Squid Division

Sony Shitshow


Just read on a Norwegian news site about a guy who had eleven mysterious withdrawals from PSN, with five more queued:

[image removed]

Not good. I'm glad I didn't get a chance to buy anything with my PS3 yet.

Even if that is true, which I doubt, that doesn't mean that the hackers have his credit card details. It would just mean that they have access to his PSN account and have bought items on his behalf from Sony. They wouldn't need his credit card for that.


So Sony's PR finally made an update on the situation.

They've gone from saying there was "a possibility that your info was taken" to:

Q: Was my credit card data taken?

A: While all credit card information stored in our systems is encrypted and there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained. Keep in mind, however that your credit card security code (sometimes called a CVC or CSC number) has not been obtained because we never requested it from anyone who has joined the PlayStation Network or Qriocity, and is therefore not stored anywhere in our system.

NO EVIDENCE! See! I told you they just said the previous stuff to cover their asses, I hope all you paranoid people had fun replacing your credit cards for nothing!

Patience=1

Paranoia=0

:mock:

While I'm still angry as hell with them for taking this long, I'm happy that they finally gave an update and confirmed how unlikely it is that my debit card info was really stolen.

I love how I'm the melodrama queen for telling you guys to calm down and not be paranoid, oh you anon taggers are so hilarious! :tup:

So Sony's PR finally made an update on the situation.

They've gone from saying there was "a possibility that your info was taken" to:

NO EVIDENCE! See! I told you they just said the previous stuff to cover their asses, I hope all you paranoid people had fun replacing your credit cards for nothing!

You do realise that that's exactly what they said in their first announcement about the issue? Word for word, in fact. The only difference is that now they're emphasising it in its own FAQ, rather than in the middle of a paragraph that everyone just skims over because they're too angry to actually bother to understand anything.

You do realise that that's exactly what they said in their first announcement about the issue? Word for word, in fact. The only difference is that now they're emphasising it in its own FAQ, rather than in the middle of a paragraph that everyone just skims over because they're too angry to actually bother to understand anything.

It is? So they said they had no evidence of credit card info theft in the first press release and people STILL panicked and got their cards replaced? :eek:

While I'm angry at them for just repeating themselves in this "new" post, I'm mystified by the mass panic. Since when does "no evidence" read as "the hacker has your credit card, cancel it now!"?

Then again, my "please remain calm" reads as "I'm defending Sony" for some reason... :shifty:


Here's how the ABC (Australian Broadcasting Corporation) reported on it yesterday:

[embedded video removed]

My opinion:

Companies tend not to report the full scale of cyber attacks, there may be no evidence that the credit card details were stolen, but that doesn't mean they weren't. Besides, credit card fraud is probably preferable to identity theft; you can cancel a credit card and the bank will (at least in Australia) soak up the cost of the fraudulent purchases, you can't cancel your identity.

Edited by Thompson

Companies tend not to report the full scale of cyber attacks

As they pointed out on the new Tested podcast, Japanese companies especially do this.

It is? So they said they had no evidence of credit card info theft in the first press release and people STILL panicked and got their cards replaced? :eek:

Just to be on the safe side, I guess. It can't really hurt can it?

Q: Was my credit card data taken?

A: While all credit card information stored in our systems is encrypted and there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained. Keep in mind, however that your credit card security code (sometimes called a CVC or CSC number) has not been obtained because we never requested it from anyone who has joined the PlayStation Network or Qriocity, and is therefore not stored anywhere in our system.

Just to be on the safe side, I guess. It can't really hurt can it?

Well, considering I have a debit card and not a credit card and it's attached to a "spendings account" and not my savings account, I might be one of the few who can afford the risk. That account practically exists only so I can buy things online and rarely has more than what I intend to spend online that week.

There is still identity theft though.

But how does identity theft work anyway? They can use your data to get a credit card for themselves? That doesn't sound like it would work in my country, they have to contact you by phone to activate the card and they actually try to make sure it's really you who is getting the card.

Is it easier to get a credit card in America? :erm:

Well, considering I have a debit card and not a credit card and it's attached to a "spendings account" and not my savings account, I might be one of the few who can afford the risk. That account practically exists only so I can buy things online and rarely has more than what I intend to spend online that week.

There is still identity theft though.

But how does identity theft work anyway? They can use your data to get a credit card for themselves? That doesn't sound like it would work in my country, they have to contact you by phone to activate the card and they actually try to make sure it's really you who is getting the card.

Is it easier to get a credit card in America? :erm:

Identity theft isn't just about credit cards, it's about anything and everything you use your identity for.

Q: Was my credit card data taken?

A: While all credit card information stored in our systems is encrypted and there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained. Keep in mind, however that your credit card security code (sometimes called a CVC or CSC number) has not been obtained because we never requested it from anyone who has joined the PlayStation Network or Qriocity, and is therefore not stored anywhere in our system.

(color mine)

That's a straight-out lie, they request the CVC code when you make a purchase.

OK, for joining PSN they don't request it, but they don't request a credit card number either.


Suddenly I'm glad that I had to use fake info because PSN is not officially supported in my country. I may have used a password there that I use elsewhere though.

(color mine)

That's a straight-out lie, they request the CVC code when you make a purchase.

OK, for joining PSN they don't request it, but they don't request a credit card number either.

A bit unfair, that. Of course they have to request a code to make a purchase - otherwise it won't work - and they've made it clear it isn't stored. OK, so the statement is incorrect, but to say that they're lying is stretching it to fit your view of them.


To me, the password thing is the most critical, since I've not been great at using different passwords everywhere. So, because of this, I've started generating unique passwords for each account I have and storing them in 1Password, which I have set up on my computers and phone, synced over Dropbox. It's easy to set up, and, though there will now only be one password for everything, it'll be much more secure since I'll never have to submit it to anyone on the internet.

I'm only doing this for stuff related to me personally or my money. For everything else I'll keep using my easy to remember (and guess) passwords. If someone else guesses it, they're welcome to my forum accounts.


You do right. I've used KeePass for years, but just switched over to 1Password/Dropbox for convenience, as keeping the KeePass file synced across platforms was a pain.

Anyway - you should be aware of a recent Dropbox vulnerability, whereby a potential attacker can join his machine to your shared folder and view these files - while not trivial, it is certainly not impossible (however there is still some debate as to whether it poses a meaningful threat). Although the attacker might then be able to get your 1Password db, make sure your 1Password db is secured with a 30-odd character password that's not in a dictionary. I'm pretty sure there are currently no attacks against 1Password's encryption algorithm at the moment.

As always, being secure is a trade-off between absolute security and ease of use (easier to imagine it as a simple sliding scale) and how much risk you are prepared to accept. I'm prepared to accept the risk of keeping my 1Password in Dropbox because of its convenience, and in real terms it is a pretty small attack surface.

Link to vuln. description for ya, if interested:

http://dereknewton.com/category/application-security/

Apologies for geeking out on y'all.

Edited by Scrobbs


Why don't you guys simply write them down in a notebook? You can hide it a little too, but I'm hoping you can trust the people you live with to not break into your room and if they do, I doubt they come after a notebook for passwords.

While it may be true that no site is truly safe from hackers, if your own home isn't safe, you have bigger troubles than identity theft.


Because you'd have to carry the notebook with you if you ever used the Internet anywhere else.


Plus it would get tiresome typing in 25-30 char passwords all the time. 1Password, once unlocked, integrates with your browser. Give it the https URL (if avail) of the website you want to sign in to, and it goes off, fills the details in and logs you in. :tup:

Why don't you guys simply write them down in a notebook? You can hide it a little too, but I'm hoping you can trust the people you live with to not break into your room and if they do, I doubt they come after a notebook for passwords.

While it may be true that no site is truly safe from hackers, if your own home isn't safe, you have bigger troubles than identity theft.

I heard this post in Alan Cumming's voice in Reefer Madness.

[embedded video removed]


So you can vouch for 1Password's safety? Having something external deal with my passwords sounds kinda terrifying, then again, I'm probably sounding as paranoid as the people who are cancelling their credit cards by saying that.

PS: That clip is made of awesome, I almost didn't click on it because I thought it was of another movie with nearly the same name, I guess this is a play on that movie's name?


Well, they use 128-bit AES and open source algorithms, so weaknesses in that are found quickly because of the huge number of users, plus it is used in many different applications. Should a weakness be discovered, it would be big news. So in answer to your question, yes, I am comfortable with the security trade-off of having long and difficult passwords stored in an encrypted file, as the benefit (much more secure day-to-day tasks) outweighs a much less likely attack against a well known and popular open source encryption standard. A measured risk. It's up to you to decide whether you are comfortable with that.


Man, what a messy situation. I think Sony's handling has been a bit iffy in that for days they knew there was a huge problem but were completely silent about it, however once the emails started rolling out a couple of days ago I think it's fair to say they've been very open and explained what's happened.

I've heard a lot of speculation, with a particularly interesting one being that firmware based on the development kits' firmware made it out into the wild shortly before the PSN take-down which could supposedly be reverse-engineered to gain access to things you shouldn't be able to due to weak authentication and relaxation of security measures on the kits. The last bit could be complete bollocks but the fact the firmware made it out is fact. Either way their system was well and truly arseholed to the point where it went well beyond plugging a hole that the hacker used to gain entry.

Whatever the case Tanukitsune, I don't think anyone was being overly pre-emptive by informing their banks of a potential compromise of security and they certainly don't deserve to be ridiculed for it. I didn't personally do this because I monitor my statements online and will immediately report problems, plus HSBC has a particularly feisty fraud division who would ring me about any strange charges, but when a company says they think your credit card details have potentially been compromised it's best to err on the side of caution. If a company comes out and says something like this — which is usually catastrophic for them PR-wise — it's usually for a valid reason.

(color mine)

That's a straight-out lie, they request the CVC code when you make a purchase.

OK, for joining PSN they don't request it, but they don't request a credit card number either.

I think they just worded it terribly. As I said in my "technical" blurb, they can't store the security code, but they have to ask for it on the first purchase you make.

So basically, my assumptions have all been correct so far. The CCs were encrypted, the CVCs were not stored, the passwords were encrypted (but the hackers still got the encrypted data to reverse at will).


From Le Bank:

You may have seen the recent news in relation to the Sony PlayStation Network data breach. Please be reassured that <Bank> treats data compromises extremely seriously. We do not believe at this time that enough information has been compromised to put your account at risk and therefore do not feel it necessary to block our customers' cards. We are however monitoring the situation and working closely with the industry and will advise our customers if any further action needs to be taken.

(color mine)

That's a straight-out lie, they request the CVC code when you make a purchase.

OK, for joining PSN they don't request it, but they don't request a credit card number either.

Having written several card processing systems, I can tell you it's actually pretty strictly forbidden by merchant agreements and PCI compliance rules to store CVV/CVC codes (also track data, but that's not really an issue with PSN).

That said, you also don't always need the code to auth a credit transaction. It depends on how much fraud detection the processor is doing, but sometimes if the address and name are correct they'll auth the card with an empty CVV (as opposed to a wrong one) if they consider other risk factors to be low.
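The post above describes two rules a card-handling system lives by: the CVV/CVC may be used for the authorization call but must never be written to storage, and a processor may still approve a transaction with an absent (not wrong) CVV when other checks such as address verification pass. The following is an added example, not code from the thread or from any real payment gateway, showing how a merchant back end keeps to those rules. `authorize` is a hypothetical stub standing in for the processor; the card number `4111111111111111` is a constructed sample that merely passes the Luhn check; the field names in `FORBIDDEN_AT_REST` are the usual labels for sensitive authentication data under PCI DSS.

```python
import re
import secrets
from dataclasses import dataclass
from typing import Optional

# Sensitive authentication data that PCI DSS forbids keeping after
# authorization: card verification codes, magnetic-stripe track data, PINs.
FORBIDDEN_AT_REST = {"cvv", "cvc", "cvv2", "csc", "track1", "track2", "pin"}
PAN_RE = re.compile(r"\d{13,19}")


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test; true for a well-formed card number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def authorize(pan: str, cvv: Optional[str], avs_match: bool) -> dict:
    """Hypothetical stand-in for the processor's auth call (not a real API).
    The CVV is consumed here and nowhere else. Mirrors the risk-based rule in
    the post: an absent CVV can still be approved when the address check passes,
    a malformed CVV is declined outright."""
    if not PAN_RE.fullmatch(pan) or not luhn_ok(pan):
        return {"approved": False, "reason": "invalid_pan"}
    if cvv is None:
        if not avs_match:
            return {"approved": False, "reason": "cvv_required"}
    elif not re.fullmatch(r"\d{3,4}", cvv):
        return {"approved": False, "reason": "invalid_cvv"}
    return {"approved": True, "token": "tok_" + secrets.token_hex(8)}


@dataclass(frozen=True)
class StoredCard:
    """The only card data kept for card-on-file reuse."""
    token: str   # processor reference; useless without the merchant's credentials
    last4: str   # masked PAN for receipts
    expiry: str  # MM/YY


def audit_record_at_rest(record: dict) -> list:
    """Storage-layer guard: return the violations in a record about to be
    written. An empty list means the record is safe to persist."""
    problems = []
    for key, value in record.items():
        if key.lower() in FORBIDDEN_AT_REST:
            problems.append(f"forbidden field at rest: {key}")
        if isinstance(value, str) and PAN_RE.fullmatch(value) and luhn_ok(value):
            problems.append(f"full PAN in field: {key}")
    return problems


def checkout_and_save(form: dict, avs_match: bool = True) -> Optional[StoredCard]:
    """Authorize a raw checkout form and return a StoredCard with the CVV
    dropped; None when the processor declines."""
    result = authorize(form["pan"], form.get("cvv"), avs_match)
    if not result["approved"]:
        return None
    record = StoredCard(token=result["token"],
                        last4=form["pan"][-4:],
                        expiry=form["expiry"])
    violations = audit_record_at_rest(vars(record))
    if violations:  # should never trigger; it is the last line of defence
        raise RuntimeError("refusing to persist: " + "; ".join(violations))
    return record


if __name__ == "__main__":
    # Constructed sample input: the card number only needs to pass Luhn.
    saved = checkout_and_save({"pan": "4111111111111111", "expiry": "12/28", "cvv": "123"})
    print(saved)
    print(audit_record_at_rest({"cvv": "123", "last4": "1111"}))
```

The point of `audit_record_at_rest` is that the rule is enforced where the data would be written, not just in the checkout code path: a later developer who adds a field named `cvv` to a log line or a database row gets an error instead of silently creating exactly the kind of stored data the thread is arguing about.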


I am aware that there are rules you should follow, but that doesn't mean that Sony did it. To me Sony isn't a trustworthy company, and it's not just the sleazy EULAs they try to hide behind, or the way they try to get away with violating customer rights. Or the fact that they have been removing functionality from already bought products. It is also the fact that they have been spreading malware, and disrupting non-Sony hardware people owned. And there is of course their shady business practices like fake film critics that give low ratings for films of competing studios, the plan to break the lives of people (/activists) critical of their company, or their failed attempt to hide the faulty battery issue.
