Sony have released a new Q&A for its customers regarding the PSN & Qriocity outage and security breaches, this new Q&A covers details on credit card details and passwords, reassuring customers that unlike rumours, “All of the data was protected” and “The entire credit card table was encrypted and we have no evidence that credit card data was taken.”
Here’s the entire Q&A #1 Post extract:
First off, we want to again thank you for your patience. We know that the PlayStation Network and Qriocity outage has been frustrating for you. We know you are upset, and so we are taking steps to make our services safer and more secure than ever before. We sincerely regret any inconvenience or concern this outage has caused, and rest assured that we’re going to get the services back online as quickly as we can.
We received a number of questions and comments yesterday and early today relating to the criminal intrusion into our network. We’d like to address some of the most common questions today.
We are also going to continue to post updates to this blog with any additional information and insight that we can over the next few days.
We are reading your comments. We are listening to your suggestions. Please keep them coming.
Thank you.
Q: Are you working with law enforcement on this matter?
A: Yes, we are currently working with law enforcement on this matter as well as a recognized technology security firm to conduct a complete investigation. This malicious attack against our system and against our customers is a criminal act and we are proceeding aggressively to find those responsible.Q: Was my personal data encrypted?
A: All of the data was protected, and access was restricted both physically and through the perimeter and security of the network. The entire credit card table was encrypted and we have no evidence that credit card data was taken. The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack.Q: Was my credit card data taken?
A: While all credit card information stored in our systems is encrypted and there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained. Keep in mind, however that your credit card security code (sometimes called a CVC or CSC number) has not been obtained because we never requested it from anyone who has joined the PlayStation Network or Qriocity, and is therefore not stored anywhere in our system.Q: What steps should I take at this point to help protect my personal data?
A: For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information. Sony will not contact you in any way, including by email, asking for your credit card number, social security number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking. When the PlayStation Network and Qriocity services are fully restored, we strongly recommend that you log on and change your password. Additionally, if you use your PlayStation Network or Qriocity user name or password for other unrelated services or accounts, we strongly recommend that you change them, as well. To protect against possible identity theft or other financial loss, we encourage you to remain vigilant, to review your account statements and to monitor your credit reports.Q: What if I don’t know which credit card I’ve got attached to my PlayStation Network account?
A: If you’ve added funds to your PlayStation Network wallet in the past, you should have received a confirmation email from “[email protected]” at the email address associated with your account. This email would have been sent to you immediately after you added the funds, and will contain the first 4 digits and last 4 digits of your credit card number. You can also check your previous credit card statements to determine which card was attached to your PlayStation Network or Qriocity accounts.Q: When or how can I change my PlayStation Network password?
A: We are working on a new system software update that will require all users to change their password once PlayStation Network is restored. We will provide more details about the new update shortly.Q: Have all PlayStation Network and Qriocity users been notified of the situation?
A: In addition to alerting the media and posting information about it on this blog, we have also been sending emails directly to all 77 million registered accounts. It takes a bit of time to send that many emails, and recognize that not every email will still be active, but this process has been underway since yesterday. At this time, the majority of emails have been sent and we anticipate that all registered accounts will have received notifications by April 28th. Consumers may also visit www.us.playstation.com/support and www.qriocity.com for notices regarding this issue. In addition, we have taken steps to disseminate information regarding this issue to media outlets so that consumers are informed.Q: What steps is Sony taking to protect my personal data in the future?
A: We’ve taken several immediate steps to add protections for your personal data. First, we temporarily turned off PlayStation Network and Qriocity services and, second, we are enhancing security and strengthening our network infrastructure. Moving forward, we are initiating several measures that will significantly enhance all aspects of PlayStation Network’s security and your personal data, including moving our network infrastructure and data center to a new, more secure location, which is already underway. We will provide additional information on these measures shortly.Q: Has Sony identified the party or parties responsible for the PlayStation Network hack and subsequent theft of personal information?
A: We are currently conducting a thorough investigation of the situation and are working closely with a recognized technology security firm and law enforcement in order to find those responsible for this criminal act no matter where in the world they might be located.Q: When will the PlayStation Network and Qriocity be back online?
A: Our employees have been working day and night to restore operations as quickly as possible, and we expect to have some services up and running within a week from yesterday. However, we want to be very clear that we will only restore operations when we are confident that the network is secure.
As always we’ll keep you updated when we hear more.
Source: PSBlog
Erroneus
So passwords and secret question password wasn’t encrypted…. *tsk* Sony, you do not store such things in clear text!
Kovacs
As I said in the other thread. But, hey, what do I know? I’m an ego-maniac (apparently).
theberzerka
Just had a read through that thread and laughed when I saw the ego statement.
Your such a big head for pointing out an obvious flaw :P
Bilbo_bobbins
just a maniac Kovacs
nofi
Secret question doesn’t need to be encrypted, but if the answer wasn’t… Fuck.
Erroneus
Yeah, was actually also answer I was thinking about.
I wonder how many can remember what secret question they used on PSN and if they used that same combination other places!
The Lone Steven
I hope they have encrypted the answer otherwise that is just pisspoor Data management. Sony might end up getting a huge fine if it turns out they didn’t encrypt it.
CNWLshadow
They want us to change our user names if we use the same one elsewhere. :(
CNWLshadow
Oops, I was meant to reply to the entire post.
InternationalGamer
That would suck if that wasnt encrypted, it just has to be, but we dont know. Goddamit.
Uhyve
Especially after you have been warned about your multiple fails. Mathieulh is claiming that he and other hackers warned Sony of this months ago:
http://twitter.com/#!/Mathieulh
3shirts
Sounds fair enough. As I expected, this has been blown out of all proportion by the media
Foxhound_Solid
Too true Three, too true mate!
cc_star
You think it’s OK for security flaws to have enabled everyone’s details to have been swiped
uuuhh
No, it was sad ass hacker scum that enabled everyone’s details to have been swiped.
Foxhound_Solid
Security Flaws which yes, but if it wasnt for the DAMN HACKERS trying and persisting and working out a way to steal that damn information in the fest place, this mess wouldnt exist?
No security measure is perfect, far from it. The blame in my eyes is and always will be firmly on the hackers head. Sony have a opportunity to learn from what is a severe mistake, they deserve a chance to put this right.
Its almost like being broken in to and being blamed for not having the PERFECT burglar alarm system? If a thief wants something they will find a way!
They are bastards for it but persistant creatures.
monty2k
@ uuuhh:
Which came first, the security flaws or the hacker? :P
The hacker couldn’t have done it without inadequate security. It’s as simple as that.
Roynaldo
you think every system is unhackable?
monty2k
@ roynaldo: Is that aimed at me? I don’t think any system is unhackable but Sony have the resources to make it the next best thing.
They’ve known about hacks and vulnerabilities with these details for about the last 2 months at least (http://arstechnica.com/gaming/news/2011/02/report-psn-hacked-showing-stunning-lack-of-credit-card-security.ars).
They could have tried to improve security since then. Sony have really ballsed up on this one.
Roynaldo
nah mate, cc :)
Foxhound_Solid
Hackers will always have the upper hand when it comes to security, always.
Things like this happen every single day, some large scale some not, but it happens every day!
To blame Sony for not covering every single possible angle is beyond short sighted, they have been HACKED! Since when did being hacked mean leaving the from door open, with keys in the lock, wallet, pin number and car keys on the side?
djhsecondnature
@monty2k – You do realise that the link you provided states that “the claims originally made by the hacker quoted in the article are unsubstantiated.”
In other words, not to be trusted.
squashme
actully if geohotz hadnt got past base level 1 security and published details on how to do it on the net PSN would still be working now
Jas-n
Of course it’s not ok for a system to have flaws, but only if those flaws were previously known. This flaw was introduced by hackers. It’s hard to make things completely future proof, and impossible to make things hack proof, if someone’s determined enough they’ll find a way.
As with you your determined to blame the wrong people and always persist that others’ opinions are incorrect.
cc_star
Every lock can be undone, sure, nothing is ever going to be 100% secure, but some ‘locks’ take weeks, months or years to undo… hence the reason everyone’s online bank/paypal/amazon etc accounts aren’t fleeced every week
But here’s the but… and its a big but. The security holes didn’t present enough of a challenge, customer details = customer trust, that’s the most precious thing Sony own. The fact that it looks like someone was able to introduce a line or 2 of Javascript to the network and bypass all this ‘security’ Sony are talking about isn’t security at all in any sane person’s book
Also lets assume Sony are right, although there’s no evidence beyond a carefully worded sentence in what amounts to a PR announcement, and the security was immense, imagine the file size of a database holding 77m accounts worth of data, dumping that sort of data over a 3 day period should have thrown flags up in a secure system. In addition imagine the filesize of 77m accounts worth of transaction history, it would surely be hundreds of GBs and again they never noticed, only shutting the stable door after the horse had bolted, since which they’ve behaved absolutely admirably other than the ‘maintainence’ lie (again) at the beginning of the downtime.
KeRaSh
But it’s Sony’s fault for not encrypting sensitive data such as passwords or answers to secret questions. So Sony did NOT do everything they could to protect our data.
3shirts
@cc_star – That is a bit of a leap from what I actually said mate. I said it had been blown out of proportion, which it has, not that it was in any way OK!
Please watch your tone.
Foxhound_Solid
Did they get details of every single account?
Or did they get some which compromises all of them?
I dont think they got ALL 77 million accounts?
minerwilly
Yea, agreed 3 shirts. Will todays headlines now be that there is no evidence our bank accounts are in danger and that the UKs top fraud experts have said there is no need to even contact your bank.
skibadee
some people love the hype.
iamtdogg
I am the only one who worries about the fact the mentioned a new more secure data centre? To me that implies possibly a physical intrusion?
gideon1451
That possibility hadn’t occurred to me either until I read this article.
adevow
That’s what I thought.Sounds more like a physical break in than a virtual one
Thechunkymunky
One particular line is worrying for me:
‘All of the data was protected, and access was restricted both physically and through the perimeter and security of the network’.
The key word there is physically. IMO that sounds like they had someone on the inside to deactivate that security measure!
Please correct me if i’ve read it wrong :)
squashme
your not reading it wrong does sound like an inside job
Awayze
No, it was a virtual hacks on PSN starting from 17th April, the IP adress, which is obviously behind a proxy, goes to a data centre in Ohio, USA.
Plus there’s an IRC chat log between some angry American teenagers saying how easy it is to access details and the flaws in PSN security as it used an old architecture.
Kovacs
“All of the data was protected” insomuch as it was behind security – security that was breached.
PSN passwords were not encrypted. Every security expert in the world right now are picking themselves up off the floor.
nofi
Mind blowing. Utterly disgusting if true.
grimm
That is seriously unbelievable. How can a tech giant such as Sony think it is acceptable to leave passwords unencrypted?
squashme
even basic websites encrypt passwords not encrypting them Sony might as well of just given our passwrods to the hackers
Jas-n
I’m sure security details (passwords and security answers) were in some way encrypted, just probably not as strongly as the Card data
Pitcher-T
So they’re saying, card details haven’t been taken, but just incase they have be vigilant.
If they’re encrypted and someone takes them anyway, could they decrypt them over time? Not very computer savvy lol.
Einride
In theory, yes, but that is both very time and resource consuming.
Since this is Sony though, they’ve probably done as good a job on this encryption as on the PS3 :P (#define rand() 4 // Carefully selected random number!)
Kovacs
Using a brute force attack it’s technically feasible but would be very, very unlikely.
I’m not a security expert but I know a man who is. I’ve presented the details of the this breach to him and here’s what he said:
“It depends on encryption scheme and your resources. Did they get the encryption keys? If so, it’s game over. Let’s say they didn’t. It would take so long that it is literally not worth it. If you also had all the user’s personal information it would be somewhat easier but still hard. In short: it’s doable.”
nemesisND1derboy
As the woman said about the horse…
Pitcher-T
Ahh cool. That’s not too bad then. You learn something new everyday :-)
I wish hackers would just leave things alone. It’s bad enough they get free games etc from piracy but now they’ve gone too far.
djhsecondnature
Depending on the encryption if would takes years and years to do each one, not worth it.
djhsecondnature
*it, not if. Hit submit too quickly.
cc_star
100% correct, would take years unless they got lucky
As long as they didn’t balls up the ‘key’ like they did with the PS3
Pitcher-T
So they’re saying, card details haven’t been taken, but just incase they have be vigilant.
If they’re encrypted and someone takes them anyway, could they decrypt them over time? I’m not very computer savvy lol.
gideon1451
Some transparency at last.
tonyyeb
“The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack.”
Not sophisticated enough… or too sophisticated for it’s own good?
Soild_Nat
Come on guys we are fine combing statements here to find things to be angry about. Our data was stored securely at different levels dependant on the nature of it.
We all keep precious valuable things in our homes and take reasonable steps to secure them, however it doesn’t stop someone breaking in and taking them, all to often sadly. That’s why we keep our money in the bank and not under the mattress. For me Sony kept the really important stuff encrypted and tightly secured, other information was stored and kept as appropriate.
So to everyone that is still moaning about this, how often have you shared your PSN account with a mate for game sharing? You have just given them all the info (bar payment details) for your account and don’t bat an eyelid, yes the hacker(s) aren’t our friends but I don’t think they will be stupid enough to do anything with the data.
Sony have acted very cautiously over this and have been more then transparent about the nature and extent of the breach, we have to commend them for that. I suspect that moving to another data farm might indicate that whoever they used has had some problems perhaps with staff etc and that might be the cause of the breach into data that wasn’t encrypted but held in a secure place.
hunterstryfe
At least be happy now that we HAVE answers, and a possible timeframe on activation, why still be angry? Seems to me people who keep picking at the holes in the statements will never be happy.
Soild_Nat
I agree with that, lets be happy, we have another 4 day weekend!
MaD dOctoR 79
nicely put, but the moaners will keep on moaning, even if all that was taken was their initials.
and to those people who still don’t understand what security is to a hacker…think of it as their system exclusive, they got past levels 1-3…but haven’t earned that trophy just yet…;)
cc_star
but a lot of evidence points to it not being /that/ secure in the slightest… I wouldn’t start lapping up propaganda until some more facts are known
Jas-n
If someone’s determined enough they’ll find a way in, rendering any security unsecure
MaD dOctoR 79
“I wouldn’t start lapping up propaganda until some more facts are known”
what the hell do you think you’ve been doing all this time?
you didn’t wait for any evidence/facts before spitting your dummy out…
Youles
Feel a little sorry for the people who panicked and cancelled their credit/debit cards, however guess it was best for Sony, and us, to side with caution. Good news. I guess it would have been more of worry if someone like Sony hadn’t encrypted card details.