Slashdot Mirror


Sony: 10 Million Credit Cards May Have Been Exposed

WrongSizeGlass writes "The LA Times is reporting that Sony has revealed that 10 million credit card accounts may have been exposed two weeks ago when a hacker broke into the company's computers in San Diego and stole data from 77 million PlayStation Network accounts. Sony said it will provide credit card protection services for the 10 million customers whose data were compromised. Sony last week said it had encrypted credit card data, but not other account information, including names, addresses, email addresses and birth dates."

42 of 251 comments

  1. Fundementally broken system by Anrego · · Score: 5, Insightful

    I know this is beating a dead horse... but the core problem here isn't Sony's epic failure... it's that the credit system is so broken that this information that was stolen is enough to seriously fuck with someone's life.

    I'm not trying to downplay Sony's screw up. I have a PSN account and as such am suitably nervous. This whole thing just reminds me of how messed up our system is.

    1. Re:Fundementally broken system by Stormy+Dragon · · Score: 5, Interesting

      Two big changes that would help:

      1. Make companies legally liable for data losses that are worsened by the companies' own negligence. In the Sony case, they've already admitted the breach occurred due to a known vulnerability that they failed to patch. There's also been some suggestion they were storing CVV2 numbers, which they're expressly told not to do by the credit card providers.

      2. Make companies that process obviously fraudulent transactions liable for the losses instead of the card holder. E.g. if someone comes in and starts buying a ton of gift cards with an out of state credit card, and you don't do anything to verify their identity.

    2. Re:Fundementally broken system by grumbel · · Score: 2

      The most simple alternative would be single-use credit card numbers and while some credit card companies offer those for single transactions, they don't offer them for recurring transactions, i.e. you want a number that only allows Sony to get your money, but not anybody else. Thus a stolen Sony-only number would be completely useless.

      I mean seriously, we are living in an age of hi-tech and yet still let so much depend on a single number that you can't even keep secret, as you have to give it to anybody from whom you want to buy.

    3. Re:Fundementally broken system by larry+bagina · · Score: 2

      Merchants are liable for fraudulent or otherwise contested charges.

      --
      Do you even lift?

      These aren't the 'roids you're looking for.

    4. Re:Fundementally broken system by jamesh · · Score: 4, Interesting

      The Credit Card system could be done a lot better. Sony shouldn't need your CC number, all they should need is a magic number that authorizes Sony to transfer funds from your account to theirs. I think that what should happen is something like this:

      - I go to Sony's website and sign up for a PSN account
      - Sony give me their billing number and ask for an authorization number
      - I go to the bank, log in to my account, and request an authorization number against Sony's billing number, for a maximum amount (eg $50/month)
      - I go back to Sony's web page and enter in the authorization number and maybe some other identifying details (eg my bank's number)

      Sony now has a number that is _only_ good for transferring funds from my account to theirs. If someone obtained that number then the worst they could do with it is transfer up to my limit of $50/month to Sony.

      It's not bulletproof but at least Sony don't have my CC number to share with the rest of the world.

    5. Re:Fundementally broken system by mlts · · Score: 2

      I'd give an alternative... nonces. These are used as IDs which are mapped to a credit card processor for subscriptions that are easily cancellable by the user.

      This way, the user sets up a subscription. They get passed to the clearinghouse to enter in info (perhaps authorizing with two factor authentication.) The place offering subscriptions gets an ID back that they can use for cancelling a subscription (if someone got banned), or refunding all/part of a sub.

      Worst that can happen if the blackhats get the sub IDs? They would have to forge the subscription maker's access, and then they might be able to issue bogus refunds, or just cancel everyone's subscriptions en masse.

      Paypal does a mechanism similar to this.

      As an added bonus, the user can cancel their subscription at their will, without having to go through calling a number staffed from 11:00 am to 11:01 each day, or other shit like that that a lot of places have started doing. I know people who have gotten to the point where they just mark their credit cards as lost/stolen, let the chips fall where they may.

    6. Re:Fundementally broken system by Terranex · · Score: 2

      Why don't Visa and Mastercard implement a keyfob generator system like Blizzard do for World of Warcraft? It seems silly that my World of Warcraft account might be more secure than my credit card.

    7. Re:Fundementally broken system by cptdondo · · Score: 3, Interesting

      The big deal is that your credit rating is determined by 3 private entities that have no practical oversight. Once you are subject to a fraudulent claim, you are screwed. There is no recourse and no way to clear your record.

      I have a fraudulent claim by a bogus company on my record. I have no way to get them removed. They claim that I defaulted on a judgement; none of which is true. I've been told it would cost over $50K in attorney fees to try to get this removed.

      So yes, maybe you can get your money back from Master Card or Visa, but basically you can be screwed on your credit rating for years.

    8. Re:Fundementally broken system by Jah-Wren+Ryel · · Score: 3, Interesting

      Such a system already exists. It was developed by an Irish company called Orbiscom which was recently bought-out by Mastercard.
      It's got different names - disposable credit cards, one-time use credit cards, Controlled Payment Numbers, etc. Bank of America calls theirs ShopSafe, Citibank calls theirs Virtual Account Numbers. I believe PayPal and Discover have their programs too -- all based on Orbiscom's technology.

      It works pretty much exactly the way you described - you log into your account, generate a new CC# with a maximum limit and expiration date that you specify. Then the first merchant account that posts a charge to the number becomes the only merchant account that can post any more charges to that number. So even if the number does get stolen, it isn't any good to the thieves. Other than those limitations, for all intents and purposes, it is just a regular credit card. Most merchants can't even tell the difference.

      I've been using ShopSafe for well over a decade now and have never had a fraudulent charge. The only problems I've had have been when the merchant is sloppy and double-charges with the intent of cancelling the first charge - Parts-express.com is the only merchant that I know which does that for all of their transactions and fixing it was simple enough - I just double the max limit on the CC#.

      --
      When information is power, privacy is freedom.
    9. Re:Fundementally broken system by Seumas · · Score: 2

      The big deal is that it will impact your credit score, which is as vital as the home you live in, the car you drive, the clothes you wear, and the size of your dick in modern society. If you have to file a fraud alert on your credit report to keep any trouble from arising, it'll likely ding your score. Also, when you call your credit card company, they probably won't just say "we'll wipe those out and send you a new card". My understanding (and the way it was when it happened to me a few years ago) was that even the act of simply *losing* a card -- that is, not knowing that it was stolen or used nefariously, but simply misplaced -- was enough to warrant them to close the account and open a new account for me. Closing or canceling accounts negatively impacts your credit score as does your current open accounts having a short life (since they'd be opened right after the other was closed).

    10. Re:Fundementally broken system by hellwig · · Score: 2

      My Visa credit card has a "ShopSafe" feature which does almost exactly what you suggest here. ShopSafe lets me create unique credit card numbers that are tied to my real account. These numbers are only good at a single retailer (once one merchant has put a charge on the card, the card will be denied to any other merchant, but the same merchant can re-charge in the future). Additionally, I can set the expiration date (1 month from now is great for one-time purchases) and I can set a maximum dollar limit ($20 sounds good when I'm buying $19.99 worth of product). If the number hasn't expired or been exhausted, you can increase the limit or change the expiration date. I don't purchase anything on line with my real credit card number anymore.

      Problem is, this seems to be limited to the bank. My card was originally through MBNA, who was bought by BankofAmerica. My wife's Visa (through Wells Fargo), has no such option.

      An additional option would be to buy gift cards (my Wii has never known my credit card number), or even Visa gift cards (which do have a fee associated, but accomplish roughly the same goal as ShopSafe).

      --
      Eggs
      Milk
      Bread
      Cat Litter
      Soda
      ...
    11. Re:Fundementally broken system by tibit · · Score: 2

      You mean like a virtual credit card number, available -- for example -- from citi in at least the U.S. market? That's precisely what it is: a credit card number generated on the fly, with an expiration date and spending limit that you select, that locks to the first merchant that will charge it. The latter is because it's generally impossible for a 3rd party to know how the merchant will identify themselves to the credit card processor.

      --
      A successful API design takes a mixture of software design and pedagogy.
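
Added example, not part of any comment in this thread and not any bank's actual implementation: a small issuer-side model of the merchant-locked virtual card numbers described in the comments above (limit and expiry chosen by the cardholder, number locked to the first merchant that charges it, or bound up front as in jamesh's variant). The `999999` prefix, the merchant IDs and all class and function names are assumptions made for illustration.

```python
"""Issuer-side model of a merchant-locked virtual card number (constructed example)."""
import secrets
from dataclasses import dataclass
from datetime import date
from typing import Optional

TEST_PREFIX = "999999"  # constructed prefix for illustration, not a real issuer range


def luhn_check_digit(partial: str) -> str:
    """Return the Luhn check digit for a card number that lacks its last digit."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:          # these digits are doubled once the check digit is appended
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]


@dataclass
class VirtualCard:
    limit_cents: int
    expires: date
    merchant_id: Optional[str] = None   # None until the first approved charge
    spent_cents: int = 0


class Issuer:
    def __init__(self):
        self._cards = {}                # virtual number -> VirtualCard

    def issue(self, limit_cents: int, expires: date, merchant_id: Optional[str] = None) -> str:
        """Create a 16-digit virtual number; merchant_id pre-binds it (jamesh's variant)."""
        while True:
            body = TEST_PREFIX + "".join(secrets.choice("0123456789") for _ in range(9))
            number = body + luhn_check_digit(body)
            if number not in self._cards:
                break
        self._cards[number] = VirtualCard(limit_cents, expires, merchant_id)
        return number

    def raise_limit(self, number: str, new_limit_cents: int) -> None:
        """Cardholder action: lift the cap, e.g. for a merchant that double-authorizes."""
        self._cards[number].limit_cents = new_limit_cents

    def authorize(self, number: str, merchant_id: str, amount_cents: int, today: date):
        """Return (approved, reason). The merchant lock is what defeats a stolen number."""
        card = self._cards.get(number)
        if card is None or not luhn_valid(number):
            return False, "unknown number"
        if today > card.expires:
            return False, "expired"
        if card.merchant_id is not None and card.merchant_id != merchant_id:
            return False, "merchant mismatch"
        if amount_cents <= 0 or card.spent_cents + amount_cents > card.limit_cents:
            return False, "over limit"
        card.merchant_id = merchant_id  # first approved charge locks the number
        card.spent_cents += amount_cents
        return True, "approved"


def demo():
    """Constructed scenario: a $20.00 number, valid one month, used for a $19.99 purchase."""
    issuer = Issuer()
    today = date(2011, 5, 3)
    number = issuer.issue(limit_cents=2000, expires=date(2011, 6, 3))
    return [
        issuer.authorize(number, "MERCHANT-A", 1999, today),            # locks to MERCHANT-A
        issuer.authorize(number, "MERCHANT-B", 1, today),               # stolen number reused elsewhere
        issuer.authorize(number, "MERCHANT-A", 500, today),             # same merchant, cap exceeded
        issuer.authorize(number, "MERCHANT-A", 1, date(2011, 7, 1)),    # after expiry
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```
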
    12. Re:Fundementally broken system by DanielSmedegaardBuus · · Score: 2

      I know this is beating a dead horse... but the core problem here isn't Sony's epic failure... it's that the credit system is so broken that this information that was stolen is enough to seriously fuck with someone's life.

      I'm not trying to downplay Sony's screw up. I have a PSN account and as such am suitably nervous. This whole thing just reminds me of how messed up our system is.

      Where I'm from - Denmark - companies aren't allowed to keep credit card information stored. Why is this allowed in the USA? It seems completely retarded and totally unnecessary. If you're making so many purchases that you're getting arthritis from putting in your credit card data every time, get a paypal account and put some money on that instead.

      "1-click buy?" When did saving a couple of dozen of keystrokes become good reason to allow someone to store your credit card data?

    13. Re:Fundementally broken system by cptdondo · · Score: 2

      This is a company that does this for a living. They're located in Texas, a state known for notoriously weak consumer protection. The contract in question was signed in SC, the "collection agency" is in Texas, and I live in Oregon. No state AG will take this on. The feds aren't interested. I've checked.

      The company is infamous for this behavior; they move every 6 months to make it more difficult to serve papers on them. They essentially extort money from people and if you don't pay they file a fraudulent default. Since none of the credit bureaus are required to verify any of the claims, there's nothing you can do short of hiring an interstate legal team, something that I can't afford.

  2. But the big question is... by DurendalMac · · Score: 2

    ...Were account passwords encrypted or hashed?

    1. Re:But the big question is... by Stormy+Dragon · · Score: 4, Insightful

      They previously announced that no credit card numbers were compromised. Can we get some outside verification on this because they obviously have no issue with lying to us.

  3. I'm sure it will all be okay. by senorpoco · · Score: 3, Funny

    Using the credit cards will install a DRM rootkit on their computers right?

  4. Say it aint so! by Culture20 · · Score: 2, Insightful

    Sony, I thought you said no CC numbers were exposed! How will we ever trust you again when you lie like this? A month of PSN Plus you say?

    1. Re:Say it aint so! by Anubis+IV · · Score: 4, Insightful

      What I recall hearing them say was that they couldn't rule out the possibility that they had been exposed, but that they couldn't at that time confirm that it had happened either. I know we all like trolling Sony because they deserve it, but at least pick one of the many valid reasons for doing so, rather than making up one that doesn't exist.

    2. Re:Say it aint so! by ect5150 · · Score: 4, Interesting

      A month of PSN Plus? All they have to do is take the deals of the month away to make that deal worthless.

      It's a good thing I already changed my credit card number and all of my passwords, just in case.

      By the way, I just happened to use the same login and password on the PSN as I did for my GMail account. Gmail informed me the other day that someone had accessed the account from an IP in China. That's when I started changing EVERYTHING and started watching my accounts like a hawk.

      --
      I have never let my schooling interfere with my education.
    3. Re:Say it aint so! by smash · · Score: 2

      more to the point, 30 days of playstation plus will give me approximately 10-40 minutes of value (I am busy, and use the ps3 mostly for media). for the multiple hours i had to spend dealing with people changing my cc details. not good enough sony.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    4. Re:Say it aint so! by hedwards · · Score: 3, Interesting

      Given the number of breaches in various companies that have led to information being compromised, I think the better question is why do we let them store more information than absolutely necessary? There's no legitimate reason for Sony to be storing that information for most users. One could make a case for those that pay for PSN Plus, but for people who only buy a game now and again, there's absolutely no reason for them to store it. It's not that hard for people to type it in again.

      I mean for heaven's sake, if GOG doesn't need to store credit card information to stay in business, why does Sony?

    5. Re:Say it aint so! by hibiki_r · · Score: 2

      There is a reason, the same reason every major online retailer under the sun remembers credit cards until you tell them otherwise.

      The issue is not storing the number, but keeping it safe. Every large merchant is supposed to follow PCI DSS standards, which make mass copying of credit card data extremely difficult for attackers, or even lone trusted insiders. If the card encryption keys can be obtained by a single member of the organization, the system is not PCI compliant. Very large merchants, like Sony probably is, not only have to comply with the standards, but get audited regularly to see that the standards are met.

      So if someone got the encrypted database and stole the keys, they either did an extremely good job at it, or our good friends at Sony and the security auditors should be ripped a new one. After this, there should be a new audit after such intrusion, and if the audit finds a problem, Sony's merchant status should be revoked.

  5. Still won't stop people by skyphyr · · Score: 5, Insightful

    It took years after the rootkit fiasco before I decided to extend some trust to Sony and spend money on their products. Then came the removal of otheros, and I ceased spending any money with them. Then their bully tactics when the console got hacked, and I was glad I'd not spent any further money with them. Now, I find even after not doing any business with them for such a period I'm still not free of their incompetence and poor management. What will happen to Sony as a result of this? Nothing. All the muppets out there will continue to do business with this incompetent, morally bankrupt, behemoth. Will I be dumb enough to become one of those muppets again? I hope not.

  6. Ok by drolli · · Score: 4, Interesting

    Why does everybody collect and store all these data centrally?

    Just store it locally, on the playstation, electronically signed and encrypted in a way that the customer has to enter a passphrase to decrypt it when it's really needed. Make the "it is needed" message also necessarily signed by an independent system with no other function. Let this system do a statistic. Trigger an alarm if the number of signatures per minute is deviating significantly from the expected number.

    1. Re:Ok by Jaime2 · · Score: 4, Insightful

      Why does everybody collect and store all these data centrally?

      For recurring payments. With your scheme, every user would have to enter their password every month. The biggest problem for Sony would be that everyone would be making the decision to continue paying for the service every single month. If the number is on file, then the customer has to go out of his way to cancel, but has to do nothing to stay a customer.

    2. Re:Ok by notjustchalk · · Score: 4, Insightful

      Why does everybody collect and store all these data centrally?

      Because "paying for stuff" isn't the only reason Sony collects your data. There's also advertising (especially targeted/predictive), data mining, data sharing (both internally and externally), tracking/trending, etc. I think that data is a lot more valuable sitting on their servers than it is hidden in your console - hence, whatever the cost, it will remain there. That really goes for any internet aware service, not just Sony/PSN.

    3. Re:Ok by Jaime2 · · Score: 4, Insightful

      Of course you wouldn't. But the marketing department would never allow a system where you can passively unsubscribe.

  7. not just theory by e3m4n · · Score: 5, Interesting

    I just got up to speed on the whole PSN thing. I never once received an email from Sony explaining the problems and I was too busy last week to spend an abundant amount of time on /. reading about the security breach. I just got a call today from fraud protection on my debit card tied to my main bank account. They got triggered to suspicious activity when multiple charges showed up in two different states at the same time. Someone had gone to 2 Home Depots in FL and ran $100 gift cards 6 times in 2hrs today. This also happens to be the same card I had used to make a purchase from the PSN network a month ago for the DLC of Fallout New Vegas. To me this seems a little too coincidental to be the victim of some completely different fraud in the middle of this big stink with the 77 million accounts compromised from the PSN.

    1. Re:not just theory by by+(1706743) · · Score: 2

      Have you tried contacting Sony to see if you are one of the lucky 10M with compromised CC info? Of course, not that I'd necessarily trust Sony after their lack of honesty and transparency throughout this fiasco ("oh just a PSN outage / actually some account info has been stolen / actually CC info has been compromised").

      Another possibility could be that there are a lot of stolen CC numbers out there, but the thieves are biding their time so as not to draw unwanted attention. However, now that this PSN thing hit the fan, they figure they can get lost in the noise and have Sony blamed for their actions. A very shaky theory and I really doubt that's the case, but still.

  8. PCI Compliance required by SOLIDTRUSTPAY · · Score: 2

    All online companies that store credit card data are required to be PCI Compliant, like the company I work for, http://solidtrustpay.com./ The only reason Sony would have been storing card info is to retain the ability to recharge cards monthly, etc. ALL data should be encrypted, not just card info; in particular, email addresses to prevent phishing and spam attacks. Let's hope they learn and adjust their database systems quickly!

  9. No it isn't.. by Junta · · Score: 4, Interesting

    An alternative is easy in concept, but the status quo has the industry in a stranglehold. It's not like even a large consumer group acting together could *change* things from 'outside'.

    We are talking about 16 'secret' numbers that allow whoever figures them out to charge however much they want against your account. Occasionally an additional few on the back are needed for some retailers, but at the end of the day to even buy $5 of something with your card you must trust the seller to not do bad things with your account *and* keep it safe from others. This might have been about the best you could do when the seller was doing a carbon copy and would phone in the slips at the end of the day, but now everyone *immediately* contacts a server for validation and nearly every person with a card also has a pocket sized computer device capable of independently talking to bank servers. It's completely reasonable to have point-of-sale equipment that pairs with a phone and have the phone connect directly to bank servers to *specifically* authorize a transaction amount and have the PoS verify that data as well without such a silly use of an account number and just exchanging public keys and per-transaction authorization data.

    The common defense is "oh, well, most card companies don't hold the customer liable for everything", ignoring:
    -Some companies will hold the cardholder liable for some of it
    -Sometimes they may argue that the cardholder didn't act promptly or other circumstance
    -Even when everything works as 'promised', there is a cost incurred *somewhere* and that impacts you, either in higher interest rates on credit, lower interest rates on checking, and/or merchant prices due to processing fees. I'm about convinced this last one is the biggest motivation not to change, they play funny games with margin and can blame identity theft.

    --
    XML is like violence. If it doesn't solve the problem, use more.
    1. Re:No it isn't.. by MoonBuggy · · Score: 4, Insightful

      It's completely reasonable to have point-of-sale equipment that pairs with a phone and have the phone connect directly to bank servers to *specifically* authorize a transaction amount and have the PoS verify that data as well without such a silly use of an account number and just exchanging public keys and per-transaction authorization data.

      How should one generate an authorisation, though? Requiring a PIN is a good start, but since it's been introduced in the UK the banks have been using it to blame any and all fraud on the customer, because "the terminals can't be hacked" (demonstrably untrue, as I'm sure you guessed). Perhaps more importantly, many things that can be implemented on the terminals (such as a PIN requirement) are inappropriate for online use, meaning that when someone gets hold of your wallet (or your data from Sony's servers) they just run it through an offshore online casino.

      It's a genuinely difficult problem, largely because cards need to be fast to be usable. When I do direct bank-to-bank transfers, the bank provides a randomly generated numerical key on the screen, and an automated system calls my phone (within about a minute) and asks me to input the key before the transaction is authorised; it then auto-allows subsequent transfers to that account, but sends me a text message whenever they take place. It's a good system, but I certainly wouldn't like to be stuck in line with everyone going through that process to get their lunch. Maybe require a PIN for in-person transactions, and phone authorisation for online. I guess auto-allowing transactions only below a certain threshold could work, too, but then they already have systems to block 'suspicious' transactions... I don't know. Like I said, it's a tough one.

  10. New Information Revealed by rudy_wayne · · Score: 5, Funny

    It has been revealed that the whole problem began when a PSN admin inserted a Sony music CD. The installed rootkit then allowed hackers to access the network.

  11. Re:Encryption by Jaime2 · · Score: 3, Informative

    There's a bigger problem... If a system is sufficiently compromised, the attacker gets the encrypted card data, the encryption algorithm, and the keys (my favorite variation is where the database has a decryption stored procedure). We learned long ago to keep all encrypted card data in systems that have no user access and to only keep surrogate keys in transactional systems. For example, in our equivalent of the PlayStation Network, your credit card number would be stored as a meaningless number like "127". In order to process a transaction against the card, "127" and the transaction data is passed to the credit card system, where the credit card system looks up the real encrypted credit card number, decrypts it, and charges it. You could make the argument that we've simply moved the problem, but the credit card system is much easier to secure since no customer or even employee should ever be able to send a packet to it -- only a handful of controlled systems can. Sure, if the transactional system is compromised, the attacker can process cards with our system, but as soon as we kick them out, the card data is useless to them.

    As for the cryptanalysis problem, simply use a salt the same size as the card number and XOR the card number with it. Presto, perfectly random looking plain text with no (new) differential cryptanalysis vulnerabilities. You don't even need to do this if you use proper initialization vectors and a block cipher in CBC mode.

  12. beating wrong horse by goombah99 · · Score: 4, Insightful

    What would fix this is to have credit cards generate a contract, not tap an open vein. That is, the credit card is used to authorize a one time transaction (after which the credit card number itself can be discarded for the transaction ID). For recurring charges the transaction authorized should only enable payments to Sony, for goods provided to a specific address or online account, and include a cap. That is, non-transferable transactions are the thing we should keep on record.

    There needs to be a mechanism for generating these transaction IDs.

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:beating wrong horse by Anonymous Coward · · Score: 2, Interesting

      My credit card company (citicards) offers exactly that. They call it "virtual account numbers". There is a Flash applet (yeah, ick, I didn't say they had a nice website) where you can generate any number of extra credit card numbers. On use, they get linked to the merchant ID that first charged them. You can set expiration dates and amount limits for each one individually. It's not a perfect solution, but it's better and does not require a new system for the merchant so it can be implemented now.

    2. Re:beating wrong horse by errandum · · Score: 2

      In Portugal we have a system that allows you to generate any number of credit cards with a defined spending limit and with 1 month expiration dates.

      More than that, you don't even need to own a credit card and pretty much every bank has access to it.

      It doesn't get much better than this for web transactions.

  13. they never said no CC#s were compromised by YesIAmAScript · · Score: 4, Informative

    Sony never said no credit card numbers were compromised, they said that credit card numbers were in a separate encrypted database and probably were not accessed. But they can't be sure.

    And they are saying the exact same thing now.

    --
    http://lkml.org/lkml/2005/8/20/95
  14. Re:Not news by hedwards · · Score: 2

    That's what I was wondering about. I don't think that I've paid for anything via PSN, if I buy a game, I do it as disc and so it's unlikely that Sony has any information beyond my contact information. And let's be honest about that, it's been lost to crackers at least 3 times at this point, and I think it's probably been a few more times than that.

  15. Let the processor store them by ravenspear · · Score: 2

    One solution is to let the payment processor store them.

    I recently implemented an online payment system for a rather large client. We didn't want to store credit card numbers but had a need to process additional charges at a later date.

    We used Paypal's Payflow Pro product (formerly offered by Verisign). They have a feature that allows you to store a reference number with any successful transaction processed. When you want to submit an additional transaction, you just supply this reference number along with the new amount and the credit card details are copied into the transaction data by the processor's system. You can then submit a new sale or auth without having to store the cc number.

    Of course one issue with this is that since storing the CVV is prohibited, you cannot verify that this way. So what we do for that is submit a $1 auth at the data entry point, then void that. That allows us to verify the CVV from the customer before processing the transaction and storing the reference.

    With this system, if the database is ever compromised the attackers would not be able to use the data to submit charges very easily since all they would have is the reference number which cannot be used on front end web or POS systems. It would only be valid with a backend hook into Paypal's payflow processing system.
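
Added example, not part of any comment in this thread and not PayPal's or any commenter's actual system: a minimal model of the design Jaime2 and ravenspear describe, where the transactional database holds only a surrogate reference and an isolated card system accepts charge requests from a handful of keyed callers. The caller name `store-frontend`, the HMAC request format and all class and function names are assumptions; encryption of the vault's own storage is outside what this block shows.

```python
"""Surrogate-key card vault (constructed example, standard library only)."""
import hashlib
import hmac
import secrets

TEST_PAN = "4111111111111111"  # widely used test number, not a live account


def sign_request(key: bytes, caller_id: str, token: str, amount_cents: int, nonce: str) -> str:
    """MAC over every field of a charge request, keyed per calling system."""
    msg = f"{caller_id}|{token}|{amount_cents}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class CardVault:
    """The only place card numbers exist. It offers charge(), never a 'give me the PAN' call."""

    def __init__(self, caller_keys):
        self._caller_keys = dict(caller_keys)   # caller_id -> shared secret
        self._pans = {}                         # token -> PAN (a real vault encrypts this at rest)
        self._seen = set()                      # (caller_id, nonce) pairs already used

    def enroll(self, pan: str) -> str:
        token = secrets.token_hex(8)            # random surrogate, unrelated to the PAN
        self._pans[token] = pan
        return token

    def rotate_key(self, caller_id: str, new_key: bytes) -> None:
        """Incident response: after evicting an intruder, old credentials stop working."""
        self._caller_keys[caller_id] = new_key

    def charge(self, caller_id: str, token: str, amount_cents: int, nonce: str, mac: str) -> str:
        key = self._caller_keys.get(caller_id)
        if key is None:
            return "rejected: unknown caller"
        expected = sign_request(key, caller_id, token, amount_cents, nonce)
        if not hmac.compare_digest(expected, mac):
            return "rejected: bad MAC"
        if (caller_id, nonce) in self._seen:
            return "rejected: replay"
        self._seen.add((caller_id, nonce))
        pan = self._pans.get(token)
        if pan is None:
            return "rejected: unknown token"
        # Stand-in for handing the PAN to the card network; only the last four leave the vault.
        return f"charged card ending {pan[-4:]}"


def demo():
    """Constructed scenario: what a dump of the transactional database is worth."""
    caller = "store-frontend"                   # hypothetical name for the transactional system
    key = secrets.token_bytes(32)
    vault = CardVault({caller: key})
    token = vault.enroll(TEST_PAN)
    store_db = [{"user": "alice", "card_ref": token}]   # all the store ever persists

    out = {"pan_in_store_dump": TEST_PAN in repr(store_db)}
    mac = sign_request(key, caller, token, 999, "n1")
    out["legitimate"] = vault.charge(caller, token, 999, "n1", mac)
    # Someone holding only the dumped reference has no caller key to sign with.
    forged = sign_request(b"not-the-key", caller, token, 999, "n2")
    out["stolen_reference"] = vault.charge(caller, token, 999, "n2", forged)
    out["replayed_request"] = vault.charge(caller, token, 999, "n1", mac)
    # An intruder who did obtain the key loses access once it is rotated.
    vault.rotate_key(caller, secrets.token_bytes(32))
    stale = sign_request(key, caller, token, 999, "n3")
    out["after_key_rotation"] = vault.charge(caller, token, 999, "n3", stale)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```
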

  16. Re:Question to Sony. by tibit · · Score: 2

    I have had data breaches happen to my personal data multiple times at a big-ten school in the U.S., *and* at a big-ten school's medical center. There was always a press release, then a delay of a couple of days, then a personalized email with link & pin to start a year's worth of service with some credit protection service provider.

    --
    A successful API design takes a mixture of software design and pedagogy.