Sony warned today that intruders had broken into its PlayStation online game network, a breach that may have jeopardized the user names, addresses, passwords and credit card information of up to 70 million customers.
In a post to the company’s PlayStation blog, Sony spokesman Patrick Seybold said the breach occurred between April 17 and April 19, and that user information on some PlayStation Network and Qriocity music streaming accounts was compromised. The company said it had engaged an outside security firm to investigate what happened, that it was rebuilding its system to better secure account information, and that it would soon begin notifying customers about the incident by email.
From that blog post:
“Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.
“For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information. Sony will not contact you in any way, including by email, asking for your credit card number, social security number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking. When the PlayStation Network and Qriocity services are fully restored, we strongly recommend that you log on and change your password. Additionally, if you use your PlayStation Network or Qriocity user name or password for other unrelated services or accounts, we strongly recommend that you change them, as well.”
In short, if you have a PlayStation account, your name, address, email, birthday, user name and password have been compromised, and if you gave Sony a credit card number to fund your account, that and the card’s expiration date may also have been taken (Sony says no card security codes were lost). Obviously, this becomes a much bigger problem for users who have ignored advice about how to choose and use passwords: If you are a Sony customer and picked a password for your PlayStation account that matched the password for the email account you used to register at Sony, change your email password now.
The first signs of trouble came nearly a week ago, when the PlayStation network went offline. Sony subsequently published several blog posts apologizing for the outage. On April 22, Sony acknowledged that its networks had been breached, and a day later the company said it was rebuilding its system, but it didn’t disclose the extent of the breach until today. Judging by the comments left on the company’s blog post today, many PlayStation users are irate over having been kept in the dark for so long about the severity of a breach that potentially affects their personal and financial information.
It remains unclear what may have caused the breach, and while there are many theories, one explanation seems to hold more water than the rest: TorrentFreak cites a Reddit.com posting from “Chesh,” a self-proclaimed staff member from psx-scene.com, a site dedicated to hacking and modding PlayStations. According to Chesh, the breach came about because of a glitch in the system that allowed “extreme piracy of PSN content.”
Chesh believes that the problem stems from the availability of a new CFW (custom firmware) for the PlayStation 3. CFWs give hardware modified functionality and REBUG, as it’s known, turns a standard PS3 into a machine which provides access to some of the PSN’s features usually reserved for developers.
REBUG, which was released on the last day of March, apparently has a trick up its sleeve in that it is able to get previously hacked Playstation 3 consoles back online after they’d been excluded by Sony. It’s not a feature built in by design, but one that users have learned how to exploit. Chesh reports that some REBUG users were initially using it to play Call of Duty on the dev networks around April 3rd. Neat enough in itself but there was a monster in the shadows.
Since REBUG allowed users to connect to a previously secure and private developer network, certain information provided by users wasn’t security checked by Sony. According to Chesh, one of the items whose authenticity was never checked was – unbelievably – credit card numbers. People could apparently make them up and get access to whatever content they wanted.
I’m wondering how the credit card vendors are appreciating all the extra workload caused by such mass insecure storage of so many card numbers?
I’m not a Bank of America lover. However, their ShopSafe option has saved me from any chance of being cyber-swiped. Parking a static credit card number with any Internet site is saying, “Here, use my card!”
When, oh when will online companies stop demanding that they keep our credit card and financial information in their databases? “We’ll keep it safe, trust us!” they always say.
I stopped shopping online with any company that demanded I let them store my credit/debit card years ago. If you want to buy something there’s almost always somebody else who sells it who won’t keep your financial data, so that’s who I shop with. Sure, if you want to play Playstation games online, I guess you don’t have any other choices. I’m not a gamer, so that’s not a problem for me.
But it really isn’t safe to let your financial info go into anybody’s database except your bank. Even then, I stay away from the big banks. Why wear a target on your pocket book?
Deborah: Is there any topic where you won’t put in your two-cents worth, expressing your own loudly and lengthily self-proclaimed personal likes, dislikes, and opinions?
I’ve got a suggestion for you:
Start your own blog; you can call it “Debbie Does Disservice.”
But just because they don’t store your credit card info so you can come back and shop without re-entering it… does that really mean they don’t store your info for the one time you typed it in?
Maybe I’m completely wrong – but I generally figure anyone I give my credit card number to… online or in person, may be storing it in their back-offices or off-site. No, I don’t love that thought – but unless I want to go to only using cash everywhere I’m not really sure there’s a way to avoid companies storing your credit card, and possibly other types of, information… If the company itself isn’t – their processor and/or acquirer most likely is, and that may or may not be your bank.
I almost never opt for websites to remember my CC info. I doubt most are actually forgetting the information but I see this as a leaving a small hurdle for potential thieves.
Smaller operators that outsource payment services likely never see your info themselves but I think most larger organizations are storing the PIN and expiration date whether you ask them to or not. No one should be storing the security code anywhere.
A stored CC number is useful for such things as issuing refunds for returns.
In order to process your transaction, every retailer MUST store your credit card data temporarily. They MUST be able to submit the card information for processing, and MUST retain it for some time later in case there is a problem or dispute. Otherwise, people could just complain to the bank about charges on their card, and the retailer would have no proof that you made the transaction, or that you gave your card number.
@steve
Not so, Virtual Payment Clients redirect the user to the bank; The bank then redirects them back to the merchants site with a variety of response/transaction codes, none of which include the actual card number.
@Joel
“Virtual Payment Clients redirect the user to the bank; The bank then redirects them back to the merchants site with a variety of response/transaction codes, none of which include the actual card number.”
This does sound like a huge improvement over what we have now, at least then you would only have to trust your bank.
Googling “Virtual Payment Client” though, all I see are solutions for merchants and financial institutions to set this up, nothing for individual users to set it up for themselves. So basically, you can use this if your bank and your trading partners are set up for it, and not many are yet.
But still – a hopeful step in the right direction.
@DeborahS
You are correct, a consumer can’t decide to use or not use this system, the merchant needs to be signed up to it.
The point I was addressing however was the comment from @steve: “In order to process your transaction, every retailer MUST store your credit card data temporarily.”
This is the case with any business, they dictate the method of payment, if you’re unhappy with the method, go elsewhere.
Incidentally, VPC has been available for quite a long time; this isn’t a step in the right direction, it’s what merchants have been stepping away from.
Maybe we should start a “letter-writing” campaign. It could be as simple as asking any online merchant you do business with when they’re going to get Virtual Payment Client set up, and be ready to give them links to info and how-tos. And mentioning it online whenever an opportunity presents itself.
Just a thought.
@ T.Anne
You, and others, make the excellent observation that whenever you enter your financial information into an online form or make a point-of-sale purchase, the data will be kept for some length of time. There’s no work-around for that. You either do it and take all the attendant risks, or don’t use credit/debit cards.
My problem is with the companies who keep permanent databases on their customers, including their credit card info. Originally this practice started out innocently enough. They wanted to provide a service, a convenience for their customers. (And some of them wanted a way to automatically bill customers, but still, that was also innocent enough.) The problem is that these databases are permanent, and the longer something sits around on the internet the more likely it is that someone will try to do something with it. I personally don’t like those odds, and would rather shop from someone who doesn’t keep a permanent database.
YMMV.
But how do you know who does and who does not keep the data? How do you know how long they keep it for? Some keep it for a yr, 3 yrs, 10 yrs, some never delete it. However, I don’t know that there’s an easy way for any customer to know that. As a shopper, in most cases, I don’t even know if they outsource their payment processing or do it in house… how could I know if either party keeps those records?
I get the point that it’s risky – and the longer it’s out there, the more attempts someone can make at it… but think of it this way. Even if they do still have your card on file from 5 yrs ago – odds are it’s expired now. So really, after a certain point – the data can be stolen and the info can’t really be used (other than to possibly attempt social engineering scams of sorts)… And yes, the less places that the information is stored – the more secure it is… but as a customer at different establishments there’s no way to know or control how each one of those places stores your information. And if they do purge it eventually – you want that to be done securely as well…
Honestly – if you don’t like the thought of a company or their processor keeping your CC info, odds are you’ll have to stick to cash transactions. Otherwise, there’s always some risk in your information getting into the wrong hands.
The playstation network is free, there is no charge to use it. Even if you wanted to buy something like a game or rent a movie on the network, many use the psn cards that are sold at local retailers. So it’s possible to use the playstation network without ever revealing any financial data.
@JBV
Do you know another way I can get email notifications of all the comments? You have to leave a comment to be notified of them.
Besides, where’s the rule that you can’t have lots of opinions about lots of things? Internet security is a pretty important subject these days. How will I know how my opinions stack up against others if I don’t tell you what they are?
You can subscribe to the RSS feed at the top of the page to get notification of new blog posts. Then at the bottom of each blog post, there is tiny type with a link to a different RSS feed for the comments.
Thanks, I did see that, but I don’t use RSS. I have way too much stuff to read already, plus get my work done. I’ve tried RSS, but it’s way too much hassle for what it’s worth. Email notification works the best for me.
Besides, I find all this stuff rather fascinating and for as long as I’ve been aware of the issues and proactive on them, I’ve never had a chance to really talk to people about them. What’s the point of having comments if people aren’t supposed to use them? Sure isn’t like that on any other blog I’ve spent time on.
I use Seamonkey (like Thunderbird) and my RSS notifications are superficially indistinguishable from emails.
“I use Seamonkey (like Thunderbird) and my RSS notifications are superficially indistinguishable from emails.”
Well that does sound like a nifty invention and I’ll have to check it out someday. But my list of tools and toys to try out is very, very long. Not sure when I’ll get to that one.
Sony’s lack of prudence in picking fights with those who have time & motivation on their hands which enables them to seek and build means for retaliation should be a clarion call to others in the industry. OtherOS should have been a money maker; Sony ended up losing face.
It’d be interesting if any iTunes-related news gets turned over as a result of Sony’s ineptitude. The Apple-hired NSA talent should take Sony’s lesson into account. Dev networks need to be secured differently. As I’m still studying iOS, the similar question arises: how do all those iOS in-app purchases get tested by non-Apple devs?
The dev signing keys for iOS seem to be the Apple equivalent to Sony dev firmware. The certificate structure makes it a bit more difficult to spoof and swim upstream in the App Store, but possibly could be spoofed.
It is not just on-line places that keep our info excessively long time. It is also in person places.
I keep my credit card receipts, and check my credit card bills (also some other kinds of bills because some of them (phone bills especially) can pick up all sorts of unauthorized charges), so when I saw that a hotel had double charged me for a visit – I phoned them to complain, requesting a refund … Oh, they can credit my credit card … do I need to give you the # again … no it is still in our computer … weeks after I went there.
I told this story to some pals, and was regaled about the return of some merchandise, for credit, which went on same credit card as original purchase – no need to show it again, all the data is still in their computer, weeks after the original purchase.
My sister told a story about how the ATM gave her more money than she asked for, went into the bank to try to return the excess, it turned into a nightmare … banks make mistakes more often than people realize, have lots of trouble fixing them.
Username and address are meh. Any determined googler can track that down for most people. Credit card info is slightly less meh, but it’s pretty limited info – it’s not a magstripe dump so it’s largely worthless.
The big concern that nobody seems to be talking about is passwords. Granted this is largely based off of one quick press release, but was Sony really storing passwords for 70+ million users IN THE CLEAR?
The length of time it took to release information was due to the incident response team, or in this case an external forensics company, assessing the extent of the breach. In Sony’s case this is obviously a large company with data spread over several locations and trying to understand the level of the breach would be their first priority.
PCI DSS stipulates that they should not be storing the CV2 or CVV numbers and that they can store credit card numbers so long as they meet the requirements in that standard. Obviously they failed in this respect if CC data has also been accessed, but this has not been confirmed yet. This should be Sony’s next priority, to determine if CC data has been compromised, not bring their games network back online.
Forgot to mention that any network area storage for credit card info should be isolated from traditional network functions, which is probably why they can’t yet confirm if this has also been breached, as this would require a separate branch of investigation running in parallel to the main breach.
They have one massive headache on their hands and it will take them a significant amount of time to get to grips with all the data audits and trails that have been left.
What he said.
I liked, “Sony says no card security codes were lost”. Presumably, because they don’t store them.
“PCI DSS stipulates that they should not be storing the CV2 or CVV numbers and that they can store credit card numbers so long as they meet the requirements in that standard. Obviously they failed in this respect if CC data has also been accessed”
If they’re allowed to store it and met the requirements – simply having someone access the CC data would not make them fail. Now if it’s in clear text – it’d be a serious failure… or if the CV2 or CVV (or any other sensitive authentication data for that matter) were stored – it’d be a serious failure… but again, if they met the requirements of the standard then those things wouldn’t happen. Everyone can be breached, simply being PCI DSS compliant doesn’t make you breach resistant… it makes it less likely, but not impossible. The PCI DSS is a minimum security standard, not the end all be all.
But yes, Sony has a serious headache on their hands and a lot of work to do to figure out the extent of the damage and the flaws/weaknesses in their system(s). I can understand their desire to be back online (profit potential), but I also agree that their main focus should be on the situation at hand and figuring out what was taken so that the appropriate actions can be taken to limit the damage as much as possible.
IF all the address, password, email, billing address, and especially credit card numbers (and they’re usable) were taken – someone’s got a treasure of information to potentially do some serious damage.
“The PCI DSS is a minimum security standard, not the end all be all.”
I would characterize PCI as more than a minimum standard. If there’s an organization that actually has the resources to follow PCI to the letter (much less determine what that “letter” is), that organization would be nigh uncrackable. Keeping the “man trap” physical access control properly lubed and tightly-sprung is, by itself, enough to rise above what I consider “minimum standards”.
(OK, so the “man trap” got dropped after the first version of PCI. It’s still one of my favorite requirements to cite.)
DavidA
The Verizon report, in a prior year, included which of the breached places were allegedly PCI compliant (on paper, or company claims) at time of being breached … many of them were.
The question then became … were they lying, was the PCI compliance a fraud at those places, was the claim of a breached place to be PCI compliant a misunderstanding of what it means to be PCI compliant, does being compliant mean the place lets its security guard down?
“nigh uncrackable” does not apply to these statistics.
Firstly, I do understand that “uncrackable” is an impossibility.
Yes, I think they’re lying. I think almost everyone who claims to be PCI compliant is lying. I think even the auditors who validate upper-tier organizations lie. Between the vagaries in the standard and some of the more onerous requirements (a separate server for EVERY network service?), I honestly doubt anyone is truly compliant.
Do you have evidence we can test 🙂 Auditor speak here lol!
Compliant doesn’t mean unhackable, it only provides a level of assurance. Also audits and assessments are, so to speak, point in time; there is a whole continuous monitoring effort that needs to be in place to ensure you stay compliant and protect yourself from risk.
I don’t want to hijack this thread with this tangent. So, suffice to say, my opinion on this subject is actually more nuanced than the expression in my last post. I don’t accuse either auditors or clients of malfeasance but rather kinda doing what they must to get by. Fudging the compliance requirements through such things as creative “compensating controls” seems to be the way PCI works.
The rules are quite thorough and explicit but implementation requirements are flexible. Different auditors have different ideas about what the rules /really/ mean and which can be safely ignored by certain organizations.
The PCI SSC even admits that the PCI DSS is a “baseline of technical and operational requirements… [and] comprises a minimum set of requirements for protecting cardholder data…” There are plenty of things that can be done above and beyond the expectations of the PCI DSS – I do not view it as max security in any light, in fact there are some requirements that I expect to change to become more secure (like the WEP/WPA/WPA2).
I do think organizations can be compliant – though I would agree that some either lie or are only compliant at the time of the audit, check the boxes, and then go right back to their non-compliant behavior. The trick is consistent compliance – and that does take a lot of work.
As for the mention of needing different servers – it’s per primary function with the intent to secure your information, keeping like-security-level things accessible on their own server… having a high security database like your CC data on the same server as a low security web application which needs to be open and directly faces the internet would be foolish and create unneeded risk to the database… unless you can separate the two in such a way as to not make the web application a risk to the database.
But we digress – the point of the blog is in regards to the data potentially stolen and we have no clue if Sony was actually PCI DSS compliant or not… nor if any CC data was actually stolen. If it was, I’d be curious to know if it was encrypted or not and how it was stolen. If they had the CV2, CVV, PIN, or full magstripe data – they were clearly not compliant (which is an issue in and of itself) and they should be notifying their customers immediately so they can get new cards. I know the customers won’t be liable, but if you can limit some of the damage done – why not? It will cost Sony a lot more if CC data was stolen… and the blanket statement of, “If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained” will not be near enough to protect them from the damage the breach will cost them.
The blog post and email state
“While there is no evidence that credit card data was taken at this time, we cannot rule out the possibility”
Requirement 10 of the PCI DSS Standard (Track and monitor all access to network resources and cardholder data) lists a range of measures for monitoring access to the card data and also to the logs that monitor access.
From this it is a reasonable assumption that they were in fact not compliant, as compliance would ensure that they either had:
a) Evidence that it was accessed; or
b) No evidence that it was accessed with the ability to rule out the possibility;
That’s my take on it in any case.
I gotta ask, why would anyone give developers higher access to production systems, networks and data? Seriously? We’ve known this was a really bad idea for many decades.
Developers don’t get production access. PERIOD. If they need help troubleshooting a problem, then they need to request specific log files. If the log files don’t provide enough details, get a new developer. She/he has failed.
The way we do it:
– devs have dev environments.
– testers/qa has QA environments.
– customers have “production” environments.
You never mix these.
What should we do now? I mean on PSN! Changing credit card is out of the question.
Marcelo, at least in the United States, if you’re using a credit card, you’re not liable for any unauthorized charges on your card. Your main area of concern should be making sure that the password you’re using for the Sony account doesn’t match the password you’re using anywhere else. As a friend I follow Tweeted yesterday, hopefully PSN users will pick far more secure passwords for their email than they do for their Sony account: After all, how complex can Sony expect customers’ passwords to be when most people will be entering a password using a game controller?
Concerning your last sentence: I was given a Blu-ray player for Christmas. I set it up on my home network to enable movie downloads. It was a misery to try to enter user names and passwords using the remote. And, because I was having some issues using wi-fi for it, got the opportunity to do it more than once. Gave up on wi-fi and ran a CAT5 cable.
Off topic, but, was your Blu-Ray an INSIGNIA brand, by chance?
Well, since that password was protecting my credit card info it was one of those password I didn’t want to get hijacked.
Then again who is the idiot that stores passwords in clear text? Although given Sony’s security history (aka generation of PS3 keys) this probably shouldn’t come as a major surprise..
FWIW, I have a Citibank credit card that I can log into and create any number of virtual cards with predetermined spending limits and expiration dates. Very recommended if you’re concerned about credit card theft and you don’t check your statements. At most you’ll be out what you set the limit at.
@ Jonathon
This would be a very nice feature for the credit/debit card industry to universally adopt, but if your card issuer doesn’t offer it, you don’t have it. But use it if you’ve got it!
Maybe I’ve missed something here (after all I’m still trying to figure out how other PSN members can post comments on their blog, but when I try to log on I’m told the network is still down), but it sounds like the developer network had unrestricted access to not only user data, but their real CC info as well?
Yes: credit card numbers and expiration dates.
“If they’re allowed to store it and met the requirements – simply having someone access the CC data would not make them fail. Now if it’s in clear text – it’d be a serious failure… or if the CV2 or CVV (or any other sensitive authentication data for that matter) were stored – it’d be a serious failure…”
I am very curious for any response from Sony or their PCI QSA on how credit card numbers could have been accessed if PSN was compliant at the time of the breach. It’s especially concerning if the attackers were able to access CC#’s while the data was at rest. PCI DSS has fairly strong controls for data-at-rest, whereas you can still be PCI compliant transmitting plaintext CC#’s within the cardholder environment.
I stopped shopping online with any company that demanded I let them store my credit/debit card years ago. If you want to buy something there’s almost always somebody else who sells it who won’t keep your financial data, so that’s who I shop with. Sure, if you want to play Playstation games online, I guess you don’t have any other choices. I’m not a gamer, so that’s not a problem for me.
Any particular reason this post matches DeborahS’ word for word? It looks like a copy and paste to me so I’m not sure if there was a particular point trying to be made – is it simply agreeing with the quote?
Eight days is a long time to let the proud new owners of this data parse it for profit. In that amount of time anyone who re-used a password between Sony and email may be in trouble. From all the people I talk with, most do make their bank password stronger. Many of those same people think their online email is less important.
None of us know how this data was organized. Sony reported that challenge / response questions and answers were also taken. If the perpetrators can quickly link this data together, it wouldn’t take long to get into email accounts, find their financial institutions in archive, and start resetting passwords.
Everyone wants to do a post-mortem on the breach, but in my opinion Sony’s slow reaction is what needs to be dissected and used as a good “how not to handle a breach” lesson.
I would like to say this is the first time I’ve been glad I don’t own a PS3. What a weird feeling.
If 2010 was a slow year for breaches, this little ‘oops’ is gonna skew the numbers for 2011!
the only winning move is not to play
hello all.
Can we expect more info, more details? I mean, what is the vuln. and tech. used?
I have nowhere to ask this one :p
and also have lost P.Assange phone ..
YaKhOo
Many questions are NEVER answered, unless there is a law suit, and the depositions make it into the public record. If this happens, it could be many YEARS from now, by which time our attention span will have switched to many many other breaches in the mean time.
Even if the credit card numbers and passwords are encrypted, what encryption standard was used? And where do they store the key to decrypt the information the next time they want to access it themselves?
There are a large but finite number of credit card numbers and possible expiration dates. The people selling credit card data have thousands or millions of computers in their botnets available for computation. What are the odds no one has created a rainbow table (list of common data strings and their encrypted forms) for credit cards and expiration dates using all the common encryption standards?
Sony could have created an in-house encryption standard, and they may have if they were overconfident enough to give developers access to the database, but I would think if the data were encrypted at all they would have been quick to say so.
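An added example of my own (not from the post or this commenter) of the finite-space concern raised in the comment above: the Luhn check digit is fixed by the other fifteen digits, so with a known 6-digit BIN a 16-digit card number has only 10^9 valid values, and an unkeyed hash of number plus expiry can be inverted from a precomputed lookup table (what the comment calls a rainbow table), while an HMAC under a secret key cannot be tabulated without that key. The test number 4111111111111111 and the expiry are constructed values, and the 12-digit prefix is narrowed only so the table builds quickly.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterator, List, Optional, Tuple


def luhn_check_digit(partial: str) -> str:
    """Return the Luhn check digit that completes the digit string `partial`."""
    total = 0
    # Walk from the right: the digit just left of the check digit is doubled first.
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    """True when `pan` is all digits and its last digit is the correct Luhn check digit."""
    return pan.isdigit() and len(pan) > 1 and luhn_check_digit(pan[:-1]) == pan[-1]


def pan_keyspace(bin_prefix: str, length: int = 16) -> int:
    """Count Luhn-valid PANs of `length` digits sharing a known BIN prefix.
    The check digit is determined by the other digits, so only the middle digits are free."""
    return 10 ** (length - len(bin_prefix) - 1)


def candidate_pans(prefix: str, length: int = 16) -> Iterator[str]:
    """Enumerate every Luhn-valid PAN with the given prefix (used to build the table)."""
    free = length - len(prefix) - 1
    for n in range(10 ** free):
        body = prefix + str(n).zfill(free)
        yield body + luhn_check_digit(body)


def unsalted_fingerprint(pan: str, expiry: str) -> str:
    """Unkeyed SHA-256 of PAN plus expiry: deterministic and keyless, so it can be tabulated."""
    return hashlib.sha256(f"{pan}|{expiry}".encode()).hexdigest()


def keyed_fingerprint(pan: str, expiry: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key: without the key no table can be built in advance."""
    return hmac.new(key, f"{pan}|{expiry}".encode(), hashlib.sha256).hexdigest()


def build_lookup(prefix: str, expiries: List[str]) -> Dict[str, Tuple[str, str]]:
    """Precompute fingerprint -> (PAN, expiry) for every candidate: the table the comment fears."""
    table: Dict[str, Tuple[str, str]] = {}
    for pan in candidate_pans(prefix):
        for exp in expiries:
            table[unsalted_fingerprint(pan, exp)] = (pan, exp)
    return table


def recover(stored: str, table: Dict[str, Tuple[str, str]]) -> Optional[Tuple[str, str]]:
    """Invert a stored fingerprint by table lookup; None when the table has no entry for it."""
    return table.get(stored)


def demo() -> Tuple[Optional[Tuple[str, str]], Optional[Tuple[str, str]], int]:
    """Constructed scenario: one stored record protected two ways, attacked with the same table.
    The 12-digit prefix (3 free digits, 1000 PANs) only keeps the run fast; a real 6-digit BIN
    leaves 10**9 PANs, times roughly 60 plausible expiry months."""
    pan, exp = "4111111111111111", "04/13"  # standard test PAN, constructed expiry
    expiries = [f"{m:02d}/13" for m in range(1, 13)]
    table = build_lookup("411111111111", expiries)
    hit = recover(unsalted_fingerprint(pan, exp), table)    # unkeyed hash: recovered
    key = secrets.token_bytes(32)                            # key the table builder never sees
    miss = recover(keyed_fingerprint(pan, exp, key), table)  # keyed MAC: in no precomputed table
    full_space = pan_keyspace("411111") * 60                 # size of the real-world table
    return hit, miss, full_space


if __name__ == "__main__":
    print(demo())
```

The keyed variant only moves the problem to protecting the key, which is the commenter's second question; the practical answer in card environments is an HSM or tokenization service that never exposes it to the application tier.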
I’d agree – the fact that they say that CC data may have been stolen makes one wonder if it was simply plain text, because otherwise you’d think that they’d say that the info may have been breached but it was securely encrypted… not to say it can’t be cracked, but you’d think they’d put some type of spin on it to make it sound safe and avoid people panicking…
oops… I take it back, they did say something:
“Sony reassured users of the PlayStation Network that ‘all credit card information stored in our systems is encrypted’, but underlined that it cannot rule out the possibility that the credit card data was stolen.”
Still leaves the question of how strong the encryption was – but better than thinking plain text 🙂
Brian, this was posted on twitter recently (#psnhack) as well as some scene forums
“Rumors are following thru various underground “credit card” trading forums, and on the new #psnhack twitter list that a large section of the PSN database containing complete personal details along with over 2.2million working credit card numbers with the much-needed CVV2 code are being offered up for sale to the highest bidder, after the “hackers” tried to sell the DB back to Sony for a price, but they of course didn’t answer! ”
Have you seen/heard anything from your sources?
Heard you on KPCC/NPR the other day talking about this topic. Thought I would pop-in and say how much I enjoyed it!
Thank you!
Hey, Yevgeny, thanks for dropping by and for the kind words! Glad it was useful!
I really can not believe how much information was stolen from such a large company. I hope that Playstation is forced to make some major changes to their security system, and that Microsoft and Nintendo do something as well to prevent this from happening to them.
People just do not realize how much of their information is really out there, supposedly “secured” by these huge organizations.
Please, how can I start making use of my new credit card? Looking for your response.
thanks