Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Crime PlayStation (Games) Privacy Security Sony The Almighty Buck Games

Sony: 10 Million Credit Cards May Have Been Exposed 251

WrongSizeGlass writes "The LA Times is reporting that Sony has revealed that 10 million credit card accounts may have been exposed two weeks ago when a hacker broke into the company's computers in San Diego and stole data from 77 million PlayStation Network accounts. Sony said it will provide credit card protection services for the 10 million customers whose data were compromised. Sony last week said it had encrypted credit card data, but not other account information, including names, addresses, email addresses and birth dates."
This discussion has been archived. No new comments can be posted.

Sony: 10 Million Credit Cards May Have Been Exposed

Comments Filter:
  • by Anrego ( 830717 ) * on Sunday May 01, 2011 @06:10PM (#35993694)

    I know this is beating a dead horse... but the core problem here isn't Sony's epic failure... it's that the credit system is so broken that this information that was stolen is enough to seriously fuck with someones life.

    I'm not trying to downplay Sony's screw up. I have a PSN account and as such am suitably nervous. This whole thing just reminds me of how messed up our system is.

    • I know this is beating a dead horse... but the core problem here isn't Sony's epic failure... it's that the credit system is so broken that this information that was stolen is enough to seriously fuck with someones life.

      I'm not trying to downplay Sony's screw up. I have a PSN account and as such am suitably nervous. This whole thing just reminds me of how messed up our system is.

      Speak for yourself... due to the economy, there is no way that someone could use my identity to fuck my life up worse than it already has been... speaking of which, if they had a credit card for me on file, the thing is most certainly invalid by now...

    • by jamesh ( 87723 ) on Sunday May 01, 2011 @07:04PM (#35994016)

      The Credit Card system could be done a lot better. Sony shouldn't need your CC number, all they should need is a magic number that authorizes Sony to transfer funds from your account to theirs. I think that what should happen is something like this:

      . I go to Sony's website and sign up for a PSN account
      . Sony give me their billing number and ask for an authorization number
      . I go to the bank, log in to my account, and request an authorization number against Sony's billing number, for a maximum amount (eg $50/month)
      . I go back to Sony's web page and enter in the authorization number and maybe some other identifying details (eg my banks number)

      Sony now has a number that is _only_ good for transferring funds from my account to theirs. If someone obtained that number then the worst they could do with it is transfer up to my limit of $50/month to Sony.

      It's not bulletproof but at least Sony don't have my CC number to share with the rest of the world.

      • by Jah-Wren Ryel ( 80510 ) on Sunday May 01, 2011 @08:43PM (#35994598)

        Such a system already exists. It was developed by an irish company called Orbiscom which was recently bought-out by Mastercard.
        It's got different names - disposable credit cards, one-time use credit cards, Controlled Payment Numbers [wikimedia.org], etc. Bank of America call's theirs ShopSafe, [bankofamerica.com] Citibank calls theirs Virtual Account Numbers. [citibank.com] I believe PayPal and Discover have their programs too -- all based on Orbiscom's technology.

        It works pretty much exactly the way you described - you log into your account, generate a new CC# with a maximum limit and expiration date that you specify. Then the first merchant account that posts a charge to the number becomes the only merchant account that post any more charges to that number. So even if the number does get stolen, it isn't any good to the thieves. Other than those limitations, for all intents and purposes, it is just a regular credit card. Most merchants can't even tell the difference.

        I've been using ShopSafe for well over a decade now and have never had a fraudulent charge. The only problems I've had have been when the merchant is sloppy and double-charges with the intent of cancelling the first charge - Parts-express.com is the only merchant that I know which does that for all of their transactions and fixing it was simple enough - I just double the max limit on the CC#.

      • My Visa credit card has a "ShopSafe" feature which does almost exactly what you suggest here. ShopSafe lets me create unique credit card numbers that are tied to my real account. These numers are only good at a single retailer (once one merchant has put a charge on the card, the card will be denied to any other merchant, but the same merchant can re-charge in the future). Additionally, I can set the expiration date (1 month from now is great for one-time purchases) and I can set a maximum dollar limit ($
    • One solution is to let the payment processor store them.

      I recently implemented an online payment system for a rather large client. We didn't want to store credit card numbers but had a need to process additional charges at a later date.

      We used Paypal's Payflow Pro product (formerly offered by Verisign). They have a feature that allows you to store a reference number with any successful transaction processed. When you want to submit an additional transaction, you just supply this reference number along with

      • by Svartalf ( 2997 )

        The problem is that you're centralizing the stuff to the payment processor now- which while it's more secure, it's a much more lucrative target. Effort's vastly higher, yes, but the payoff's porportionate.

    • Why don't Visa and Mastercard implement a keyfob generator system like Blizzard do for World of Warcraft? It seems silly that my World of Warcraft account might be more secure than my credit card.
  • by DurendalMac ( 736637 ) on Sunday May 01, 2011 @06:13PM (#35993702)
    ...Were account passwords encrypted or hashed?
  • by senorpoco ( 1396603 ) on Sunday May 01, 2011 @06:13PM (#35993706)
    Using the credit cards will install a DRM rootkit on their computers right?
  • Say it aint so! (Score:2, Insightful)

    by Culture20 ( 968837 )
    Sony, I thought you said no CC numbers were exposed! How will we ever trust you again when you lie like this? A month of PSN Plus you say?
    • Re:Say it aint so! (Score:5, Insightful)

      by Anubis IV ( 1279820 ) on Sunday May 01, 2011 @06:38PM (#35993866)

      What I recall hearing them say was that they couldn't rule out the possibility that they had been exposed, but that they couldn't at that time confirm that it had happened either. I know we all like trolling Sony because they deserve it, but at least pick one of the many valid reasons for doing so, rather than making up one that doesn't exist.

    • Re:Say it aint so! (Score:5, Interesting)

      by ect5150 ( 700619 ) on Sunday May 01, 2011 @06:40PM (#35993882) Journal
      A month of PSN Plus? All they have to do is take the deals of the month away to make that deal worthless.

      It's a good thing I already changed my credit card number and all of my passwords, just in case.

      By the way, I just happened to use the same login and password on the PSN as I did for my GMail account. Gmail informed me the other day that someone had accessed the account from an IP in China. That when I started changing EVERYTHING and started watching my accounts like a hawk.
      • by smash ( 1351 )
        more to the point, 30 days of playstation plus will give me approximately 10-40 minutes of value (I am busy, and use the ps3 mostly for media). for the multiple hours i had to spend dealing with people changing my cc details. not good enough sony.
    • Sony, I thought you said no CC numbers were exposed!

      Q&A #1 for PlayStation Network and Qriocity Services [playstation.com]

      Q: Was my credit card data taken?
      A: While all credit card information stored in our systems is encrypted and there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.

    • Sony, I thought you said no CC numbers were exposed! How will we ever trust you again when you lie like this? A month of PSN Plus you say?

      There is no news in the article, just a rehashing of what we've been already told, "out of an abundance of caution...", "... may have ...", etc.

      There is no such thing as "credit card protection service", the dumb author meant "credit protection", which is offered due to the information we DO already know was compromised.

      I'm not optimistic enough to not ask for new cards to be issued, that is the smart thing to do anyways.
      But, there's no excuse for you running your mouth like a fucking retard.

    • Re:Say it aint so! (Score:4, Interesting)

      by hedwards ( 940851 ) on Sunday May 01, 2011 @07:11PM (#35994040)

      Given the number of breaches in various companies that have led to information being compromised, I think the better question is why do we let them store more information than absolutely necessary? There's no legitimate reason for Sony to be storing that information for most users. One could make a case for those that pay for PSN Plus, but for people who only buy a game now and again, there's absolutely no reason for them to store it. It's not that hard for people to type it in again.

      I mean for heaven's sake, if GOG [gog.com] doesn't need to store credit card information to stay in business, why does Sony?

      • There is a reason, the same reason every major online retailer under the sun remembers credit cards until you tell them otherwise.

        The issue is not storing the number, but keeping it safe. Every large merchant is supposed to follow PCI DSS standards, which make mass copying of credit card data extremely difficult for attackers, or even lone trusted insiders. If the card encryption keys can be obtained by a single member of the organization, the system is not PCI compliant. Very large merchants, like Sony pro

  • by skyphyr ( 1149207 ) on Sunday May 01, 2011 @06:14PM (#35993712) Homepage
    It took years after the rootkit fiasco before I decided to extend some trust to Sony and spend money on their products. Then came the removal of otheros, and I ceased spending any money with them. Then their bully tactics when the console got hacked, and I was glad I'd not spent any further money with them. Now, I find even after not doing any business with them for such a period I'm still not free of their incompetence and poor management. What will happen to Sony as a result of this? Nothing. All the muppets out there will continue to do business with this incompetent, morally bankrupt, behemoth. Will I be dumb enough to become one of those muppets again? I hope not.
    • Will I be dumb enough to become one of those muppets again?

      I don't know. How long do you remember stuff like this and when is the next Playstation coming out?

      • I have a simple solution to "trusting those muppets"... Just use prepaid PSN cards. Available everywhere Sony crap is sold. Then you're only on the hook for crank calls should your data ever be compromised again. :)

  • Ok (Score:5, Interesting)

    by drolli ( 522659 ) on Sunday May 01, 2011 @06:17PM (#35993732) Journal

    Why does everybody collect and store all these data centrally?

    Just store it locally, on the playstation, electronically signed and encrypted in a way that the customer has to enter a passphrase to decrypt it when its really needed. make the "it is needed" message also necessarily signed by an independent system with no other function. Let this system do a statistic. trigger an alarm if the number of signatures per minute is deviating significantly from the expected number.

    • Re:Ok (Score:5, Insightful)

      by Jaime2 ( 824950 ) on Sunday May 01, 2011 @06:26PM (#35993776)

      Why does everybody collect and store all these data centrally?

      For recurring payments. With your scheme, every user would have to enter their password every month. The biggest problem for Sony would be that everyone would be making the decision to continue paying for the service every single month. If the number is on file, then the customer has to go out of his way to cancel, but has to do nothing to stay a customer.

      • by drolli ( 522659 )

        Well to be honest *I* would not mind to enter a password one per month to legitimate payments if that keeps my data safe.

      • by _xeno_ ( 155264 )

        It wasn't for recurring payments, originally. Their original system used this crazy wallet thing where you'd have to load money onto your account, and then you could spend it.

        They changed it so that you later just saved a credit card and could automatically load exactly the amount you needed onto your wallet without going through the whole "load wallet" step. (Which also meant that for the first time you didn't need to spend in $10 increments. Or was it $5? You get the point.)

        To make things easier, they aut

    • Re:Ok (Score:4, Insightful)

      by notjustchalk ( 1743368 ) on Sunday May 01, 2011 @06:42PM (#35993896)

      Why does everybody collect and store all these data centrally?

      Because "paying for stuff" isn't the only reason Sony collects your data. There's also advertising (especially targeted/predictive), data mining, data sharing (both internally and externally), tracking/trending, etc. I think that data is a lot more valuable sitting on their servers than it is hidden in your console - hence, whatever the cost, it will remain there. That really goes for any internet aware service, not just Sony/PSN.

    • by Kenja ( 541830 )
      A better question is why is the database connected to the internet. There should be an abstraction layer fire-walled from the web servers. Web server can pass information to the DB server, but the DB server can only respond true/false.
  • not just theory (Score:5, Interesting)

    by e3m4n ( 947977 ) on Sunday May 01, 2011 @06:19PM (#35993740)
    I just got up to speed on the whole PSN thing. I never once received an email from sony explaining the problems and I was too busy last week to spend an abundant amount of time on /. reading about the security breach. I just got a call today from fraud protection on my debit card tied to my main bank account. They got triggered to suspicious activity when multiple charges showed up in two different states at the same time. Someone had gone to 2 Home depots in FL and ran $100 gift cards 6 times in 2hrs today. This also happens to be the same card I had used to make a purchase from the PSN network a month ago for the DLC of fallout new vegas. To me this seems a little too coincidental to be the victim of some completely different fraud in the middle of this big stink with the 77 million accounts compromised from the PSN.
    • Have you tried contacting Sony to see if you are one of the lucky 10M with compromised CC info? Of course, not that I'd necessarily trust Sony after their lack of honesty and transparency throughout this fiasco ("oh just a PSN outage / actually some account info has been stolen / actually CC info has been compromised").

      Another possibility could be that there are a lot of stolen CC numbers out there, but the thieves are biding their time so as not to draw unwanted attention. However, now that this PSN thi
      • Of course, not that I'd necessarily trust Sony after their lack of honesty and transparency throughout this fiasco ("oh just a PSN outage / actually some account info has been stolen / actually CC info has been compromised").

        I really don't see any lack of transparency, nobody sane would disclose a security breach while they are still investigating it, even open source software don't do that, for example in kde vulnerabilities are kept "secret" in the packagers mailing list for some days so every distro has the time to patch up and then they are disclosed to the public

    • by Kohath ( 38547 )

      As of a couple days ago, the CC security people were saying there was no indication the card info had been used. If someone steals 10 million credit card numbers and tries to use them, it gets noticed.

      From most likely to least, your problems are:

      - a coincidence that happened during the 12 days since the breach or
      - a complete fabrication or
      - the only card (or one of the few cards) the hackers decided to use or
      - the first report in the pattern that the banks and card companies are looking for.

      Too bad dude.

  • This is not news. It was already posted on Slashdot. The only new item is that only 10 million of the 77 million accounts had credit card information associated.

    BTW: Sony has said there is no evidence the intruders got CC info, but they can't rule it out either.

    • The best thing that comes out of all these breaches is the consequences of assuming the worst - Gary McKinnon, looks for UFOs, causes 6-figure damages because any machine he was within 1000 miles of pinging got tossed into a shredder. Likewise, with this, you know there's some hacker out there who's all like "shit, I missed that database, I was only in there for info on the PS4"

    • That's what I was wondering about. I don't think that I've paid for anything via PSN, if I buy a game, I do it as disc and so it's unlikely that Sony has any information beyond my contact information. And let's be honest about that, it's been lost to crackers at least 3 times at this point, and I think it's probably been a few more times than that.

  • Help me out here guys. Should it be trivial in a modern data center to tell if that much data has been accessed? Also, I know California has a data breach law requiring disclosure if you do business there, any Californians with some extra letters from Sony?
  • Woah, some executives bowed in apology? That makes everything better now! All is forgiven, and we* can get back with our lives now.

    They were in the prison shower with Bubba standing behind them when this happened, right?

    * - "We" refers to each individual PSN member and the guy who's running around with the PSN member's ID and credit card.

  • What kind of encryption can completely satisfy security of credit card data, of which target space is limited and patterns are well known? Anyone competent enough to hack into their system, most probably competent enough to do cryptanalysis and decipher the data in no time. As they couldn't secure their own network, I don't think they had used methods to scrabble credit card data before encrypting it.
    • Re:Encryption (Score:4, Informative)

      by Jaime2 ( 824950 ) on Sunday May 01, 2011 @06:48PM (#35993928)
      There's a bigger problem... If a system is sufficiently compromised, the attacker gets the encrypted card data, the encryption algorithm, and the keys (my favorite variation is where the database has a decryption stored procedure). We learned long ago to keep all encrypted card data in systems that have no users access and to only keep surrogate keys in transactional systems. For example, in our equivalent of the PlayStation Network, your credit card number would be stored as a meaningless number like "127". In order to process a transaction against the card, "127" and the transaction data is passed to the credit card system, where the credit card system looks up the real encrypted credit card number, decrypts it, and charges it. You could make the argument that we've simply moved the problem, but the credit card system is much easier to secure since no customer or even employee should ever be able to send a packet to it -- only a handful of controlled system can. Sure, if the transactional system is compromised, the attacker can process cards with our system, but as soon as we kick them out, the card data is useless to them.

      As for the cryptanalysis problem, simply use a salt the same size as the card number and XOR the card number with it. Presto, perfectly random looking plain text with no (new) differential cryptanalysis vulnerabilities. You don't even need to do this if you use proper initialization vectors and a block cipher in CBC mode
      • (my favorite variation is where the database has a decryption stored procedure)

        So? What matters is how you protect the key. I don't think you really understand the reasoning behind doing that which is protecting data at rest.

        You're also just throwing random things out there without knowing what the PSN transaction processing backend really looks like. At this point, you do not know if any cardholder information was compromised outside of name & address. You don't even know if the address or name are from the PSN profile or CC account. You don't know if they violated any PCI g

        • by Jaime2 ( 824950 )
          I'm not accusing anyone of anything. The phrase "my favorite version" obviously refers to my previous experiences elsewhere; for it to mean Sony, I would have to have a long history of experiences auditing their systems, and I would have mentioned that. Also, I do understand encryption at rest. That is exactly why a decryption stored procedure is so useless as the stored procedure gets backed up with and lives on the same storage as the data. In order for the it to work, the stored procedure has to have
  • All online companies that store credit card data are required to be PCI Compliant, like the company I work for, http://solidtrustpay.com./ [solidtrustpay.com.] The only reason Sony would have been storing card info is to retain the ability to recharge cards monthly, etc. ALL data should be encrypted, not just card info; in particular, email addresses to prevent phishing and spam attacks. Let's hope they learn and adjust their database systems quickly!
    • You can encrypt the data all you like but that doesn't change the fact that the very same systems typically need to be able to decrypt the data in order to do their job (ie send emails or do CC transactions) so some part of the system at least has access to the encrypted data and the means to do decryption.

      At best it typically means there is one additional server that needs to be compromised before the whole lot is exposed. Encryption is of course a useful tool but it is not a magic bullet.
  • by rudy_wayne ( 414635 ) on Sunday May 01, 2011 @06:46PM (#35993912)

    It has been revealed that the whole problem began when a PSN admin inserted a Sony music CD. The installed rootkit then allowed hackers to access the network.

  • by smash ( 1351 )
    Given that i have a life and time spent with the "free" offers of stuff over 30 days is likely to be approximately 45 minutes, what the fuck are sony going to do to compensate me for the 4+ hours of wasted time that I had to spend changing credit card details everywhere because they were so un-forthcoming with the distribution of my personal details?
  • Sony last week said it had encrypted credit card data

    ...with rot13.

  • I'm curious if you're at risk if you deleted your credit card info recently. A few days before the attack, I logged in to PSN on a friend's PS3. I didn't remember which card I had tied to the service, so when it asked me to confirm, I went ahead and said "delete credit card info". So, I guess we'll find out if Sony actually physically removes the data...

  • But they said they are sorry, so that makes it ok, right?

A sheet of paper is an ink-lined plane. -- Willard Espy, "An Almanac of Words at Play"

Working...