Sony: 10 Million Credit Cards May Have Been Exposed
WrongSizeGlass writes "The LA Times is reporting that Sony has revealed that 10 million credit card accounts may have been exposed two weeks ago when a hacker broke into the company's computers in San Diego and stole data from 77 million PlayStation Network accounts. Sony said it will provide credit card protection services for the 10 million customers whose data were compromised. Sony last week said it had encrypted credit card data, but not other account information, including names, addresses, email addresses and birth dates."
I know this is beating a dead horse... but the core problem here isn't Sony's epic failure... it's that the credit system is so broken that this information that was stolen is enough to seriously fuck with someone's life.
I'm not trying to downplay Sony's screw up. I have a PSN account and as such am suitably nervous. This whole thing just reminds me of how messed up our system is.
Sony, I thought you said no CC numbers were exposed! How will we ever trust you again when you lie like this? A month of PSN Plus you say?
It took years after the rootkit fiasco before I decided to extend some trust to Sony and spend money on their products. Then came the removal of OtherOS, and I ceased spending any money with them. Then their bully tactics when the console got hacked, and I was glad I'd not spent any further money with them. Now, I find even after not doing any business with them for such a period I'm still not free of their incompetence and poor management. What will happen to Sony as a result of this? Nothing. All the muppets out there will continue to do business with this incompetent, morally bankrupt behemoth. Will I be dumb enough to become one of those muppets again? I hope not.
They previously announced that no credit card numbers were compromised. Can we get some outside verification on this because they obviously have no issue with lying to us.
Why does everybody collect and store all these data centrally?
For recurring payments. With your scheme, every user would have to enter their password every month. The biggest problem for Sony would be that everyone would be making the decision to continue paying for the service every single month. If the number is on file, then the customer has to go out of his way to cancel, but has to do nothing to stay a customer.
Why does everybody collect and store all these data centrally?
Because "paying for stuff" isn't the only reason Sony collects your data. There's also advertising (especially targeted/predictive), data mining, data sharing (both internally and externally), tracking/trending, etc. I think that data is a lot more valuable sitting on their servers than it is hidden in your console - hence, whatever the cost, it will remain there. That really goes for any internet-aware service, not just Sony/PSN.
Of course you wouldn't. But the marketing department would never allow a system where you can passively unsubscribe.
What would fix this is to have credit cards generate a contract, not tap an open vein. That is, the credit card is used to authorize a one-time transaction (after which the credit card number itself can be discarded for the transaction ID). For recurring charges the transaction authorized should only enable payments to Sony, for goods provided to a specific address or online account, and include a cap. That is, non-transferable transactions are the thing we should keep on record.
There needs to be a mechanism for generating these transaction IDs.
Some drink at the fountain of knowledge. Others just gargle.
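The scoped authorization the comment above proposes (bound to one merchant and one account, capped, with only a transaction ID kept on the merchant's side) worked through as an added illustration; this is not code from the thread or from any real payment network, and the issuer key, the in-memory ledger and the field names are assumptions.

```python
import hmac
import hashlib
import json
import secrets
import time

# Assumed issuer-side signing key and ledger; a real issuer would keep these in an HSM and a database.
ISSUER_KEY = secrets.token_bytes(32)
_ISSUER_LEDGER = {}  # auth_id -> {"card": ..., "spent": cents}; exists only at the issuer

def _mac(body: dict) -> str:
    canonical = json.dumps(body, sort_keys=True).encode()
    return hmac.new(ISSUER_KEY, canonical, hashlib.sha256).hexdigest()

def issue_authorization(card_number: str, merchant: str, account: str,
                        cap_cents: int, valid_days: int = 365) -> dict:
    """One-time card presentation -> scoped authorization the merchant stores instead of the card."""
    body = {
        "auth_id": secrets.token_hex(16),   # the transaction ID the merchant keeps on record
        "merchant": merchant,               # only this merchant may draw on it
        "account": account,                 # goods/service must go to this account or address
        "cap_cents": cap_cents,             # total the authorization can ever cover
        "expires": int(time.time()) + valid_days * 86400,
    }
    # The issuer already holds the card; the merchant never receives it.
    _ISSUER_LEDGER[body["auth_id"]] = {"card": card_number, "spent": 0}
    body["mac"] = _mac(body)
    return body

def charge(auth: dict, merchant: str, account: str, amount_cents: int, now=None) -> bool:
    """Issuer-side decision on a charge a merchant presents against a stored authorization."""
    now = int(time.time()) if now is None else now
    unsigned = {k: v for k, v in auth.items() if k != "mac"}
    if not hmac.compare_digest(_mac(unsigned), auth.get("mac", "")):
        return False  # fields were edited (e.g. a raised cap or a swapped merchant)
    if auth["merchant"] != merchant or auth["account"] != account:
        return False  # non-transferable: a copy lifted from the merchant's servers is useless elsewhere
    if now > auth["expires"]:
        return False
    entry = _ISSUER_LEDGER.get(auth["auth_id"])
    if entry is None or entry["spent"] + amount_cents > auth["cap_cents"]:
        return False  # revoked, unknown, or the cap would be exceeded
    entry["spent"] += amount_cents
    return True

def revoke(auth_id: str) -> None:
    """Customer cancels: the merchant's stored record becomes worthless without touching the card."""
    _ISSUER_LEDGER.pop(auth_id, None)
```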
I just got a call today from fraud protection on my debit card tied to my main bank account. They got triggered by suspicious activity when multiple charges showed up in two different states at the same time. Someone had gone to 2 Home Depots in FL and ran $100 gift cards 6 times in 2hrs today. This also happens to be the same card I had used to make a purchase from the PSN network a month ago for the DLC of Fallout: New Vegas.
Seriously? A debit card tied to your primary checking account used to pay for DLC?
Epic fail dude.
It's completely reasonable to have point-of-sale equipment that pairs with a phone and have the phone connect directly to bank servers to *specifically* authorize a transaction amount and have the PoS verify that data as well, without such a silly use of an account number and just exchanging public keys and per-transaction authorization data.
How should one generate an authorisation, though? Requiring a PIN is a good start, but since it's been introduced in the UK the banks have been using it to blame any and all fraud on the customer, because "the terminals can't be hacked" (demonstrably untrue, as I'm sure you guessed). Perhaps more importantly, many things that can be implemented on the terminals (such as a PIN requirement) are inappropriate for online use, meaning that when someone gets hold of your wallet (or your data from Sony's servers) they just run it through an offshore online casino.
It's a genuinely difficult problem, largely because cards need to be fast to be usable. When I do direct bank-to-bank transfers, the bank provides a randomly generated numerical key on the screen, and an automated system calls my phone (within about a minute) and asks me to input the key before the transaction is authorised; it then auto-allows subsequent transfers to that account, but sends me a text message whenever they take place. It's a good system, but I certainly wouldn't like to be stuck in line with everyone going through that process to get their lunch. Maybe require a PIN for in-person transactions, and phone authorisation for online. I guess auto-allowing transactions only below a certain threshold could work, too, but then they already have systems to block 'suspicious' transactions... I don't know. Like I said, it's a tough one.