• Hey, guest user. Hope you're enjoying NeoGAF! Have you considered registering for an account? Come join us and add your take to the daily discourse.

PSN Hack Update: FAQs in OP, Read before posting

Status
Not open for further replies.
Vestal

Vestal

Junior Member
Rebel Leader said:
Investigation takes time.

This isn't Law&Order or CSI where it's found out in minutes.

Even murder mysteries take years.
Click to expand...

Not in the IT world.. Something like this shouldn't take so long to determine.. Especially if you have a monitoring system in place to verify for suspicious activity, like say excessive queries to Customer Databases.. Thats not hard to do at all.

The moment they found out, the first thing they should have done after the Shutdown is verify the customer DB and CC DB logs to see what sort of activity transpired, and verify with the monitoring software for suspicious activity.
 
S

spindashing

Banned
It's weird. I got the e-mail on a PSN that I made and never used at all.

But for the PSN that I did use, I didn't get the e-mail. I'm not sure if I put my address on the PSN that I never used so I'm still freaked out. I know that I did not enter my CC onto that one though.
 
Zoe

Zoe

Member
Dead Man said:
From the OP:


Maybe they were not stored as plaintext, but if not I doubt they would have been included in the definite information lost section.
Click to expand...

That means nothing. Encrypted information could still be useful. For example, say there are a significant number of passwords that are equal to this*: 1e28284f59e926547bb6793ad8723722. All they have to do from there is start going through a list of the most common passwords.

(*not saying they used md5, just an example)

I've used that method on test databases at work many times when I couldn't be bothered to ask for a password someone created for a dummy account.
 
I

Ickman3400

Banned
Loudninja said:
Damn you have inside knowledge please tell me more.
Click to expand...

A company is going to say what they can get away with and what helps them the most. Always. It's impossible to take everything they say at face value.
 
UberTag

UberTag

Member
DevilWillcry said:
I think this is Sony protecting their asses just to be safe more than anything.
Click to expand...
This is clearly CYA time for Sony. Today's message was essentially drawn up by their legal department.

Furthermore, people need to stop taking anything Sony says at face value. For the first 48 hours of this disruption they didn't even acknowledge that they'd taken the network down themselves.

The Sony story changes every day based on what they're legally obligated to share. It's the Japanese way of doing business.

On Friday, we might hear that all of our credit card information was definitely compromised instead of "some accounts" and "may have" and "we just learned 24 hours ago after our team of experts told us".

Next Monday, we might learn that all of the existing PSN accounts were wiped when PSN was rebuilt, online accounts will need to set up from scratch and existing trophy data not linked to offline profiles will not be able to be migrated over.

And next Friday, PSN might come up and we'll learn that none of our previously purchased content can be recovered. Whoops! Our bad. Our experts just found out. We were only legally obligated to tell you now.
 
D

Das Boot

Banned
stupei said:
Canceling the card isn't necessarily enough. They have all your basic information that a bank would need, all they need to do is make a fake card, show up and say oh yeah, no, I found it. The teller isn't supposed to accept it, but people are also supposed to check your ID when you swipe a card. Nobody does that either.

I mean it's possible the guy at the bank gets some kind of commission for signing new accounts and it even counts if he's transferring all my stuff from old accounts to new ones, but I don't see how it's really in his or his company's best interest to lie about things that make banks sound like unreliable vaguely terrifying places. He basically said your debit card is like a key to all your accounts and once it's been compromised, you need to seriously consider a new account because leaving liquid cash in the hands of potential human error is insane.

That sounds pretty reasonable to me.

So not trying to be alarmist; just realistic. A debit card is a much bigger deal than a credit card.



Pretty sure I saw Sony was already quoted in one of the articles as saying everyone in all regions is compromised. It's not just the people getting the email; it's everyone.

So no need to freak out any more than you already were.
Click to expand...

The bank has protections in place if that type of situation were to occur with a hacker replicating your card and going in to the bank and attempt to withdraw funds. It would require several breakdowns in security for that to happen, which is to say that yes your scenario is not impossible, but is highly, highly unlikely. The teller would have to override several prompts in the system to allow for such a thing to occur. Furthermore, the bank would replace your funds in the event that something happened and the idiot teller would be put on corrective action or even terminated depending on the level of negligence.

The scenario that you describe would flag in the bank's fraud monitoring system, so the hacker may get the money, but you would be protected and your money would be safe.

I've worked in a bank, and even had my account drained by a hacker that got my debit card info a few years back. My funds were replaced in about an hour after calling my bank.

Everyone needs to calm down. This is a terrible breach of security, but it wont ruin your financial life. Even if your debit card was compromised.
 
D

daffy

Banned
spindashing said:
It's weird. I got the e-mail on a PSN that I made and never used at all.

But for the PSN that I did use, I did get the e-mail. I'm not sure if I put my address on the PSN that I never used so I'm still freaked out. I know that I did not enter my CC onto that one though.
Click to expand...
All registered accounts will get an email.
 
M

MrPink93485

Member
Metalmurphy said:
Seeing as they know have involved the authorities and actually hired people to find out what happened I'm not so sure they'd just flat out lie about it.
Click to expand...

Yeah, I don't think they would withhold that info beyond confirming their suspicions. I would guess they probably realized the potential of how bad the situation could be, but didn't necessarily confirm it till yesterday?

Still, they could have told us the possibility of what may have occurred, but they probably didn't just so they had a chance of avoiding the PR mess beyond the outage if it turned out to be nothing.
 
B

borghe

Loves the Greater Toronto Area
Sigh..... Those talking about the plain text cc post going around. Yes, your cc is included in the post data to the servers in plain text. And then that plain text is encrypted over SSL using whatever form of encryption and sent across the Internet. PSN servers then decrypt it and use the number. All you are seeing in that snippet is the post data. It has nothin to do with how the credit cards are actually stored.
 
M

Mrbob

Member
The crazy thing is Sony will probably make sure now PSN is the most secure network of all. Usually companies over compensate when something like this happens.
 
M

Metalmurphy

Member
DR2K said:
What a crock of shit. You don't completely shut down a service for 50 million people on a holiday weekend, without something major going down. The only people that would believe that are the ones apologizing for their incompetence in this thread.
Click to expand...
They knew they had an intrusion before, that's pretty major. But the investigators only found out what really happened yesterday. Or so they say.
 
E

expy

Banned
DR2K said:
What a crock of shit. You don't completely shut down a service for 50 million people on a holiday weekend, without something major going down. The only people that would believe that are the ones apologizing for their incompetence in this thread.
Click to expand...
So, you think someone broke into your house.. but you're not sure.. So you wait... until he kills you to call the police?
 
D

Dead Man

Member
Zoe said:
That means nothing. Encrypted information could still be useful. For example, say there are a significant number of passwords that are equal to this*: 1e28284f59e926547bb6793ad8723722. All they have to do from there is start going through a list of the most common passwords.

(*not saying they used md5, just an example)

I've used that method on test databases at work many times when I couldn't be bothered to ask for a password someone created for a dummy account.
Click to expand...
Maybe so. But that is not really passwords, that can be done without the encrypted data at all. Yeah, it will let you crack accounts faster, but it is not really a password as most people understand it. But that may be what the mean, I will grant you that.
 
F

FINALBOSS

Banned
Jinfash said:
Well his tip checked out, so I'm not sure what you're trying to say.
Click to expand...


His point is...you'll consider a jr member to be trustworthy with what he said, and then go ahead and not believe Sony with their timeline of when they discovered the scope of the attack.
 
S

sleepykyo

Member
Still using, but switching over to prepaid cards. Guess it'll help with cutting back on impulse purchases, seeing as I'm too lazy to walk to a walgreens to buy those cards.
 
K

Kyoufu

Member
Well I got an email from SCEJ notifying me that my PS+ subscription has expired.

It expired during the outage... Maybe I should get compensated for that? :lol
 
D

DevilWillcry

Member
UberTag said:
This is clearly CYA time for Sony. Today's message was essentially drawn up by their legal department.

Furthermore, people need to stop taking anything Sony says at face value. For the first 48 hours of this disruption they didn't even acknowledge that they'd taken the network down themselves.

The Sony story changes every day based on what they're legally obligated to share. It's the Japanese business way of doing business.

On Friday, we might hear that all of our credit card information was definitely compromised instead of "some accounts" and "may have" and "we just learned 24 hours ago after our team of experts told us".

Next Monday, we might learn that all of the existing PSN accounts were wiped when PSN was rebuilt, online accounts will need to set up from scratch and existing trophy data not linked to offline profiles will not be able to be migrated over.
And next Friday, PSN might come up and we'll learn that none of our previously purchased content can be recovered. Whoops! Our bad. Our experts just found out. We were only legally obligated to tell you now.
Click to expand...

Fixed that for you there, chief. I think you're being a little overly pessimistic here man, there's assuming the worse and then there's bat shit insane conspiracy theories.
 
M

Metalmurphy

Member
Dead Man said:
Maybe so. But that is not really passwords, that can be done without the encrypted data at all. Yeah, it will let you crack accounts faster, but it is not really a password as most people understand it. But that may be what the mean, I will grant you that.
Click to expand...

Not really sure how this works but... Gawkers passwords were encrypted too and they managed to decrypt mine... :/
 
scoobs

scoobs

Member
Don't think I have used my new CC on PSN... just my old ass one that expired like 3 years ago. I should be okay but this is freaking insane, I can't imagine the number of lawsuits Sony is gonna have to deal with
 
M

MrSerrels

Member
From what I'm hearing from Security experts Sony are actually disclosing far more than you would normally expect. They have their own investigations to conduct.
 
S

stupei

Member
FTH said:
PIN Number?
Click to expand...

Given the number of people who use one password across everything, I wouldn't bet on everyone necessarily having a secure pin. But yeah, that's a huge difference; fair point.

Zoe said:
A debit card number is not the same as your bank account number.
Click to expand...

If you go into a bank and swipe a card, they don't even need you to confirm that you know your bank account number.

Again: I don't think people should be tearing out their hair and crying into their pillow. Obviously, there's no reason to freak out or have an extreme reaction. But likewise I think being flippant about the risks of someone getting access to your debit card number is just as ridiculous in the opposite direction. Banks are not as good about protecting liquid dcash as they are credit. That's just fact. Sure, there are a lot of safeguards in the way to make it harder to use the number, but there are supposed to be safeguards on PSN. A debit card is far less secure than a credit card and if someone else gets that number, it is a big deal, which is what I was originally responding to.

Das Boot said:
Everyone needs to calm down. This is a terrible breach of security, but it wont ruin your financial life. Even if your debit card was compromised.
Click to expand...

The person I was responding to was saying there's no reason to even hesitate to put a debit card back up on PSN because someone gaining access to that number isn't really a big deal at all. Most people in the thread need to calm down and obviously nothing here is going to lead to financial ruin as long as people just keep an occasional eye on their accounts, but acting like it's pointless to take a few basic precautions to prevent this in the feature means you are probably being too calm about the whole thing.
 
V

Vamphuntr

Member
FINALBOSS said:
His point is...you'll consider a jr member to be trustworthy with what he said, and then go ahead and not believe Sony with their timeline of when they discovered the scope of the attack.
Click to expand...

How is being a junior = not being trust worthy. So far Sony has also been not trust worthy. Don't use a third party controller ! It may explodes!
 
S

sangreal

Member
Zoe said:
That means nothing. Encrypted information could still be useful. For example, say there are a significant number of passwords that are equal to this*: 1e28284f59e926547bb6793ad8723722. All they have to do from there is start going through a list of the most common passwords.

(*not saying they used md5, just an example)

I've used that method on test databases at work many times when I couldn't be bothered to ask for a password someone created for a dummy account.
Click to expand...

That is why you salt the hash -- so two identical passwords would have different hashes. So now you not only need to go through a list of the most common passwords, but you have to do it for each salt value.
 
F

Four_Chamber

Member
duckroll said:
Okay, I am FUCKING outraged at this. I'm not angry that Sony's security failed. That shit happens, although if you're not fucking incompetent it happens less. That's another issue which I generally don't get worked up about. What I am outraged about is the handling of this entire situation.

SONY KNEW AND THEY SAID NOTHING.

In one of the previous threads which is now locked, a jr member helpfully provided a tip off that his friend at SCEA suggested that personal information including usernames/emails/addresses/passwords/etc were DEFINITELY taken, and that CC data was PROBABLY NOT taken but that they did not know. This was DAYS ago. THEY FUCKING KNEW.

The assumption on our part, an assumption of GOODWILL, was that if Sony said nothing at all, it meant that nothing was compromised since they were required by law to tell people if it is compromised. Guess what? THEY JUST DIDN'T GIVE A FUCK. In 5-6 days, who knows what could have happened? That's a huge gap. Totally and utterly irresponsible.

Oh and guess what? The statement and the email is only coming from SCEA right now! I have received NO EMAILS for my other accounts, including my primary account. How is this acceptable? This slow and utterly inefficient communication to the consumer regarding high risk information of the more severe nature is unacceptable.

I no longer have any faith whatsoever in PSN, and I will have to carefully consider if I ever want to use this service again.
Click to expand...

Just from perusing the web (and the gaming press lol), it seems most folks are royally ticked off.

The misinformation is horrendous- I wish we had a nice timeline of the bullshit PS blog messages that were posted.
 
D

Dead Man

Member
Metalmurphy said:
Not really sure how this works but... Gawkers passwords were encrypted too and they managed to decrypt mine... :/
Click to expand...
Well, there you go, disregard my Sony pessimism, replace it with encryption standards pessimism.
 
R

RedNumberFive

Banned
MrSerrels said:
From what I'm hearing from Security experts Sony are actually disclosing far more than you would normally expect. They have their own investigations to conduct.
Click to expand...

Well then it's probably worst than we'd expect.
 
davepoobond

davepoobond

you can't put a price on sparks
ugh


i guess i should be glad my previous card number was "compromised" before this happened, so i never attached a working card to my PSN. although i dont think i saved it if there was a way to not save it anyway.


i have no idea which password i used on that account either.
 
Vestal

Vestal

Junior Member
FINALBOSS said:
I was under the assumption that the information was encrypted. If it wasn't, I figured they would explicitly say so.
Click to expand...
If it was encrypted I assure you it would be PLASTED ALL OVER THE Press release. It would help them save face.
 
C

Curufinwe

Member
UberTag said:
This is clearly CYA time for Sony. Today's message was essentially drawn up by their legal department.

Furthermore, people need to stop taking anything Sony says at face value. For the first 48 hours of this disruption they didn't even acknowledge that they'd taken the network down themselves.

The Sony story changes every day based on what they're legally obligated to share. It's the Japanese way of doing business.
Click to expand...

Because no Western company has ever delayed giving out information about something that went wrong?

This really has nothing to do with Sony being a Japanese company.
 
S

sangreal

Member
stupei said:
Given the number of people who use one password across everything, I wouldn't bet on everyone necessarily having a secure pin. But yeah, that's a huge difference; fair point.



If you go into a bank and swipe a card, they don't even need you to confirm that you know your bank account number.

Again: I don't think people should be tearing out their hair and crying into their pillow. Obviously, there's no reason to freak out or have an extreme reaction. But likewise I think being flippant about the risks of someone getting access to your debit card number is just as ridiculous in the opposite direction. Banks are not as good about protecting liquid dcash as they are credit. That's just fact. Sure, there are a lot of safeguards in the way to make it harder to use the number, but there are supposed to be safeguards on PSN. A debit card is far less secure than a credit card and if someone else gets that number, it is a big deal, which is what I was originally responding to.



The person I was responding to was saying there's no reason to even hesitate to put a debit card back up on PSN because someone gaining access to that number isn't really a big deal at all. Most people in the thread need to calm down and obviously nothing here is going to lead to financial ruin as long as people just keep an occasional eye on their accounts, but acting like it's pointless to take a few basic precautions to prevent this in the feature means you are probably being too calm about the whole thing.
Click to expand...

Using a debit card is stupid (always), but you are still protected by federal law in the US if your debit card number is stolen. You have 60 days from the date you receive your statement to report any unauthorized charges. People should use those 60 days to ponder their decision not to use the superior payment method.
 
O

obonicus

Member
Jinfash said:
Well his tip checked out, so I'm not sure what you're trying to say.
Click to expand...

Are we talking about arnoldocastillo? Did it check out? I mean, some of it did, sure, but I was under the impression that not all of it.
 
Status
Not open for further replies.

Similar threads

Helldivers 2 will soon require all Steam players to sign in with a PlayStation Network account
7 8 9 10 11
538
25K
ArtHands replied
Sony CFO: "We don't have enough original IP", will also look to drive growth via crunchyroll
9
783
Killjoy-NL replied
2.7 billion records with socials recently hacked
22
2K
CuckooBananaNuts replied
  • Locked
PS5 Firmware - customize widgets/backgrounds on home screen, party share, 3D audio profiles, more.
4
600
Kururu replied
New PlayStation Portal remote player system software update releases tomorrow
News
47
3K
N30RYU replied
Top Bottom