their rights and responsibilities under the law. Indeed, it would seem that some people aren't even aware of their existence. Reading up on them is definitely not a bad idea if you use credit in the US.
For the record, I'm Canadian!
And from the stories (admittedly not first-hand experience) I've heard, those laws aren't really doing much down there.
For the record, I'm Canadian!
Well, fair enough. However, I would assume that you have some similar type of consumer protection up there.
And from the stories (admittedly not first-hand experience) I've heard, those laws aren't really doing much down there.
Naturally, you're only going to hear the horror stories. People don't tend to whine when the system works as intended. Could it be better? I believe it could. But at the same time, it still works pretty well as long as you act to protect your rights.
I've had my personal information leaked, and people have opened fraudulent accounts in my name. It was a nuisance, but not much more than that. Obviously I'd rather we change the system so that our Social Security Numbers aren't treated as some sort of shared secret, since they're not so secret. In the meantime, we have clunky but sufficiently effective laws in place that let us clean up the mess.
I am bad in computer, so now I have no idea yet. scarpehogan