zomgbbqftw said:

So almost all CC transactions on the internet which us HTTPS are bogus then?
Seriously, give it a rest. Your earlier post was full of assumption and hyperbole as well...

Click to expand...

Pistolero said:

You are on the verge of opening another Pandora's box, gofreak!

Click to expand...

Fallout-NL said:

Damnit.

Still can't play my PC version of Portal 2. That's the biggest tragedy of all.

Click to expand...

Blimblim said:

You can't encrypt on the client when it's a SSL transaction done with a web browser (well technically you could do it with JS, but there is no point in doing that), which is about 99% of the CC transactions you'll ever see over the internet. So no, it's not a problem under normal circumstances.

Click to expand...

We prefer that you use the website to place your orders. We use double encryption to pass credit card information using SSL technology. We can assure you that all of your information will be safe. You can also purchase select cars at your participating Chevron station.

Click to expand...

1 Take care.
2 Think if you really have to store these.
3 Think about "30 days".
4 Encrypt - preferably double encryption using a key supplied through a browser over an SSL connection periodically.
5 If you're only "thinking about" getting a private SSL I'd put all this on hold until you've got a good scheme.

Click to expand...

Jax said:

You just kind of need to Shut the fuck up already.

Click to expand...

BeeDog said:

Seeing as how the e-mail addresses and PSN passwords leaked out, it's safe to assume that hackers/criminals try to hijack the e-mail accounts by retrying the passwords. But what about other websites, e.g. big webstores like Amazon, eBay and so on? Is it common that criminals try to pair up passwords and e-mail addresses in other places, or is it almost always restricted to hijacking e-mail accounts only? Probably a stupid question, but I have no idea about how these hackers operate, and I'm curious.

Click to expand...

Genjikage said:

Now that everything is cleared up on my end, I'm just waiting for psn to come back up.

To those mocking us who got new CC's... why? Better safe than sorry? It took me a few minutes to call up my bank and tell them what was up. She told me I'm better off just getting a new card and they disable my current one. I'm without a card for a week, but I'd rather that then deal with someone charging Hungarian foot rubs to my account 3 months from now.

Cant wait to play Crysis2 online again, working towards rank 50 xD

Click to expand...

BeeDog said:

Seeing as how the e-mail addresses and PSN passwords leaked out, it's safe to assume that hackers/criminals try to hijack the e-mail accounts by retrying the passwords. But what about other websites, e.g. big webstores like Amazon, eBay and so on? Is it common that criminals try to pair up passwords and e-mail addresses in other places, or is it almost always restricted to hijacking e-mail accounts only? Probably a stupid question, but I have no idea about how these hackers operate, and I'm curious.

Click to expand...

nofi said:

Absolutely.

Obviously emails are the first port, as that's where 'reset my password' attempts will go, but yeah, they'll test anything with financial possibilities, I'd imagine.

Click to expand...

BeeDog said:

Logical enough. I seriously wish for the bigger websites to implement security measures like Gmail has to be able to sense if IP's from other countries try to use the accounts. I mean, wouldn't stores be suspicious if someone from, let's say, Brazil starts using an account made in Europe? And then changes shipping addresses and whatever to this other country?

Click to expand...

BeeDog said:

Seeing as how the e-mail addresses and PSN passwords leaked out, it's safe to assume that hackers/criminals try to hijack the e-mail accounts by retrying the passwords. But what about other websites, e.g. big webstores like Amazon, eBay and so on? Is it common that criminals try to pair up passwords and e-mail addresses in other places, or is it almost always restricted to hijacking e-mail accounts only? Probably a stupid question, but I have no idea about how these hackers operate, and I'm curious.

Click to expand...

BeeDog said:

Logical enough. I seriously wish for the bigger websites to implement security measures like Gmail has to be able to sense if IP's from other countries try to use the accounts. I mean, wouldn't stores be suspicious if someone from, let's say, Brazil starts using an account made in Europe? And then changes shipping addresses and whatever to this other country?

Click to expand...

carlos said:

This probably has nothing to do with it, but for months I've been getting emails saying "someone has requested a password reset of your EA account".
I remember having to make an EA account for burnout paradise, and this uses the same email as the psn login....completely unrelated, I hope.

Click to expand...

The only people who will know if there has been a breach of the CC data is Visa/Mastercard. They should see a significant statistical bump and, with a little research, could find out if those cards had ever been used on PSN.

I don't think they release that kind of data though.

Click to expand...

carlos said:

This probably has nothing to do with it, but for months I've been getting emails saying "someone has requested a password reset of your EA account".
I remember having to make an EA account for burnout paradise, and this uses the same email as the psn login....completely unrelated, I hope.

Click to expand...

To start, I sure am glad I don't have a PSN account about now. And, as a onetime victim of identity theft, I feel for everyone who's data has been stolen. I'm not going to make cracks at Sony for flipping a shit when /their/ data is compromised, and not even having the decency to apologize when it's your data that's misappropriated.

Click to expand...

And to anyone who thinks I was involved in any way with this, I'm not crazy, and would prefer to not have the FBI knocking on my door. Running homebrew and exploring security on your devices is cool, hacking into someone elses server and stealing databases of user info is not cool. You make the hacking community look bad, even if it is aimed at douches like Sony.

Click to expand...

Also, let's not fault the Sony engineers for this, the same way I do not fault the engineers who designed the BMG rootkit. The fault lies with the executives who declared a war on hackers, laughed at the idea of people penetrating the fortress that once was Sony, whined incessantly about piracy, and kept hiring more lawyers when they really needed to hire good security experts. Alienating the hacker community is not a good idea.

Click to expand...

To the perpetrator, two things. You are clearly talented and will have plenty of money(or a jail sentence and bankruptcy) coming to you in the future. Don't be a dick and sell people's information. And I'd love to see a write up on how it all went down...lord knows we'll never get that from Sony, noobs probably had the password set to '4' or something. I mean, at least it was randomly generated.

Click to expand...

VisanidethDM said:

As I posted on the last page, I've spoken with a VISA representative yesterday who told me VISA was informed by Sony last week before the Easter break, and they took whatever measure they take in this cases (they've been monitoring the cards who had operations tied to PSN ever since).

In short, I called to activate security/potentially cancel the card and was told that they got it covered. Take it as you will.

Click to expand...

VisanidethDM said:

As I posted on the last page, I've spoken with a VISA representative yesterday who told me VISA was informed by Sony last week before the Easter break, and they took whatever measure they take in this cases (they've been monitoring the cards who had operations tied to PSN ever since).

In short, I called to activate security/potentially cancel the card and was told that they got it covered. Take it as you will.

Click to expand...

Q: Are you working with law enforcement on this matter?
A: Yes, we are currently working with law enforcement on this matter as well as a recognized technology security firm to conduct a complete investigation. This malicious attack against our system and against our customers is a criminal act and we are proceeding aggressively to find those responsible.

Click to expand...

Vagabundo said:

The credit card information - from tat chat log - is sent in plain text over the SSL channel (which itself is encrypted). The poster comments that this not usually sufficient and that the CC info is usually encrypted on the client and then sent over SSL. This has nothing to do with how the CC info may have been stored on the PSN servers.

Click to expand...

Vagabundo said:

Hmmm, so they knew there was a possible CC breach on the 21th and told Visa. When did they tell the rest of the world? Wasn't it the 26th?

Click to expand...

shagg_187 said:

I think you forgot to read the "fake" part in that chat log:

[user2] [redacted plain text code, includes false credit card number]
[user2] sent as plaintext
[user3] uh
[user3] did you censor that card?
[user2] ya its fake
[user3] good
[user1] wow, plaintext :S
[user5] plaintext wow
[user3] im never putting in my details like that
[user2] ya is all fake lol

Click to expand...

shagg_187 said:

I think you forgot to read the "fake" part in that chat log:

[user2] [redacted plain text code, includes false credit card number]
[user2] sent as plaintext
[user3] uh
[user3] did you censor that card?
[user2] ya its fake
[user3] good
[user1] wow, plaintext :S
[user5] plaintext wow
[user3] im never putting in my details like that
[user2] ya is all fake lol

Click to expand...

Vagabundo said:

No these servers were suppose to be part of PSN.

PSN is huge:

Click to expand...

BeeDog said:

While Sony HAVE handled this poorly, people need to realize they're handling a major money-making business, and every decision to inform people about potentially compromised information is costly. They will, for obvious reasons, want to make sure they can cover their asses as much as possible before putting out a PR statement that will inevitably do major damages to their treasure chests.

Click to expand...

Jburton said:

The IRC chat log you are referencing is bullshit.

That's your source?

Click to expand...

Vagabundo said:

Five days is a long time to craft a statement. I commend them for at least contacting Visa, but I'd bet that it was a legal requirement for them to do so.

Criminals had that data for at least six days (probably more) before Sony decided to tell the people affected. Inexcusable IMO.

Click to expand...

get2sammyb said:

God, the amount of bullshit being spread regarding this is terrifying. It's Sony's fuck up really for letting rumours people don't even understand take hold.

The amount of comments I've seen damning Sony for "storing credit card information in plain text" is annoying at best. Particularly when they've confirmed otherwise. People also keep citing the Kotaku story on an Australia charge as evidence that "all credit cards have been stolen".

Worse still, people believe it.

Click to expand...

BeeDog said:

I'm not trying to defend them, I'm trying to look at it from their point of view. 5 days is not just crafting a PR statement, they're looking at the situation from all possible economical and legal angles. As said, they're trying to cover their sides as much as possible before dropping the bombshell. It is poor form for the affected customers, that's entirely true, but it's also a matter of actually finding out if the stuff leaked or not. For what it's worth, the heads-up to VISA could be a matter of "there MIGHT be a potential CC leak", but "mights" are weak in a business world. They will want to make it perfectly certain that stuff may have leaked before issuing statements that will cost them enormous amounts of money. The uncertainty that can be seen in the big PR statement is most likely pressure from people and various outlets; if it wasn't for that, they probably would've withheld the information even more.

Click to expand...

BeeDog said:

While Sony HAVE handled this poorly, people need to realize they're handling a major money-making business

Click to expand...

A document written by the hackers has clarified what they did and what privacy and security risks they believe the PlayStation 3 poses. The PS3's connection to PSN is protected by SSL. As is common to SSL implementations, the identity of the remote server is verified using a list of certificates stored on each PS3. The credit card and other information is sent over this SSL connection. So far so good; this is all safe, and your web browser depends on the same mechanisms for online purchases.

Click to expand...

As flaws go, the risks here are not substantial. There is no generalized ability for hackers to grab credit cards from PSN users; only those using specially devised custom firmwares would be at risk. Essentially the same risk could be faced by anyone downloading a pirated version of Windows: extra certificates could be added to those normally trusted, along with suitable DNS entries, to allow interception of any traffic destined for, say, amazon.com. In practice, the risk of either of these is slight, and in any case, trivially avoided: don't use custom firmware.

Click to expand...

Vagabundo said:

I agree with you. It is just business.

However, my opinion of Sony as a company has dropped off the charts in recent years. This year they have been particularly shit.

4000+ news articles on Google news is a nice little PR storm they have brewed for themselves.

Click to expand...

iapetus said:

Not if they carry on like this, they're not.

Click to expand...

Relaxed Muscle said:

I think, people meant CC info stored locally in any PS3 is stored in plain text and then send encrypted through SSL to PSN servers.

No one thinks actual CC info was stored in PSN servers in plain text.

Edit:http://twitter.com/#!/Mathieulh

Wow if just half of the things is telling this guy is true....

Click to expand...

get2sammyb said:

God, the amount of bullshit being spread regarding this is terrifying. It's Sony's fuck up really for letting rumours people don't even understand take hold.

The amount of comments I've seen damning Sony for "storing credit card information in plain text" is annoying at best. Particularly when they've confirmed otherwise. People also keep citing the Kotaku story on an Australia charge as evidence that "all credit cards have been stolen".

Worse still, people believe it.

Click to expand...

BeeDog said:

I'm not here to judge your loyalties to Sony, if you feel they don't do stuff well then who am I to object. I personally don't care about their extracurricular activities (e.g. fights with hackers, stupid statements etc.) as long as it doesn't affect me, which cannot be said about the PSN woes. I'm an egoistic consumer, and only care about the entertainment the PS3 games provide me, which, out of the three major console makers, I find the best. The PSN was fair game up until now, and I'm eager to see how well it recovers by next week. If my purchase list is wiped out for one reason or another, I'll write off Sony's service and won't look back if I find myself strong enough.

Click to expand...

Luckyman said:

http://pastie.org/private/wlesnpatnf8fwdnhx3gqq

Click to expand...

butter_stick said:

Poor Sony

Click to expand...

I'm looking forward to getting a nice freebie from Sony too.

Click to expand...

iapetus said:

Not if they carry on like this, they're not.

Click to expand...

Vagabundo said:

Hmmm, so they knew there was a possible CC breach on the 21th and told Visa. When did they tell the rest of the world? Wasn't it the 26th?

Click to expand...

Metalmurphy said:

I wonder if you actually believe that...

Reminds me of those 2006 "Sony going bankrupt!! Jump ship!" Doom-sayers. As stupid as it was, it was still a bigger reality then this is.


And what exactly do you mean by "carry on like this" btw? Pretty sure that getting hacked is not something within their control so they can carry on or not.

Click to expand...

xbhaskarx said:

That would be quite fucked up if true, what possible reason could they have had to wait that long before informing consumers?


Also, questions for the don't blame Sony crowd...

Would you only be angry at the thief and not at the airline if your luggage was stolen?
Would you only be angry at the thief and not your home security system if your house was cleaned out?

Can the blame only be placed only on one party, is there really not enough here to spread it out between both?

Click to expand...

Wazzim said:

People keep saying this.. It's Sony's FULL responsibility, they are a multi billion dollar company and it's fully their fault if they lose control over server attacks.

Click to expand...

Wazzim said:

People keep saying this.. It's Sony's FULL responsibility, they are a multi billion dollar company and it's fully their fault if they lose control over server attacks.

Click to expand...