Hackers Offer PSN Credit Cards For Sale

 Pages PREV 1 2 3 4 5 6 7 8 9 10 11 NEXT
 

nothingspringstomind:
i regularly buy stuff from the psn and i have lost no faith in sony.

the people or person that pulled off this hack obviously used aggressive hack techniques that probably only the ministry of defence could deflect.

the fact that all this hit the fan so shortly after the threats from anonymous i don't think is a coincidence.

it all just sounds like threats and posturing to me.

While your defence of Sony is admirable, it doesn't change the fact that you're wrong here. There's a reason Sony is picking up a whole lot more flak for this than most do, and that's because it made some by now fairly-well-documented errors when storing the data that allowed it to be accessed far more easily than should ever be possible. They stored information in plaintext that should never, ever need to be stored that way, they forgot to securely hash passwords and they've repeatedly failed to hire external security auditors to perform penetration testing, even when the PS3 root key hack made it clear that whatever internal auditing was being performed was simply inadequate. Information disclosures of this level don't happen very often, because no matter how good your hackers are, there are fairly elementary things you can do to keep the risk to a minimum. Sony did not do them.

All Sony have said regarding card information is a) that they haven't found evidence that the card information was taken but don't know for sure, and b) that the card information was encrypted. Encrypted does not mean unbreakable, and encryption is only as good as the person implementing it. Sony have already proven they simply do not understand cryptography - the PS3 root key can be decrypted from two certificates in a matter of seconds thanks to a fundamental implementation failure on their part, and if similar techniques were used and abused elsewhere, Sony could potentially be the least secure major online entity in existence.

This could actually be helpful, if the morons who buy the cards use them, that could bring people to the assholes who raided the database, probably not though.

So, I'll just return to bitching and fostering my hatred for these hackers and now the people who may buy these stolen credit cards, I'm going to start hating them as well.

Raesvelg:

Matthew Lynch:

I never said anything about that. I am just saying that it was their responcibility to protect the data their users entrusted the company with...

Which is where the problem lies; We don't know how extensive their protection actually was. You can lambast Sony all you want over a failure to protect your data, but if you don't know what they did to protect it, it's hard to say that they were somehow negligent in that protection.

Security has to work all the time; hackers only have to get lucky once.

I know...thats why even freeware security systems like norton update almost every day.

Didn't Sony announce, that the Credit card info was safe? and encrypted even if it was taken?
I doubt this claim is true.

Celtic_Kerr:

Akihiko:

farmerboy219:
hmmm...can you get a new card from your bank with different numbers and stuff without opening a new account

Just phone them up and ask them to cancel your card because you think someone might have access to your card details. They'll cancel it on the system and send you a new one.

kajinking:

Best way to avoid having someone steal your stuff is to have no stuff to steal!

OT: Can anyone confirm these reports? If they can then things just got a lot more serious. This whole mess has made me very concerned about my card security (Don't use PSN but Xbox live has my info). Anyone else here plan on using prepaid store cards a lot more in the future?

Either that or just completely removing my card off the system as soon as I use it. Was trying to remove the card on my xbox live account, but it's tied to my subscription, and so I need to phone them up to cancel the subscription so I can remove the card. -.-

I find it interesting how this fallout is also un-nerving and hitting XBOX users hard.

Not trusting SONY is one thing, but here and there, you see people losing trust in microsoft as well, just incase this happens again.

About 2-3 weeks ago I was very tempted to put my CC number on the PSN... Glad I didn't

Is it wrong that we Xbox users are worrying too? If these assholes did it to Sony we can only assume that they can do it to Microsoft as well.

I'm just glad I only use prepaid cards.

Adam Galli:

Celtic_Kerr:

Akihiko:

Just phone them up and ask them to cancel your card because you think someone might have access to your card details. They'll cancel it on the system and send you a new one.

Either that or just completely removing my card off the system as soon as I use it. Was trying to remove the card on my xbox live account, but it's tied to my subscription, and so I need to phone them up to cancel the subscription so I can remove the card. -.-

I find it interesting how this fallout is also un-nerving and hitting XBOX users hard.

Not trusting SONY is one thing, but here and there, you see people losing trust in microsoft as well, just incase this happens again.

About 2-3 weeks ago I was very tempted to put my CC number on the PSN... Glad I didn't

Is it wrong that we Xbox users are worrying too? If these assholes did it to Sony we can only assume that they can do it to Microsoft as well.

I'm just glad I only use prepaid cards.

Its already been tried on Xbox...however Mocrosoft must store details on seperate servers from the main live system as the hackers didn;t get anything.

godofallu:

ace_of_something:

Misho-:
Are debit cards at risk? I mean it's a silly question but I used a Debit Card, not a Credit card to purchase stuff. Well at any rate this made me feel real bad... I feel nausea now.

A debit card is even MORE at risk. Once they use the money on that. It's gone. You're not getting it back, banks aren't required to cover their losses on it at all (which is part of the reason they push so hard for you to have one) Change your account number as soon as possible.

Remember not to trust everything you see on the internet.

One person said all debit cards have a 250Euro limit, this guy is saying all debit cards have no protection.

All debit cards, and credit cards, come with individual contracts. For example my Debit card has a $2000 limit and it does have fraud protection.

On Topic: I'd just get a new card. Better safe than sorry guys.

Allow me to rephrase that than.
In the united states there is no federal law requiring some sort of asset protection like there is for credit cards. I am not talking about a 'limit' everything has that even a home depot card. I am saying if you contest charges on a debit card a lot of times you're left in the breeze.
Most banks do not offer that sort of service on debit cards unless you specifically ask for it. If you don't think you have something like 'fraud protection' than it's safe to assume you don't have it with a debit card. Also, if I might inquire; what are the actual conditions of 'fraud protection' on your debit card? In the last dozen ID theft cases i've had to do (admittedly I do maybe like one a month) it's ALWAYS a debit card and the victim NEVER gets their money back even some who do have 'fraud protection.'

Though you and I are in agreement. Everyone needs to just change their account number and be cautious of your name. If they have all the things that PSN listed it wouldn't be hard to open an account elsewhere in your name. (Another favorite of these kind of scum)

edit:

Matthew Lynch:

MattAn24:

Matthew Lynch:

I never said anything about that. I am just saying that it was their responcibility to protect the data their users entrusted the company with...

Yes. It is. And for all we know (not what news sites, aka the sensationalist media) want to report), SONY could have had a nicely encrypted system. Just enough to keep it safe. Hackers CAN bypass that. No. Not just any hackers. These are expertly trained cyber criminals who will stop at nothing to get information. If there's a wall, they'll break it.

Hell, what's the bet it's a butt-hurt ex-Sony employee who knew the way in and informed criminals? NOBODY KNOWS.

Unfortunately, their own agreements say they have to take the responcibility for losses from their security...at least when it comes to credit details. (At least thats what the agreement on xbox live is...not sure if it is different for Sony)

Raesvelg:

Matthew Lynch:

I never said anything about that. I am just saying that it was their responcibility to protect the data their users entrusted the company with...

Which is where the problem lies; We don't know how extensive their protection actually was. You can lambast Sony all you want over a failure to protect your data, but if you don't know what they did to protect it, it's hard to say that they were somehow negligent in that protection.

Security has to work all the time; hackers only have to get lucky once.

Pretty much agree with Raesvelg here. I'm absolutely not saying Sony is completely innocent. Far from it. Yes, they dropped a medicine ball of problems on themselves, but come on. Cyber criminals. I would totally be placing more blame on Sony if it were just GeoHotz supporters out for revenge.

But no, these guys probably aren't even gamers and don't CARE who they're attacking.

We can basically rule out Anonymous too, because aren't Anonymous the guys the defend privacy and user rights? If anyone in Anonymous reads this, please.. Don't go after Sony and attack their retail shops, etc. Find the ones that did THIS. This crime. And punish THEM. Then I might actually have much more respect for your cause..

HankMan:
Someone needs to held accountable
No, No this not the place.

It is always the place. Although it is good to find a healthy balance.

OP: thank god I don't use PSN enough that I put my card in.

ace_of_something:

godofallu:

ace_of_something:

A debit card is even MORE at risk. Once they use the money on that. It's gone. You're not getting it back, banks aren't required to cover their losses on it at all (which is part of the reason they push so hard for you to have one) Change your account number as soon as possible.

Remember not to trust everything you see on the internet.

One person said all debit cards have a 250Euro limit, this guy is saying all debit cards have no protection.

All debit cards, and credit cards, come with individual contracts. For example my Debit card has a $2000 limit and it does have fraud protection.

On Topic: I'd just get a new card. Better safe than sorry guys.

Allow me to rephrase that than.
In the united states there is no federal law requiring some sort of asset protection like there is for credit cards. I am not talking about a 'limit' everything has that even a home depot card. I am saying if you contest charges on a debit card a lot of times you're left in the breeze.
Most banks do not offer that sort of service on debit cards unless you specifically ask for it. If you don't think you have something like 'fraud protection' than it's safe to assume you don't have it with a debit card. Also, if I might inquire what are the actual conditions of that on your debit card, in the last dozen ID theft cases i've had to do (admittedly I do maybe like one a month) it's ALWAYS a debit card and the victim NEVER gets their money back.

Y'know, that's what makes me proud to be Australian. Banks aren't exactly entirely heartless bastards. And they don't just give out credit cards to random people. You need sufficient identification. 100 points of ID, which often includes birth certificate, drivers license/proof of age card, Medicare/health care card.. Enough to prove you are.. You.

I've been told that in America, ANYONE can apply for a credit card from practically zero identification. Time to reconsider that logic...

Bags159:
The story on Kotaku made it sound like there's no actual proof that they actually have enough of your CC's info to do this. Has solid evidence come to light since then or is this more sensational reporting?

It's the Escapist.

Sensational reporting is all the news room does anymore.

Kinda pisses me off.

Cade the Imperfect:
Didn't Sony announce, that the Credit card info was safe? and encrypted even if it was taken?
I doubt this claim is true.

Yes it is likely all Sony has on the network is an MD5 hash of the information that their internal computers then decrypt when needed. The hackers likely copied the encrypted data and put it against scripts on their own machines when they had time, and it doesn't take long for a script to run though an MD5 hash anymore. Even on a simple machine. Especially if it is against rainbow tables of likely values.

Actually from a computer security standpoint (as one with a degree in Information Assurance) the amount of time that would take lines up suspiciously closely with the claim that they are now selling it. They probably decrypted enough of it yesterday to get started.

Oh, here's a thought for everyone.. As my mother decided to tell me earlier..

Your personal details were already on the internet before all this happened. Your name can easily be found and used. Once your address has been viewed by anyone else, it has been seen. To say that THIS alone uncovered your private details is rather silly.

The more I follow the news on this, the less I'm freaking out.

Could be that I know to take anything that any media outlet says with a grain of salt. However, I haven't seen any hard evidence that it was taken, I haven't seen anyone walk up and hand me my credit card number, I haven't seen a single thing yet that proves I'm in any real threat that's different from any other day.

I'm not even going to take what this guy said seriously until he can back it up. Because all I've heard was backtracking and possibilities. Basically nothing different from what Sony has said or done, except Sony seems to be increasing with their information, not necessarily backtracking.

Not only that, if this guy was seriously interested in helping, why didn't he simply report what the hell was going on to the proper authorities instead of opening his yap and alerting the "hacker forums" in question?

Raesvelg:

Kalezian:

Wow, Sony goes and claims that the info isnt usable, then are proven wrong... again.

Proven... by whom?

Here, let me give you an example.

* I HAVE STOLEN THE ACCOUNT INFO AND CC INFO OF EVERY AMAZON.COM CUSTOMER! IT WAS SO EASY! I WILL SELL THIS INFO TO THE HIGHEST BIDDER! *

By your standards, I have now "proven" that I got into Amazon's system and stole all their CC info.

You monster! Give it back!

Matthew Lynch:

I know...thats why even freeware security systems like norton update almost every day.

Matthew Lynch:

Its already been tried on Xbox...however Mocrosoft must store details on seperate servers from the main live system as the hackers didn;t get anything.

My statement stands. You are apparently under the impression that this was the first, last, and only attempt to hack PSN. I think you can safely assume that it, in fact, was not.

Matthew Lynch:

Unfortunately, their own agreements say they have to take the responcibility for losses from their security...at least when it comes to credit details. (At least thats what the agreement on xbox live is...not sure if it is different for Sony)

Care to point out the precise part of the Xbox LIVE terms of service where it states that? I must have missed it, because the only section I was able to find that mentions anything of the sort placed a hard cap on Microsoft's liability to the tune of one month's subscription fees.

So..... the credit card information wasn't encrypted after all, or at least not as encrypted as it should have been?

Onyx Oblivion:

Bags159:
The story on Kotaku made it sound like there's no actual proof that they actually have enough of your CC's info to do this. Has solid evidence come to light since then or is this more sensational reporting?

It's the Escapist.

Sensational reporting is all the news room does anymore.

Kinda pisses me off.

Heh.. It's so true.. Journalists of The Escapist, pick your damn act up. You may be able to use scare tactics on the teenagers of this community but it's not working on those of us who aren't entirely stupid. Report moar unbiased news plox.

Thank god I've never bought anything online other than with coupons.

Still, can't say I like having my personal information still online.. I mean offline?

silly consoles :P

I went ahead and canceled my debit card, got a new one, made up a new PIN number, put that new card onto ITS OWN email account and finally, changed ALLLL of my passwords.

I'm still going to use my PS3 as much as my Xbox 360... just from here on out, I will not be putting my cards onto a Sony-owned product. I don't blame them, partly because I'm currently in a Bachelors' degree for ethical hacking and security analysis therefore I know, slightly, how easy it is to hack into these companies.

Fun fact! Most companies put their PHP passwords onto an "easily viewable from the internet" page that is quite public. You have to know how to search for it, but its there and if you know this, you can get to the companies Sys/App server[s] and steal confidential data from it by knowing this password. At the least, it'll give you some legroom to get into the network itself. A common control for this is to use PHPIDS instead and block your password from appearing on that page (again, being quite vague about what "page" this "PHP/PHPIDS" language is).

See, this makes me curious... did Sony know this? For a multi-billion dollar/yen/whatever company, I sure HOPE thats not what happened. Again, I'm a novice in this subject but if I knew this, I'm fairly certain the hackers knew this and more as well...

ace_of_something:
Okay speaking as someone who investigates this kind of crap (albeit on a much smaller scale)
This has the air of bullshit around it. Most thieves even the stupidest ones, NEVER EVER say WHERE they got something they stole. Even online because if you admit where you got it it's much easier to trace it back to you.

They might have traced some of the credit cards that are being sold on the underground forums back to those that were taken from the PSN. Also I think it would be assumed that if you are selling a shit ton of credit card numbers at this point in time that it came from the PSN. As for me if I was the hacker I would lay low for a while and not try and sell them or sell like 5-6 at a time for a while.

So... Xbox fans cryout around the world, in songs of joy, upon the bad stream of luck that the arrogant Sony corporation is facing....

Men behind lawyers when they needed peopel to work in theyre own security... in theyre arrogance they tought themselfs to be Gods, and trough theyre arrogance theyre falling, right to the solid concrete, like mere man, facing a terrible problem that will end them (TILL THEY GET AN ESCAPE GOAT).

So the time has really come.... when PlayStation begins it dangerous descent into the pits of Lawsuits and Angry Costumers.... Truth be told its a horrible sight....

But i do not worry... PlayStation shall not fall like the incredible (and ahead of its time), the Mighty Dreamcast...

I know that after this descent PS will reappear.... like a soaring Phoenix.... in a Majestic Rebirth, after facing a catastrophy...

We can only wait.... and hope...

MisterColeman:

Cade the Imperfect:
Didn't Sony announce, that the Credit card info was safe? and encrypted even if it was taken?
I doubt this claim is true.

Yes it is likely all Sony has on the network is an MD5 hash of the information that their internal computers then decrypt when needed. The hackers likely copied the encrypted data and put it against scripts on their own machines when they had time, and it doesn't take long for a script to run though an MD5 hash anymore. Even on a simple machine. Especially if it is against rainbow tables of likely values.

Actually from a computer security standpoint (as one with a degree in Information Assurance) the amount of time that would take lines up suspiciously closely with the claim that they are now selling it. They probably decrypted enough of it yesterday to get started.

I assume that, with your degree in Information Assurance, you're aware that you can't "decrypt" an MD5 hash, or indeed any hash? That all you can do is find collisions, which are useful when verifying entered data (like passwords) but useless when you need to know the original data (like credit card info for repeated transactions)?

Rainbow tables are yesterday's news, and anybody that really wants to hash something these days uses the likes of bcrypt, not MD5. It's far more likely that they used something akin to RSA, which is breakable if poorly implemented. Which it may well have been.

beema:
oooh... reading this made me feel sick to my stomach
glad I had a new card issued...
hopefully some d-bag wont be using all my other info to just open up a new card though...

I don't think that's possible unless they also have your social security or something like that.

which the PSN doesn't require.

I cancelled my old card within 30 minutes of hearing the story... new one should be here next week! :)

Mr. Grey:
Not only that, if this guy was seriously interested in helping, why didn't he simply report what the hell was going on to the proper authorities instead of opening his yap and alerting the "hacker forums" in question?

If there were a comment on The Escapist that would make me believe humanity still exists, it would be this.

Why the fuck would anyone, much less Trend Micro, go and announce these "findings" to the media, potentially alerting the hackers involved.. Rather than contacting authorities and going "Um.. Y'know 'bout that whole Sony thing? Well here's what I just discovered!"

When it's shit like identity theft/fraud, you INFORM THE POLICE OR FBI.

Why are people here assuming that credit card encrytion can't be broken. They might of only had light encrytion on the CC numbers. What really irritates me is that Sony are now saying that they are moving the location of where they store all these details and making it more secure, but why wasn't it that secure in the first place. It should of been as secure as they could of made possible.

HankMan:
Someone needs to held accountable
No, No this not the place.

Laughter is the guardian of sanity in times of darkness

I wonder if the FBI is capable of getting involved? Sony's HQ is in Japan right? However, alot of the accounts stolen were Americans and I would bet dollars to donughts that the hacker team who did this is comprised of Americans.

Alot of the personal information they have acquired can change.
Really, the only thing that can't is names and reasonably addresses. So wouldn't Sony be in the green if it just compisated it's customers when the money is stolen? IDK. Idealism I suppose

Why would you need to change your account number ? Can't you just have your debit card cancelled and have a new one issued ?

Personally I think this is a threat, they do have the info and they have the means to sell it, they are using this to blackmail sony, and then they will probably sell the info as well.

The reason they are announcing how and where they got it is to put sony in a hard place, and they are not going to use the info themselves to avoid being caught.

All in all its pretty bad for people on the PSN, but I think sony have made one too many dick moves and they sort of deserve it

fuck, fuck fuck, fuck

i really hope these turn out to be rumors

Onyx Oblivion:

Bags159:
The story on Kotaku made it sound like there's no actual proof that they actually have enough of your CC's info to do this. Has solid evidence come to light since then or is this more sensational reporting?

It's the Escapist.

Sensational reporting is all the news room does anymore.

Kinda pisses me off.

It's not just the Escapist either. But yeah, I don't trust the titles of their stories anymore, I prefer checking what the source actually says.

Well I need to laugh right about now to keep from crying, so hey look, Sony gave an official statement on this whole situation!
http://www.youtube.com/watch?v=eaBUeINW_3s&t=42s

Haha, that's good for a chuckle right? Ah... I'll be over there weeping if you need me.

I bought something on the PSN once with a card, then deleted it off, but later switched to only using PSN cards. Is my CC in danger?

How many idiots said, "You're blowing this out of proportion."

Seriously. Looks like all that fear was well founded.

MattAn24:

Mr. Grey:
Not only that, if this guy was seriously interested in helping, why didn't he simply report what the hell was going on to the proper authorities instead of opening his yap and alerting the "hacker forums" in question?

If there were a comment on The Escapist that would make me believe humanity still exists, it would be this.

Why the fuck would anyone, much less Trend Micro, go and announce these "findings" to the media, potentially alerting the hackers involved.. Rather than contacting authorities and going "Um.. Y'know 'bout that whole Sony thing? Well here's what I just discovered!"

When it's shit like identity theft/fraud, you INFORM THE POLICE OR FBI.

yup this is clearly a lack of profesionalism and personal ethics.

 Pages PREV 1 2 3 4 5 6 7 8 9 10 11 NEXT

Reply to Thread

Log in or Register to Comment
Have an account? Login below:
With Facebook:Login With Facebook
or
Username:  
Password:  
  
Not registered? To sign up for an account with The Escapist:
Register With Facebook
Register With Facebook
or
Register for a free account here