*ren* PSN Down, Customer Info Compromised

Brad: G4 TV station has already reported that multiple users have been hit with charges up to $600 on their credit cards tied to PSN
 
Yeah, with a pool that big there is bound to be unrelated, coincidental credit card fraud on cards that are also tied to PSN accounts. There was fraud on PSN-linked cards this week, last week, the week before, the week before that. You have 77 million members and credit card fraud is very common. Of course there has been overlap, but that's not the same as proving the PSN breach resulted in those fraudulent charges. That would require a detailed chain of evidence no one will ever have, or a very thorough statistical analysis of the rate of fraudulent charges on cards attached to PSN accounts prior to and after the breach in order to determine a measurable increase. No one has either of these things, and Sony has said they can find no evidence the credit card table was copied, and it was encrypted as well. So excuse me if I don't trust the average G4 viewer's PSN-related fraud self-diagnosis.
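The "measurable increase" the post above asks for is a before/after comparison of fraud rates, not a count of anecdotes. The following is an added example (not from the thread or from any bank or Sony data) of the kind of test that would be involved: a one-sided two-proportion z-test over constructed counts, plus a helper showing how many fraud reports a large card population produces anyway at a baseline rate. All figures are constructed for illustration.

```python
"""Baseline-vs-post-breach fraud rate comparison. Added example, not from the
thread; every count below is constructed and is not real PSN or issuer data."""
import math


def two_proportion_ztest(fraud_before, cards_before, fraud_after, cards_after):
    """One-sided two-proportion z-test of H1: post-breach rate > baseline rate.

    Returns (z, p_value, rate_before, rate_after). Uses the pooled-proportion
    standard error and the standard normal upper tail, adequate at these sizes.
    """
    rate_before = fraud_before / cards_before
    rate_after = fraud_after / cards_after
    pooled = (fraud_before + fraud_after) / (cards_before + cards_after)
    se = math.sqrt(pooled * (1 - pooled) * (1 / cards_before + 1 / cards_after))
    z = (rate_after - rate_before) / se
    p_value = 0.5 * math.erfc(z / math.sqrt(2))  # P(Z >= z) for a standard normal
    return z, p_value, rate_before, rate_after


def expected_coincidental_cases(cards, baseline_rate):
    """Fraud reports a card population produces in one window at the baseline
    rate with no breach at all: the 'overlap' the post above refers to."""
    return cards * baseline_rate


def measurable_increase(fraud_before, cards_before, fraud_after, cards_after, alpha=0.01):
    """Verdict helper: True only if the post-breach rate is significantly higher."""
    _, p_value, _, _ = two_proportion_ztest(fraud_before, cards_before, fraud_after, cards_after)
    return p_value < alpha


if __name__ == "__main__":
    # Constructed figures: one issuer watching 1,000,000 PSN-linked cards over
    # equal-length windows before and after the incident.
    cards = 1_000_000
    baseline_rate = 0.002  # constructed: 0.2% of cards see a fraud report per window

    # At that baseline a handful of forum anecdotes is not evidence of anything.
    print(f"Expected coincidental cases per window: "
          f"{expected_coincidental_cases(cards, baseline_rate):.0f}")

    # Scenario A: post-breach count inside normal variation (2000 -> 2050).
    z, p, _, _ = two_proportion_ztest(2000, cards, 2050, cards)
    print(f"A: z={z:.2f} p={p:.3f} measurable={measurable_increase(2000, cards, 2050, cards)}")

    # Scenario B: a real 15% lift (2000 -> 2300) that the test does detect.
    z, p, _, _ = two_proportion_ztest(2000, cards, 2300, cards)
    print(f"B: z={z:.2f} p={p:.2e} measurable={measurable_increase(2000, cards, 2300, cards)}")
```

Scenario A comes out around z = 0.79 (p about 0.22), so a 50-case bump over a million cards proves nothing; scenario B gives z near 4.6, which is the sort of signal an issuer could actually act on. Getting the "before" counts requires the issuer's own records, which is exactly the data no one posting on a forum has.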
 
Oh okay, I see. At least you admit that no matter what happens from here on out you will never believe that Sony's shoddy security is at fault for users' info getting out there and cards being abused.

I can now add you to ignore
 
Do we know for a fact that the PSN Password was not encrypted? And if it wasn't encrypted there must be a logical reason why it wasn't, not just slackness on Sony's part.
 
Oh okay, I see. At least you admit that no matter what happens from here on out you will never believe that Sony's shoddy security is at fault for users' info getting out there and cards being abused.

I can now add you to ignore

Hey, you've been on my ignore list since a couple days after you registered! Now we can be ignore buddies!

And yes, I shamelessly expect claims to be backed by facts. I know this is confusing for one such as yourself who must bend the world to reflect your preconceived notions of what can and can't be. You'll be interested to know a Norwegian paper was reporting on PSN related fraud charges. Of course, the charges in question predate the breach of PSN security and therefore are completely unrelated, but don't let that get in the way of the Sony FA1L game!
 
Oh okay, I see. At least you admit that no matter what happens from here on out you will never believe that Sony's shoddy security is at fault for users' info getting out there and cards being abused.

I can now add you to ignore

He has a valid point: if 77 million credit cards (we know it's less, but big numbers work) are used on PSN, it's very likely that those credit cards are also used on other online services; well, that they are used at all, and in any case are "exposed" to criminals all over the world.

So far there has not, imho, been any "real" evidence of CC fraud related to PSN. But you know what, it doesn't matter, because the leak of email addresses, users and passwords is more than enough to call it a disaster and a testament to "Sony's shoddy security". I find it beyond mind-numbing that they could be so stupid. I don't have high hopes that they secured CC information differently than user info.

I get the sense that they are using an old system that was "fine" before the internet turned bad and evil (I ran NT4 IIS servers WITHOUT firewalls when I was younger :)).

Someone didn't focus on the obvious flaws. If the emails, users and passwords had been exposed in encrypted form, or at least not in plain text, the damage would have been greatly reduced...

SIGH!
 
I received the email to my US account. Nothing on my EU account! I wonder if the breach is more regional? Or SCEE is even more slothful than SCEA?
 
I received the email to my US account. Nothing on my EU account! I wonder if the breach is more regional? Or SCEE is even more slothful than SCEA?

I received the email too for both my accounts. I wouldn't put much emphasis on which accounts you received the email for or not - they probably are just letting out the information in batches, as sending out 77 million emails is not a small feat.
 
Hey, you've been on my ignore list since a couple days after you registered! Now we can be ignore buddies!

I think your B3D account must have been hacked, as in normal circumstances you are not forced to read (and therefore respond to) comments from users on Ignore.

He has a valid point,

Of course he does. How many times have we heard "Halo 3 caused my 360 to RROD" or "I updated my PS3 firmware and soon after my PS3 died... the firmware killed it!"

And the reality is that this is going to be the biggest problem for Sony, if someone does have strange transactions on their accounts over the next few months or is a victim of identity theft, it will be an automatic assumption that the PSN breach is the reason why.

However, conversely, even if such a situation occurred directly due to the breach, it's next to impossible to actually pin it to that, to prove it. And that is the message that the hardcore Sony loyalists are going to take out there into the interweb. We've already seen them first blaming Anon, then blaming Geohotz, and now there seems to be a concerted effort by those loyalists to downplay the actual seriousness of this, with maybe a sideline to say that Sony could have informed us sooner.

I think the only person or organisation we should take a lead on regarding the seriousness of this is Sony themselves, and if they see it as serious enough to take down the PSN service for (what now looks like) up to two weeks and are (probably) spending in the tens of millions to relocate to new, more secure data centres and are instigating a complete overhaul of their data security procedures, then that tells us all we need to know.

So it's somewhere between "relax, it's no big deal and it's only Sony haters who are making it seem so" and "Oh my god, Sony have sold my soul to the devil".

Personally, I see it as somewhere around 75-80 on the seriousness scale. But maybe that's because I only give my correct personal information to a few trusted companies, such as Sony, Santander, MS and a couple of online stores. My details here were created via a free online email service that has neither my real name nor address nor date of birth. The same goes for other forums, Facebook and most of the rest of the web.
 
Brad: G4 TV station has already reported that multiple users have been hit with charges up to $600 on their credit cards tied to PSN
That's hardly yet any evidence that those credit card charges are indeed PSN hack related.
As is always the case when something like this is in the news, there are individuals who overreact and panic, and are sure they must be affected, and when investigated further it usually turns out they'd spent that money themselves or it was their spouses who'd used the card ;)
Until there's more reliable info than G4TV, it'd be wiser not to fan the flames.
 
I got my EU (Australian) email today.

As an aside at least Sony didn't try and somehow link the hack to lapsed security due to the recent earthquake and Tsunami in Japan - If I was PR manager at Sony I would have tried to get the sympathy vote;)
 
http://www.eurogamer.net/articles/2011-04-28-sony-your-card-data-data-was-encrypted

"The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack," Seybold said.

Sony has come under increasing scrutiny for the way it protected the personal data tied to over 70 million PSN and Qriocity accounts.

The fact that user passwords have been "obtained", as Sony puts it, suggests Sony stored user passwords as plain text – and did not encrypt them.
How the fuck is it even possible in the 21st century? What idiots are working there and writing Sony's database?
Really, if it's true, Sony will lose much more money than I thought.
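The inference in the post above is that "obtained" passwords means passwords stored in plain text. As an added example (not Sony's code, and not from the thread) here is a plain-text credential row next to the salted, iterated hash a credential table should hold instead, with a check of what a copied row gives away in each case. The record layout, field names and PBKDF2 iteration count are assumptions chosen for the example.

```python
"""Plain-text password storage next to salted PBKDF2 storage.
Added example, not Sony's code; record layout and work factor are assumed."""
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ITERATIONS = 200_000  # assumed work factor; tune to your hardware


def store_plaintext(password: str) -> dict:
    """The failure mode: whoever copies the table reads every credential as-is."""
    return {"password": password}


def store_hashed(password: str, salt: Optional[bytes] = None) -> dict:
    """Per-user random salt plus a slow key-derivation function.

    A copied table yields no password directly, a precomputed table cannot be
    shared across users because each salt differs, and every guess against a
    row costs PBKDF2_ITERATIONS hash rounds instead of one lookup."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {
        "algo": "pbkdf2_sha256",
        "iterations": PBKDF2_ITERATIONS,
        "salt": salt.hex(),
        "hash": digest.hex(),
    }


def verify_hashed(record: dict, password: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(candidate.hex(), record["hash"])


def leaked_record_reveals_password(record: dict) -> bool:
    """What a copied row gives away directly, with no guessing at all."""
    return "password" in record


if __name__ == "__main__":
    # Constructed sample accounts; two users happen to share a password.
    alice = store_hashed("correct horse battery")
    bob = store_hashed("correct horse battery")
    print("same password, different stored hashes:", alice["hash"] != bob["hash"])
    print("login ok:", verify_hashed(alice, "correct horse battery"))
    print("wrong password rejected:", not verify_hashed(alice, "Correct horse battery"))
    print("plaintext row exposes credential:", leaked_record_reveals_password(store_plaintext("hunter2")))
    print("hashed row exposes credential:", leaked_record_reveals_password(alice))
```

The practical consequence for users is the one raised later in the thread: a hashed table limits the damage of a copied database to users with weak, guessable passwords, while a plain-text table hands over every password, including the ones reused on other sites.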
 
The full official Q&A here:
http://blog.us.playstation.com/2011/04/27/qa-1-for-playstation-network-and-qriocity-services/

Q: Was my personal data encrypted?
A: All of the data was protected, and access was restricted both physically and through the perimeter and security of the network. The entire credit card table was encrypted and we have no evidence that credit card data was taken. The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack.
Q: Was my credit card data taken?
A: While all credit card information stored in our systems is encrypted and there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained. Keep in mind, however that your credit card security code (sometimes called a CVC or CSC number) has not been obtained because we never requested it from anyone who has joined the PlayStation Network or Qriocity, and is therefore not stored anywhere in our system.

Incidentally, I don't know if the latter is correct. If I remember correctly, I definitely do have to supply my CVC code when I provide my Credit Card settings the first time. But when I got my second PS3 (and replaced my first) and I enabled my main account on that again, the credit card information was stored, but I had to provide the CVC code again, so I presume that what they mean is that this information is never stored in the database (I don't think *any* system is allowed to store that).
 
The full official Q&A here:
http://blog.us.playstation.com/2011/04/27/qa-1-for-playstation-network-and-qriocity-services/

Incidentally, I don't know if the latter is correct. If I remember correctly, I definitely do have to supply my CVC code when I provide my Credit Card settings the first time. But when I got my second PS3 (and replaced my first) and I enabled my main account on that again, the credit card information was stored, but I had to provide the CVC code again, so I presume that what they mean is that this information is never stored in the database (I don't think *any* system is allowed to store that).

Well well, the CC data WAS encrypted, which makes it at least harder to get info from, and unlikely that it's already been breached. In regards to CVC, I purchase without submitting it, so they do have it in my case. Or don't use it?
 
Well well, the CC data WAS encrypted, which makes it at least harder to get info from, and unlikely that it's already been breached. In regards to CVC, I purchase without submitting it, so they do have it in my case. Or don't use it?

I would have been amazed if the CC data wasn't encrypted; absolutely flabbergasted.

I'm pretty certain that any companies that adhere to PCI DSS shouldn't be storing CVC information anyway. Whether Sony asked for it or not, they shouldn't be storing it anywhere on the system.
 
The hysterics around the PSN breach have become incredibly hyperbolic. At this point it seems clear that no one got any credit card info; Sony just has to warn people to be cautious since, in theory, someone could have downloaded the entire database, although they have no evidence of this, and by some miracle brute-force decoded the whole thing. Likewise, identity theft isn't too big a problem since Sony didn't have anybody's social security number, which is the most salient piece of data. No, the real biggest problems are compromised passwords which you may have used elsewhere, and downtime for the service itself. In both cases this isn't really any worse than any number of well-publicized hacks in recent memory.

Actually, this is not clear at all. At least not to me. It may be that since the credit card info was encrypted that even if it was obtained that it will be very hard (virtually impossible?) to access, but there's a distinction there. If I had submitted my CC info to PSN, I would report my card as compromised and get a new one.

The problem is people are holding Sony to an impossible standard. They should have immediately notified everyone who was affected last week, but you can't assume they automagically knew what had happened and who was impacted back then, and Sony have come out and directly said they didn't really have a good idea until Monday.

I don't care what they knew. As soon as a company that has my personal info suspects that my info might have been accessed by an unknown party I want to be notified. This is the standard I hold any company I provide this type of information to and this is the standard I will continue to hold them to, regardless of what I think about their products/services.

It does not help that so much schadenfreude is being expressed by fanboy partisans around the net who have a distaste for Sony anyway and are more than happy to fan the flames of panic and anguish. My Google Reader feed is filled with outlandish, unsubstantiated and, frankly, unconscionable link-bait stories written by people who don't understand what they are saying, but are happy to repeat anything that makes Sony look bad. Ars Technica loves telling us correlation does not equal causation when it comes to videogame violence, but as soon as three idiots email them to claim they saw fraud on their credit cards (a depressingly common occurrence, PSN notwithstanding), so few that you can't even rightfully claim even correlation, they are more than happy to report these coincidences as though they are news. Many outlets have also made the mistake of using the statements from random customer service reps in the banking industry to supposedly discredit Sony's claim to have warned major financial institutions. Speaking as someone who has worked in a call center for a major bank, I can guarantee you Sony doesn't call the same 800 number that's on the back of your debit card to make such notifications, and that kind of information takes a while to trickle down the chain.

To date, I haven't seen any evidence of actual damages incurred by customers due to the breach. Associated services like Hulu Plus have already done the cool thing and offered subscription extensions to impacted users. The biggest losers are small developers dependent on PSN sales for their livelihood. Talk of congressional inquiries is premature, as are class action lawsuits. The breach of PSN has been a massive inconvenience, to be sure, but it is not the business catastrophe it is being made out to be.

There's a lot of FUD being spread, no doubt. That doesn't make all of the criticisms invalid. Sony (and every other company that holds similar information) needs to look at this debacle and learn from it. They did a lot of things wrong. One of the primary ones is that their response put their corporate welfare above the welfare of their customers. In this area, that's unacceptable.
 
I would have been amazed if the CC data wasn't encrypted; absolutely flabbergasted.

I'm pretty certain that any companies that adhere to PCI DSS shouldn't be storing CVC information anyway. Whether Sony asked for it or not, they shouldn't be storing it anywhere on the system.

They likely only use CVC for validation of the credentials provided on first use, never storing it or requiring it again for further transactions.
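The card-on-file pattern described in the two posts above (CVC checked once at first use and never written down, later purchases with no CVC prompt, nothing stored that PCI DSS forbids) is shown below as an added example. It is not Sony's or any processor's code: the processor interface, the token format, the stored field names and the Luhn-valid test card number are all assumptions constructed for the example. The retention audit at the end is the check a reviewer would run over what actually gets persisted.

```python
"""Card-on-file handling: CVC used once, never persisted; later charges by token.
Added example; processor interface, token format and record layout are assumed."""
import hashlib
import json
from dataclasses import dataclass, asdict


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test, the usual sanity check on a typed card number."""
    digits = [int(d) for d in pan if d.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:           # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return len(digits) >= 12 and total % 10 == 0


@dataclass(frozen=True)
class CardOnFile:
    """The only card fields the merchant keeps after first use (assumed layout)."""
    token: str   # opaque reference issued by the processor
    last4: str
    expiry: str  # MM/YY


class FakeProcessor:
    """Stand-in for a payment processor, constructed for this example:
    verifies the CVC on first use, issues a token, charges by token later."""

    def __init__(self, issuer_records: dict):
        self._issuer = issuer_records   # constructed issuer-side data: PAN -> CVC
        self.charges = []

    def verify_and_tokenize(self, pan: str, expiry: str, cvc: str) -> str:
        if not luhn_valid(pan) or self._issuer.get(pan) != cvc:
            raise ValueError("card declined at first use")
        # Token bound to a processor-side secret; the merchant cannot recover the PAN from it.
        return "tok_" + hashlib.sha256(b"processor-secret:" + pan.encode()).hexdigest()[:24]

    def charge(self, token: str, amount_cents: int) -> bool:
        self.charges.append((token, amount_cents))
        return True


def first_use(pan: str, expiry: str, cvc: str, processor: FakeProcessor) -> CardOnFile:
    """The CVC is used exactly here and then dropped; only the token survives."""
    token = processor.verify_and_tokenize(pan, expiry, cvc)
    return CardOnFile(token=token, last4=pan[-4:], expiry=expiry)


def later_purchase(card: CardOnFile, amount_cents: int, processor: FakeProcessor) -> bool:
    """No CVC prompt on repeat purchases, matching what the thread describes."""
    return processor.charge(card.token, amount_cents)


ALLOWED_FIELDS = {"token", "last4", "expiry"}


def persisted_row(card: CardOnFile) -> str:
    """What actually reaches the database, as JSON."""
    return json.dumps(asdict(card))


def retention_audit(row: str, pan: str, cvc: str) -> bool:
    """True if the stored row has only the allowed fields and carries
    neither the full PAN nor the CVC as a value."""
    data = json.loads(row)
    if set(data) - ALLOWED_FIELDS:
        return False
    return all(v not in (pan, cvc) for v in data.values()) and len(data["last4"]) == 4


if __name__ == "__main__":
    # Constructed test card: a standard Luhn-valid test number with an invented CVC.
    processor = FakeProcessor({"4111111111111111": "123"})
    card = first_use("4111111111111111", "12/26", "123", processor)
    later_purchase(card, 499, processor)       # repeat purchase, no CVC asked for
    row = persisted_row(card)
    print("stored row:", row)
    print("retention audit passed:", retention_audit(row, "4111111111111111", "123"))
```

The audit is deliberately structural (allowed keys, no value equal to the PAN or CVC) rather than a regex over the serialized text, so it gives the same answer regardless of what the processor's token happens to look like.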
 