PlayStation Network (PS3)
The PlayStation Network is the online service by Sony Computer Entertainment, providing downloads of games, trailers, themes and much more. The service is free, but also offers a paid version for various benefits.
Sony Pushes Back on Credit Card Speculation, Clarifies Password "Encryption" [Updated]
It's little surprise many of the 77 million users affected by the security breach of PlayStation Network continue to be skeptical of Sony's comments, despite it holding an all-hands-on-deck press conference in Japan over the weekend. The company took to the PlayStation Blog today to further address issues.
The fate of everyone's credit card information remains the thorniest issue. Sony admitted at its press conference roughly 10 million credit cards were exposed--a significant number. A Friday report filed by The New York Times also stoked the flames. The publication spoke to several security analysts, who said there was chatter on known hacker boards of a database containing the information of 2.2 million PSN users--credit card details included. The hackers allegedly offered the database back to Sony, too.
"One report indicated that a group tried to sell millions of credit card numbers back to Sony," said senior director of corporate communications and social media Patrick Seybold. "To my knowledge there is no truth to this report of a list, or that Sony was offered an opportunity to purchase the list."
Eyebrows were also raised over Sony's description of stored PSN passwords. Encrypted? Not encrypted? Sony says it described the passwords as unencrypted because they weren't: rather than being encrypted, the passwords were passed through a cryptographic hash function and were not stored in cleartext.
Does that sound like gobbledygook? Sony provided a few links (number one, number two) with details.
"We continue to work with law enforcement and forensic experts to identify the criminals behind the attack," added Seybold. "Once again, we apologize for causing users concern over this matter."
Some aspects of PSN are expected to come back online this week, trophies and cloud saves intact.
Considering I've been having some sketchy goings on with my card (not that they're even remotely connected), it's good to hear they're trying their best to rectify it.
I'm actually kind of OK with how they are handling things now. It's just that they keep proving that they are incompetent at security. I have trouble forgiving that.
A report of a previous report about rumors about speculation in a forum from an outside report about a forum report.
@Winsord said: "I feel like even Sony isn't sure what they were doing anymore, and I'm starting to trust news from elsewhere more than news from Sony, which isn't a good policy to have."
"Credit card numbers were probably not taken; I'd assume they were 128-bit encrypted like all e-financing."
You mean like we all assumed their PS3 encryption random seed was random when it wasn't random at all? I think it's best to assume nothing or, at the very least, the worst.
"So.....many....psn....articles...."
Yeah, I say make them stop until we get some real news. I don't feel any more informed after reading these articles, tbh. I know Sony is to blame for the lack of real news, but that doesn't mean we need new articles every day for every little tidbit they "announce".
"A report of a previous report about rumors about speculation in a forum from an outside report about a forum report."
This.
Hmm, the more I hear the more it sounds like they were doing a lot of the right things at the back-end in terms of storage. Obviously not so much in terms of actually keeping that stored data secure!
Based on this new info I'm slightly more optimistic about the usefulness of the data to the potential bad guys. Identity theft is still a possibility but if Sony's statements are true they must be lacking some of the data that would make it even easier. Phishing and spamming are the two most likely things now and chances are that's something people either deal with or fall for on a regular basis anyway!
The key remaining things for me will be the hashing function used, whether or not the hashes have been salted to prevent rainbow table attacks, and, of course, how the data was obtained.
And FWIW, I think kudos are due to Giant Bomb and Patrick in particular for the level-headed coverage of this whole story. While some news outlets spread thin details over multiple stories or engaged in fear-mongering Giant Bomb have kept the signal to noise ratio high. And I for one am grateful!
It's good to know that they're staying vigilant over this whole incident. The internal morale at Sony can't be all that strong right now. But truthfully people aren't going to stop being "spooked" until there's a good amount of evidence that credit cards weren't exposed. There isn't a lot of comfort to be had from the idea that they simply don't know if the breach went that deep.
Having had to cancel my credit card today, and now try to clear up $1300-odd of fraudulent activity on my account, I'm certain that at least some credit card data is floating around out there and in use.
In my many many years of using the same credit card online, I have never once experienced anything like this. Suddenly my account is compromised now? That is way too coincidental to my liking.
"Having had to cancel my credit card today, and now try to clear up $1300-odd of fraudulent activity on my account, I'm under no illusions that at least some credit card data is floating around out there and in use. In my many many years of using the same credit card online, I have never once experienced anything like this. Suddenly my account is compromised now? That is way too coincidental to my liking."
My parents have had their CC data stolen multiple times. My dad never uses CCs online, and my mom is extremely computer literate, and always makes sure that info is kept with the highest safety. They still managed to get that shit stolen, even once earlier this year.
Why has nobody in the media called bullshit on The New York Times writing articles based on message board posts and treating them as verifiable proof? I expect this crap from Fox News but the Times I thought had more integrity. Then again they did just lock away the majority of their articles behind asinine subscriptions so who knows.
"Also, just out of curiosity, did you follow the steps Sony helpfully posted on how to make sure no one could run wild with your CC number, just in case?"
All their information pertained to US institutions and fraud hotline type things. None of which is of any use to me in South Africa, nor does my bank give enough of a shit to help me.
Good that Sony is trying to fight some of the FUD kotaku (and others) are spreading.
I just want psn up so we can all move on.
Isn't it a bit odd to first announce that the passwords were unencrypted, leaving everyone to think they were stolen, then announce they'd been hashed? Assuming they used a reasonable hash function, that's honestly more reassuring than if they'd simply been encrypted. Sony seems to have gone out of their way to stoke panic---how does this make sense?
From what I heard, the only information that was passed in cleartext was from the ones with CFW. In order for them to gain access to PSN, they had to bypass certain parts of PSN's infrastructure, including some SSL layer servers. That's just what I've heard down the grapevine, so it's still speculation until Sony shows the world its audits.
@example1013 said: "Jeez. You have my sympathies, then. Also, just out of curiosity, did you follow the steps Sony helpfully posted on how to make sure no one could run wild with your CC number, just in case?"
"All their information pertained to US institutions and fraud hotline type things. None of which is of any use to me in South Africa, nor does my bank give enough of a shit to help me."
@PatrickKlepek: Do you have, or can you get, any information on whether those 10 million credit cards are in fact all credit cards whose information was stored on PSN? If you consider that there were some 77 million PSN accounts, which most likely includes forgotten accounts, extra accounts (Japanese + American + European for the different stores), inactive accounts, accounts owned by people who don't buy stuff online and accounts owned by people who don't have/use credit cards (like most of Europe), 10 million sounds like an awful lot.
As for the password encryption thing, it's a strange technicality to get hung up on. Nobody would have blamed them if they'd said the passwords were in fact encrypted. Hashing is essentially a one-way form of encryption. Either way, the passwords aren't truly safe once hackers have access to the entire database. Anything that's encrypted can also be decrypted and once you have a huge list of hashes, it's fairly easy to generate passwords with the same hashes. The best we can hope for is that Sony salted the passwords and used a decent hashing method, but something tells me they used unsalted md5 hashes like most of the world, meaning everyone needs to act as if the passwords were actually leaked in their original plain text form.
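As an added illustration of the salting point raised in this post and in the earlier comment about rainbow tables (example code written for this page, not anything from Sony or Giant Bomb; the user names and passwords are constructed), here are the two storage schemes side by side: the unsalted MD5 the commenters expect, and a per-user salted, iterated PBKDF2 record with a constant-time verifier:

```python
import hashlib
import hmac
import os

# Constructed sample: two users who happen to share a password (made-up data).
USERS = {"alice": "hunter2", "bob": "hunter2"}

def unsalted_md5(password: str) -> str:
    """The scheme commenters feared: a fast, unsalted hash. Every user with the
    same password gets the same digest, so one precomputed (rainbow) table
    lookup covers all of them at once."""
    return hashlib.md5(password.encode()).hexdigest()

def store_salted(password: str, iterations: int = 200_000) -> str:
    """Stronger scheme: random per-user salt plus a slow, iterated KDF
    (PBKDF2-HMAC-SHA256, standard library). The record keeps the parameters
    needed to verify later; the salt is not secret."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_salted(password: str, record: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                  bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(derived.hex(), digest_hex)

def shared_values(table: dict) -> int:
    """Number of users whose stored value is identical to another user's."""
    counts = {}
    for value in table.values():
        counts[value] = counts.get(value, 0) + 1
    return sum(c for c in counts.values() if c > 1)

def compare_schemes() -> dict:
    """Build both tables for the sample users and report whether identical
    passwords show up as identical stored values."""
    md5_table = {u: unsalted_md5(p) for u, p in USERS.items()}
    salted_table = {u: store_salted(p) for u, p in USERS.items()}
    return {
        "md5_shared": shared_values(md5_table),        # 2: alice and bob collide
        "salted_shared": shared_values(salted_table),  # 0: different salts
        "salted_verifies": all(verify_salted(p, salted_table[u]) for u, p in USERS.items()),
        "wrong_password_rejected": not verify_salted("hunter3", salted_table["alice"]),
    }
```

Calling compare_schemes() shows the practical difference: with unsalted MD5 the two users are visibly the same password, with salted PBKDF2 they are not, and each guess against a salted record costs a full KDF run.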
Can someone tell me where this update to the article comes from? Because as far as I know Sony at no point admitted that. They said that out of the 77 million accounts only 10 million had a CC attached.
"I would absolutely agree in any other circumstance, but I feel that the fact that this involves people's personal and credit card information makes it a special exception." @Legend
@Darkstalker said: "Yea. I mean it's not just giantbomb but all websites need to stop. Plus it's just another excuse for people to say fuck sony and then the same people to retort with the same comments. I just want psn up so we can all move on."
"So.....many....psn....articles...."
Yeah, I say make them stop until we get some real news. I don't feel any more informed after reading these articles, tbh. I know Sony is to blame for the lack of real news, but that doesn't mean we need new articles every day for every little tidbit they "announce".
"@tourgen: 5 bucks says MD5 :)"
Yeah, you are probably right. Hopefully not, but... I just assumed the worst and made sure I didn't have any similar passwords.
Sony isn't helping themselves by slowly releasing bits of bad news every few days. They should just come out with everything now and deal with it all at once.