*ren* PSN Down, Customer Info Compromised

Was this discussed as well as considered:

http://www.gamespot.com/news/6310200.html

While I disagree with this report trying to defend Anonymous/hackers, it is still something that was caused by these guys, who will never admit it.

Also, I remember around 2008 or so someone attempted to sell a Sony PS3 development kit on eBay. I cannot provide links because the links that come up on Google are hacker fansites that mainly discussed pirating games.
 
How, exactly, does this help either protect the users data, or stop another attack in the future?

If a hacker steals the password database, they're still going to have the _current_ password, no matter if you changed it a week ago.

Fricking security theater...

IT security is funny this way... one would imagine that frequently changing everyone's passwords would result in better security, for the following reasons:

1) users are being reminded of sound security practices on a regular basis
2) if a single password or even the entire pw database is lost, then it's just a single time-range of accounts/passwords lost.

In practice:

1) Users who are forced to change their passwords regularly will simply write them down, or use a password series that is sequential: mypassword1, mypassword2, etc.
2) Frequent password changes make it hard to track / audit suspicious activity, and the act of changing passwords is itself a risk if the identity vetting/assurance process isn't very good.

I suspect if they implement this, it's because some "security consultant" or auditor is advising them to do this. Not a real IT security expert. There's a difference. Too many people associate physical security concepts with IT security. Frequently changing one's locks will be more secure, because you won't have multiple copies of the same key spread around to all your friends, neighbors, contractors, etc... not the same usage model with usernames/passwords.

At any rate, I think it would be a potential marketing plus for Sony to take advantage of the Sony eco-system and somehow implement Google's two-step authentication option for PSN. If you want a more secure authentication experience, couple your PSN account with the Google Authenticator app on your Android-powered Xperia phone...

Perhaps not practical, but Google implemented this because of the issues they had in the past. Again, even this solution isn't fool-proof, in my opinion, but it is a bit more secure.
 
You just proved my point with WoW. WoW continues to be hacked, but record numbers of users continue to pay monthly, so Blizzard has no reason to fix the problems.

Mandatory authenticators would fix 99% of the hacking problems, but Blizzard won't want to pay the cost of it. So we get shoddy security.

The security you get on WoW is whatever security you have on your PC. All the "hacks" are just keyloggers from malicious websites or infected ads. As it is, authenticators are free for Android, iOS and a few other phones, or pay $6 to get a physical one.

As for the hacked authenticated accounts, that was a very narrowly distributed hack that cloned the WoW login screen, and sent your authentication code/login details to a machine waiting to login using that info.

In other words, WoW "hacks" have absolutely nothing in common with Sony's problems.
 
For one, they're not hacked. I've yet to see a report of anyone's account actually being "hacked" in the true sense of the word. Stolen login info, yes... happens all the time. That's because people are stupid, and fall for scam emails or websites that install keyloggers. That's the user's fault, plain and simple, and I have zero sympathy for anyone who gets their account stolen.

Second, the reasoning behind stealing WoW accounts is completely different. These aren't black market criminals trying to sell your information.. these are gold farmers who will strip your in-game items to sell to other users for real-world cash.

I'm fairly certain that Blizzard's servers have never been hacked. That would be just as bad as PSN, really, since Blizzard collects the same type of information.
 
Be *very* careful with things like this. It may be that this is a legitimate fraud detection playing out for you, but every single time I have received an email such as this - and it has been many many times - the email itself is the scam/fraud. On email/return links, mouse over to see where the destination URL is; almost always it will be a fraudulent source masquerading as the vendor in question. Think about what email addresses the vendor has on file, how they normally structure their communications with you, whether what you're reading seems legitimate.

Emails specifically like the one you describe, I should note. If they ask for login/password or to follow a link from the email, do not do it. Go to the site directly via a different browser/window and check it out like that if you feel so inclined. Else you may find the fraud alert becomes self-fulfilling.

I would expect fake PSN related emails to begin propagating before too long; proceed very cautiously, and again, don't click any links.

Just as an example, I got some fake Netflix email on Friday saying my account had been suspended. Well, first of all, Netflix doesn't have the email address this email went to. The rest becomes pretty obvious, and as is typical, the link URL was to something other than the actual vendor domain, in this case netflix-check.co.cc (I wouldn't advise anyone visit that, whatever it is).

The above was one of the least sophisticated of the scam emails I regularly receive to my work email address, and believe me, I worry about how others might pursue action in similar circumstances every time I get one myself. And reading what your own email supposedly said, I have to tell you that it reeks of an Amazon pretender. Going to Amazon directly outside of that email and seeing if the account has indeed been shut down is the way to establish the veracity; following a link and entering username/password is just a way to directly validate ID and enable an actual thief.
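The "mouse over the link and compare the destination host with the vendor's domain" check above can be automated for a mail gateway or a personal filter. This is an added example, not something posted in the thread; the vendor allow-list and the sample email body are constructed, and the lookalike host netflix-check.co.cc is the one quoted in the post above:

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_belongs_to(host: str, domain: str) -> bool:
    """True only if host is the vendor domain or a real subdomain of it.
    'www.netflix.com.example.test' ends with 'example.test', not 'netflix.com', so it fails."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def suspicious_links(html_body: str, vendor_domain: str) -> list:
    """Return (href, reason) for each clickable link that does not lead to the vendor."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        parts = urlsplit(href)
        if parts.scheme not in ("http", "https"):
            continue  # mailto:, tel: etc. are not web destinations
        host = parts.hostname or ""
        if not host_belongs_to(host, vendor_domain):
            claim = " (link text claims the vendor)" if vendor_domain in text.lower() else ""
            findings.append((href, f"destination host is {host!r}, not {vendor_domain}{claim}"))
        elif parts.scheme != "https":
            findings.append((href, "vendor host but plain http"))
    return findings


# Constructed sample, modelled on the Netflix scam described above.
SAMPLE_EMAIL = """<p>Your account has been suspended.</p>
<a href="http://netflix-check.co.cc/login">Verify your account</a>
<a href="http://www.netflix.com.signin-example.test/">www.netflix.com</a>
<a href="https://www.netflix.com/YourAccount">Visit Netflix</a>
<a href="mailto:help@example.invalid">help@example.invalid</a>"""

if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_EMAIL, "netflix.com"):
        print(href, "->", reason)
```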

I'm quite familiar with those kinds of phishing emails; this seemed genuine, with no links or requests for account info. The email was from "account-alert@amazon.com". See here:

Greetings from Amazon.com.

Please take the time to read this message - it contains important
information about your Amazon.com account.

At Amazon.com, we routinely perform reviews of orders and customer
accounts to protect our customers. After careful review of your
account, we believe it may have been accessed and used by a
third-party to make purchases without your permission, but it appears
they did not use your credit card to make these purchases. It seems
that someone obtained your personal account and/or financial
information elsewhere, and used it on Amazon.com to access your
account.

We have closed your account effective immediately because of this
possible unauthorized account activity. If this recent account
activity (unusual sign-in activity) was authorized by you, please reply to
this message as soon as possible and we will reactivate your account.

Otherwise, you will need to open a new account when you place future
orders with us.

It is important to know that Amazon.com accounts can only be accessed
by those who know personal, specific information about you and your
account -- such as your email address, Amazon.com password, physical
address, credit card information, and other details. As mentioned
above, it appears someone obtained some of your personal account
and/or financial information elsewhere and used it on Amazon.com to
access your account.

While it is not clear how this happened in your case, we do know that
personal account and financial information are often obtained by scam
artists who send unsolicited email to unsuspecting users asking them
to "update" their account information. The email usually contains a
link to a website that is controlled by the thief asking the user to
submit personal information including email address, password, credit
card number, and other relevant information. Once the information is
obtained, the scam artist can then gain access to numerous online
accounts since many internet users frequently use the same user name,
email address, password, and financial information at multiple web
sites.

Please know that Amazon.com employees will *never* ask for your
password, nor will we ever send an email asking you to verify personal
information.

Although it appears someone did access your Amazon.com account, they
would not have been able to view your full credit card numbers as they
are never displayed on our site. However, it is possible your credit
card numbers may have been compromised at the time your other personal
information was obtained. Therefore, we suggest you carefully review
recent credit card statements to check for any unusual activity or
unauthorized charges.

In the future, you can protect your Amazon.com password and account by
following some of these safety tips:

-----------------------------------------------------------------------

1. Choose a good password: Use at least 8 characters and a combination
of letters and numbers. Do not use single dictionary words, your name
or other personal info that can be easily obtained, or a password that
contains part of your email address.

2. Password protection: Avoid using the same password at multiple
sites or for your email account. Do not share your password with
others.

3. Account protection: Be cautious of unsolicited emails that appear
to come from reputable online shops or services that ask you to submit
personal information such as your credit card number, email address,
and password. Often these emails will look as though they come from
the company you're familiar with, and the email will ask you to click
on a link and "sign in". You should never provide this kind of
personal information in an unsolicited email.

-----------------------------------------------------------------------

Please accept our most sincere apologies for any resulting
inconveniences, and feel free to contact us if you have any further
questions or concerns by writing to account-alert@amazon.com.

Sincerely,

Justin M
Account Specialist
Amazon.com
http://www.amazon.com
=========================

And at the same time I got this email from Amazon Payments:
Greetings from Amazon Payments,

We're sorry, but your Apr 30, 2011 payment to Offerpal Media of $9.99 has failed. Details of this transaction are below:

Payment details:
---------------
Transaction ID: 15UJGJV7Z155MR8BJ1K2KCLIC58HN9EFMUD
Recipient: Offerpal Media
For: 49 YoCash (85MSPRD_357819719)
Amount: $9.99
Date: May 1, 2011
Payment method: Mastercard XXXX-XXXX-XXXX-9076
Reference: 49 YoCash (85MSPRD_357819719)

Thank you for using Amazon Payments.

Transaction details and your account history are also available online at https://payments.amazon.com/. Please refer to https://resolutioncenter.payments.amazon.com/cobranded-ui/actions/DisputeInitialisationAction.do? for inquiries about any errors.

And the exact same transaction showed up on my credit card pending transaction list (I have notified my bank).

I replied to that first email and told Amazon that it probably has something to do with the PSN thing and they came back with this:
Greetings from Amazon.com.

Thank you for keeping in touch with us regarding this matter.

Although we are not permitted to provide you with any additional
details regarding this unauthorized activity, we will provide this
information to any law enforcement agency investigating the matter, as
well as to any applicable financial institution.

Please remember, as mentioned in our previous message, you will need
to open a new Amazon.com account should you decide to place future
orders with us.

For increased password and account protection, we
strongly encourage you to adhere to the safety tips provided in our
prior correspondence.

Feel free to contact us with any additional questions or concerns,
and thank you for shopping at Amazon.com.


Sincerely,

Ervin V.
Account Specialist
Amazon.com
http://www.amazon.com
=========================

I'm pretty sure it has something to do with PSN, as I normally use another email address for signing up to any other subscriber sites on the net (like forums); even my XBL account is tied to that address. With my PSN I made the mistake of tying it to my proper email address (which itself is only tied to things like Amazon, eBay, PayPal, banking, tax), and while I have different passwords for the email account and PayPal, eBay etc., the Amazon & PSN accounts share passwords.

Furthermore, this is the first time that any account tied to my proper email address has been compromised.
 
Yay for me. :D I have no credit card information on their server and my e-mail accounts and passwords are pretty well sectioned for different uses. The only loss for me is a week or two of online Killzone 3, but that's fine since I took the time to read certain things I like.

Basically, I'm getting extra free stuff with no loss. I'll need to find out what I can keep after the PSN+ expires and I have an account in four regions as well. I'm almost tempted to wish they get hacked again so I get more freebies. :LOL:
 

Yeah it certainly looks more legit than the majority of stuff floating around. Did you try logging into your Amazon account just to check if it was indeed locked? But I'm with you as far as the conclusions go.

By the way - that sucks! I had an ATM card cloned two years ago and was *thankfully* checking my bank account right around the same time the thief was active (I am not checking my accounts daily, that's for sure), so I was able to stop all activity after *only* $2000 had been stolen. Luckily, the bank worked very quickly to restore the funds - I thought for sure I'd be in the midst of a months long paperwork drama.
 
The only loss for me is a week or two of online Killzone 3...

I had just purchased a voucher from someone that didn't want it (extra maps, double point for faster rank ups etc) and I just sat down to redeem my voucher and PSN wouldn't log me in. This was lucky because certain benefits were only for the first 24hrs of redeeming the voucher, so imagine me playing 10mins then offline for 2 weeks!!!

Anyways, this has actually allowed me to go back and finish off KZ3 campaign, and also complete Uncharted 2. Now I've got my sights set on Socom 4.

Any mention on that PC about a possible end to this shutout?
 
Yeah, I'm not sure; I couldn't log in yesterday, but I was trying again now and can log in, although I think I've created a new account with the same email address (due to how Amazon's login system is set up), as stuff like my past order history, addresses, credit card info etc. aren't there. So it seems to be a new account, unless Amazon have stripped my account of all the personal information.

I guess I'll be able to tell if it lets me successfully purchase anything or not.

My bank emailed me back saying

First of all I would like to sincerely apologise for the delay in my response as our team are currently receiving a high number of online enquiries.

Thank you for your recent email in regards to your credit card.

I have investigated transactions on your credit card and our records indicate there is no recent attempt to debit your credit card for $10 by a merchant called Offerpal Media.

In relation to the Playstation data breach, we are currently confirming if card numbers and expiry dates have been obtained as a result of this serious breach.

At this stage, there is no evidence to suggest that card details have been compromised. Please be aware that security of your accounts is important at all times, and if there is a need to replace your credit card we will be in contact with you.

But I think they're confused as I can still see the following on my 'pending transactions' section of my online CC statement:
01/05/2011 PENDING - ASI*OFFERPAL MEDIA 510-403-7300 WA $9.18
01/05/2011 PENDING - Amazon.com AMZN.COM/BILL WA $0.92
So the payment might have failed to go through (as Amazon indicated earlier), but someone was definitely trying to use my card to pay for something. Would the pending payment appear on my CC statement if they just had my CC number and did not have my correct CVC/CSC, or expiry date?

Or would they have had all my security info and the only reason the payment failed was due to Amazon or the bank spotting unauthorised activity (due to IP address monitoring etc.)?

And I read somewhere that you can send an email to a Sony address to get info on the credit card they have on file?
 
I'd be very surprised if you could get your credit card info simply by asking them over email.

What you can do, however, is check your email and search for messages from DoNotReply@ac.playstation.net. Those are the ones that send out receipts from PSN; they include the country code of your Visa (first 4 numbers) and the last 4 numbers of the card used for the transaction, while the 8 middle numbers are censored, so you'll figure out what card you used. :)
It will also show the same way when you go to change or remove your card from PSN. :)
 
I watched the whole thing now. I'm pretty happy with everything that was said. I'm glad to see Sony is finally doing the right thing.

Has this been reported yet?

* At the 46:00 mark of the Q&A session, Hirai was asked if passwords were encrypted to which he replied that
"passwords were not encrypted." However, at the 61:10 mark, Hasejima corrected Hirai's answer and said that
"passwords were not encrypted, but were hashed."

http://www.irwebcasting.com/110501/02/3a33cc2c90/index.html
 
I don't think anyone has posted this yet:

http://maintenance.station.sony.com/

Dear valued SOE Customers,

We have had to take the SOE service down temporarily. In the course of our investigation into the intrusion into our systems we have discovered an issue that warrants enough concern for us to take the service down effective immediately. We will provide an update later today (Monday).

As an aside, someone needs to tell Sony's web staff to disable default indexes in Apache.

http://maintenance.station.sony.com/images/

Cheers
 
That is an extremely important communication error that made Sony look more incompetent than they were. Hackers could still pass on the hash instead of the password, but they don't have straightforward access or use of the password, and Sony have not used any system less secure than any other system out there. It would appear that Sony weren't particularly insecure, or arrogant as some would like to suggest, but just got hacked by a new attack vector as can happen with any system - there is no perfect security (other than not being online!).
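The "hashed, not encrypted" distinction drawn above, and the point that a stolen hash is not the same as a stolen password, can be shown in a few lines. This is an added example, not Sony's or the thread's code, and it assumes a server that salts and stretches each password with PBKDF2 (a hypothetical storage format and iteration count) and hashes whatever the client submits before comparing:

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # hypothetical cost parameter; tune to your hardware


def hash_password(password: str, salt: bytes = b"") -> str:
    """Store a per-user random salt plus a PBKDF2-HMAC-SHA256 digest, never the password.
    Hashing is one-way: unlike encryption, there is no key that turns the digest back."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Re-derive the digest from what the client sent and compare in constant time.
    Because the derivation happens here, submitting the stored digest as the
    'password' just hashes that string again and fails: the hash is not a credential."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def leaked_hash_is_usable(stored: str) -> bool:
    """What an attacker holding the stolen database could do directly: send the
    stored digest as the password. Returns True only if that would log them in."""
    return verify_password(stored, stored.split("$")[-1])


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")  # constructed sample password
    print(record)
    print(verify_password(record, "correct horse battery staple"))  # True
    print(leaked_hash_is_usable(record))  # False
```

A leaked hash still lets an attacker guess offline, which is why the salt and the iteration count matter; plaintext storage would have skipped even that step.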
 
Well and there it is - no surprise at all, and reinforces my own feelings that the Sony execs and PR folks in charge of these PR releases and such *really* need to sit down with the technical folks. That even after this debacle had reached the post-FAQ "plain text" outcry level, Hirai himself still didn't seem to have a grasp of what needed to be said and himself needed correcting... ugh.
 