Hackers Offer PSN Credit Cards For Sale

[Longsight]

i regularly buy stuff from the psn and i have lost no faith in sony.

the people or person that pulled off this hack obviously used aggressive hack techniques that probably only the ministry of defence could deflect.

the fact that all this hit the fan so shortly after the threats from anonymous i don't think is a coincidence.

it all just sounds like threats and posturing to me.

While your defence of Sony is admirable, it doesn't change the fact that you're wrong here. There's a reason Sony is picking up a whole lot more flak for this than most do, and that's because it made some by now fairly-well-documented errors when storing the data that allowed it to be accessed far more easily than should ever be possible. They stored information in plaintext that should never, ever need to be stored that way, they forgot to securely hash passwords and they've repeatedly failed to hire external security auditors to perform penetration testing, even when the PS3 root key hack made it clear that whatever internal auditing was being performed was simply inadequate. Information disclosures of this level don't happen very often, because no matter how good your hackers are, there are fairly elementary things you can do to keep the risk to a minimum. Sony did not do them.

All Sony have said regarding card information is a) that they haven't found evidence that the card information was taken but don't know for sure, and b) that the card information was encrypted. Encrypted does not mean unbreakable, and encryption is only as good as the person implementing it. Sony have already proven they simply do not understand cryptography - the PS3 root key can be decrypted from two certificates in a matter of seconds thanks to a fundamental implementation failure on their part, and if similar techniques were used and abused elsewhere, Sony could potentially be the least secure major online entity in existence.

 

[RatRace123]

This could actually be helpful, if the morons who buy the cards use them, that could bring people to the assholes who raided the database, probably not though.

So, I'll just return to bitching and fostering my hatred for these hackers and now the people who may buy these stolen credit cards, I'm going to start hating them as well.

 

[Matthew Lynch]

I never said anything about that. I am just saying that it was their responcibility to protect the data their users entrusted the company with...

Which is where the problem lies; We don't know how extensive their protection actually was. You can lambast Sony all you want over a failure to protect your data, but if you don't know what they did to protect it, it's hard to say that they were somehow negligent in that protection.

Security has to work all the time; hackers only have to get lucky once.

I know...thats why even freeware security systems like norton update almost every day.

 

[Cade the Imperfect]

Didn't Sony announce, that the Credit card info was safe? and encrypted even if it was taken?
I doubt this claim is true.

 

[Adam Galli]

hmmm...can you get a new card from your bank with different numbers and stuff without opening a new account

Just phone them up and ask them to cancel your card because you think someone might have access to your card details. They'll cancel it on the system and send you a new one.

Just checked my account and I still have my prized $0.08 balance (its been a slow mouth ) But I'm still changing my card later today.

Best way to avoid having someone steal your stuff is to have no stuff to steal!

OT: Can anyone confirm these reports? If they can then things just got a lot more serious. This whole mess has made me very concerned about my card security (Don't use PSN but Xbox live has my info). Anyone else here plan on using prepaid store cards a lot more in the future?

Either that or just completely removing my card off the system as soon as I use it. Was trying to remove the card on my xbox live account, but it's tied to my subscription, and so I need to phone them up to cancel the subscription so I can remove the card. -.-

I find it interesting how this fallout is also un-nerving and hitting XBOX users hard.

Not trusting SONY is one thing, but here and there, you see people losing trust in microsoft as well, just incase this happens again.

About 2-3 weeks ago I was very tempted to put my CC number on the PSN... Glad I didn't

Is it wrong that we Xbox users are worrying too? If these assholes did it to Sony we can only assume that they can do it to Microsoft as well.

I'm just glad I only use prepaid cards.

 

[Matthew Lynch]

hmmm...can you get a new card from your bank with different numbers and stuff without opening a new account

Just phone them up and ask them to cancel your card because you think someone might have access to your card details. They'll cancel it on the system and send you a new one.

Just checked my account and I still have my prized $0.08 balance (its been a slow mouth ) But I'm still changing my card later today.

Best way to avoid having someone steal your stuff is to have no stuff to steal!

OT: Can anyone confirm these reports? If they can then things just got a lot more serious. This whole mess has made me very concerned about my card security (Don't use PSN but Xbox live has my info). Anyone else here plan on using prepaid store cards a lot more in the future?

Either that or just completely removing my card off the system as soon as I use it. Was trying to remove the card on my xbox live account, but it's tied to my subscription, and so I need to phone them up to cancel the subscription so I can remove the card. -.-

I find it interesting how this fallout is also un-nerving and hitting XBOX users hard.

Not trusting SONY is one thing, but here and there, you see people losing trust in microsoft as well, just incase this happens again.

About 2-3 weeks ago I was very tempted to put my CC number on the PSN... Glad I didn't

Is it wrong that we Xbox users are worrying too? If these assholes did it to Sony we can only assume that they can do it to Microsoft as well.

I'm just glad I only use prepaid cards.

Its already been tried on Xbox...however Mocrosoft must store details on seperate servers from the main live system as the hackers didn;t get anything.

 

[ace_of_something]

Are debit cards at risk? I mean it's a silly question but I used a Debit Card, not a Credit card to purchase stuff. Well at any rate this made me feel real bad... I feel nausea now.

A debit card is even MORE at risk. Once they use the money on that. It's gone. You're not getting it back, banks aren't required to cover their losses on it at all (which is part of the reason they push so hard for you to have one) Change your account number as soon as possible.

Remember not to trust everything you see on the internet.

One person said all debit cards have a 250Euro limit, this guy is saying all debit cards have no protection.

All debit cards, and credit cards, come with individual contracts. For example my Debit card has a $2000 limit and it does have fraud protection.

On Topic: I'd just get a new card. Better safe than sorry guys.

Allow me to rephrase that than.
In the united states there is no federal law requiring some sort of asset protection like there is for credit cards. I am not talking about a 'limit' everything has that even a home depot card. I am saying if you contest charges on a debit card a lot of times you're left in the breeze.
Most banks do not offer that sort of service on debit cards unless you specifically ask for it. If you don't think you have something like 'fraud protection' than it's safe to assume you don't have it with a debit card. Also, if I might inquire; what are the actual conditions of 'fraud protection' on your debit card? In the last dozen ID theft cases i've had to do (admittedly I do maybe like one a month) it's ALWAYS a debit card and the victim NEVER gets their money back even some who do have 'fraud protection.'

Though you and I are in agreement. Everyone needs to just change their account number and be cautious of your name. If they have all the things that PSN listed it wouldn't be hard to open an account elsewhere in your name. (Another favorite of these kind of scum)

edit:

 

[MattAn24]

Well, my bank is awesome! So fucking glad I live in Australia (though I feel sorry for the guy with the bogus $2000 transaction. Saw him on the news, I think he got it refunded and fixed though, no lawsuits needed~)

Anyway, my bank has assured me that they're monitoring transactions at all times, as a free part of the service, so they've said I will only require a new debit card if I really have mass-paranoia and desperately think I'm going to die without a new card.

So, basically, CHILL THE FUCK DOWN. This kind of shit happens. I know I've seen it happen before, from banks or any big-name institution. Cyber criminals gonna cyber crime. It's the nasty shit they do.

Sure, Sony may not have been "well prepared", but that's certainly no license to say "FUCKING ATTACK THEM, HACKERS! KILL SONY! " No, that just makes you a heartless twat!

I never said anything about that. I am just saying that it was their responcibility to protect the data their users entrusted the company with...

Yes. It is. And for all we know (not what news sites, aka the sensationalist media) want to report), SONY could have had a nicely encrypted system. Just enough to keep it safe. Hackers CAN bypass that. No. Not just any hackers. These are expertly trained cyber criminals who will stop at nothing to get information. If there's a wall, they'll break it.

Hell, what's the bet it's a butt-hurt ex-Sony employee who knew the way in and informed criminals? NOBODY KNOWS.

Unfortunately, their own agreements say they have to take the responcibility for losses from their security...at least when it comes to credit details. (At least thats what the agreement on xbox live is...not sure if it is different for Sony)

I never said anything about that. I am just saying that it was their responcibility to protect the data their users entrusted the company with...

Which is where the problem lies; We don't know how extensive their protection actually was. You can lambast Sony all you want over a failure to protect your data, but if you don't know what they did to protect it, it's hard to say that they were somehow negligent in that protection.

Security has to work all the time; hackers only have to get lucky once.

Pretty much agree with Raesvelg here. I'm absolutely not saying Sony is completely innocent. Far from it. Yes, they dropped a medicine ball of problems on themselves, but come on. Cyber criminals. I would totally be placing more blame on Sony if it were just GeoHotz supporters out for revenge.

But no, these guys probably aren't even gamers and don't CARE who they're attacking.

We can basically rule out Anonymous too, because aren't Anonymous the guys the defend privacy and user rights? If anyone in Anonymous reads this, please.. Don't go after Sony and attack their retail shops, etc. Find the ones that did THIS. This crime. And punish THEM. Then I might actually have much more respect for your cause..

 

[Laxman9292]

Someone needs to held accountable
No, No this not the place.

It is always the place. Although it is good to find a healthy balance.

OP: thank god I don't use PSN enough that I put my card in.

 

[MattAn24]

Are debit cards at risk? I mean it's a silly question but I used a Debit Card, not a Credit card to purchase stuff. Well at any rate this made me feel real bad... I feel nausea now.

A debit card is even MORE at risk. Once they use the money on that. It's gone. You're not getting it back, banks aren't required to cover their losses on it at all (which is part of the reason they push so hard for you to have one) Change your account number as soon as possible.

Remember not to trust everything you see on the internet.

One person said all debit cards have a 250Euro limit, this guy is saying all debit cards have no protection.

All debit cards, and credit cards, come with individual contracts. For example my Debit card has a $2000 limit and it does have fraud protection.

On Topic: I'd just get a new card. Better safe than sorry guys.

Allow me to rephrase that than.
In the united states there is no federal law requiring some sort of asset protection like there is for credit cards. I am not talking about a 'limit' everything has that even a home depot card. I am saying if you contest charges on a debit card a lot of times you're left in the breeze.
Most banks do not offer that sort of service on debit cards unless you specifically ask for it. If you don't think you have something like 'fraud protection' than it's safe to assume you don't have it with a debit card. Also, if I might inquire what are the actual conditions of that on your debit card, in the last dozen ID theft cases i've had to do (admittedly I do maybe like one a month) it's ALWAYS a debit card and the victim NEVER gets their money back.

Y'know, that's what makes me proud to be Australian. Banks aren't exactly entirely heartless bastards. And they don't just give out credit cards to random people. You need sufficient identification. 100 points of ID, which often includes birth certificate, drivers license/proof of age card, Medicare/health care card.. Enough to prove you are.. You.

I've been told that in America, ANYONE can apply for a credit card from practically zero identification. Time to reconsider that logic...

 

[Onyx Oblivion]

The story on Kotaku made it sound like there's no actual proof that they actually have enough of your CC's info to do this. Has solid evidence come to light since then or is this more sensational reporting?

It's the Escapist.

Sensational reporting is all the news room does anymore.

Kinda pisses me off.

 

[MisterColeman]

Didn't Sony announce, that the Credit card info was safe? and encrypted even if it was taken?
I doubt this claim is true.

Yes it is likely all Sony has on the network is an MD5 hash of the information that their internal computers then decrypt when needed. The hackers likely copied the encrypted data and put it against scripts on their own machines when they had time, and it doesn't take long for a script to run though an MD5 hash anymore. Even on a simple machine. Especially if it is against rainbow tables of likely values.

Actually from a computer security standpoint (as one with a degree in Information Assurance) the amount of time that would take lines up suspiciously closely with the claim that they are now selling it. They probably decrypted enough of it yesterday to get started.

 

[MattAn24]

Oh, here's a thought for everyone.. As my mother decided to tell me earlier..

Your personal details were already on the internet before all this happened. Your name can easily be found and used. Once your address has been viewed by anyone else, it has been seen. To say that THIS alone uncovered your private details is rather silly.

 

[Mr. Grey]

The more I follow the news on this, the less I'm freaking out.

Could be that I know to take anything that any media outlet says with a grain of salt. However, I haven't seen any hard evidence that it was taken, I haven't seen anyone walk up and hand me my credit card number, I haven't seen a single thing yet that proves I'm in any real threat that's different from any other day.

I'm not even going to take what this guy said seriously until he can back it up. Because all I've heard was backtracking and possibilities. Basically nothing different from what Sony has said or done, except Sony seems to be increasing with their information, not necessarily backtracking.

Not only that, if this guy was seriously interested in helping, why didn't he simply report what the hell was going on to the proper authorities instead of opening his yap and alerting the "hacker forums" in question?

Wow, Sony goes and claims that the info isnt usable, then are proven wrong... again.

Proven... by whom?

Here, let me give you an example.

* I HAVE STOLEN THE ACCOUNT INFO AND CC INFO OF EVERY AMAZON.COM CUSTOMER! IT WAS SO EASY! I WILL SELL THIS INFO TO THE HIGHEST BIDDER! *

By your standards, I have now "proven" that I got into Amazon's system and stole all their CC info.

You monster! Give it back!

 

[Raesvelg]

I know...thats why even freeware security systems like norton update almost every day.

Its already been tried on Xbox...however Mocrosoft must store details on seperate servers from the main live system as the hackers didn;t get anything.

My statement stands. You are apparently under the impression that this was the first, last, and only attempt to hack PSN. I think you can safely assume that it, in fact, was not.

Unfortunately, their own agreements say they have to take the responcibility for losses from their security...at least when it comes to credit details. (At least thats what the agreement on xbox live is...not sure if it is different for Sony)

Care to point out the precise part of the Xbox LIVE terms of service where it states that? I must have missed it, because the only section I was able to find that mentions anything of the sort placed a hard cap on Microsoft's liability to the tune of one month's subscription fees.

 

[Fasckira]

So..... the credit card information wasn't encrypted after all, or at least not as encrypted as it should have been?

 

[MattAn24]

The story on Kotaku made it sound like there's no actual proof that they actually have enough of your CC's info to do this. Has solid evidence come to light since then or is this more sensational reporting?

It's the Escapist.

Sensational reporting is all the news room does anymore.

Kinda pisses me off.

Heh.. It's so true.. Journalists of The Escapist, pick your damn act up. You may be able to use scare tactics on the teenagers of this community but it's not working on those of us who aren't entirely stupid. Report moar unbiased news plox.

 

[DonMartin]

Thank god I've never bought anything online other than with coupons.

Still, can't say I like having my personal information still online.. I mean offline?

 

[Ardenon]

silly consoles

 

[Kusabi]

I went ahead and canceled my debit card, got a new one, made up a new PIN number, put that new card onto ITS OWN email account and finally, changed ALLLL of my passwords.

I'm still going to use my PS3 as much as my Xbox 360... just from here on out, I will not be putting my cards onto a Sony-owned product. I don't blame them, partly because I'm currently in a Bachelors' degree for ethical hacking and security analysis therefore I know, slightly, how easy it is to hack into these companies.

Fun fact! Most companies put their PHP passwords onto an "easily viewable from the internet" page that is quite public. You have to know how to search for it, but its there and if you know this, you can get to the companies Sys/App server and steal confidential data from it by knowing this password. At the least, it'll give you some legroom to get into the network itself. A common control for this is to use PHPIDS instead and block your password from appearing on that page (again, being quite vague about what "page" this "PHP/PHPIDS" language is).

See, this makes me curious... did Sony know this? For a multi-billion dollar/yen/whatever company, I sure HOPE thats not what happened. Again, I'm a novice in this subject but if I knew this, I'm fairly certain the hackers knew this and more as well...