
2.2 million users' cards are reportedly in the database

Millions of customers were shocked to hear Sony Computer Entertainment America LLC (U.S.) and Sony Computer Entertainment Europe (EU) had lost their personal information -- name, username, password, address, birth date, and password recovery question -- and, more importantly, that it potentially lost their credit and debit cards as well.

Sony wrote:

While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility.

It essentially then went on to tell people that they were on their own and that it was customers' own responsibility to protect themselves from credit fraud.

Now it appears the worst-case scenario is indeed playing out -- according to recent forum posts, a database with "a large section of the PSN database containing complete personal details along (with credit card numbers)...are being offer (sic) up for sale."

Security researcher Kevin Stevens has witnessed malicious hackers discussing the supposed database.  He posted to Twitter, "Supposedly the hackers selling the DB says it has: fname, lnam, address, zip, country, phone, email, password, dob, ccnum, CVV2, exp date," adding, "it is not a rumor, it was a conversation on a criminal forum."

If someone gains access to this database, it would be easy to issue hundreds of millions of fraudulent charges.  Such charges can put a black mark on your credit score.

Famed hardware jailbreaker George "GeoHot" Hotz chimed in on the reports, writing, "I sure am glad I don’t have a PSN account about now."

In his blog he adds:

And to anyone who thinks I was involved in any way with this, I'm not crazy, and would prefer to not have the FBI knocking on my door. Running homebrew and exploring security on your devices is cool, hacking into someone else's server and stealing databases of user info is not cool. You make the hacking community look bad, even if it is aimed at douches like Sony.

...

...the fault lies with the (Sony) executives who declared a war on hackers, laughed at the idea of people penetrating the fortress that once was Sony, whined incessantly about piracy, and kept hiring more lawyers when they really needed to hire good security experts. Alienating the hacker community is not a good idea.

GeoHot, a self-admitted one-time victim of identity theft, isn't a huge fan of Sony.  He recently settled with the electronics giant in a lawsuit over his jailbreak of the PS3.  Reportedly, GeoHot essentially scored a big win with the settlement, though precise details haven't been revealed.

The attacks came soon after the settlement.  While few suspected GeoHot, some do suspect that members of the loosely organized hacker group Anonymous -- a group which supported GeoHot during the Sony legal battle (without his endorsement) -- might have been involved.

Regardless, this is bad news for Sony and worse news for its customers. If you have a credit or debit card that you know is filed with the service, you might want to talk to your bank about changing your number as soon as possible.



Comments

RE: CVV2?
By DanNeely on 4/29/2011 9:20:42 AM , Rating: 3
It's also possible that Sony was storing the CVV/2 numbers even though they shouldn't have been. They wouldn't be the 1st company to do so; and unlike MomAndPop.com Visa/MasterCard/etc can't simply ban them from their services over it because Sony's just too big.


RE: CVV2?
By kleinma on 4/29/2011 9:46:55 AM , Rating: 2
You don't always need a CVV2 code for a transaction to go through, even on an internet website. There are plenty of payment processing vendors that require nothing more than a credit card number, exp date (which you can usually make anything that is not yet expired) and an amount to process.

I know PayPal credit card processing services work like this, as do some others I have used in the past.

I am more surprised out of 70 million users only 2 million and change had a CC on file.


RE: CVV2?
By Solandri on 4/29/2011 1:09:48 PM , Rating: 2
That's correct. The credit card companies all make the merchant liable for any fraud, so they give them tools which they can use to decide whether to accept or reject a transaction. The CVV2 code is one. A zip code / address / phone number check is another. All of these are optional security measures that the merchant can choose to use. They are not required for a transaction if the merchant chooses to forgo them.
quote:
I am more surprised out of 70 million users only 2 million and change had a CC on file.

IIRC, it's illegal (in the U.S.) to store a credit card number without the cardholder's consent. So probably 70 million used a credit card on PSN, but only 2 million opted to have PSN "remember" their credit card info so they wouldn't have to type it in again.


RE: CVV2?
By cjohnson2136 on 4/29/2011 2:07:51 PM , Rating: 2
Sometimes the CVV number means nothing. The company I work for has you enter a CVV number when you purchase your service but it could be completely wrong and it will still authorize. As long as it is a 3 or 4 digit number (I think it depends on the card) it will be approved.


RE: CVV2?
By fredgiblet on 4/30/2011 4:27:35 PM , Rating: 2
AMEX requires 4 (they take the last digit off the front and move it to the back).


"If you can find a PS3 anywhere in North America that's been on shelves for more than five minutes, I'll give you 1,200 bucks for it." -- SCEA President Jack Tretton














Copyright 2014 DailyTech LLC.