
PSN Hack Update: FAQs in OP, Read before posting

Status
Not open for further replies.

DMeisterJ

Banned
So the cc info was encrypted (not plain text), and there is no evidence of the data being taken.

So the tons of people with fraudulent charges are either true, and coincidental or false?
 

Zoe

Member
Choc said:
In the UK at least and Australia Sony is going to get hammered if that's true. The governments will say you didn't do the most you could to protect customer data

finetime

What are those countries' standards for encryption?
 
Luckyman said:
Only Sony could outdo Sony rootkit scandal

unencrypted passes. Now they feel the need to move to another datacenter and enhance security. Tell how shitty it has been for years.

We don't know that yet.
 
DMeisterJ said:
So the cc info was encrypted (not plain text), and there is no evidence of the data being taken.

So the tons of people with fraudulent charges are either true, and coincidental or false?


Hopefully coincidental.
 
I subscribed to DC Universe Online for a month (PC Version) but don't have any other Sony accounts otherwise, nor a PS3. Should I be concerned about my SOE information or is that separate from the PSN stuff?
 

TTP

Have a fun! Enjoy!
LumpOfCole said:
I subscribed to DC Universe Online for a month (PC Version) but don't have any other Sony accounts otherwise, nor a PS3. Should I be concerned about my SOE information or is that separate from the PSN stuff?

SOE already stated it's all good with the DC Universe stuff. 100% Unaffected.
 

Rewrite

Not as deep as he thinks
Zoe said:
Honestly, many companies don't see that as vital information worth encrypting. Especially back when all of this was set up in 2006.
Let's say if they had changed their mind and wanted to encrypt the data, would they have had to shut down PSN to do this?
 
DMeisterJ said:
So the cc info was encrypted (not plain text), and there is no evidence of the data being taken.

So the tons of people with fraudulent charges are either true, and coincidental or false?
Unless of course they've used some sort of easily reversible encryption...

But I still say that the chances are the CC details aren't out there.

Rewrite said:
Let's say if they had changed their mind and wanted to encrypt the data, would they have had to shut down PSN to do this?
No, but it would have required a firmware update.
 

Kyoufu

Member
So...

If CC info was encrypted, how likely is it for the hacker to have obtained it all? How long does it take to decrypt millions of them?
 

Kalnos

Banned
Rewrite said:
Let's say if they had changed their mind and wanted to encrypt the data, would they have had to shut down PSN to do this?

They would have to patch most likely, as I imagine they would encrypt the data before sending it away to a database. It wouldn't take long though, certainly not days (probably not even hours).

Converting all of the non-encrypted data that is already there would probably be more tricky than adding encryption.
 

Zutroy

Member
Choc said:
In the UK at least and Australia Sony is going to get hammered if that's true. The governments will say you didn't do the most you could to protect customer data

finetime
Probably not. The Data Protection Act is more against the selling of your data, and keeping it accurate more than anything. Yes, you have to keep it secure to an extent (i.e., not being the government and leaving it on a CD in a train), but as Sony mentioned, the data was stored behind some sort of 'sophisticated security' which will probably be enough to cover them.
 
DMeisterJ said:
So the cc info was encrypted (not plain text), and there is no evidence of the data being taken.

So the tons of people with fraudulent charges are either true, and coincidental or false?
As I said previously, even a fair amount of anecdotes wouldn't prove anything, as CC fraud or ID theft are sadly more common than you think. You would have to register a significant spike to start hinting at any connection.

Until then, it's stupid journalists stirring up fake scandals out of nothing.
 

A.R.K

Member
Q: Was my credit card data taken?
A: While all credit card information stored in our systems is encrypted and there is no evidence at this time that credit card data was taken, we cannot rule out the possibility.

If Sony has used decent encryption wouldn't it be hard for hackers to get the CC info? It's not easy to decrypt data without the key and it takes a long time to do that. Plus having no security code stored on Sony's servers is another plus. Most online transactions ask for the security code.
 

Zoe

Member
Kalnos said:
They would have to patch most likely, as I imagine they would encrypt the data before sending it away to a database. It wouldn't take long though, certainly not days (probably not even hours).

Converting all of the non-encrypted data that is already there would probably be more tricky than adding encryption.

The second part would be troublesome plus all the QA needed to make sure everything can be encrypted/decrypted properly from all possible points of entry/exit.
 

Ferrio

Banned
Kalnos said:
They would have to patch most likely, as I imagine they would encrypt the data before sending it away to a database. It wouldn't take long though, certainly not days (probably not even hours).

Converting all of the non-encrypted data that is already there would probably be more tricky than adding encryption.

Are you saying they should have had the PS3 encrypt the data before sending it to Sony? They were already doing that in the form of SSL, and it's terrible security too.
 

Stoffinator

Member
TTP said:
Geez at ppl asking if trophies were stolen (in the blog comments). They are on your PS3 ffs! Even if they were deleted server side, a sync is all you need to do to get them back.

I am one who asked that. Mostly because most people would not know that. It would also be a FAQ I would imagine.
 

Jburton

Banned
Rebel Leader said:
I say we have a Gafdance party in PShome. Just like a gafer suggested in a previous thread.


I am behind this 100%

Would be a laugh.

Someone should start a thread near the time of relaunch.
 

Kalnos

Banned
On how secure their encryption is. I'm assuming they're using TripleDES with a key, which is considered secure by modern standards.
 

androvsky

Member
Kyoufu said:
So...

If CC info was encrypted, how likely is it for the hacker to have obtained it all? How long does it take to decrypt millions of them?

Same amount of time it takes to decrypt one of them. If properly encrypted, millions of years. If Sony screwed that up like they did the PS3's encryption, a few weeks to a few years, depending on how badly they screwed it up.

Granted, even if Sony made the exact same mistake they did with the PS3, it'd be really hard to do the same reverse engineering that cracked the PS3 root keys, since the hackers wouldn't have access to the database engine to run multiple encryption / decryption steps.

Of course, Sony could've found a whole new way to screw up encryption, so nothing's certain.
 

Kalnos

Banned
Ferrio said:
Are you saying they should have had the PS3 encrypt the data before sending it to Sony? They were already doing that in the form of SSL, and it's terrible security too.

I'm saying that's probably what they were doing.
 
Rewrite said:
Let's say if they had changed their mind and wanted to encrypt the data, would they have had to shut down PSN to do this?
It's not as easy as changing your mind and deciding to encrypt data. It's a performance issue. Besides, it would also depend on what encryption algorithm they used. Some are easily broken within minutes. Some take a million years. Even after putting in place the craziest encryption algorithm, if the data was breached they would still need to shut down PSN due to the fact that the data is compromised. For all we know, the hacker could have downloaded the user table (encrypted) onto his USB drive and run fancy decryption code and broken it. The chances are significantly small that he may be able to succeed, especially if you used advanced encryption methods. But still you gotta be 100% sure.
 
Kyoufu said:
So...

If CC info was encrypted, how likely is it for the hacker to have obtained it all? How long does it take to decrypt millions of them?
Depends on what encryption algorithm they used. If they used DES, it will be cracked open within a day. If they used AES, then not so much. US Govt uses AES to encrypt non classified data.
 

lol51

Member
jigglywiggly said:
The weird thing about that FAQ is that I could swear I've put in my security code when buying something off PSN.

Putting it in does not mean it is saved in their database.

Newegg for example requires you input it in every time even if your CC info is saved.
 

Rebel Leader

THE POWER OF BUTTERSCOTCH BOTTOMS
jigglywiggly said:
The weird thing about that FAQ is that I could swear I've put in my security code when buying something off PSN.
I am unsure about that as well. We need to confirm when PSN is up.
I don't remember putting it in.
 
And could it also depend on the level of access the hacker had to Sony's system? They were on the PSN for three days that we know of before Sony noticed.
 

jiggles

Banned
lol51 said:
Putting it in does not mean it is saved in their database.

Newegg for example requires you input it in every time even if your CC info is saved.
I know that, but the FAQ claims they've never asked a single user for the security code.
 

Rebel Leader

THE POWER OF BUTTERSCOTCH BOTTOMS
JonathanEx said:
And could it also depend on the level of access the hacker had to Sony's system? They were on the PSN for three days that we know of before Sony noticed.


Wizard Class hacker
(was reading the Bloody Sunday manga)
 

davepoobond

you can't put a price on sparks
jigglywiggly said:
The weird thing about that FAQ is that I could swear I've put in my security code when buying something off PSN.

As far as I understood, it asks for it but it doesn't store it.


I don't know if I'm crazy about the personal info not being encrypted too, but if what someone said earlier that it would just be the least efficient system ever, then it's probably not actually viable to do in the first place.


gotta wonder who was able to do this and download all 70 million usernames before it was realized.
 

Zutroy

Member
jigglywiggly said:
The weird thing about that FAQ is that I could swear I've put in my security code when buying something off PSN.
Now that you mention it, I'm fairly certain that I have too.
 

davepoobond

you can't put a price on sparks
Kyoufu said:
The ultimate question; Will Sony ever find the person/people responsible?

I'm sure they're hidden through multiple layers of proxies and hidden IPs and using serial ports and connecting through a Kinko's internet connection and using a printer converted into a computer running off USB sticks that was thrown away and buried in a hole 100 miles deep in the middle of a desert.


It's either that, or I'm imagining something like Mission Impossible is happening as we are speaking, and there's a helicopter flying through a tunnel somewhere right now.
 

Biff

Member
Metalmurphy said:
Quick, change it to something embarrassing!
Yes, this!!

Here's some original artwork if you need inspiration:

ign_quality.jpg
 

Cruzader

Banned
Rebel Leader said:
I say we have a Gafdance party in PShome. Just like a gafer suggested in a previous thread.
That won't be possible. When PSN goes up, Home will be crashing left and right from the massive amount of casuals trying to log in. Else it will be super slow.

Anyhow Home update 1.5 was gonna go up on the day psn went dead. Funny how that is. Lol

Also Home users are prolly freaking out right now. They need their Home fix. They need to buy some damn virtual clothes!!!
 

Shaneus

Member
davepoobond said:
gotta wonder who was able to do this and download all 70 million usernames before it was realized.
Majority of those 77 million accounts were probably just used for car duping in GT5 anyway.
 
jigglywiggly said:
The weird thing about that FAQ is that I could swear I've put in my security code when buying something off PSN.

The PCI Data Security Standard (a certification required to process credit card transactions) forbids the storage of CVV.
 

Zoe

Member
Majine said:
Even if, when they do get to him, will it matter anymore?

The biggest two credit card hackings in history were done in part by the same person. It's important they find the person.
 
Cruzader said:
That won't be possible. When PSN goes up, Home will be crashing left and right from the massive amount of casuals trying to log in. Else it will be super slow.

Anyhow Home update 1.5 was gonna go up on the day psn went dead. Funny how that is. Lol

Also Home users are prolly freaking out right now. They need their Home fix. They need to buy some damn virtual clothes!!!
Regardless, the gafdance party must happen! Private showing of course. There will be strippers.
 

Lince

Banned
Fersis said:
It's neat that we will have to reset our passwords... since I forgot mine :3

just pray they don't ask you for the original password then in the first place

jigglywiggly said:
The weird thing about that FAQ is that I could swear I've put in my security code when buying something off PSN.

same here, but not always, weird.
 