
Sony: 10 Million Credit Cards May Have Been Exposed

timothy posted more than 3 years ago | from the translucency-failure dept.

Crime 251

WrongSizeGlass writes "The LA Times is reporting that Sony has revealed that 10 million credit card accounts may have been exposed two weeks ago when a hacker broke into the company's computers in San Diego and stole data from 77 million PlayStation Network accounts. Sony said it will provide credit card protection services for the 10 million customers whose data were compromised. Sony last week said it had encrypted credit card data, but not other account information, including names, addresses, email addresses and birth dates."


Hey!! (0, Troll)

ae1294 (1547521) | more than 3 years ago | (#35993666)

When is the Playstation 4 coming out!! OMG I want one NOW!

Re:Hey!! (1)

Jeremiah Cornelius (137) | more than 3 years ago | (#35994080)

Who cares? I'm LOVING reading this story on RockMelt (TM)!

Fundamentally broken system (5, Insightful)

Anrego (830717) | more than 3 years ago | (#35993694)

I know this is beating a dead horse... but the core problem here isn't Sony's epic failure... it's that the credit system is so broken that this information that was stolen is enough to seriously fuck with someone's life.

I'm not trying to downplay Sony's screw up. I have a PSN account and as such am suitably nervous. This whole thing just reminds me of how messed up our system is.

Re:Fundamentally broken system (-1, Troll)

Hotweed Music (2017854) | more than 3 years ago | (#35993754)

Offer an alternative, or quit whining. It's a pretty good system, with faults of course.

Re:Fundamentally broken system (5, Interesting)

Stormy Dragon (800799) | more than 3 years ago | (#35993816)

Two big changes that would help:

1. Make companies legally liable for data losses that are worsened by the company's own negligence. In the Sony case, they've already admitted the breach occurred due to a known vulnerability that they failed to patch. There's also been some suggestion they were storing CVV2 numbers, which they're expressly told not to do by the credit card providers.

2. Make companies that process obviously fraudulent transactions liable for the losses instead of the card holder. E.g. if someone comes in and starts buying a ton of gift cards with an out of state credit card, and you don't do anything to verify their identity.

Re:Fundamentally broken system (2)

larry bagina (561269) | more than 3 years ago | (#35993898)

Merchants are liable for fraudulent or otherwise contested charges.

beating wrong horse (4, Insightful)

goombah99 (560566) | more than 3 years ago | (#35993956)

What would fix this is to have credit cards generate a contract, not tap an open vein. That is, the credit card is used to authorize a one-time transaction (after which the credit card number itself can be discarded for the transaction ID). For recurring charges the transaction authorized should only enable payments to Sony, for goods provided to a specific address or online account, and include a cap. That is, non-transferable transactions are the thing we should keep on record.

There needs to be a mechanism for generating these transaction IDs.

Re:beating wrong horse (2, Interesting)

Anonymous Coward | more than 3 years ago | (#35994018)

My credit card company (citicards) offers exactly that. They call it "virtual account numbers". There is a Flash applet (yeah, ick, I didn't say they had a nice website) where you can generate any number of extra credit card numbers. On use, they get linked to the merchant ID that first charged them. You can set expiration dates and amount limits for each one individually. It's not a perfect solution, but it's better and does not require a new system for the merchant so it can be implemented now.

Re:beating wrong horse (2)

errandum (2014454) | more than 3 years ago | (#35994130)

In Portugal we have a system that allows you to generate any number of credit cards with a defined spending limit and with 1 month expiration dates.

More than that, you don't even need to own a credit card, and pretty much every bank has access to it.

It doesn't get much better than this for web transactions.

Re:Fundamentally broken system (1)

milkmage (795746) | more than 3 years ago | (#35994058)

Um. Your bank is on the hook for any fraudulent charges; why the fuck do you think they work so hard to detect fraud? Banks don't care about customers. They do care very much about THEIR money. I normally spend less than $200 bucks per purchase on my credit card. One day, I bought a TV. There was a call from my bank on my answering machine BEFORE I GOT HOME. They had suspended my card until I could call to verify the charges. Same thing happened when I went on a shopping spree and ran up a half dozen charges in a couple hours. To their credit, they also notified me of charges I didn't make; all they did was send me a form that I had to sign saying I was telling the truth. The bogus charge never hit my balance.

How is the store supposed to know a card # is stolen? They call the bank, the bank says OK, the store says thank you, come again.

Here's the law which protects you.

http://www.federalreserve.gov/bankinforeg/regecg.htm [federalreserve.gov]

Regulation E provides a basic framework that establishes the rights, liabilities, and responsibilities of participants in electronic fund transfer systems such as automated teller machine transfers, telephone bill-payment services, point-of-sale (POS) terminal transfers in stores, and preauthorized transfers from or to a consumer's account (such as direct deposit and social security payments). The term "electronic fund transfer" (EFT) generally refers to a transaction initiated through an electronic terminal, telephone, computer, or magnetic tape that instructs a financial institution either to credit or to debit a consumer's asset account.

Banks are generally on your side when it comes to a credit card because they make a shit ton of money on the interest you pay. That said, don't use your ATM card to buy anything; the bank cares waaaay less about your money than theirs.

Re:Fundamentally broken system (1)

Anrego (830717) | more than 3 years ago | (#35993828)

More rigorous checks required for issuing credit and much tighter regulation over credit reporting?

I'm not downplaying capitalism or the economy or anything here... just the way the credit system works.

No it isn't.. (4, Interesting)

Junta (36770) | more than 3 years ago | (#35993854)

An alternative is easy in concept, but the status quo has the industry in a stranglehold. It's not like even a large consumer group acting together could *change* things from 'outside'.

We are talking about 16 'secret' numbers that allow whoever figures them out to charge however much they want against your account. Occasionally an additional few on the back are needed for some retailers, but at the end of the day to even buy $5 of something with your card you must trust the seller to not do bad things with your account *and* keep it safe from others. This might have been about the best you could do when the seller was doing a carbon copy and would phone in the slips at the end of the day, but now everyone *immediately* contacts a server for validation and nearly every person with a card also has a pocket sized computer device capable of independently talking to bank servers. It's completely reasonable to have point-of-sale equipment that pairs with a phone and have the phone connect directly to bank servers to *specifically* authorize a transaction amount and have the PoS verify that data as well without such a silly use of an account number and just exchanging public keys and per-transaction authorization data.

The common defense is "oh, well, most card companies don't hold the customer liable for everything", ignoring:
-Some companies will hold the cardholder liable for some of it
-Sometimes they may argue that the cardholder didn't act promptly or other circumstance
-Even when everything works as 'promised', there is a cost incurred *somewhere* and that impacts you, either in higher interest rates on credit, lower interest rates on checking, and/or merchant prices due to processing fees. I'm about convinced this last one is the biggest motivation not to change, they play funny games with margin and can blame identity theft.

Re:No it isn't.. (4, Insightful)

MoonBuggy (611105) | more than 3 years ago | (#35994192)

It's completely reasonable to have point-of-sale equipment that pairs with a phone and have the phone connect directly to bank servers to *specifically* authorize a transaction amount and have the PoS verify that data as well without such a silly use of an account number and just exchanging public keys and per-transaction authorization data.

How should one generate an authorisation, though? Requiring a PIN is a good start, but since it's been introduced in the UK the banks have been using it to blame any and all fraud on the customer, because "the terminals can't be hacked" (demonstrably untrue, as I'm sure you guessed). Perhaps more importantly, many things that can be implemented on the terminals (such as a PIN requirement) are inappropriate for online use, meaning that when someone gets hold of your wallet (or your data from Sony's servers) they just run it through an offshore online casino.

It's a genuinely difficult problem, largely because cards need to be fast to be usable. When I do direct bank-to-bank transfers, the bank provides a randomly generated numerical key on the screen, and an automated system calls my phone (within about a minute) and asks me to input the key before the transaction is authorised; it then auto-allows subsequent transfers to that account, but sends me a text message whenever they take place. It's a good system, but I certainly wouldn't like to be stuck in line with everyone going through that process to get their lunch. Maybe require a PIN for in-person transactions, and phone authorisation for online. I guess auto-allowing transactions only below a certain threshold could work, too, but then they already have systems to block 'suspicious' transactions... I don't know. Like I said, it's a tough one.
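The per-transaction authorisation Junta and MoonBuggy are sketching above, written out as an added example. This is not code from the thread, from Sony or from any bank. Junta talks about exchanging public keys; the Python standard library has no signature primitives, so a per-card secret shared between the cardholder's phone and the bank (HMAC-SHA256) stands in for the keypair here. The card id, merchant ids, amounts and field names are all made up. The point it demonstrates is the one both posters want: the thing the merchant holds is only good for one (merchant, amount, nonce) triple, so a leaked or replayed authorisation buys nothing, and the account number never has to leave the bank.

```python
import hashlib
import hmac
import secrets

# Added example: HMAC with a per-card shared key stands in for the phone/bank
# keypair the comment proposes. All identifiers and amounts are invented.


def _mac(key, card_id, merchant_id, amount_cents, nonce):
    # Explicit field separators so "ab"+"c" and "a"+"bc" cannot produce the same MAC input.
    msg = "|".join([card_id, merchant_id, str(amount_cents), nonce]).encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class Bank:
    """Issuer side: per-card keys plus the set of nonces already honoured."""

    def __init__(self):
        self._card_keys = {}       # card_id -> key shared with the phone at enrolment
        self._used_nonces = set()  # (card_id, nonce) pairs that have been settled

    def enrol(self, card_id):
        key = secrets.token_bytes(32)
        self._card_keys[card_id] = key
        return key

    def settle(self, card_id, merchant_id, amount_cents, nonce, auth):
        """Merchant presents what the phone produced. Returns (ok, reason)."""
        key = self._card_keys.get(card_id)
        if key is None:
            return False, "unknown card"
        if (card_id, nonce) in self._used_nonces:
            return False, "replay"
        expected = _mac(key, card_id, merchant_id, amount_cents, nonce)
        if not hmac.compare_digest(expected, auth):
            return False, "bad authorisation"
        self._used_nonces.add((card_id, nonce))
        return True, "ok"


class Phone:
    """Cardholder's device: shows merchant and amount, approves only that."""

    def __init__(self, card_id, key):
        self.card_id = card_id
        self._key = key

    def approve(self, request, max_cents):
        # The user reads merchant and amount on their own screen; anything above what
        # they agreed to is refused before any authorisation exists.
        if request["amount_cents"] > max_cents:
            return None
        return _mac(self._key, self.card_id, request["merchant_id"],
                    request["amount_cents"], request["nonce"])


def pos_request(merchant_id, amount_cents):
    """Point-of-sale side: the transaction the phone is asked to authorise."""
    return {"merchant_id": merchant_id, "amount_cents": amount_cents,
            "nonce": secrets.token_hex(16)}


def demo():
    bank = Bank()
    key = bank.enrol("card-0001")
    phone = Phone("card-0001", key)
    results = {}

    req = pos_request("sony-psn", 4999)
    auth = phone.approve(req, max_cents=4999)
    results["genuine"] = bank.settle("card-0001", "sony-psn", 4999, req["nonce"], auth)[1]
    # The same authorisation presented twice: the nonce is already spent.
    results["replay"] = bank.settle("card-0001", "sony-psn", 4999, req["nonce"], auth)[1]
    # A stolen authorisation is bound to its amount and merchant.
    req2 = pos_request("sony-psn", 500)
    auth2 = phone.approve(req2, max_cents=500)
    results["tampered_amount"] = bank.settle("card-0001", "sony-psn", 50000, req2["nonce"], auth2)[1]
    results["other_merchant"] = bank.settle("card-0001", "offshore-casino", 500, req2["nonce"], auth2)[1]
    # The phone refuses to authorise more than the user agreed to on screen.
    results["over_limit"] = phone.approve(pos_request("sony-psn", 99999), max_cents=5000)
    return results


if __name__ == "__main__":
    print(demo())
```

MoonBuggy's speed concern still stands: every purchase needs a round trip to the phone. What the model does not need is any long-lived secret at the merchant, which is what the PSN breach actually exposed.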

Re:Fundamentally broken system (1)

thopkins (70408) | more than 3 years ago | (#35993858)

All that would be needed is a system run by the credit bureaus that requires you to say "yes" to any credit/loan requests. Applying for a car loan? All you do is login and say yes. Someone tries to fraudulently do something using your identity? You deny it.

Re:Fundamentally broken system (1, Flamebait)

AK Marc (707885) | more than 3 years ago | (#35993864)

Alternative:

The systems used in almost every other country on the planet.

Why is it that Americans use ignorance as an argument? "I don't know any better, so therefore, there can't be anything better." When it's almost always "I don't know any better because I'm an idiot and, for some bizarre reason, quite proud of my ignorance such that I reveal it on public forums on a regular basis."

Re:Fundamentally broken system (1)

clang_jangle (975789) | more than 3 years ago | (#35994112)

Not knowing the particulars of how banking works overseas is "being an idiot"? Boy, the bar just goes lower and lower on slashdot nowadays. I was pretty smart when I first came here, now I've been downgraded to "idiot" twice in the past week.

Re:Fundamentally broken system (2)

grumbel (592662) | more than 3 years ago | (#35993874)

The simplest alternative would be single-use credit card numbers, and while some credit card companies offer those for single transactions, they don't offer them for recurring transactions, i.e. you want a number that only allows Sony to get your money, but not anybody else. Thus a stolen Sony-only number would be completely useless.

I mean seriously, we are living in an age of hi-tech and yet still let so much depend on a single number that you can't even keep secret, as you have to give it to anybody from whom you want to buy.

Re:Fundamentally broken system (1)

Anonymous Coward | more than 3 years ago | (#35993986)

It should be possible to purchase online with my PGP key paired with the vendor's public key. One could even generate a unique private key per vendor. Sony's private key gets stolen, it's invalidated with the CC company and the info the thief has is of no further use to make purchases. The customer's private key is still valid and she does not have to take any further action.

PGP has been around since what, 1991? Twenty years? Why aren't we using it for everything important? Why isn't ALL email PGP encrypted by default?

Re:Fundamentally broken system (1)

mlts (1038732) | more than 3 years ago | (#35994076)

That would be nice.

Perhaps it would be good to have a small device about the form factor of a credit card:

It would have a PINpad and a fingerprint scanner (the scanner is for the equivalent of a day-lock on a safe -- protection while the device is unlocked.)

Then, using NFC or even BT, a sales transaction would post a prompt on the card stating that this merchant, which had its name and key signed by this CA, wants to charge this card in the list $amount (or an amount in CDS, but translated to USD). If the user wants to affirm, they run their finger on the fingerprint scanner, or type in a PIN. To say no, click the "decline" button.

The vendor then is sent a PGP signed transaction, with the customer's key validated by the bank's CA.

There are obvious holes -- fingerprint scanners are not 100% accurate, PINs can be shoulder surfed, etc. However this raises the bar of consumer credit card fraud past just having possession of the CC information.

Re:Fundamentally broken system (2)

mlts (1038732) | more than 3 years ago | (#35994042)

I'd give an alternative... nonces. These are used as IDs which are mapped to a credit card processor for subscriptions that are easily cancellable by the user.

This way, the user sets up a subscription. They get passed to the clearinghouse to enter in info (perhaps authorizing with two factor authentication.) The place offering subscriptions gets an ID back that they can use for cancelling a subscription (if someone got banned), or refunding all/part of a sub.

Worst that can happen if the blackhats get the sub IDs? They would have to forge the subscription maker's access, and then they might be able to issue bogus refunds, or just cancel everyone's subscriptions en masse.

Paypal does a mechanism similar to this.

As an added bonus, the user can cancel their subscription at their will, without having to go through calling a number staffed from 11:00 am to 11:01 each day, or other shit like that that a lot of places have started doing. I know people who have gotten to the point where they just mark their credit cards as lost/stolen, let the chips fall where they may.

Re:Fundamentally broken system (0)

DogDude (805747) | more than 3 years ago | (#35993872)

How is getting a credit card "enough to seriously fuck with someones life"? You call the credit card company, tell them which charges are fraudulent, and get a new card. We have federal laws that protect credit card users. What's the big deal?

Re:Fundamentally broken system (1)

Anonymous Coward | more than 3 years ago | (#35994150)

How is getting a credit card "enough to seriously fuck with someones life"? You call the credit card company, tell them which charges are fraudulent, and get a new card. We have federal laws that protect credit card users. What's the big deal?

You obviously haven't been the victim of or know anyone who has been a victim of identity theft.

Re:Fundamentally broken system (1)

snowgirl (978879) | more than 3 years ago | (#35993880)

I know this is beating a dead horse... but the core problem here isn't Sony's epic failure... it's that the credit system is so broken that this information that was stolen is enough to seriously fuck with someone's life.

I'm not trying to downplay Sony's screw up. I have a PSN account and as such am suitably nervous. This whole thing just reminds me of how messed up our system is.

Speak for yourself... due to the economy, there is no way that someone could use my identity to fuck my life up worse than it already has been... speaking of which, if they had a credit card for me on file, the thing is most certainly invalid by now...

Re:Fundamentally broken system (1)

larry bagina (561269) | more than 3 years ago | (#35993910)

Knowing where you live and properly motivated, I think your life could get a little more fucked up.

Re:Fundamentally broken system (4, Interesting)

jamesh (87723) | more than 3 years ago | (#35994016)

The Credit Card system could be done a lot better. Sony shouldn't need your CC number, all they should need is a magic number that authorizes Sony to transfer funds from your account to theirs. I think that what should happen is something like this:

. I go to Sony's website and sign up for a PSN account
. Sony give me their billing number and ask for an authorization number
. I go to the bank, log in to my account, and request an authorization number against Sony's billing number, for a maximum amount (eg $50/month)
. I go back to Sony's web page and enter in the authorization number and maybe some other identifying details (eg my banks number)

Sony now has a number that is _only_ good for transferring funds from my account to theirs. If someone obtained that number then the worst they could do with it is transfer up to my limit of $50/month to Sony.

It's not bulletproof but at least Sony don't have my CC number to share with the rest of the world.
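The four-step scheme above, as an added example of what the bank side would have to keep. This is not code from the thread, from Sony or from any bank; it also covers what the Citicards "virtual account numbers" poster and grumbel describe, a number that only one merchant can use, with an amount limit and an expiry. The account id, the billing number "SONY-BILLING-001" and the dates are invented. The authorisation number is random rather than derived from the account, so nothing about the real card can be recovered from it. Spend is tracked per calendar month because jamesh's cap is "$50/month".

```python
import secrets
from dataclasses import dataclass, field
from datetime import date

# Added example: a bank-side ledger of merchant-bound, capped authorisation numbers.
# Account ids, billing numbers, amounts and dates are invented.


@dataclass
class Authorisation:
    account: str
    merchant_billing_no: str        # the only merchant this number pays
    cap_cents: int                  # maximum per calendar month
    expires: date
    spent: dict = field(default_factory=dict)   # (year, month) -> cents charged so far


class Bank:
    def __init__(self):
        self._auths = {}  # authorisation number -> Authorisation

    def issue(self, account, merchant_billing_no, cap_cents, expires):
        """Step 3 of the scheme: the logged-in customer asks for a number good only for
        this merchant's billing number, up to cap_cents per month, until expires."""
        number = secrets.token_hex(8)   # 16 hex digits, random, unrelated to the account
        self._auths[number] = Authorisation(account, merchant_billing_no, cap_cents, expires)
        return number

    def charge(self, number, merchant_billing_no, amount_cents, on):
        """A merchant presents the number. Returns (ok, reason)."""
        auth = self._auths.get(number)
        if auth is None:
            return False, "unknown authorisation"
        if merchant_billing_no != auth.merchant_billing_no:
            return False, "merchant mismatch"
        if on > auth.expires:
            return False, "expired"
        period = (on.year, on.month)
        already = auth.spent.get(period, 0)
        if already + amount_cents > auth.cap_cents:
            return False, "cap exceeded"
        auth.spent[period] = already + amount_cents
        return True, "ok"

    def revoke(self, number):
        """Cancelling is something the customer does at the bank, not at the merchant."""
        return self._auths.pop(number, None) is not None


def demo():
    bank = Bank()
    number = bank.issue("acct-42", "SONY-BILLING-001", 5000, date(2011, 12, 31))
    out = {}
    out["first_month"] = bank.charge(number, "SONY-BILLING-001", 4999, date(2011, 5, 1))[1]
    out["same_month_over_cap"] = bank.charge(number, "SONY-BILLING-001", 100, date(2011, 5, 20))[1]
    out["next_month"] = bank.charge(number, "SONY-BILLING-001", 4999, date(2011, 6, 1))[1]
    # The number leaks in a breach: it is worthless to any other merchant.
    out["stolen_elsewhere"] = bank.charge(number, "CASINO-777", 1, date(2011, 6, 2))[1]
    out["after_expiry"] = bank.charge(number, "SONY-BILLING-001", 1, date(2012, 1, 1))[1]
    bank.revoke(number)
    out["after_revoke"] = bank.charge(number, "SONY-BILLING-001", 1, date(2011, 7, 1))[1]
    return out


if __name__ == "__main__":
    print(demo())
```

This is also the answer to the "every user would have to re-enter their password every month" objection further down: the merchant keeps a standing authorisation, just not one that is transferable.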

Re:Fundamentally broken system (0)

PNutts (199112) | more than 3 years ago | (#35994162)

all they should need is a magic number that authorizes Sony to transfer funds from your account to theirs

We could call it a "Credit Card".

Re:Fundamentally broken system (1)

Sene (1794986) | more than 3 years ago | (#35994206)

Looking at how flawed the security was to begin with, I think anything reasonable, like what you mentioned, would be too much to ask from Sony. It doesn't seem that the whole PSN setup has been taken seriously in the first place, not counting taking money from subscribers/buyers, which Sony is extremely good at :)

Re:Fundamentally broken system (1)

Bizzeh (851225) | more than 3 years ago | (#35994032)

This is why people should be signed up to "Verified by Visa" or "Mastercard Secure", where even if you do have all the details of someone's debit or credit card, you still don't know their secure password that they are required to use to make an online purchase.

Re:Fundamentally broken system (1)

Anrego (830717) | more than 3 years ago | (#35994090)

they are required to use to make an online purchase

Unless they aren't.

Seriously.. when verified by visa came out I thought: awesome.. that makes sense.

Until I realized it was optional on the merchant side. It's to protect the merchant from accepting fraudulent claims, not the card holder. Someone with your card can just use it at places that don't require verified by visa.

I really wish you could opt-in to some kind of "only accept online payments if verified by visa in use" or something. Maybe you can with some? I've asked.. you can't with mine :S

Re:Fundamentally broken system (1)

John Bresnahan (638668) | more than 3 years ago | (#35994202)

I really wish you could opt-in to some kind of "only accept online payments if verified by visa in use" or something. Maybe you can with some? I've asked.. you can't with mine :S

Bank of America has a web applet that lets account holders create unique account numbers with user-specified credit limits and expiration dates for just this purpose.

Re:Fundamentally broken system (0)

Anonymous Coward | more than 3 years ago | (#35994154)

The companies which have my credit card haven't been affected. I suppose one could tack on a "yet", but the fact that they aren't crap-tossing, customer-raping targets probably helps. No, this is an example of how messed up SONY's system is. But they promise the new system will be incredibly more restrictive, controlled, and they will defend you against the thieves who would take away what is rightfully yours.

But the good news (1)

Anonymous Coward | more than 3 years ago | (#35993700)

"The odds are only 1 in 10,000,000 that someone will use your card."

Re:But the good news (0)

Anonymous Coward | more than 3 years ago | (#35993720)

That made my day!

Re:But the good news (1)

Stormy Dragon (800799) | more than 3 years ago | (#35994022)

No, it's 10 million out of 77 million PSN subscribers, so the chances are 1 in 7

Re:But the good news (1)

Nemyst (1383049) | more than 3 years ago | (#35994066)

77 million PSN subscribers, but not necessarily individual people. Chances are there are millions of duplicates or child accounts that share the same credit card number.

Re:But the good news (1)

dohzer (867770) | more than 3 years ago | (#35994094)

Actually, one in seven is the odds that they will have your card's information. The odds that they will actually use each of those numbers may be a lot lower.

Re:But the good news (1)

MoonBuggy (611105) | more than 3 years ago | (#35994214)

I think the joke was that they've leaked so many card numbers, the chances of someone attempting fraud on yours in particular is low.

But the big question is... (2)

DurendalMac (736637) | more than 3 years ago | (#35993702)

...Were account passwords encrypted or hashed?

Re:But the big question is... (1)

x1r8a3k (1170111) | more than 3 years ago | (#35993736)

At a press conference earlier today, they announced passwords were hashed.
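What "hashed" should mean in practice, as an added example that is not Sony's code and not from the thread. The iteration count, the record format and the sample passwords are assumptions. The two properties worth checking against any claim like the one above: each user gets a fresh random salt, so two people with the same password do not produce the same stored value (and a stolen table cannot be attacked with one precomputed list), and the function is deliberately slow, so guessing offline costs the attacker real time. Reversible encryption with the key reachable from the same compromised host gives neither property. None of this helps the poster further down who reused their PSN password on Gmail; once the hash is cracked, or the password was plaintext, the attacker simply tries it elsewhere.

```python
import base64
import hashlib
import hmac
import os

# Added example, not Sony's scheme. The iteration count is an assumption; tune it so
# one verification costs on the order of 100 ms on the hardware that will run it.
ITERATIONS = 200_000
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest, base64 fields.
    A fresh 16-byte salt per call makes equal passwords produce different records."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute with the record's own salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_b64, digest_b64 = record.split("$")
    except ValueError:
        return False
    if algo != ALGORITHM:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when a stored record is weaker than current policy (older algorithm or fewer
    iterations); call this after a successful login and re-store with hash_password."""
    parts = record.split("$")
    return len(parts) != 4 or parts[0] != ALGORITHM or int(parts[1]) < iterations


def same_password_different_records(password: str, iterations: int = ITERATIONS) -> bool:
    """Two users choosing the same password must not be linkable in a leaked table."""
    return hash_password(password, iterations) != hash_password(password, iterations)


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))   # True
    print(verify_password("Correct horse battery staple", rec))   # False
```

A stored value that is not of this shape, say a bare 32-hex-digit string with no salt field, is the thing to ask about when a company says its passwords were "hashed".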

Re:But the big question is... (4, Insightful)

Stormy Dragon (800799) | more than 3 years ago | (#35993752)

They previously announced that no credit card numbers were compromised. Can we get some outside verification on this because they obviously have no issue with lying to us.

Re:But the big question is... (1)

smash (1351) | more than 3 years ago | (#35993940)

Ahhh, but you fail at marketing speak 101. "No evidence to suggest there has been compromise of credit card information" is NOT "we have not lost any credit card info". A good hacker will not leave evidence of that, and from TFA they lacked intrusion detection and network monitoring software to detect it. So no evidence is no surprise. But they didn't lie, they were just very selective with the truth.

Re:But the big question is... (1)

rsmith-mac (639075) | more than 3 years ago | (#35993944)

They announced that they weren't sure if CC info was compromised, which they've only now confirmed (it's not as if the hackers left a polite note stating what they took). They're definitely guilty of handling this poorly, but at no point can I recall them lying, nor is there reason to doubt that the passwords were hashed.

Re:But the big question is... (1)

Rallion (711805) | more than 3 years ago | (#35993946)

If you actually look at what was ACTUALLY said:

There have been 10 million cards used on PSN. They've continued to claim that this information was not only encrypted, but stored separately from the information that was compromised. They do not believe that even the encrypted data was accessed, but if they are wrong they will cover any costs people incur in correcting the problem.

This is what they said here, not necessarily what is true. Still, it seems to me that this particular story is misrepresenting Sony's claims, at least.

Re:But the big question is... (0)

Anonymous Coward | more than 3 years ago | (#35994034)

Credit card numbers were DEFINITELY compromised, as they are sent in plaintext.
http://173.255.232.215/logs/efnet/ps3dev/2011-02-16#1141

Re:But the big question is... (1)

ToasterMonkey (467067) | more than 3 years ago | (#35994046)

They previously announced that no credit card numbers were compromised. Can we get some outside verification on this because they obviously have no issue with lying to us.

Where does this "news" say a credit card number was compromised? It's just a rehashing of what we already know with stupid wording.

Or maybe you can tell me what this "credit card protection service" is? There is no such thing. It's "credit protection", because of the names, addresses, birth dates, etc that are known to be compromised.

Moron.

they never said no CC#s were compromised (4, Informative)

YesIAmAScript (886271) | more than 3 years ago | (#35994050)

Sony never said no credit card numbers were compromised, they said that credit card numbers were in a separate encrypted database and probably were not accessed. But they can't be sure.

And they are saying the exact same thing now.

Re:But the big question is... (0)

Anonymous Coward | more than 3 years ago | (#35994178)

From what I've read on various topics (including /.) the passwords were stored in PLAINTEXT format.

Thanks Sony!

I'm sure it will all be okay. (3, Funny)

senorpoco (1396603) | more than 3 years ago | (#35993706)

Using the credit cards will install a DRM rootkit on their computers right?

Re:I'm sure it will all be okay. (1, Interesting)

Anonymous Coward | more than 3 years ago | (#35993832)

Yeah, as the last time this story came up - someone posted this champion comment:

"Did someone insert a Sony music CD into one of their computers?"

Couldn't happen to a nicer company quite frankly. I mean they have demonstrated total contempt for their paying customer by treating them like thieves - and now they hand over all of their information to actual thieves because they can't organise basic security.

Sony Corporation deserves to be eviscerated for their behaviour over the last 10 years... hopefully this will be the moment.

Re:I'm sure it will all be okay. (0)

Anonymous Coward | more than 3 years ago | (#35993926)

Fuck yeah they deserve it. Between the fucking rootkit fiasco and this fucking fiasco Sony deserves to have their corporate charter revoked immediately. As far as the sheep that purchased their shit they deserve to have lack of support from those dipshits. If you need support for your camera? Tough Shit, purchase a non-sony camera. If your Playstation 3 doesn't have multi-player over the intarwebs? Tough shit, get a fucking Wii. The same fucking logic applies to all Sony's shit purchased.

Say it aint so! (2, Insightful)

Culture20 (968837) | more than 3 years ago | (#35993710)

Sony, I thought you said no CC numbers were exposed! How will we ever trust you again when you lie like this? A month of PSN Plus you say?

Re:Say it aint so! (4, Insightful)

Anubis IV (1279820) | more than 3 years ago | (#35993866)

What I recall hearing them say was that they couldn't rule out the possibility that they had been exposed, but that they couldn't at that time confirm that it had happened either. I know we all like trolling Sony because they deserve it, but at least pick one of the many valid reasons for doing so, rather than making up one that doesn't exist.

Re:Say it aint so! (4, Interesting)

ect5150 (700619) | more than 3 years ago | (#35993882)

A month of PSN Plus? All they have to do is take the deals of the month away to make that deal worthless.

It's a good thing I already changed my credit card number and all of my passwords, just in case.

By the way, I just happened to use the same login and password on the PSN as I did for my GMail account. Gmail informed me the other day that someone had accessed the account from an IP in China. That's when I started changing EVERYTHING and started watching my accounts like a hawk.

Re:Say it aint so! (2)

smash (1351) | more than 3 years ago | (#35993950)

More to the point, 30 days of PlayStation Plus will give me approximately 10-40 minutes of value (I am busy, and use the PS3 mostly for media) for the multiple hours I had to spend dealing with people changing my CC details. Not good enough, Sony.

Re:Say it aint so! (0)

ToasterMonkey (467067) | more than 3 years ago | (#35994072)

By the way, I just happened to use the same login and password on the PSN as I did for my GMail account. Gmail informed me the other day that someone had accessed the account from an IP in China. That's when I started changing EVERYTHING and started watching my accounts like a hawk.

ZOMG, maybe you got it backwards and it was the Chinese who hacked into Google. Nah, that's impossible.

I'm not trying to connect these two unrelated things, but hey.. you are, so fuck it, right?

Re:Say it aint so! (0)

Anonymous Coward | more than 3 years ago | (#35993884)

Don't forget who brought us rootkits and what they told us then,
Sony execs lost face!!
Their top execs should all commit
Seppuku!!

Re:Say it aint so! (1)

Cl1mh4224rd (265427) | more than 3 years ago | (#35993952)

Sony, I thought you said no CC numbers were exposed!

Q&A #1 for PlayStation Network and Qriocity Services [playstation.com]

Q: Was my credit card data taken?
A: While all credit card information stored in our systems is encrypted and there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.

Re:Say it aint so! (1)

ToasterMonkey (467067) | more than 3 years ago | (#35994030)

Sony, I thought you said no CC numbers were exposed! How will we ever trust you again when you lie like this? A month of PSN Plus you say?

There is no news in the article, just a rehashing of what we've been already told, "out of an abundance of caution...", "... may have ...", etc.

There is no such thing as "credit card protection service", the dumb author meant "credit protection", which is offered due to the information we DO already know was compromised.

I'm not optimistic enough to not ask for new cards to be issued, that is the smart thing to do anyways.
But, there's no excuse for you running your mouth like a fucking retard.

Re:Say it aint so! (3, Interesting)

hedwards (940851) | more than 3 years ago | (#35994040)

Given the number of breaches in various companies that have led to information being compromised, I think the better question is why do we let them store more information than absolutely necessary? There's no legitimate reason for Sony to be storing that information for most users. One could make a case for those that pay for PSN Plus, but for people who only buy a game now and again, there's absolutely no reason for them to store it. It's not that hard for people to type it in again.

I mean for heaven's sake, if GOG [gog.com] doesn't need to store credit card information to stay in business, why does Sony?

Still won't stop people (5, Insightful)

skyphyr (1149207) | more than 3 years ago | (#35993712)

It took years after the rootkit fiasco before I decided to extend some trust to Sony and spend money on their products. Then came the removal of otheros, and I ceased spending any money with them. Then their bully tactics when the console got hacked, and I was glad I'd not spent any further money with them. Now, I find even after not doing any business with them for such a period I'm still not free of their incompetence and poor management. What will happen to Sony as a result of this? Nothing. All the muppets out there will continue to do business with this incompetent, morally bankrupt, behemoth. Will I be dumb enough to become one of those muppets again? I hope not.

Re:Still won't stop people (1)

discord5 (798235) | more than 3 years ago | (#35993822)

Will I be dumb enough to become one of those muppets again?

I don't know. How long do you remember stuff like this and when is the next Playstation coming out?

Re:Still won't stop people (1)

Doctor_Jest (688315) | more than 3 years ago | (#35994198)

I have a simple solution to "trusting those muppets"... Just use prepaid PSN cards. Available everywhere Sony crap is sold. Then you're only on the hook for crank calls should your data ever be compromised again. :)

Re:Still won't stop people (1)

Anonymous Coward | more than 3 years ago | (#35994160)

You may not be aware of this, but Sony has been on the brink of bankruptcy for at least 15 years.
In 2004, I was already told by Sony employees that they had been in that struggle for 10 years. Not much has changed since then.

It's really not a big kick that's needed to kill them.
This, for example, could already be it, if one other bad thing happens.
And I have no doubt that the bad work quality is a result of bad morale inside the company because of having to live with a very tight belt for so long.

Look at the bright side... (1)

Anonymous Coward | more than 3 years ago | (#35993726)

...fill in here...

Ok (4, Interesting)

drolli (522659) | more than 3 years ago | (#35993732)

Why does everybody collect and store all these data centrally?

Just store it locally, on the PlayStation, electronically signed and encrypted in a way that the customer has to enter a passphrase to decrypt it when it's really needed. Make the "it is needed" message also necessarily signed by an independent system with no other function. Let this system keep statistics. Trigger an alarm if the number of signatures per minute deviates significantly from the expected number.

Re:Ok (4, Insightful)

Jaime2 (824950) | more than 3 years ago | (#35993776)

Why does everybody collect and store all these data centrally?

For recurring payments. With your scheme, every user would have to enter their password every month. The biggest problem for Sony would be that everyone would be making the decision to continue paying for the service every single month. If the number is on file, then the customer has to go out of his way to cancel, but has to do nothing to stay a customer.

Re:Ok (1)

drolli (522659) | more than 3 years ago | (#35993886)

Well, to be honest, *I* would not mind entering a password once per month to legitimize payments if that keeps my data safe.

Re:Ok (4, Insightful)

Jaime2 (824950) | more than 3 years ago | (#35993942)

Of course you wouldn't. But the marketing department would never allow a system where you can passively unsubscribe.

Re:Ok (1)

PmanAce (1679902) | more than 3 years ago | (#35994020)

And when you forget to enter your password or go on vacation? Your account gets closed and you have to sign up again. Their billing cycle is on a certain day on purpose, it can't be done every single day for different users.

Re:Ok (0)

Anonymous Coward | more than 3 years ago | (#35993888)

Why does everybody collect and store all these data centrally?

For recurring payments. With your scheme, every user would have to enter their password every month. The biggest problem for Sony would be that everyone would be making the decision to continue paying for the service every single month. If the number is on file, then the customer has to go out of his way to cancel, but has to do nothing to stay a customer.

They didn't even have a subscription service until a few months ago. Clearly, that wasn't the deciding factor when they implemented everything in the beginning.

Re:Ok (1)

Goaway (82658) | more than 3 years ago | (#35993934)

Yes, nobody ever plans ahead.

Re:Ok (1)

larry bagina (561269) | more than 3 years ago | (#35993930)

Every credit card processor I've used allows you to set up recurring charges. They keep the cc info so you don't have to.

Re:Ok (1)

Jaime2 (824950) | more than 3 years ago | (#35993992)

There are limitations to those recurring charges. For example, Sony couldn't use the recurring charge for the monthly fee to submit a payment for a separate purchase. They need the card number for that. It's all about making it as easy as possible to spend your money, not security. The only reason vendors bother to encrypt data is because the payment card industry forces them to do so.

Making purchases simple creates so much revenue that it's worth almost any risk. Even if Sony had to pay every dime of every fraudulent charge that gets through, they would still come out ahead. Remember, they sell copies of bits, not widgets. Every add-on sale is pure profit.

Re:Ok (1)

_xeno_ (155264) | more than 3 years ago | (#35994010)

It wasn't for recurring payments, originally. Their original system used this crazy wallet thing where you'd have to load money onto your account, and then you could spend it.

They changed it so that you later just saved a credit card and could automatically load exactly the amount you needed onto your wallet without going through the whole "load wallet" step. (Which also meant that for the first time you didn't need to spend in $10 increments. Or was it $5? You get the point.)

To make things easier, they automatically - and, as I recall, with no option to opt out - saved your credit card when you used it on PSN.

I certainly don't remember telling Sony to save my credit card, but - well, they did anyway.

Re:Ok (4, Insightful)

notjustchalk (1743368) | more than 3 years ago | (#35993896)

Why does everybody collect and store all these data centrally?

Because "paying for stuff" isn't the only reason Sony collects your data. There's also advertising (especially targeted/predictive), data mining, data sharing (both internally and externally), tracking/trending, etc. I think that data is a lot more valuable sitting on their servers than it is hidden in your console - hence, whatever the cost, it will remain there. That really goes for any internet aware service, not just Sony/PSN.

Re:Ok (1)

Kenja (541830) | more than 3 years ago | (#35994228)

A better question is why is the database connected to the internet. There should be an abstraction layer fire-walled from the web servers. Web server can pass information to the DB server, but the DB server can only respond true/false.

not just theory (5, Interesting)

e3m4n (947977) | more than 3 years ago | (#35993740)

I just got up to speed on the whole PSN thing. I never once received an email from Sony explaining the problems, and I was too busy last week to spend an abundant amount of time on /. reading about the security breach. I just got a call today from fraud protection on my debit card tied to my main bank account. They got triggered to suspicious activity when multiple charges showed up in two different states at the same time. Someone had gone to 2 Home Depots in FL and ran $100 gift cards 6 times in 2 hrs today. This also happens to be the same card I had used to make a purchase from the PSN network a month ago for the DLC of Fallout: New Vegas. To me this seems a little too coincidental to be the victim of some completely different fraud in the middle of this big stink with the 77 million accounts compromised from the PSN.

Re:not just theory (2)

by (1706743) (1706744) | more than 3 years ago | (#35993834)

Have you tried contacting Sony to see if you are one of the lucky 10M with compromised CC info? Of course, not that I'd necessarily trust Sony after their lack of honesty and transparency throughout this fiasco ("oh just a PSN outage / actually some account info has been stolen / actually CC info has been compromised").

Another possibility could be that there are a lot of stolen CC numbers out there, but the thieves are biding their time so as not to draw unwanted attention. However, now that this PSN thing hit the fan, they figure they can get lost in the noise and have Sony blamed for their actions. A very shaky theory and I really doubt that's the case, but still.

Re:not just theory (1)

Verunks (1000826) | more than 3 years ago | (#35994138)

Of course, not that I'd necessarily trust Sony after their lack of honesty and transparency throughout this fiasco ("oh just a PSN outage / actually some account info has been stolen / actually CC info has been compromised").

I really don't see any lack of transparency. Nobody sane would disclose a security breach while they are still investigating it; even open source software doesn't do that. For example, in KDE, vulnerabilities are kept "secret" on the packagers' mailing list for some days so every distro has time to patch up, and then they are disclosed to the public.

Re:not just theory (0, Insightful)

Anonymous Coward | more than 3 years ago | (#35993968)

I just got a call today from fraud protection on my debit card tied to my main bank account. They got triggered to suspicious activity when multiple charges showed up in two different states at the same time. Someone had gone to 2 Home Depots in FL and ran $100 gift cards 6 times in 2 hrs today. This also happens to be the same card I had used to make a purchase from the PSN network a month ago for the DLC of Fallout: New Vegas.

Seriously? A debit card tied to your primary checking account used to pay for DLC?
Epic fail dude.

Not news (1)

Kohath (38547) | more than 3 years ago | (#35993758)

This is not news. It was already posted on Slashdot. The only new item is that only 10 million of the 77 million accounts had credit card information associated.

BTW: Sony has said there is no evidence the intruders got CC info, but they can't rule it out either.

Re:Not news (1)

PatrickThomson (712694) | more than 3 years ago | (#35993846)

The best thing that comes out of all these breaches is the consequences of assuming the worst: Gary McKinnon looks for UFOs and causes six-figure damages because any machine he was within 1000 miles of pinging got tossed into a shredder. Likewise, with this, you know there's some hacker out there who's all like "shit, I missed that database, I was only in there for info on the PS4".

Re:Not news (2)

hedwards (940851) | more than 3 years ago | (#35994056)

That's what I was wondering about. I don't think that I've paid for anything via PSN, if I buy a game, I do it as disc and so it's unlikely that Sony has any information beyond my contact information. And let's be honest about that, it's been lost to crackers at least 3 times at this point, and I think it's probably been a few more times than that.

Encryption fail (0)

Anonymous Coward | more than 3 years ago | (#35993766)

Sony last week said it had encrypted credit card data

That doesn't help if the attacker has a copy of their private key. Given the apparent scale of the intrusion, I wouldn't be willing to bet that they don't have it.

May have been? (1)

rsilvergun (571051) | more than 3 years ago | (#35993780)

Help me out here guys. Should it be trivial in a modern data center to tell if that much data has been accessed? Also, I know California has a data breach law requiring disclosure if you do business there, any Californians with some extra letters from Sony?

Finally, adequate response (1)

Posting=!Working (197779) | more than 3 years ago | (#35993786)

Woah, some executives bowed in apology? That makes everything better now! All is forgiven, and we* can get back with our lives now.

They were in the prison shower with Bubba standing behind them when this happened, right?

* - "We" refers to each individual PSN member and the guy who's running around with the PSN member's ID and credit card.

Would you rather (0)

Anonymous Coward | more than 3 years ago | (#35993800)

The executive pulled out his sword and fell on it?

Re:Would you rather (1)

Osgeld (1900440) | more than 3 years ago | (#35994136)

That would have been more entertaining, but equally as useless.

Encryption (1)

camcorder (759720) | more than 3 years ago | (#35993792)

What kind of encryption can completely satisfy the security of credit card data, whose target space is limited and whose patterns are well known? Anyone competent enough to hack into their system is most probably competent enough to do cryptanalysis and decipher the data in no time. As they couldn't secure their own network, I don't think they had used methods to scramble credit card data before encrypting it.

Re:Encryption (3, Informative)

Jaime2 (824950) | more than 3 years ago | (#35993928)

There's a bigger problem... If a system is sufficiently compromised, the attacker gets the encrypted card data, the encryption algorithm, and the keys (my favorite variation is where the database has a decryption stored procedure). We learned long ago to keep all encrypted card data in systems that have no user access and to only keep surrogate keys in transactional systems. For example, in our equivalent of the PlayStation Network, your credit card number would be stored as a meaningless number like "127". In order to process a transaction against the card, "127" and the transaction data are passed to the credit card system, where the credit card system looks up the real encrypted credit card number, decrypts it, and charges it. You could make the argument that we've simply moved the problem, but the credit card system is much easier to secure since no customer or even employee should ever be able to send a packet to it -- only a handful of controlled systems can. Sure, if the transactional system is compromised, the attacker can process cards with our system, but as soon as we kick them out, the card data is useless to them.

As for the cryptanalysis problem, simply use a salt the same size as the card number and XOR the card number with it. Presto, perfectly random-looking plain text with no (new) differential cryptanalysis vulnerabilities. You don't even need to do this if you use proper initialization vectors and a block cipher in CBC mode.
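The surrogate-key card system Jaime2 describes ("127" in the transactional database, the real number only in an isolated vault), together with the true/false-only backend Kenja suggests earlier in the thread, as an added Go example that is not part of this thread or of any real PSN design: the vault generates and keeps an AES-GCM key, the user-facing side stores only tokens and can request a charge but never read a card number. The type names, the Luhn check standing in for the acquirer, and the starting token value are all assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// CardVault is the isolated card system (constructed example): only it holds the key or sees a PAN.
type CardVault struct {
	aead   cipher.AEAD
	next   int
	stored map[string][]byte // token -> nonce || AES-GCM ciphertext
}

// NewCardVault generates the at-rest key inside the vault; nothing else ever receives it.
func NewCardVault() *CardVault {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err) // no entropy: refuse to start rather than run with a bad key
	}
	block, _ := aes.NewCipher(key)  // cannot fail for a 32-byte key
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return &CardVault{aead: aead, next: 127, stored: map[string][]byte{}}
}

// Tokenize encrypts the PAN and returns the opaque surrogate key ("127", "128", ...) that the transactional store keeps instead.
func (v *CardVault) Tokenize(pan string) (string, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	token := fmt.Sprintf("%d", v.next)
	v.next++
	v.stored[token] = v.aead.Seal(nonce, nonce, []byte(pan), []byte(token)) // token bound as AAD
	return token, nil
}

// Charge is the only call the transactional side may make: the PAN is decrypted here and only true/false leaves.
func (v *CardVault) Charge(token string, cents int) bool {
	blob, ok := v.stored[token]
	if !ok || cents <= 0 {
		return false
	}
	ns := v.aead.NonceSize()
	pan, err := v.aead.Open(nil, blob[:ns], blob[ns:], []byte(token))
	return err == nil && luhnValid(string(pan)) // Luhn stands in for the acquirer's authorisation
}

// luhnValid is the standard Luhn checksum over a digit string (assumed stand-in for a real authorisation).
func luhnValid(s string) bool {
	sum := 0
	for i := range s {
		d := int(s[len(s)-1-i]-'0') * (1 + i%2) // double every second digit from the right
		sum += d/10 + d%10                       // ...and add its digits
	}
	return len(s) >= 13 && sum%10 == 0
}
```

A dump of the transactional store yields only tokens, and a ciphertext copied under a different token fails to open because the token is authenticated as associated data.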

Re:Encryption (1)

ToasterMonkey (467067) | more than 3 years ago | (#35994218)

(my favorite variation is where the database has a decryption stored procedure)

So? What matters is how you protect the key. I don't think you really understand the reasoning behind doing that, which is protecting data at rest.

You're also just throwing random things out there without knowing what the PSN transaction processing backend really looks like. At this point, you do not know if any cardholder information was compromised outside of name & address. You don't even know if the address or name are from the PSN profile or the CC account. You don't know if they violated any PCI guidelines, which, BTW, require isolation of this data, but not in the crazy manner that you prescribe. I like rumors as much as the next person, but get real.

PCI Compliance required (2)

SOLIDTRUSTPAY (2097584) | more than 3 years ago | (#35993818)

All online companies that store credit card data are required to be PCI compliant, like the company I work for, http://solidtrustpay.com/ [solidtrustpay.com]. The only reason Sony would have been storing card info is to retain the ability to recharge cards monthly, etc. ALL data should be encrypted, not just card info; in particular, email addresses, to prevent phishing and spam attacks. Let's hope they learn and adjust their database systems quickly!

Re:PCI Compliance required (1)

Chuck Chunder (21021) | more than 3 years ago | (#35993958)

You can encrypt the data all you like, but that doesn't change the fact that the very same systems typically need to be able to decrypt the data in order to do their job (i.e. send emails or do CC transactions), so some part of the system at least has access to the encrypted data and the means to do decryption.

At best it typically means there is one additional server that needs to be compromised before the whole lot is exposed. Encryption is of course a useful tool but it is not a magic bullet.

Re:PCI Compliance required (0)

Anonymous Coward | more than 3 years ago | (#35994120)

Like someone said above: if the thieves are smart enough to lift the info, then they are probably smart enough to decrypt the data. No encryption scheme is unbreakable, considering there must be keys that automated processes use to run the recurring transactions.

New Information Revealed (5, Funny)

rudy_wayne (414635) | more than 3 years ago | (#35993912)

It has been revealed that the whole problem began when a PSN admin inserted a Sony music CD. The installed rootkit then allowed hackers to access the network.

so.. (1)

smash (1351) | more than 3 years ago | (#35993924)

Given that I have a life and the time I'd spend with the "free" offers of stuff over 30 days is likely to be approximately 45 minutes, what the fuck is Sony going to do to compensate me for the 4+ hours of wasted time that I had to spend changing credit card details everywhere because they were so un-forthcoming with the distribution of my personal details?

I probably missed it, but... encrypted with what? (1)

tchernobog (752560) | more than 3 years ago | (#35993982)

Sony last week said it had encrypted credit card data

...with rot13.

Deleted? (1)

Cinder6 (894572) | more than 3 years ago | (#35994006)

I'm curious if you're at risk if you deleted your credit card info recently. A few days before the attack, I logged in to PSN on a friend's PS3. I didn't remember which card I had tied to the service, so when it asked me to confirm, I went ahead and said "delete credit card info". So, I guess we'll find out if Sony actually physically removes the data...

Fuck you Sony (0)

Anonymous Coward | more than 3 years ago | (#35994176)

Sony. You were warned BY MANY HACKERS about the vulnerabilities in your system MONTHS ago, and you did not do a damn thing to fix it or even bother to look into it. You fail and I hope your company dies because of this and how you treat your customers. This is what corporate greed has gotten you.
