
2.2 million users' cards are reportedly in the database

Millions of customers were shocked to hear Sony Computer Entertainment America LLC (U.S.) and Sony Computer Entertainment Europe (EU) had lost their personal information -- name, username, password, address, birth date, and password recovery question -- and, more importantly, that it potentially lost their credit and debit cards as well.

Sony wrote:

While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility.

It essentially then went on to tell people that they were on their own and that it was customers' own responsibility to protect themselves from credit fraud.

Now it appears the worst-case scenario is indeed playing out -- according to recent forum posts, a database with "a large section of the PSN database containing complete personal details along (with credit card numbers)...are being offer (sic) up for sale."

Security researcher Kevin Stevens has witnessed malicious hackers discussing the supposed database.  He posted to Twitter, "Supposedly the hackers selling the DB says it has: fname, lnam, address, zip, country, phone, email, password, dob, ccnum, CVV2, exp date," adding, "it is not a rumor, it was a conversation on a criminal forum."

If someone gains access to this database, it would be easy to issue hundreds of millions of fraudulent charges.  Such charges can put a black mark on your credit score.

Famed hardware jailbreaker George "GeoHot" Hotz chimed in on the reports, writing, "I sure am glad I don’t have a PSN account about now."

In his blog he adds:

And to anyone who thinks I was involved in any way with this, I'm not crazy, and would prefer to not have the FBI knocking on my door. Running homebrew and exploring security on your devices is cool, hacking into someone else's server and stealing databases of user info is not cool. You make the hacking community look bad, even if it is aimed at douches like Sony.

...the fault lies with the (Sony) executives who declared a war on hackers, laughed at the idea of people penetrating the fortress that once was Sony, whined incessantly about piracy, and kept hiring more lawyers when they really needed to hire good security experts. Alienating the hacker community is not a good idea.

GeoHot, a self-admitted one-time victim of identity theft, isn't a huge fan of Sony.  He recently settled with the electronics giant in a lawsuit over his jailbreak of the PS3.  Reportedly, GeoHot essentially scored a big win with the settlement, though precise details haven't been revealed.

The attacks came soon after the settlement.  While few suspected GeoHot, some do suspect that members of the loosely organized hacker group Anonymous -- a group which supported GeoHot during the Sony legal battle (without his endorsement) -- might have been involved.

Regardless, this is bad news for Sony and worse news for its customers.  If you have a credit or debit card that you know is on file with the service, you might want to talk to your bank about changing your number as soon as possible.


By lowsidex2 on 4/29/2011 10:17:59 AM , Rating: 2
It wasn't that they didn't store it. They didn't ask for it.

Keep in mind, however that your credit card security code (sometimes called a CVC or CSC number) has not been obtained because we never requested it from anyone who has joined the PlayStation Network or Qriocity, and is therefore not stored anywhere in our system.'

Those of you with an account should know (I don't). Sounds like this sale is meant to be a joke. Those guys probably knew who was listening in.

By Chris Peredun on 4/29/2011 1:56:27 PM , Rating: 2
It wasn't that they didn't store it. They didn't ask for it.


By SpaceRanger on 4/29/2011 4:05:44 PM , Rating: 2
Regardless of whether or not they asked for it, they would be breaking the rules as part of the PCI-DSS standard for compliance:

I'd go out on a limb and say that in the US, it's against the law to store the CVV/CVC/etc.

By cjohnson2136 on 4/29/2011 4:17:53 PM , Rating: 2
Really the CVV is just a worthless number. Some companies don't ask for it, and some don't even need the number to be correct. The company I work for doesn't validate whether the number on the card is correct because the machines that are used to swipe the card don't collect the information; all we validate is whether the number is a 3 or 4 digit number, depending on the brand of the card. So I doubt most companies even save that number since it is not used much.

By 4745454b on 4/29/2011 9:39:45 PM , Rating: 3
they would be breaking the rules

LOL, you think Sony cares about rules? I assume I don't need to remind you that they put a rootkit on some of their audio CDs so that if you played them in your computer it would get infected. And when caught, they released a "tool" to remove it that only did more damage, so that you had to reinstall Windows. I don't think Sony cares at all about rules.

By CZroe on 4/29/2011 4:24:15 PM , Rating: 3
Wow. So Sony is out-right lying about never requesting it? Crazy. I based my post on what Sony said because I assumed that they wouldn't dare lie about something like that. Who knew?

Now, before re-reading their statement, I assumed that they used CVV/CSC for the initial verification before storing the other details because it ensures that you have the actual card and not a cloned skimmed/sniffed card (data is not in the mag strip or RFID). After that, they optionally stored everything else for convenience. Someone cloning your card wouldn't likely be making purchases on the same PSN account with the saved details, so there is no reason to require the CVV again unless it is being added to a new/different account. Otherwise, it's a stolen PSN account and not a stolen CC being used anyway. Verifying stored details with CVV is pointless. Storing it is a huge no-no because the whole point is to ensure physical access to the card by requiring something that cannot be copied electronically and can only be verified live by the CC company. Live interception by trojan, phish, etc, and physically seeing the card should be the only way to get one short of hacking the CC company.
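The PCI DSS point argued in the comments above, as an added example (not code from the article, the commenters or Sony): the verification code is checked for format at authorization time and then dropped, the card-on-file record keeps only a truncated card number, and a scan flags persisted records that still hold a code or a full number. The field names, the scan heuristics and the sample card numbers (standard test numbers, not real cards) are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed example: what a merchant may keep after an authorization
# under PCI DSS, and a scan that flags records holding what it must not keep.

@dataclass
class AuthRequest:
    pan: str   # full card number, present only while authorizing
    exp: str   # "MM/YY"
    cvv: str   # card verification code: used once, never persisted

@dataclass
class StoredCard:
    masked_pan: str  # first six and last four digits; the middle is masked
    exp: str

def luhn_ok(digits: str) -> bool:
    """Mod-10 check that real card numbers pass; filters random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0

def cvv_length_for(pan: str) -> int:
    # American Express (IIN 34/37) prints a 4-digit code; other brands use 3.
    return 4 if pan[:2] in ("34", "37") else 3

def cvv_format_ok(pan: str, cvv: str) -> bool:
    # Format only: whether the code is right can be confirmed solely by the issuer.
    return cvv.isdigit() and len(cvv) == cvv_length_for(pan)

def to_storable(req: AuthRequest) -> StoredCard:
    """Reduce an authorization request to the card-on-file fields allowed to persist."""
    if not (req.pan.isdigit() and 13 <= len(req.pan) <= 19 and luhn_ok(req.pan)):
        raise ValueError("not a card number")
    if not cvv_format_ok(req.pan, req.cvv):
        raise ValueError("bad verification code format")
    masked = req.pan[:6] + "*" * (len(req.pan) - 10) + req.pan[-4:]
    return StoredCard(masked_pan=masked, exp=req.exp)  # cvv deliberately dropped

CODE_KEYS = re.compile(r"cvv|cvc|csc|cid|security_?code", re.I)

def find_forbidden_fields(record: dict) -> list:
    """Return keys of a persisted record that hold a verification code or full PAN."""
    bad = []
    for key, value in record.items():
        v = str(value)
        if CODE_KEYS.search(key) and v.isdigit() and len(v) in (3, 4):
            bad.append(key)          # a code stored next to card data
        elif v.isdigit() and 13 <= len(v) <= 19 and luhn_ok(v):
            bad.append(key)          # an unmasked card number
    return bad
```

Run `find_forbidden_fields` over a dump of the card table to get the fields a PCI DSS assessor would object to; a masked value such as `411111******1111` is not flagged because it no longer passes the Luhn check.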

By CZroe on 4/30/2011 12:20:31 AM , Rating: 2
Looks like Sony finally updated their statement and made this post on their blog:
"While we do ask for CCV codes, we do not store them in our database."

So, either the people are lying about having Sony's information with CVV codes, or Sony's lying about not storing them, or they've been compromised for a long time (years) and they have been intercepted at the moment of the first transaction.


Copyright 2016 DailyTech LLC.