• MSNBC article speculates on PSN crisis
[URL]http://www.msnbc.msn.com/id/42806008/ns/technology_and_science-security/[/URL] [quote] Eight days after Sony took the PlayStation Network offline, rumors and misinformation continue to swirl around the unprecedented shutdown and massive data breach that affected an estimated 77 million users. [URL="http://www.securitynewsdaily.com/sony-user-database-for-sale-online-bazaar-0740/#"]Security[/URL] expert Kevin Stevens of TrendMicro [URL="http://twitter.com/#%21/killercube/status/63625145977290752"]tweeted today[/URL] (April 28) that low-level cybercriminals using "carder" online forums were offering to sell a [URL="http://www.securitynewsdaily.com/sony-user-database-for-sale-online-bazaar-0740/#"]database[/URL] of 2.2 million credit-card numbers taken during the PlayStation Network breach. Independent security blogger Brian Krebs then posted screenshots of four hackers discussing the purported database in a chat room. "xxx: format is: fname, lnams, address, zipcode, country, phone, email, email password, dob, ccnum, cvv2, exp date," wrote user "Sutekh" in [URL="http://krebsonsecurity.com/wp-content/uploads/2011/04/dk1.jpg"]one of the screenshots[/URL]. In plain English, that's the first name, last name, address, postal code, country, telephone number, email address, email password, date of birth, credit-card number, credit-card security code and credit-card expiration date attached to each of 2.2 million accounts — including "150k german ones," as Sutekh said [URL="http://krebsonsecurity.com/wp-content/uploads/2011/04/dk2.jpg"]in a different posting[/URL]. "Sony was supposedly offered a chance to buy the DB (database) back but didn't," [URL="http://twitter.com/#%21/killercube/status/63625145977290752"]tweeted Stevens[/URL]. Neither Stevens nor Krebs claimed to have seen the actual database being offered, and it almost sounds too good to be true. Why, for example, would Sony have the passwords to users' third-party email accounts, such as Yahoo or Gmail accounts? 
[B]Sony: Your credit card information is safe[/B]

For its part, Sony dribbled out a bit more information today. In an FAQ [URL="http://blog.us.playstation.com/2011/04/27/qa-1-for-playstation-network-and-qriocity-services/"]posted on various PlayStation websites worldwide[/URL], the company said that "your credit card security code (sometimes called a CVC or CSC number) has not been obtained because we never requested it from anyone who has joined the PlayStation Network or Qriocity, and is therefore not stored anywhere in our system." (Qriocity is a separate entertainment-delivery network owned and run by Sony, which was also affected by the PlayStation Network breach.) Sony also stated that, "The entire credit card table was encrypted and we have no evidence that credit card data was taken." So either the hackers selling the database are lying about having credit card security codes, or Sony is not telling the truth about having them in the first place. The latter scenario seems far less likely, as Sony would open itself to enormous lawsuits if it were found to be less than truthful about the breach — except that, [URL="http://www.securitynewsdaily.com/massive-playstation-network-hack-work-amateurs-0736/"]as was reported yesterday[/URL], unencrypted credit card numbers with security codes are exactly what amateur hackers claimed to have found in PlayStation Network development channels [URL="http://173.255.232.215/logs/efnet/ps3dev/2011-02-16"]two months ago[/URL]. Anecdotal evidence of credit card fraud against PlayStation Network users has been showing up on several websites. "My bank called me to notify me of a suspicious transaction and they confirmed it was indeed a fraudulent withdrawal," a man calling himself Josh Webb emailed to [URL="http://vgn365.com/2011/04/26/psn-users-reporting-hundred-of-dollars-stolen-from-them/"]the gaming site VGN365[/URL]. 
"I’ve had to cancel my card and order a new one which the bank will transfer my previous account’s money into." "The number of Ars Technica readers who have had issues with their credit cards in the past few days, and have commented, e-mailed, or Tweeted about the issue, is alarming," wrote Ben Kuchera on [URL="http://arstechnica.com/gaming/news/2011/04/ars-readers-report-credit-card-fraud-blame-sony.ars"]the tech blog Ars Technica[/URL]. "We may be dealing with a coincidence in timing, but when your inbox is heavy with people saying they're fighting fraudulent credit card charges, it may be the first signs of fire somewhere in the smoke."

[B]The first lawsuit[/B]

Kristopher Johns of Alabama [URL="http://www.scribd.com/doc/54070618/JohnsvSony-Complaint-FINAL"]filed a federal class-action suit[/URL] against Sony on behalf of all PlayStation Network users on Wednesday in the Northern District of California. The suit claims that Sony "failed to encrypt data and establish adequate firewalls to handle a [URL="http://www.securitynewsdaily.com/sony-user-database-for-sale-online-bazaar-0740/#"]server[/URL] intrusion contingency, failed to provide prompt and adequate warnings of security breaches, and unreasonably delayed in bringing the PSN service back on line." (The PlayStation Network service is still offline.) It might be hard for Sony to refute those allegations. In its own FAQ today, the company admitted that "The personal data table … was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack." In other words, once someone got into the restricted part of the network, all user data except credit card numbers was easily obtainable — more than enough information to set up identity thefts and spear-phishing scams en masse. 
George Hotz, the 23-year-old New Jersey hacker sued by Sony for hacking the PlayStation 3, pointed out the inherent flaw in the PlayStation Network's security in [URL="http://geohotgotsued.blogspot.com/2011/04/recent-news.html"]a blog posting today[/URL]. (He disavowed any connection to the data breach.) "Traditionally the trust boundary for a web service exists between the server and the client. But Sony believes they own the client too," he wrote, referring to the PlayStation 3 console as the client. "So if they just put a trust boundary between the consumer and the client (can't trust those pesky consumers), everything is good. Since everyone knows the PS3 is unhackable, why waste money adding pointless security between the client and the server?" In other words, user authentication was done at the console level during routine logins. Consoles accessing the PlayStation Network were not individually verified, since Sony believed that retail consoles could not be modified to access the behind-the-scenes development channels of the PlayStation Network. But the fact is that PlayStation 3 consoles could indeed be modified [URL="http://www.securitynewsdaily.com/massive-playstation-network-hack-work-amateurs-0736/"]to do just that[/URL], which led February's amateurs to allegedly find the unencrypted user data — and which may have opened the way for the data breach. [/quote]
ffs, this should have never happened
[QUOTE=dude2193;29503173]ffs, this should have never happened[/QUOTE] Why the fuck would anyone- Whoever did this deserves a kick with the force of 1000 suns and 10 GETOVERHERE's.
I wonder where Zeke's is in there.
[QUOTE=little.sparrow;29503184]Why the fuck would anyone- Whoever did this deserves a kick with the force of 1000 suns and 10 [b]GETOVERHERE's[/b].[/QUOTE] I think it deserves something better. [media]http://www.youtube.com/watch?v=6buKhNvAFqE&feature=related[/media]
the guy trying to sell the 'database of cards' is probably some 14 year old talking shit to try and impress people on the forum
2.2 Million credit cards [img]http://www.robertjschwalb.com/wp-content/uploads/2010/08/dr-evil.jpg[/img]
Holy shit
If this is true, thank god we changed the password to our credit card.
Right as I was about to press "confirm checkout" for my ps3 all this stuff started happening, oh boy am I lucky
So we have no idea who's right or wrong in this. We either trust a massive corporation who shits itself at the sight of people taking ownership of consoles -or- Hackers who aren't trustworthy in the least bit and could be trying to scam people Meanwhile we get wild reports of hundreds of dollars missing but nothing to back them up. We also get Sony saying they encrypted their data but we also have no proof to back it up. This just seems to be getting into a bigger mess with the lack of evidence for either side becoming an avalanche.
[quote]"Eight days after Sony took the PlayStation Network offline, [b]rumors[/b] and [b]misinformation[/b] continue to swirl around the unprecedented shutdown and massive data breach that affected an estimated 77 million users." ""Sony was [b]supposedly[/b] offered a chance to buy the DB (database) back but didn't," tweeted Stevens." "[b]Neither Stevens nor Krebs claimed to have seen the actual database being offered[/b], and it almost sounds too good to be true"[/quote] Why is this a news article? It's just speculation and rumors
[QUOTE=Swilly;29503260]So we have no idea who's right or wrong in this. We either trust a massive corporation who shits itself at the sight of people taking ownership of consoles -or- Hackers who aren't trustworthy in the least bit and could be trying to scam people Meanwhile we get wild reports of hundreds of dollars missing but nothing to back them up. We also get Sony saying they encrypted their data but we also have no proof to back it up. This just seems to be getting into a bigger mess with the lack of evidence for either side becoming an avalanche.[/QUOTE] Sony may be wrong in not securing their data well enough, but there is no way the hackers are in the right; stealing money from uninvolved people is never a good thing.
[QUOTE=I_Forgot;29503322]Why is this a news article? It's just speculation and rumors[/QUOTE] Question: does Sony have a backup of the database? If they don't and they were offered to buy it back and declined...
I wonder if the data is actually legitimate, or if it's people cashing in just to damage Sony's reputation even more.
These guys need to fuck off.
The credit card I have linked to my PSN account is probably 2 - 3 years old and I can't log in to check which one it was.
[QUOTE=DogGunn;29503469]I wonder if the data is actually legitimate, or if it's people cashing in just to damage Sony's reputation even more.[/QUOTE] Me too. Either way, the damage has been done. Sony is sure to have suffered a huge hit in business just from the PSN outage, and I imagine console sales have plummeted in the last few weeks.
I'm still planning on purchasing a new PS3
If the hacker has been making purchases with the stolen credit cards then they must be really stupid to give away their location, so I really don't think the hacker got the CC information... and they wouldn't even have the security code.
Sony keeps saying the credit card info is safe. I doubt any credit card information was stolen because of this incident, and if what I believe is true, then the people on Facepunch who supposedly lost money are just a bunch of idiots..
[quote]the company said that "your credit card security code (sometimes called a CVC or CSC number) has not been obtained because we never requested it from anyone who has joined the PlayStation Network or Qriocity, and is therefore not stored anywhere in our system."[/quote] Don't worry. They have your Credit Card number, Expiration Date, Name, Address, Zip Code, State, Phone Number, and security question answer but NOT your 3 digit Security Code. You can thank us later
[QUOTE=Oblivion470;29503699]Sony keeps saying the credit card info is safe. I doubt any credit card information was stolen because of this incident, and if what I believe is true, then the people on Facepunch who supposedly lost money are just a bunch of idiots..[/QUOTE] Sony say a lot of things, albeit I doubt people can trust them given they've lied, plus they took an entire week to inform people of the truth and a further 2/3 days to e-mail affected users. I would advise people to get their cards blocked and replaced as a precaution. Additionally - Encrypted can mean virtually anything, it doesn't mean that it is secure.
[QUOTE=Gishank;29503808]Sony say a lot of things, albeit I doubt people can trust them given they've lied, plus they took an entire week to inform people of the truth and a further 2/3 days to e-mail affected users. I would advise people to get their cards blocked and replaced as a precaution. Additionally - Encrypted can mean virtually anything, it doesn't mean that it is secure.[/QUOTE] It works both ways, we don't know if it's good or bad. And since when can you trust the internet with shady deals :v:
Time to invest in credit card materials! (For all the new credit cards that people will be getting)
Sony is so fucked
2 200 000 lawsuits are a lot of lawsuits.
[QUOTE=Jimpy;29503832]Time to invest in credit card materials! (For all the new credit cards that people will be getting)[/QUOTE] Petroleum? If you had already invested in that, you'd probably be rich.
[QUOTE=Gishank;29503808]Sony say a lot of things, albeit I doubt people can trust them given they've lied, plus they took an entire week to inform people of the truth and a further 2/3 days to e-mail affected users. I would advise people to get their cards blocked and replaced as a precaution. Additionally - Encrypted can mean virtually anything, it doesn't mean that it is secure.[/QUOTE] They haven't lied and it took time for the investigation to see how much damage was done and when it was over they found out the information was taken.
[QUOTE=CubeManv2;29503427]Question: does Sony have a backup of the database? If they don't and they were offered to buy it back and declined...[/QUOTE] What good would it be for Sony to buy it back when the hackers can easily make a backup? I'm pretty sure Sony has backups.