*ren* PSN Down, Customer Info Compromised

Sorry, didn't mean it to go OT but I was trying to make a comparison that may have been missed. You said it generated noise because of false positives. That's what I wanted to convey. Nothing was stolen, there was just suspicious activity so they locked the accounts and broadcast the message to everyone. Same as UAC's "false positives" as you say. No harm, it's just suspicious activity and you get a message. My comparison was that much the same as Vista cried wolf as it were all the time, the people became numb to this transparency and it defeated its purpose, the same could be said of what is happening now of Sony if they keep spamming us every time nothing really happens. Sure, some people like all the noise. I do not.
This wasn't a false positive though, but a very legitimate positive! ;) 90 thousand accounts were breached because people were using the same email and password they've used elsewhere and that info has been obtained. Enough stories like that and perhaps people won't use the same email and password for every website and service!
 
And that list, and others for that matter, is a good tool on .. XBOX live as well :)
 
Was it ever determined conclusively if the psn attack leaked credit card numbers? I keep reading conflicting answers on that, some say yes, some say no, etc...
 
Nope. Sony never did confirm any PSN credit card leak. They only mentioned that they didn't find any evidence (but just to be safe, here's what you need to do...). The CC field is also encrypted.

I think CC data may be leaked from other smaller Sony website incidents though. Not entirely sure about that myself.

EDIT:
There you go:

Sony Online Entertainment Hacked, 12,700 Credit Cards Stole
http://www.pcworld.com/article/2268...ainment_hacked_12700_credit_cards_stolen.html
 
Ok was curious because a few days ago people from around the world started using my credit card, was curious if it was linked to the psn issue or just typical credit card fraud. I do have my card info with Sony in other areas aside from psn since I use Sony Vegas Pro, etc, but I guess who knows how it was leaked.
 
Damn hackers need cash for Christmas and Thanksgiving too.

Perhaps they are just making their rounds using whatever they have gathered all these years. Offline, PSN, Amazon, XBL. It doesn't really matter to them.
 
The MO is they either brute force your password or use login credentials from somewhere else. Once they have access to your Live account they buy 6000 and then 4000 MS points using your attached credit card/paypal account. Then they spend all the points on XBLA games and DLC or transfer them to another tag, play some FIFA12, maybe they transfer your GamerTag to a new Windows Live account, maybe they transfer your tag to a new region (Russia or China). Basically they make themselves at home using your gamertag on their (presumably) modded 360 until you notice what's happening and notify MS support.

In my case there was no available balance on my card when they attempted to buy the points so the transactions were declined. I was also awake and at my computer right when it was happening and you get an email even for a failed purchase attempt so I immediately logged in at xbox.com and changed my password. But since they couldn't successfully buy any points it seems they just moved on.
Not quite accurate. Brute forcing a password on Live is not usually feasible. They lock your account after a number of invalid attempts. Mostly they "social" the password. If they can steal your email account using social hacking techniques, then they can use it to reset your live password, even if the two are different. We need a better way to protect online identities than an 8-12 letter password or relying on the user being able to access a specific email account.
 
Ok was curious because a few days ago people from around the world started using my credit card, was curious if it was linked to the psn issue or just typical credit card fraud. I do have my card info with Sony in other areas aside from psn since I use Sony Vegas Pro, etc, but I guess who knows how it was leaked.

Did you scan your PC for trojans, virus etc..?
 
Social engineering should be more labor intensive, and hence smaller scale than the bulk attempt noted by the Sony security chief in this episode.
 
I don't have the answer, so thankfully can't carry on this OT. Actually, basically, the answer is the same in every such situation - design things right in the first place! Because legacy systems cause way too many problems, and anything that goes public as an open system will take on a life of its own.

You are right, I never realized it was this easy. From now on when I do anything I shall do it right the first time!
 
Not quite accurate. Brute forcing a password on Live is not usually feasible. They lock your account after a number of invalid attempts. Mostly they "social" the password. If they can steal your email account using social hacking techniques, then they can use it to reset your live password, even if the two are different. We need a better way to protect online identities than an 8-12 letter password or relying on the user being able to access a specific email account.

But my email account was NOT compromised and my Live password was not reset by the hackers. This is not what is being reported by the many victims. It is not what is happening with the widespread Live attacks. The other options are a database from another hack, but my info wasn't with PSN or Gawker or any other well publicized break in, or a flaw in Microsoft's security apparatus that perhaps allows brute forcing to occur.
 
That security page is actually new. It basically showed up a couple months ago as this epidemic was picking up steam. And again MS is content to pretend there is nothing wrong and blame their users for the theft. Of course, if you get a CS rep to talk candidly they're apparently in a "crisis". And, if you'll remember, they were in full denial mode about RROD for a long time...
 
But my email account was NOT compromised and my Live password was not reset by the hackers. This is not what is being reported by the many victims. It is not what is happening with the widespread Live attacks. The other options are a database from another hack, but my info wasn't with PSN or Gawker or any other well publicized break in, or a flaw in Microsoft's security apparatus that perhaps allows brute forcing to occur.
Is your live password unique? Or do you use it with _any_ other service? If you do, there is a big underground that compiles lists of passwords and userids/emails that they've collected and sells them. It doesn't have to come from a major break-in.

I'd also question "widespread", it seems to indicate a larger percentage than what is most certainly the case.
 
Did you scan your PC for trojans, virus etc..?

Yeah I haven't had a virus in years. Basically I don't pirate software or go to torrent sites, hence viruses have never been an issue for me. Same with all the machines in our house, all clean for ages now.
 
The reason I asked is that I sometimes in my job come across "clean PCs" that turn out not to be clean at all.
You don't have to go to any torrent, porn or other useful stuff. It's often the popular sites that are targeted, for example game sites. mmo-champion has been the target a few times and plenty got their WoW accounts hacked because of that :)

I guess what I am saying is, I would give it a real good "search" just to be sure, since something/someone really got to you. And that really sux
 
Besides, antiviruses tend to be nearly useless anymore to prevent the malware from getting on your computer. It's all about the malware now. So many machines I've seen terribly infected and the antivirus just keeps going on about its business like nothing ever happened.
 