
Sony: 10 Million Credit Cards May Have Been Exposed

Posted by timothy
from the translucency-failure dept.
WrongSizeGlass writes "The LA Times is reporting that Sony has revealed that 10 million credit card accounts may have been exposed two weeks ago when a hacker broke into the company's computers in San Diego and stole data from 77 million PlayStation Network accounts. Sony said it will provide credit card protection services for the 10 million customers whose data were compromised. Sony last week said it had encrypted credit card data, but not other account information, including names, addresses, email addresses and birth dates."
  • Re:Encryption (Score:4, Informative)

    by Jaime2 (824950) on Sunday May 01, 2011 @07:48PM (#35993928)
    There's a bigger problem... If a system is sufficiently compromised, the attacker gets the encrypted card data, the encryption algorithm, and the keys (my favorite variation is where the database has a decryption stored procedure). We learned long ago to keep all encrypted card data in systems that have no user access and to only keep surrogate keys in transactional systems. For example, in our equivalent of the PlayStation Network, your credit card number would be stored as a meaningless number like "127". In order to process a transaction against the card, "127" and the transaction data are passed to the credit card system, where the credit card system looks up the real encrypted credit card number, decrypts it, and charges it. You could make the argument that we've simply moved the problem, but the credit card system is much easier to secure since no customer or even employee should ever be able to send a packet to it -- only a handful of controlled systems can. Sure, if the transactional system is compromised, the attacker can process cards with our system, but as soon as we kick them out, the card data is useless to them.

    As for the cryptanalysis problem, simply use a salt the same size as the card number and XOR the card number with it. Presto, perfectly random-looking plaintext with no (new) differential cryptanalysis vulnerabilities. You don't even need to do this if you use proper initialization vectors and a block cipher in CBC mode.
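The surrogate-key design Jaime2 describes, as an added example (not the commenter's or Sony's code): the customer-facing system keeps only random tokens, and the vault exposes a single charge operation to an allow-list of callers, so a dump of the transactional database yields no card numbers and revoking a caller makes stolen tokens worthless. The vault cipher here (HMAC-SHA256 used as a CTR keystream plus an HMAC tag) is an assumption chosen so the script runs on the standard library alone; a real vault would use an authenticated cipher such as AES-GCM with keys held in an HSM or KMS.

```python
import hmac, hashlib, secrets

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # PRF-based keystream; stands in for AES-GCM so this runs with stdlib only.
    out = b""
    for ctr in range(0, n, 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

class CardVault:
    """Holds encrypted PANs; only charge() is exposed, and only to allow-listed callers."""
    def __init__(self, allowed_callers):
        self._enc_key = secrets.token_bytes(32)   # in production: an HSM/KMS-held key
        self._mac_key = secrets.token_bytes(32)
        self._records = {}                        # token -> (nonce, ciphertext, tag)
        self.allowed = set(allowed_callers)

    def store(self, pan: str) -> str:
        nonce = secrets.token_bytes(16)
        ct = bytes(a ^ b for a, b in zip(pan.encode(), _keystream(self._enc_key, nonce, len(pan))))
        tag = hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()
        token = secrets.token_hex(8)              # random surrogate, not derived from the PAN
        self._records[token] = (nonce, ct, tag)
        return token

    def charge(self, caller: str, token: str, amount_cents: int) -> str:
        if caller not in self.allowed:
            raise PermissionError(f"{caller} may not talk to the vault")
        nonce, ct, tag = self._records[token]
        if not hmac.compare_digest(tag, hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()):
            raise ValueError("vault record tampered")
        pan = bytes(a ^ b for a, b in zip(ct, _keystream(self._enc_key, nonce, len(ct)))).decode()
        # Real processing would call the acquirer here; the PAN never leaves the vault.
        return f"charged {amount_cents} to ****{pan[-4:]}"

class StoreFront:
    """The customer-facing system: stores tokens only and charges by proxy."""
    def __init__(self, vault: CardVault, name: str = "psn-web"):
        self.vault, self.name, self.accounts = vault, name, {}

    def add_card(self, user: str, pan: str) -> None:
        self.accounts[user] = self.vault.store(pan)   # the PAN is not retained here

    def buy(self, user: str, amount_cents: int) -> str:
        return self.vault.charge(self.name, self.accounts[user], amount_cents)

if __name__ == "__main__":
    vault = CardVault(allowed_callers={"psn-web"})
    shop = StoreFront(vault)
    shop.add_card("alice", "4111111111111111")      # constructed test PAN
    print(shop.buy("alice", 4999))
    print("transactional DB dump:", shop.accounts)  # tokens only, no card data
```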
  • by YesIAmAScript (886271) on Sunday May 01, 2011 @08:13PM (#35994050)

    Sony never said no credit card numbers were compromised, they said that credit card numbers were in a separate encrypted database and probably were not accessed. But they can't be sure.

    And they are saying the exact same thing now.
