Slashdot Mirror


Sony: 10 Million Credit Cards May Have Been Exposed

WrongSizeGlass writes "The LA Times is reporting that Sony has revealed that 10 million credit card accounts may have been exposed two weeks ago when a hacker broke into the company's computers in San Diego and stole data from 77 million PlayStation Network accounts. Sony said it will provide credit card protection services for the 10 million customers whose data were compromised. Sony last week said it had encrypted credit card data, but not other account information, including names, addresses, email addresses and birth dates."

11 of 251 comments

  1. Ok by drolli · · Score: 4, Interesting

    Why does everybody collect and store all these data centrally?

    Just store it locally, on the playstation, electronically signed and encrypted in a way that the customer has to enter a passphrase to decrypt it when it's really needed. Make the "it is needed" message also necessarily signed by an independent system with no other function. Let this system do a statistic. Trigger an alarm if the number of signatures per minute is deviating significantly from the expected number.

  2. not just theory by e3m4n · · Score: 5, Interesting

    I just got up to speed on the whole PSN thing. I never once received an email from sony explaining the problems and I was too busy last week to spend an abundant amount of time on /. reading about the security breach. I just got a call today from fraud protection on my debit card tied to my main bank account. They got triggered to suspicious activity when multiple charges showed up in two different states at the same time. Someone had gone to 2 Home depots in FL and ran $100 gift cards 6 times in 2hrs today. This also happens to be the same card I had used to make a purchase from the PSN network a month ago for the DLC of fallout new vegas. To me this seems a little too coincidental to be the victim of some completely different fraud in the middle of this big stink with the 77 million accounts compromised from the PSN.
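The pattern the commenter's bank caught, the same card charged in two states at the same time plus a run of identical gift-card purchases inside a couple of hours, is a standard issuer-side velocity check. The following is an added example, not code from the thread or from any bank: a small Python detector run over a constructed batch of transactions (card tokens, merchant names, states and timestamps are all made up). It generalizes the two symptoms into configurable windows and thresholds.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Txn:
    card: str        # issuer-side token for the card, never the card number itself
    ts: datetime     # authorization time (UTC)
    state: str       # US state of the point of sale
    merchant: str
    amount: float


def velocity_alerts(txns, travel_window=timedelta(minutes=30),
                    repeat_count=4, repeat_window=timedelta(hours=2)):
    """Return {card_token: [reasons]} for cards whose card-present activity shows:
      * charges in two different states within `travel_window`, or
      * `repeat_count` or more charges of the same amount at the same merchant
        within `repeat_window` (the gift-card pattern).
    """
    by_card = defaultdict(list)
    for t in txns:
        by_card[t.card].append(t)

    alerts = defaultdict(set)
    for card, lst in by_card.items():
        lst.sort(key=lambda t: t.ts)
        for i, a in enumerate(lst):
            same = 1  # counts `a` itself
            for b in lst[i + 1:]:
                gap = b.ts - a.ts
                if gap > max(travel_window, repeat_window):
                    break  # list is sorted, nothing later falls in either window
                if gap <= travel_window and a.state != b.state:
                    pair = "/".join(sorted((a.state, b.state)))
                    alerts[card].add(f"two states within {travel_window}: {pair}")
                if gap <= repeat_window and (b.merchant, b.amount) == (a.merchant, a.amount):
                    same += 1
            if same >= repeat_count:
                alerts[card].add(
                    f"{repeat_count}+ charges of {a.amount:.2f} at {a.merchant} within {repeat_window}")
    return {card: sorted(reasons) for card, reasons in alerts.items()}


# Constructed sample batch (assumption: times are the same day, UTC).
# card-A reproduces the commenter's story; card-B is ordinary activity.
SAMPLE_TXNS = [
    Txn("card-A", datetime(2011, 5, 2, 10, 0), "CA", "grocery", 42.10),
    Txn("card-A", datetime(2011, 5, 2, 10, 5), "FL", "homedepot-1", 100.00),
    Txn("card-A", datetime(2011, 5, 2, 10, 25), "FL", "homedepot-1", 100.00),
    Txn("card-A", datetime(2011, 5, 2, 10, 50), "FL", "homedepot-2", 100.00),
    Txn("card-A", datetime(2011, 5, 2, 11, 10), "FL", "homedepot-1", 100.00),
    Txn("card-A", datetime(2011, 5, 2, 11, 30), "FL", "homedepot-1", 100.00),
    Txn("card-A", datetime(2011, 5, 2, 11, 55), "FL", "homedepot-1", 100.00),
    Txn("card-B", datetime(2011, 5, 2, 9, 0), "WA", "coffee", 3.50),
    Txn("card-B", datetime(2011, 5, 2, 12, 0), "WA", "lunch", 11.00),
]

if __name__ == "__main__":
    for card, reasons in velocity_alerts(SAMPLE_TXNS).items():
        print(card, reasons)
```

Only card-A is flagged, with both reasons; card-B's two charges are three hours apart in one state and never enter a window. In production the state check would be a distance-over-time test on merchant geolocation, and the thresholds would be tuned per card product, but the shape of the rule is the same.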

  3. Re:Fundementally broken system by Stormy+Dragon · · Score: 5, Interesting

    Two big changes that would help:

    1. Make companies legally liable for data losses that are worsened by the companies' own negligence. In the Sony case, they've already admitted the breach occurred due to a known vulnerability that they failed to patch. There's also been some suggestion they were storing CVV2 numbers, which they're expressly told not to do by the credit card providers.

    2. Make companies that process obviously fraudulent transactions liable for the losses instead of the card holder. E.g. if someone comes in and starts buying a ton of gift cards with an out of state credit card, and you don't do anything to verify their identity.

  4. Re:I'm sure it will all be okay. by Anonymous Coward · · Score: 1, Interesting

    Yeah, as the last time this story came up - someone posted this champion comment:

    "Did someone insert a Sony music CD into one of their computers?"

    Couldn't happen to a nicer company quite frankly. I mean they have demonstrated total contempt for their paying customer by treating them like thieves - and now they hand over all of their information to actual thieves because they can't organise basic security.

    Sony Corporation deserves to be eviscerated for their behaviour over the last 10 years... hopefully this will be the moment.

  5. No it isn't.. by Junta · · Score: 4, Interesting

    An alternative is easy in concept, but the status quo has the industry in a stranglehold. It's not like even a large consumer group acting together could *change* things from 'outside'.

    We are talking about 16 'secret' numbers that allow whoever figures them out to charge however much they want against your account. Occasionally an additional view on the back is needed for some retailers, but at the end of the day to even buy $5 of something with your card you must trust the seller to not do bad things with your account *and* keep it safe from others. This might have been about the best you could do when the seller was doing a carbon copy and would phone in the slips at the end of the day, but now everyone *immediately* contacts a server for validation and nearly every person with a card also has a pocket sized computer device capable of independently talking to bank servers. It's completely reasonable to have point-of-sale equipment that pairs with a phone and have the phone connect directly to bank servers to *specifically* authorize a transaction amount and have the PoS verify that data as well without such a silly use of an account number, just exchanging public keys and per-transaction authorization data.

    The common defense is "oh, well, most card companies don't hold the customer liable for everything", ignoring:
    -Some companies will hold the cardholder liable for some of it
    -Sometimes they may argue that the cardholder didn't act promptly or other circumstance
    -Even when everything works as 'promised', there is a cost incurred *somewhere* and that impacts you, either in higher interest rates on credit, lower interest rates on checking, and/or merchant prices due to processing fees. I'm about convinced this last one is the biggest motivation not to change, they play funny games with margin and can blame identity theft.

    --
    XML is like violence. If it doesn't solve the problem, use more.

  6. Re:Say it aint so! by ect5150 · · Score: 4, Interesting

    A month of PSN Plus? All they have to do is take the deals of the month away to make that deal worthless.

    It's a good thing I already changed my credit card number and all of my passwords, just in case.

    By the way, I just happened to use the same login and password on the PSN as I did for my GMail account. Gmail informed me the other day that someone had accessed the account from an IP in China. That's when I started changing EVERYTHING and started watching my accounts like a hawk.

    --
    I have never let my schooling interfere with my education.

  7. Re:Fundementally broken system by jamesh · · Score: 4, Interesting

    The Credit Card system could be done a lot better. Sony shouldn't need your CC number, all they should need is a magic number that authorizes Sony to transfer funds from your account to theirs. I think that what should happen is something like this:

    . I go to Sony's website and sign up for a PSN account
    . Sony give me their billing number and ask for an authorization number
    . I go to the bank, log in to my account, and request an authorization number against Sony's billing number, for a maximum amount (eg $50/month)
    . I go back to Sony's web page and enter in the authorization number and maybe some other identifying details (eg my banks number)

    Sony now has a number that is _only_ good for transferring funds from my account to theirs. If someone obtained that number then the worst they could do with it is transfer up to my limit of $50/month to Sony.

    It's not bulletproof but at least Sony don't have my CC number to share with the rest of the world.

  8. Re:beating wrong horse by Anonymous Coward · · Score: 2, Interesting

    My credit card company (citicards) offers exactly that. They call it "virtual account numbers". There is a Flash applet (yeah, ick, I didn't say they had a nice website) where you can generate any number of extra credit card numbers. On use, they get linked to the merchant ID that first charged them. You can set expiration dates and amount limits for each one individually. It's not a perfect solution, but it's better and does not require a new system for the merchant so it can be implemented now.

  9. Re:Say it aint so! by hedwards · · Score: 3, Interesting

    Given the number of breaches in various companies that have led to information being compromised, I think the better question is why do we let them store more information than absolutely necessary? There's no legitimate reason for Sony to be storing that information for most users. One could make a case for those that pay for PSN Plus, but for people who only buy a game now and again, there's absolutely no reason for them to store it. It's not that hard for people to type it in again.

    I mean for heaven's sake, if GOG doesn't need to store credit card information to stay in business, why does Sony?

  10. Re:Fundementally broken system by cptdondo · · Score: 3, Interesting

    The big deal is that your credit rating is determined by 3 private entities that have no practical oversight. Once you are subject to a fraudulent claim, you are screwed. There is no recourse and no way to clear your record.

    I have a fraudulent claim by a bogus company on my record. I have no way to get them removed. They claim that I defaulted on a judgement; none of which is true. I've been told it would cost over $50K in attorney fees to try to get this removed.

    So yes, maybe you can get your money back from Master Card or Visa, but basically you can be screwed on your credit rating for years.

  11. Re:Fundementally broken system by Jah-Wren+Ryel · · Score: 3, Interesting

    Such a system already exists. It was developed by an Irish company called Orbiscom which was recently bought out by Mastercard.
    It's got different names - disposable credit cards, one-time use credit cards, Controlled Payment Numbers, etc. Bank of America calls theirs ShopSafe, Citibank calls theirs Virtual Account Numbers. I believe PayPal and Discover have their programs too -- all based on Orbiscom's technology.

    It works pretty much exactly the way you described - you log into your account, generate a new CC# with a maximum limit and expiration date that you specify. Then the first merchant account that posts a charge to the number becomes the only merchant account that can post any more charges to that number. So even if the number does get stolen, it isn't any good to the thieves. Other than those limitations, for all intents and purposes, it is just a regular credit card. Most merchants can't even tell the difference.

    I've been using ShopSafe for well over a decade now and have never had a fraudulent charge. The only problems I've had have been when the merchant is sloppy and double-charges with the intent of cancelling the first charge - Parts-express.com is the only merchant that I know which does that for all of their transactions and fixing it was simple enough - I just double the max limit on the CC#.

    --
    When information is power, privacy is freedom.
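Comments 7, 8 and 11 describe the same control from three angles: a surrogate number the bank issues with a spending cap and an expiry, which becomes bound to whichever merchant charges it first, so a copy stolen from a merchant's database is useless anywhere else. The following is an added example written for this page, not Orbiscom's, Citibank's or Bank of America's code: a Python model of the issuer side that combines comment 7's per-month cap with the first-merchant lock and expiry from comments 8 and 11. Merchant ids, account tokens and the number format are assumptions; a real issuer would also apply its BIN range and a Luhn check digit.

```python
import secrets
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, Optional, Tuple


@dataclass
class VirtualNumber:
    real_account: str                  # issuer-side token for the funding account; merchants never see it
    monthly_limit: float               # cap per calendar month, as in comment 7's "$50/month"
    expires: date
    locked_merchant: Optional[str] = None          # set by the first merchant that posts a charge
    spent: Dict[Tuple[int, int], float] = field(default_factory=dict)  # (year, month) -> total approved


class Issuer:
    """Bank side: issues merchant-lockable surrogate numbers and decides each authorization."""

    def __init__(self) -> None:
        self._numbers: Dict[str, VirtualNumber] = {}

    def issue(self, real_account: str, monthly_limit: float, expires_iso: str) -> str:
        # Constructed 16-digit surrogate drawn from the OS CSPRNG (no BIN/Luhn handling here).
        number = "".join(str(secrets.randbelow(10)) for _ in range(16))
        self._numbers[number] = VirtualNumber(real_account, monthly_limit, date.fromisoformat(expires_iso))
        return number

    def authorize(self, number: str, merchant_id: str, amount: float, today_iso: str) -> Tuple[bool, str]:
        """Return (approved, reason). Every check happens at the bank, so the merchant
        holding the number cannot loosen any of them."""
        today = date.fromisoformat(today_iso)
        vn = self._numbers.get(number)
        if vn is None:
            return False, "unknown number"
        if today > vn.expires:
            return False, "expired"
        if vn.locked_merchant is not None and vn.locked_merchant != merchant_id:
            return False, "merchant mismatch"       # a leaked copy is worthless to anyone else
        if amount <= 0:
            return False, "invalid amount"
        period = (today.year, today.month)
        if vn.spent.get(period, 0.0) + amount > vn.monthly_limit:
            return False, "monthly limit exceeded"
        vn.locked_merchant = merchant_id            # first successful charge binds the number
        vn.spent[period] = vn.spent.get(period, 0.0) + amount
        return True, "approved"


if __name__ == "__main__":
    bank = Issuer()
    psn_number = bank.issue("acct-token-123", monthly_limit=50.0, expires_iso="2011-12-31")
    print(bank.authorize(psn_number, "merchant-sony", 30.0, "2011-05-03"))   # approved, now locked to sony
    print(bank.authorize(psn_number, "merchant-other", 10.0, "2011-05-04"))  # merchant mismatch
    print(bank.authorize(psn_number, "merchant-sony", 30.0, "2011-05-10"))   # monthly limit exceeded
    print(bank.authorize(psn_number, "merchant-sony", 30.0, "2011-06-01"))   # approved, new month
```

Comment 11's double-charge problem shows up naturally here: a merchant that posts a charge twice and then voids one would trip the monthly cap until the void is processed, which is why the commenter's workaround was to double the limit. Refund handling would need a matching `spent` decrement keyed to the original authorization, which this model leaves out.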