Support NeoGAF

[QuantumBro]

This comment is in NO WAY meant to make light or trivialize the troubles of those who may have had their credit cards stolen.

It is a serious question.

If you guys are still doubting that credit card info was taken, even after several users in this topic have said their card was used to buy X and Y, would that mean you're calling those people liars?

I'm confused.

If it turns out that no credit card info has been compromised via PSN it's probably just a coincidence. People get there credit cards stolen all of the time, this incident has made a lot of people go check their credit card statements online now instead of waiting till the end of the month as usual.

 

[Dead Man]

Something about this being a nerd on nerd crime
They took everything except our virginity
and who would want to steal the identity of a 30 year old who still lives in their parents basement.

Really? I guess no one has told him about the actual gamer demographic these days.

 

[Raistlin]

This comment is in NO WAY meant to make light or trivialize the troubles of those who may have had their credit cards stolen.

It is a serious question.

If you guys are still doubting that credit card info was taken, even after several users in this topic have said their card was used to buy X and Y, would that mean you're calling those people liars?

I'm confused.

Or it could be a coincidence?

I had fraudulent charges (1st time for me) on a credit card about 3 weeks ago. Wasn't a card I used with PSN and obviously is completely unrelated to this situation. Had it happened a few weeks later I'd probably be cursing Sony right now in this very thread (falsely).



My greater concern is actually the potential for identity theft and not the specific card used on PSN. If a list of names, addresses, and birth dates goes online ... it won't be hard for someone to get the last two pieces needed to create some fraudulent credit in your name (SSN and mother's maiden is the only other pieces you'd need for a fair amount of cards/loans/etc?)

 

[androvsky]

This comment is in NO WAY meant to make light or trivialize the troubles of those who may have had their credit cards stolen.

It is a serious question.

If you guys are still doubting that credit card info was taken, even after several users in this topic have said their card was used to buy X and Y, would that mean you're calling those people liars?

I'm confused.

Credit cards get stolen or hacked all the time, in a user base as large as gaf, chances are a few people are going to notice fraudulent charges if they start checking. Doesn't mean it's due to the psn breach.

Remember, correlation is not causation.

 

[DoctorButt]

This comment is in NO WAY meant to make light or trivialize the troubles of those who may have had their credit cards stolen.

It is a serious question.

If you guys are still doubting that credit card info was taken, even after several users in this topic have said their card was used to buy X and Y, would that mean you're calling those people liars?

I'm confused.

no ones calling anyone a liar unless they actually say "you are a liar", or something similar that accuses one of being a liar

EDIT: i'd say most of them, if not an extreme majority, are liars, just saying those things to stir the pot

 

[Raistlin]

Really? I guess no one has told him about the actual gamer demographic these days.

Seriously. If you're on PSN you're obviously working two jobs.

 

[cartoon_soldier]

What I want to know is what kind of security Sony had for PSN to begin with. A hack that causes Sony to shut down the service completely while they figure out what is going on and later discover the extent of the intrusion is pretty alarming and points to a big flaw in their security setup.

Also would want to see how the hackers could get records of 77 million people before Sony was able to shut down the system.

Maybe this is known, but do we have information on how long the hackers were in the system before Sony detected this and shut PSN down?

 

[brentech]

This comment is in NO WAY meant to make light or trivialize the troubles of those who may have had their credit cards stolen.

It is a serious question.

If you guys are still doubting that credit card info was taken, even after several users in this topic have said their card was used to buy X and Y, would that mean you're calling those people liars?

I'm confused.

Maybe not liars, but that's not out of the realm of a typical forums discussion.

While there is the possibility, it would also be naive to act like identity theft isn't an every day issue that people are always having to fight. The people that attempt ID theft are smart enough to hear about the breach and realize there is a great window of opportunity for them to use info that already had as well.

In 2003, approximately 7 million people became victims of identity theft in the prior 12 months. That’s 19,178 per day, 799 per hour, and 13.3 per minute.
(July 2003 - Gartner Research and Harris Interactive -IDTheftCenter.org)

This isn't something new. Shit happens allllll the time.

 

[RuGalz]

My greater concern is actually the potential for identity theft and not the specific card used on PSN. If a list of names, addresses, and birth dates goes online ... it won't be hard for someone to get the last two pieces needed to create some fraudulent credit in your name (SSN and mother's maiden is the only other pieces you'd need for a fair amount of cards/loans/etc?)

I don't know... all you really need to know is a name these days... Places like http://www.spokeo.com/ has more information about people than most people are comfortable with. Most of the cards/loans I have dealt with recently asks me a series of questions to verify my identity. I always thought it was annoying but now I appreciate it.

 

[hauton]

This comment is in NO WAY meant to make light or trivialize the troubles of those who may have had their credit cards stolen.

It is a serious question.

If you guys are still doubting that credit card info was taken, even after several users in this topic have said their card was used to buy X and Y, would that mean you're calling those people liars?

I'm confused.

It might be real
or
It might be coincidence
or
It might be people lying

I certainly remember some of those "IVE HAD 12 RRODS IN A ROW" claims being somewhat suspect.

 

[DailyVacation]

It's odd that a week before this happened, I was trying to find out how to update my address on my PSN account, and couldn't find a way to do so.

Fortunately I have my old address there, and the credit card I used last year is already expired.

 

[lowrider007]

This comment is in NO WAY meant to make light or trivialize the troubles of those who may have had their credit cards stolen.

It is a serious question.

If you guys are still doubting that credit card info was taken, even after several users in this topic have said their card was used to buy X and Y, would that mean you're calling those people liars?

I'm confused.

My dear, thus far there has been 1426 unique people posting in this thread, I'm sure that statistically speaking it is quite probable that those few people that were effected were just unlucky victims of general identify theft, I certainly don't think that there has been enough people that have had money taken from their acc's fraudulently yet to blame it on this particular incident.

 

[btcollide]

All I know is that I only use my CC for major purchases (most recently, airline tickets back in March).

No way could anyone have pulled my card info (I'm not that stupid to swipe it EVERYWHERE) - I'm absolutely positive it was because of the PSN breach that my card was stolen. I'm just going prepaid when it comes to PSN now. Pretty disappointing.

 

[harriet the spy]

All I know is that I only use my CC for major purchases (most recently, airline tickets back in March).

No way could anyone have pulled my card info (I'm not that stupid to swipe it EVERYWHERE) - I'm absolutely positive it was because of the PSN breach that my card was stolen. I'm just going prepaid when it comes to PSN now. Pretty disappointing.

You have no way of being positive. Odds are overwhelmingly against your unjustified paranoia. Sorry about the fraud, though.

 

[Vagabundo]

Come at me bro.



At this point we have no evidence that this due to some sort of negligence. Also, you act as though there is no precedence.

Let me put it this way. If someone stole your car ... and let's assume for a second you aren't a git that left the doors unlocked and keys in the ignition ... should we be calling you out as having fucked up? How about someone breaks into a business and steals shit, and it employed industry standard (or better) security ... did the business fuck up? Again, assuming they didn't forget to activate the security system and lock the doors?

Maybe we should actually wait until there's enough information before blaming those who may be the victim?



People can feel free to bitch about how Sony has handled PR for this, but that's completely unrelated to what you seem to be bitching about.

We have plenty.

PSN security was lax; you have Linux servers running out of date software and a pretty shoddy network setup. We have passwords stored either in plaintext or using a hashing system without a salt. That's more than enough to label them incompetent and negligent.

However they also say that they cannot rule out that CC information may have been stolen. This is after the external security firm audit, which means their method of encrypting the information was sub-par.

With something the size of PSN all this is unforgivable, but with the advanced warning they had with all CFW/GeoHot/Anon and, they do not fix this or get an audit, it is nearly criminally negligent.

So no, Sony are not the victims here, they are lazy fucks and deserve to have all this bad PR and vitriol.

 

[btcollide]

You have no way of being positive. Odds are overwhelmingly against your unjustified paranoia. Sorry about the fraud, though.

lol ok

 

[whalleywhat]

If Sony plays the victim card, please feel free to burst out laughing. We're not talking about an indie developer being hacked. We're talking about one of the most visible (and arrogant) companies in the world, and they have utterly failed at securing a network that contained personal information from over fifty million customers. There is no conceivable excuse or rationalization for that.

Dunno if this has been posted.

 

[jim-jam bongs]

if there is no such thing as a 100% secure system, how do you define what is adequately secure? not being snarky.. serious question.

Yeah, it's a good question too. The important thing to remember is that most intrusions are PEBKAC (problem exists between keyboard and chair), so you can force users to jump through hoops to successfully authenticate but then if you go too far you end up forcing them to put their login details on a post-it on their monitor.

At the fundamental level you need to:
- Have a sysops team who know every piece of software on your servers and zealously watch the security alerts list for each application so that they can issue emergency patches 24/7. By the time a vulnerability is discovered it can already be in the wild, so you basically have a ticking timebomb sitting in your data-center until you patch it. Hyperbole perhaps, but unpatched systems scare the living shit out of me.

In addition to this you'll need to make sure that you have a staging environment to test those patches otherwise you might end up having to perform a rollback after an update to get your system back up and running. Easy to do on a staging environment, really hard to do on a live production environment being used by your customers.

- Don't trust user input, ever. I could go into a lot of detail about this but I think Blimblim has already discussed it a lot in these threads. You need to at the very least ensure that all user input is escaped before being used in database queries to protect against SQL injection, but it's considered to be good practice to go deeper and look for other junk in their input too, script tags which might indicate that they're trying to execute a XSS attack as an example.

- Use encryption a lot. Anything involving user information should be transmitted over SSL (https) and anything sensitive going into your database should be stored in a format which can't be easily parsed by humans. For example, passwords are usually stored as a hash, and when you login to a service the inputted password is munged with the same algorithm, and the result compared.

- Close all your ports that aren't in use. If any of your software (e.g. SSH server) shouldn't be open to the public then lock those ports down to a safe IP range which you own. As an example, if I need to do any remote work on our systems I have to first connect to the office VPN and then connect to the server. Also, I don't have a password for any of these systems; they're all secured using public-keys which are managed and installed to our (managed) workstations by our sysops team. This makes it a lot harder to impersonate one of our staff and compromise the system.

- Nobody but your most trusted sysadmins should know the passwords to anything. The easiest way to do this is to develop all of your applications to expect the environment to inform them of their settings, rather than the other way around. The added benefit of this is that all of your large applications can be deployed to any of your environments and be running in seconds, obviously a pretty handy thing to do in case of disasters.

- If possible, use a double opt-in system for authentication. An example would be the dongles given out by Blizzard for Battle.net accounts, or Google sending a PIN to your phone when you login. Basically it's the idea that you can at the very least protect against remote exploitation by requiring a physical presence to authenticate.

And that's just a handful of things off the top of my head, I'm an enterprise architect so you'd get a much more detailed answer from a sysadmin. At any rate those examples should give you a good idea of the kinds of things which an independent audit for lax security would check for. Again, doing those things doesn't make you 100% impenetrable but not doing them is like leaving your front-door unlocked.

Edit:

We have plenty.

PSN security was lax; you have Linux servers running out of date software and a pretty shoddy network setup. We have passwords stored either in plaintext or using a hashing system without a salt.

Welp, if this is true then yeah fuck these guys.

 

[arnoldocastillo2003]

OK this is to big for me to read, what new news has come out?

 

[Paches]

OK this is to big for me to read, what new news has come out?

Read the OP and you will be up to date.

 

[darkwing]

wow, pretty big news there, so the personal data was the only exposed eeep identity thief!

 

[Material541]

All I know is that I only use my CC for major purchases (most recently, airline tickets back in March).

No way could anyone have pulled my card info (I'm not that stupid to swipe it EVERYWHERE) - I'm absolutely positive it was because of the PSN breach that my card was stolen. I'm just going prepaid when it comes to PSN now. Pretty disappointing.

You don't think there are other ways besides user error that card numbers are stolen? Sony isn't the the only company to get breached. Even then, fraudulent purchases aren't always right after the breach.

 

[darkwing]

i wonder what kind of encryption they would be using on the credit card info

 

[androvsky]

Wasn't the outdated linux server story actually about a gracenote server that wasn't part of psn?

 

[btcollide]

You don't think there are other ways besides user error that card numbers are stolen? Sony isn't the the only company to get breached. Even then, fraudulent purchases aren't always right after the breach.

Yes I KNOW that there are other ways your credit card info can be stolen. The point is that I RARELY used this CC at all - only for major purchases. (two purchases within the past 7 months - a bed and airline tickets in person).

Anyways, done giving my 2 cents - all you get is shit in return anyways from some people.

Just giving people a heads up.

 

[darkwing]

Wasn't the outdated linux server story actually about a gracenote server that wasn't part of psn?

Gracenote? the album / song info thingy that Sony bought?

 

[aktham]

Ok I called to cancel my credit card. It seriously took 20 seconds to do it over the phone. They will mail me a new card. (all automated)

It was a whole different story with my debit card. I spoke with a lady who cancelled my card after asking for my info (which I did to the automated system already). I just happen to tell the lady that I'm sure they've had a lot of calls due to the PSN security issue. She told me they're sending me a new card and that I have to talk to their "identity theft" department. It was a basically a guy trying to sell me credit monitoring service for 16 bucks a month. These guys are real opportunists. He was trying to sell it using fear tactics too He knew about the PSN hack and the 70 million accounts that were affected.

 

[Averon]

We have plenty.

PSN security was lax; you have Linux servers running out of date software and a pretty shoddy network setup. We have passwords stored either in plaintext or using a hashing system without a salt. That's more than enough to label them incompetent and negligent.

However they also say that they cannot rule out that CC information may have been stolen. This is after the external security firm audit, which means their method of encrypting the information was sub-par.

With something the size of PSN all this is unforgivable, but with the advanced warning they had with all CFW/GeoHot/Anon and, they do not fix this or get an audit, it is nearly criminally negligent.

So no, Sony are not the victims here, they are lazy fucks and deserve to have all this bad PR and vitriol.

I need a source for that.

 

[Hellion]

Dunno if this has been posted.

Ahh a gaming expert...

Sony, publicly apologize or you can kiss your business goodbye.

 

[sangreal]

I'm sure I'm not the first, but I got a laugh when I searched my e-mail for playstation.net:

Welcome to PlayStation(R)Network.

Your registration confirmation follows below. Please keep a copy in a secure place.
--------------------------------------------------------------------------
<personal details>

 

[daemonic]

My bank called me a few weeks ago to tell my my credit card information had been compromised. I was issued a new card immediately. I'm pretty damn sure it was because of this whole ordeal.

 

[Dead Man]

I'm sure I'm not the first, but I got a laugh when I searched my e-mail for playstation.net:

:lol

 

[darkwing]

Ahh a gaming expert...

Sony, publicly apologize or you can kiss your business goodbye.

read the blog, they have been apologizing, maybe they need to put out an ad?

 

[Vagabundo]

Gracenote? the album / song info thingy that Sony bought?

No these servers were suppose to be part of PSN.

PSN is huge:

[user2] psn == 45 environments
[user2] and for example
[user2] every env has 50 subdomains
[user2] to external machines
[user2] its rly rly huge
[user2] who wants to do this xD
[user2] ppl r lazy
[user2] wont change

 

[jax (old)]

We have plenty.

PSN security was lax; you have Linux servers running out of date software and a pretty shoddy network setup. We have passwords stored either in plaintext or using a hashing system without a salt. That's more than enough to label them incompetent and negligent.

However they also say that they cannot rule out that CC information may have been stolen. This is after the external security firm audit, which means their method of encrypting the information was sub-par.

With something the size of PSN all this is unforgivable, but with the advanced warning they had with all CFW/GeoHot/Anon and, they do not fix this or get an audit, it is nearly criminally negligent.

So no, Sony are not the victims here, they are lazy fucks and deserve to have all this bad PR and vitriol.

source please. bullshit is so rampant.

 

[Sporran]

think people have to be realists. Yes this sounds bad and probably is bad. Im more relaxed at this whole affair as its not the 1st time for me to have had either my credit card details exposed (2 times already) and had my details taken elsewhere online due to hacks. It happens.

Said fact guys, as we enter the digital world and work/play more online so the risk of this happening increases, i couldnt even comprehend the amount of websites i have put my details in to legit, they are just waiting to be targetted. But God help if these attackers decided to target Governments or the Public Administration systems (whether local, or central) used in countries throughtout the world. These system hold far more info, and i bet their security is very primitive compared to Sony including outsided software on servers, and hold far more personal info, NI numbers etc for UK peeps and whatever is used in others.

Im not saying its right, far from it but the worst is still to come. Its a wake call for all, though im sure some will still work to the "it will never happen to us" and this attitude overrides the costs of doing it properly!!

btw, i just want PSN back, finished portal 2 SP last night, would love to try some coop and that copy of socom it itching to fire up

 

[LowParry]

My bank called me a few weeks ago to tell my my credit card information had been compromised. I was issued a new card immediately. I'm pretty damn sure it was because of this whole ordeal.

-facepalm-

Are people this paranoid? Cause it's pretty sad.

 

[Raistlin]

We have plenty.

PSN security was lax;

We know this explicitly?

you have Linux servers running out of date software and a pretty shoddy network setup. We have passwords stored either in plaintext or using a hashing system without a salt. That's more than enough to label them incompetent and negligent.

Again, do we know this? I'm seriously asking, as this thread is huge and I haven't followed everything.

If the point is simply that it's 'out of date software' (assuming this is even known), all I can say is I used to work at one of the big 3 defense contractors. You'd cry if you know what we were running. Still haven't moved past XP for client machines ... IE6 didn't go away all that long ago ... many of the server OS's are 'out of date'.

Shit, you should see what the gov uses. Many times though, this is actually on purpose. There's a difference between jumping to the newest and the best, and actually maintaining security. The reality is it's a devil you know sort of game. Jumping to the newest typically means new unknown security flaws. Large-scale systems and big companies with important data purposely wait a while until a lot of the issues have been rung out and patched.

Now if there is verifiable evidence that they were not patching known flaws that have released updates ... that's a very different argument and would certainly make accusations of negligence more realistic. If however they were keeping those sorts of things up-to-date, then it's likely they were keeping their system more protected, not less.


Of course all the above is predicated on the idea we know their stuff is out of date. Do we?

However they also say that they cannot rule out that CC information may have been stolen. This is after the external security firm audit, which means their method of encrypting the information was sub-par.

Actually we don't know what it means. It could very well mean they simply haven't made a determination of whether the data was even accessed. It's possible it was, but is still encrypted.

With something the size of PSN all this is unforgivable

As I said, refer to some of the systems I've had access to. It's actually typical for bigger systems to be running older software - both because costs (and downtime) can be huge to upgrade (they need to pick their places) ... and because it can make security worse.

, but with the advanced warning they had with all CFW/GeoHot/Anon and, they do not fix this or get an audit, it is nearly criminally negligent.

Again ... fill me in in case I'm missing something here. Are you talking about PS3? If so, what does that have to do with this situation? Gawker was attacked ... so I guess Citizen's Bank should audit their system? Other than the fact PS3 and PSN are from the same company ... are they actually related situations?

So no, Sony are not the victims here, they are lazy fucks and deserve to have all this bad PR and vitriol.

lol

 

[MustacheBandit_]

Ok I called to cancel my credit card. It seriously took 20 seconds to do it over the phone. They will mail me a new card. (all automated)

It was a whole different story with my debit card. I spoke with a lady who cancelled my card after asking for my info (which I did to the automated system already). I just happen to tell the lady that I'm sure they've had a lot of calls due to the PSN security issue. She told me they're sending me a new card and that I have to talk to their "identity theft" department. It was a basically a guy trying to sell me credit monitoring service for 16 bucks a month. These guys are real opportunists. He was trying to sell it using fear tactics too He knew about the PSN hack and the 70 million accounts that were affected.

you really got a new card? are you even following the new info? It amazes me how paranoid some of you guys are. I hope you are trollin' or just meth addicts because sane people shouldn't be acting like this.

 

[bangai-o]

this thread

1. fuck those hackers

2. waitaminnut, Sony fucked up

3. analogies

4. ponies

5. confused

6. Kratos sex stories

7. Sonic the hedgehog fanfics

8. Sony makes contact

9. wheres my Email

and now 10. identity theft happens all the time anyway.

is this about right?

 

[blazinglazers]

You have no way of being positive. Odds are overwhelmingly against your unjustified paranoia. Sorry about the fraud, though.

His PSN account, and all of his associated personal information including an email address, password, personal security answers, home address, billing address, and an associated credit card number was stolen. In one of the largest personal information security breaches ever.

Does anybody downplaying this have any idea how identity theft works?

I mean, it's possible that it's not related to the PSN hack... but certainly it's also possible that it is. Right?

I know I'm just getting trolled in here by the willfully stupid, but again for anyone who hasn't acted and isn't insane:

Why shouldn't you assume the worst here? Why do people keep saying this, what's the thought process? AT WORST consumers get informed that their personal info was been compromised, so they tighten up their personal security and get a new CC. What's that, an hour of their time for easy piece of mind? That's nothing compared to what could happen if the shit really hits the fan.

Seriously, I'm completely baffled by some of the responses in here. Who cares if the media runs with this? Maybe the bad PR will force Sony to be forthcoming with more info or institute something like the extended warranty MS did in response to the RROD fiasco. There's literally no downside here.

 

[aktham]

you really got a new card? are you even following the new info? It amazes me how paranoid some of you guys are. I hope you are trollin' or just meth addicts because sane people shouldn't be acting like this.

Wow dude, wtf? No I'm not glued to this issue. All I needed to read earlier today was that security was compromised. It's better to be safe than sorry.

 

[LowParry]

this thread

1. fuck those hackers

2. waitaminnut, Sony fucked up

3. analogies

4. ponies

5. confused

6. Kratos sex stories

7. Sonic the hedgehog fanfics

8. Sony makes contact

9. wheres my Email

and now 10. identity theft happens all the time anyway.

is this about right?

Not enough.

 

[arnoldocastillo2003]

Read the OP and you will be up to date.

Uhm yeah i already know all that ...... what i mean it has something relevant happened?

 

[Negator]

Not enough.

Lets not go there, for everyone's benefit.

 

[IchigoSharingan]

Can we all agree that stating (regarding the information theft) "this shit happens all the time" is a logical fallacy since it has zero bearing on what's going on right now?

It is a variation of the appeal to probability.

 

[Lord Error]

Yeah I was guessing that when they flip the switch I'd have to make a mad dash for the website to change my password.

But if they're just going to make it so we have to use the firmware then I'm kind of screwed until I get a new ps3.

I wouldn't really worry about it too much. Even in the chance that all this data leaks to public, you'd only have to worry if you have some kind of enemy in real life who would do it to you. If the data doesn't go public, the chance of it happening is so so small that it's not worth considering. All that said, I think it was possible to change the password though a website, so it should be possible now too.

 

[whalleywhat]

It's just not my first instinct to take circumstantial anecdotes from random forum posters as evidence of anything. I have less than zero interest in defending Sony or the way they've handled this, but I'm also not going into a panic before anything solid emerges.

 

[Vagabundo]

Some links. I posted this earlier, but this thread is huge:

http://www.vg247.com/2011/04/27/supposed-hacker-chat-logs-reveal-stunning-psn-security-lapses/

The hashing/plaintext issue I'll have to look up, but I've read it in a few sources. There is also some chat log from Anonymous that go into more detail on the PSN network issues.


@Raistlin: Regarding the warning; Sony knew that Anon was probing PSN months ago and with the backlash from the GeoHot lawsuit they knew PSN was a target.

 

[Persona7]

You guys should be getting new credit cards every so often for security reasons anyways. Especially if your card links into your bank account.

To obtain a new card including a entirely new set of numbers linked to your information takes a phone call that only takes mere minutes. Completely automated and you will have your new card in a week or less.

To some it may be an inconvenience but when your account gets compromised and your funds drained it could take weeks for the bank to set everything right.