• Hey, guest user. Hope you're enjoying NeoGAF! Have you considered registering for an account? Come join us and add your take to the daily discourse.

Report: Major PlayStation Security Exploit Lets Hackers Use Customer Credit Card Info Without Needing the Security Code

CyberPanda

Banned
We’ll file this one under the “major screw up” category, as it seems Sony has been left vulnerable for years now there has been an exploit that has potentially been costing consumers and allowing thieves to profit. Due to the nature of this PlayStation Security exploit, we won’t disclose how to actually do it since, y’know, it’s illegal. However we do hope this stirs up awareness for Sony, which according to a user who’s filed a claim, that the exploit is still not being acknowledged.

[Update 2] We have decided to include the actually video and user who had decided to make this public finally since this isn’t something anyone can go out and do themselves as it requires a stolen PSN account. The video, which is about 15 minutes long shows the process of how hackers are able to commit fraud on stolen users account despite there being a security check for the users main account via CVV confirmation. We originally didn’t not want to include it for respect that it could do greater harm and per the request of some of the active scene members not wanting the video to garner attention as it’s harmful. Though Since it is public and the user does say they wish see this fixed we decided to include it.

https://t.co/8VgCQIPO47
New video without music
— Morteza Rahmani (@rmorteza21p) July 4, 2019
What you are seeing here is a bypass of the accounts CVV code. Again, there are measures in place to prevent this if the user hasn’t set-up 2-steps or security answers, but due to the nature of the bug it allows hackers to exploit it by providing a false form of payment that makes the account default to the first provided payment upon adding funds that become available on family accounts.

[Update] We have included some examples near the bottom of the article that are highly supportive that the exploit published today is very real and has been going on for some time now for accounts that have been breached from scams or other means for people to get access to accounts. This does not affect the majority of users out there, especially if they have 2-step verification enabled. Though this is not to say this isn’t an issue that shouldn’t go unnoticed as in the examples supplied its clear it can be harmful to folks who aren’t informed as many of us on the internet.

Original Story

Basically, how the exploit operates is that typically, PSN requires all credit cards to supply them with their CVV security number. When you normally operate PSN this isn’t something the system usually requests, but when you log in from a different console it will ask you for the CVV number of the credit card on file (if you have one) before you can proceed to log-in. However due to a very easy exploit, if a thief was to get their hands on someones PlayStation user’s account, they could potentially rack up victim’s credit cards without even knowing their CVV number as the process bypasses the requirement.


Screenshot_1-768x303.jpg


“It isn’t an exploit with the consoles, it’s an exploit with the network” one modder told us in a private message. When we asked the original poster of the method as to why this exploit is only coming out today in the form of a YouTube video, their response was rather shocking in stating that Sony simply did not care unless it was made public. This exploit has allegedly been around roughly for five full years. The user had claimed that they had sent Sony the exploit in the past, via their own hacking disclosure program, hackerone. The user eventually ended up getting a response that informed them that the exploit served no security risk and was simply fraud. This email was from just today as you can read below.

psn-exploit.jpg


We strongly disagree with this reply from one of the employees at Sony’s HackerOne as this opens up breached users to a larger threat. It more of an oversight, but should have been something sent up to the correct department rather than brushed off as just a “fraud issue.”
And the problem only gets worse as this typically ends up leading to illegal account selling and consoles pre-loaded with the latest games and on the latest firmware, a piece of information confirmed to us by the modder we spoke to earlier. There are countless black markets out there (mostly out of the USA due to high gaming cost in other countries) that sell PSN accounts loaded with PS3, PS Vita, PSP, and PS4 games using this exploit, and if you search hard enough you can even find consoles being sold like this. Shops in Brazil, up to the point until Sony changed their account authentication and gamesharing process would sell modded PS4 pre-loaded with titles via modchips. One other user familiar with the exploit informed us that the way sellers are doing this is that they are racking up credit card balances from one user, and applying it to three other PlayStation accounts that get placed on separate consoles to be sold; although they’ll eventually be banned if they ever go online.

0-1.png


For all intents and purposes, this is complete fraud, and one could argue borderline piracy since it involves the reselling of illegally obtained software and account selling which is definitely against PlayStation’s own Terms of Service (TOS). This certainly has been something that the major players in the PlayStation 4 hacking scene have been pretty much against for the longest time. In fact, while the latest PS4 firmware is no doubt exploited behind closed doors, many hackers have vowed to never release an exploit that is achievable on the latest hardware due to mass piracy and online cheating.

We have reached out to Sony for a reply and will let you know if anything comes of this. For safety purposes, keep an eye out on all your finances as you never know when someone may steal your information. We highly suggest you activate the two-step verification on your PlayStation Account, whether you want to store credit info is entirely up to you. This certainly isn’t as big as a blunder as Sony’s infamous PSN hack that happened eight years ago where millions of potential credit cards were possibly stolen, though it is a pretty big exploit in the wrong hands.

If you need help setting up Two-Step verification you can do so from either a PlayStation console or from the official PlayStation Two-Step Guide webpage, along with additional security questions to help protect your account.

Add an extra layer of security to your PSN account by creating a Security Question & Answer: https://t.co/211RMz55YJ pic.twitter.com/IvpS3ycqW1
— Ask PlayStation (@AskPlayStation) July 4, 2019


Minor Update:

We have searched for some potential cases and have actually found a very recent one that shows effects from someone most likely using this exploit, along with a good amount of other posts.

@PlayStation account was hacked and unauthorized purchased was made off credit card totaling over 1000 dollars pic.twitter.com/AtMFxfBz2q
— latonya williams (@ladyllw30) June 30, 2019


@PlayStation
— latonya williams (@ladyllw30) June 30, 2019

And this reddit post from 10 months back with a similar situation: Reddit

A Reddit Post from 7 month ago: Reddit

Another one dating as far back as three years: Reddit

A couple of people on the official PlayStation Forums also, one here ,here, and here.

Source of image below: PlayStation Forums From Last April

Screenshot_3-768x250.jpg


A Gamefaqs post detailing the same situation here.

There are several others out there with the exact same scenario, which all pertain to the use of the Family management sub-account, something we didn’t want to originally state in the article due to it being a part of the exploit.

 

DeepEnigma

Gold Member
You do the same in almost every service that harbors your credit card and if you steal the account.

Amazon, food delivery services, etc., all don’t ask you to confirm the CVV code.
 

Pallas

Member
If I remember correctly, it’s when the hacker/exploiter that had gained access to your account but uses it on a different Playstation 4, usually companies force you to re-enter some of the details if you’re using a different device.

I know Amazon has made me do it when I log into my account via another device I had never done before.
 

Petrae

Member
Well, glad I switched to PSN cards and codes years ago. Seems Sony still has work to do on this front.

I did this after the Great PSN Hack of 2011. No way is Sony getting my credit/debit card number. It’s much safer this way.
 

nush

Member
Well, glad I switched to PSN cards and codes years ago. Seems Sony still has work to do on this front.
I did too when Sony would always reject my new credit card details even after multiple support calls. I actually save money this way as the cards are discounted, probably saves my making impulse purchases as there's an extra step to get the codes.
 
Top Bottom