PlayStation Network credit cards protected by encryption All credit card information stored on Sony's PlayStation Network was encrypted, the company said one day after warning users their user names, passwords, birth dates and home addresses were stolen in a security breach. “The entire credit card table was encrypted and we have no evidence that credit card data was taken,” Sony …
And you're basing that conclusion on.....?
Clearly this is a big embarrassment for Sony, but I don't believe for a second they're stupid enough think that lying about events is going to help. There are bound to be a number of investigations following this debacle, so any lie would be discovered and make things a whole lot worse for them.
That is, unless, you're keen on conspiracy theories and never believe anything you're told. In which case obviously Sony is in league with the legal system, the government , the Illuminati and our alien overlords, and the whole thing will be whitewashed.
But one important thing to learn from all this; never ever give your proper full name and correct date of birth to a website that has no genuine need, or right, to know them. It's not your job to help them build a detailed marketing database.
"A correct name and address are often required for cardholder-not-present credit card sales. Birthday though, no need to help em out with that."
Wrong, they need, name on card, card number, exp date, ccv (maybe issue number and valid-from date depending on card type)
That's all I had registered with them and it worked for me.
The name and address part is used by vendors to verify that the delivery and billing address are the same so they don't send their goods to a safe house. It won't stop the transaction going through.
Also with PSN - no product to deliver, no address needed. You can put any old crap in there, I honestly don't know why they ask for it.
The reason they ask for your date of birth is to make sure that you are not a minor trying to download content intended for more mature audiences such as 18+ rated games. They probably have to do this because of some stupid legislation, however why ask for a date of birth (which I consider to be confidential) in the first place when they can just ask your age and timestamp that - it's idiotic really.
>Wrong, they need, name on card, card number, exp date, ccv
Depends on the retailer - I just [reluctantly] bought an iPad 2 on my MC from the Apple Store UK - its shipping to my work address and no CCV was required just the card number, billing address and exp date....its on a new Apple ID too, so no purchase history or other verification is available to Apple.
[and pre-empting the 'nay' sayers, its risk free to try it yourself without confirming the order in the last step]
inachu,
Thank you for your recent order. This e-mail serves as your receipt for a purchase, ************** (NAME DELETED
Order Number: 1097793074
STATION CASH PURCHASES
Station Cash Funding Purchase
$10.00
Tax:
$0.00
Order Total:
$10.00
Sony Online Entertainment LLC
http://www.station.sony.com
Nothing has shown up on my cradit card yet. I never made these purchases with a credit card and if somehow I am billed for that $5 and $10 that I never made then I will go class action with this.
sony would be mad to tell all, say, if the whole thing was either an inside job (providing they dont know who did it or that person has a dead drop with all the data he stole set up) or perhaps if the whole blunder was 100%, completely and solely their fault.
"blame it on a hack" has been done before.
that said, personally I don't doubt there has been a hack, but i'm not certain sony are saying everything either. I wouldn't.
Either way, they can't repel a cockup of that magnitude.
inachu,
Thank you for your recent order. This e-mail serves as your receipt for a purchase, **************(NAME DELETED)
Order Number: 1097793142
STATION CASH PURCHASES
Station Cash Funding Purchase
$5.00
Tax:
$0.00
Order Total:
$5.00
Sony Online Entertainment LLC
http://www.station.sony.com
I NEVER BOUGHT ANYING worth $5 and never used any kind of credit card either.
Rainbow tables are not trivial to make. It'll take months to make one that has 8 chars or less, years for 9 chars. And rainbow tables only record 1-8 iterations of hashing (they're hard enough to make as it is). So, if Sony hashes passwords say, 32 times, then no current rainbow table will work. But if Sony is being lazy and only hashes once or a few times, then yes some of the passwords will be susceptible to a rainbow table if it's 8 chars or less and especially if it's a dictionary word. That is why I use 12 chars minimum for all my passwords. Short enough to be remembered and typed, long enough to be hard-to-crack, and most likely not yet found in any rainbow table.
But more importantly, if sony uses the same salt when hashing every user's password, then that single Rainbow Table will be of use when attempting to identify the hash collision for the entire dataset.
However, if like someone with a brain, sony have used a random hash per password, then a potential exploiter would need to construct a Rainbow Table for each and every salt/password combination, which even with immense distributed computing power is essentially impractical.
But let's be fair, we're not dealing with people who know the difference between same-salt and random-salt hashing here, we're dealing with sony.
An easier, and more user friendly way, is to apply a system salt, user salt, then hash.
No way any rainbow table will be able to crack that, as you'd need a different table for each user.
eg (not a real example)
sha($password . 'Sa1tY@5' . md5($userid))
Your password doesn't need to be so long that way.
12 chars isn't too long in isolation, but when users need to remember 10-20 different passwords it becomes unwieldy, and in the end just encourages users to write passwords on post-its under keyboards, on monitors etc, or as the story suggests, use the same password for everything.
In addition, just repeatedly hashing a hash of a hash may seem more secure, but it still allows your entire table to (potentially) be broken with one rainbow table.
A notebook full of strong passwords locked in your desk drawer is much safer than using the same simple password everywhere because you're afraid of forgetting the password.
The odds of someone breaking into your house to steal your book of passwords is orders of magnitude lower than the chances of someone hacking your online accounts with simple passwords.
Perhaps.
But we aren't generally referring to home users here.
Personally I was referring to people in office buildings who write down passwords and stick them to their monitors and keyboards etc. We had to fire a member of staff not too long ago for habitually writing down passwords, and leaving them in plain sight (in public areas!)
Also your solution of writing down passwords (and presumably usernames and site names too) doesn't help you when you aren't at home.
An encrypted password vault, for example on your mobile would be a far better solution.
If you also install remote shredding software you are protected even if your mobile is nicked too.
"But we aren't generally referring to home users here." - says who? Arent home users going to be the main users of the Playstation Network?
"Also your solution of writing down passwords (and presumably usernames and site names too) doesn't help you when you aren't at home."
Nope, but then you can always carry the passwords around with you. Usernames tend to be a lot easier to remember.
Of course there is always the risk that evil Chinese h4xx0r will fly all over the world to hunt you down and rob your password so they can use it to get into your gmail account. But I tend to see this as pretty low in the scale of things.
Businesses often take too harsh a line on writing down passwords. It is a rule that is frequently put in place without any assessment of what it is actually trying to achieve. How much damage did the business suffer as a result of the Staff member leaving their password written down? (or was it all theoretical?)
Its the same problem with password lengths - we have some received wisdom which sounds "right" so it gets repeated out of context and we end up with arcane password rules that become self-conflicting (35 alpha numerics that mustnt be written down and changed every 30 seconds...etc.)
Its almost as bad as the idea that because a password "looks" insecure it must be insecure. Patterns appear in random data so we even go as far as damaging the randomness protection so the password appears more random.
Sort of agree but:
"and in the end just encourages users to write passwords on post-its under keyboards, on monitors etc,"
What is wrong with putting your password for a remote internet service on a post it note next to the monitor?
Unless the hackers who pwn'd Sony can also break into my house and look at my monitor, the 32 character password I have written down is pretty safe. For most internet based services, the risk is from a distant hacker attacking the system and getting the hashfile. The defence here is for a hard to crack password. If you have to write this down is that really a risk?
If you are a TLA government agency running TS systems with a persistent threat from hostile foreign agencies who can spend the time and effort to hire cleaners etc., then writing down passwords is a bad move.
If you are a home user, having your internet banking password on a post it under the keyboard is a lot less risky than using an easy-cracked / easy-guessed password.
They can hack into your webcam and take a look at a reflection of your goggles lenses, provided you use goggles at all. Or any reflective surface facing the PC for that matter. Use dark non-reflective shades too, since your eyes can literally betray you at this moment.
(...)
As if I would let my webcam plugged in at all times, or play PS3 right next to a running PC with the said webcam on the same IP subnet. Now that's some hacking attempt.
1. Go to http://www.miraclesalad.com/webtools/md5.php and generate a hash
2. Copy and paste your hash into Google Search
3. Open the first result.
Bonus. Was covered by the reg a while back too: http://www.theregister.co.uk/2007/11/21/google_md5_crack/
More salt pls
"Rainbow tables are not trivial to make. It'll take months to make one that has 8 chars or less"
Only if you are using a 286. If you have a modern PC the creation times are nothing like this.
However, if you are trying to generate them with your wrist watch, there are easier solutions such as freerainbowtables.com.
It took me two weeks to generate rainbow tables for 16 characters using a VMware instance.
Where I do agree is in the hash and iterations but there is more to it than the simple number of goes through the cycle. Plus, if you have a windows box you probably want to be using 15+ character passwords.
“The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack.”
I would say that events suggest the security system wasn't that sophisticated at all!
The fact it took Sony several days work out exactly what was accessed says a lot for the capabilities of their intrusion detection system and auditing, assuming they have either of course. Unless the few days delay was due to them hoping the story would just go away on its own.
'Encrypted'. Brilliant. Just like Gawker with DES or something equally amazing. Maybe they've gone a step up all the way to ROT13 if we're reallly lucky...Bastards.
I take back all my previous statements on this - Sony's response has been utterly appalling.
I cancelled my card yesterday. I don't think I'll be putting my replacement card details anywhere near my PSFail.
They have lost me as a customer over this, the PS3 is not that good, if anything they whole platform is lacking. Fuck 'em.
And another thing... I haven't received any damn email.
I still suspect it was unencrypted and this is a halfarsed attempt to fend off the legal action, class action lawsuits and possible criminal prosecution (is it US jurisdiction?) that would lead from them admitting that they were storing credit card details in plain text.
Even though it's a bank holiday weekend and I won't see my new one for ages, I'm still glad I cancelled my card.
See the following undated chat transcript where some users had sniffed the communications from the PS3 to PSN and found that ALL credit card info was send in PLAINTEXT (creditcard info redacted here for obvious reasons)
http://bit.ly/gXFNLa
<user2> for example:
<user2> creditCard.paymentMethodId=VISA&creditCard.holderName=Max&creditCard.cardNumber=4xxxxxxxxxxxxxx1&creditCard.expireYear=20nn&creditCard.expireMonth=2&creditCard.securityCode=2nn&creditCard.address.address1=example street%2024%20&creditCard.address.city=city1%20&creditCard.address.province=abc%20&creditCard.address.postalCode=12345%20
<user2> sent as plaintext
How do you know that is actually what is sent? and not just some geek trying to "get one over Sony" and oh I don't know, making it all up? given it's all fake data and all. Also it uses the varible of province, rather than the more standard county or state as used by the payment gateways I've used in the past. I'm very very suspect about the authenticity of this "evidence"...but then you do have proof, it's from an internet chat room and everything....
Why bother cancelling it until something untoward has happened? I can understand that if it's a debit card (which is why using debit cards online are a bad idea) but with a credit card it doesn't matter. If/when someone uses your card details it's not your money being stolen. That's the time when you inform your CC issuer. Let them take the fight to Sony - the money they lose will be a juicy incentive.
I meant that it was the CC issuer who loses the money and will therefore have additional incentive to sort Sony out. But I suppose it could be the retailer - it wouldn't surprise me if the banks pushed it back.
Still - my point remains that it's not /your/ money so not worth you doing anything about it until it actually happens. I've had it happen once or twice before and it's no big deal. Call issuer, get replacement card in post two days later. I think there was a form to fill in and fax back but there wasn't much to it - basically just confirming the disputed transactions.
I am sure it would be public knowledge.
There are hackers who buy new products such as the PS3 just to hack them. Now if I was planning to do any reversing of PS3 and its protocols I would sniff packets. If I was a curious security researcher I would sniff packets. I would hazard a guess that hundreds maybe a thousand or more technically competent individuals have captured packets between PS3 and PSN.
The chances of all of those people keeping quiet about such a security failure are as close to zero as matters.
Regarding encryption:
There is no excuse for not salt hashing passwords, regardless of the data those passwords protect.
I was surprised that a company as large as Sony had to call in third party security analysts, they really should have their own dedicated security team that are fully clued up on the systems involved. Perhaps if they had, this breach may not have happened in the first place.
http://www.bbc.co.uk/news/technology-13231307
"That advice was echoed by Visa Europe, the company behind the Visa payment system. It explained that if card data was found to have been stolen and used to make unauthorised payments, users would not have to pick up the bill.
"Cardholders who are innocent victims of fraud will get their money back, subject to the terms and conditions of their bank," it said in a statement.
PlayStation Network members were urged not to cancel their cards at this stage.
A spokesman for Barclaycard said that such action was unnecessary until it was known if card numbers had fallen into the wrong hands."
So - no need to panic, Mr. Jones! Just wait until it happens (if it does).
Update:
wow, I received the email less then 5 minutes after I made my post!.... should I be worried?
Quote:
Although we are still investigating the details of this incident,
we believe that an unauthorized person has obtained the following
information that you provided: name, address (city, state, zip), country,
email address, birthdate, PlayStation Network/Qriocity password and login,
and handle/PSN online ID. It is also possible that your profile data,
including purchase history and billing address (city, state, zip),
and your PlayStation Network/Qriocity password security answers may
have been obtained. If you have authorized a sub-account for your
dependent, the same data with respect to your dependent may have
been obtained. While there is no evidence at this time that credit
card data was taken, we cannot rule out the possibility. If you have
provided your credit card data through PlayStation Network or Qriocity,
out of an abundance of caution we are advising you that your credit
card number (excluding security code) and expiration date may have
been obtained.
I've not seen any email from them yet, I know they have the right address as I've got the original welcome to PSN email. I never gave them credit card details, although I was foolish enough to give them the correct postal address, which is now out of date. As for the password, I gave them the one I use for random untrusted sites that demand passwords for no good reason, like this one!
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
