PSN: Hackers Claim To Have Card Details

This morning, rumours are surfacing that our credit card details might be out there on the black market already. According to the New York Times, hackers are claiming to have 2.2 million sets of card details and are offering them for sale on internet message forums.

The New York Times report seems to be sourced from a securities analyst called Kevin Stevens (although several other researchers are said to have backed up his claims), who says he was offered the details personally and that the hackers tried to sell the information back to Sony but were turned down. Apparently, the asking price for 2.2 million European credit card numbers is around $100,000.


PSX Scene, a site which seems to be dedicated to the hacking of PlayStation products, has some more information. They’d posted a transcript from an IRC chat and some screenshots taken from what they call “underground” forums.

Here’s the IRC transcript:

Discussion about #psnhack and possible speculation about the hackers being from Europe

Logs – efnet – #ps3dev – 2011-04-26

trixter, people I know had a shell on the psn servers

did you know that sony didn’t disable the function that sets the psn server under maintenance ?

The hackers that hacked PSN are selling off the DB. They reportedly have 2.2 million credits cards with CVVs #psnhack

Sony was supposedly offered a chance to buy the DB back but didn’t #psnhack

@mikkohypponen That is what is going around on some underground forums. The DB contains pretty much everything

@the_pc_doc That is what I thought but the guys selling it say that they have CVV2 numbers

@RiquezJP Well not properly securing your server breaks compliance as far as I know.

@RangerRick Yeah, this information about the CVV2 numbers could be bogus. The guys selling the DB could just be making it up.

Supposedly the hackers selling the DB say it has: fname, lnam, address, zip, country, phone, email, password, dob, ccnum, CVV2, exp date

No, I have not seen the DB so I can not verify that it is true

The most important piece of info there is the reference to CVV2 numbers. These are the 3-digit numbers on the reverse of a card, which it had previously been assumed had not been taken. So it seems that the sellers are at least claiming to have all the information needed to use our cards for fraudulent transactions.

It’s important to stress that these reports have not been confirmed by Sony. In fact, they have been denied by Patrick Seybold, albeit with the traditional indemnifying phrases:

To my knowledge there is no truth to the report that Sony was offered an opportunity to purchase the list. The entire credit card table was encrypted and we have no evidence that credit card data was taken.

Whether you believe these claims or not is a personal judgement call, but as ever, we advise you to be cautious with your personal information and security at all times, online or off.

Source: NYT and PSX Scene


115 Comments

  1. If they have the zip code, would that mean the hackers only have US account details?
    Oh, I thought it was unlikely that hackers would have the CVV numbers as they are encrypted or something…

    • These 2.2 million details are said to be European.

      • Do’h

      • Sixthaxis should be ashamed of themselves for reporting this nonsense. It’s clearly fake for one simple reason, which you should have checked. Namely that PSN does not use CV data, nobody was ever asked for it, Sony therefore don’t have it either.

        Go hang your heads in shame for this scaremongering sensationalist tripe.

      • @clash. That’s why it says whether you believe it or not. This is a gaming news site and whether it’s true or not this is gaming news.

      • People are asking for updates clash. Whether true or not, this is important for people to know.

      • I couldn’t have put it better than that raider. Spot on.

      • this is a stupid story imo.

      • @ theberzerka – This is not gaming ‘news’ this is gaming hearsay!

      • Well I haven’t heard it before so it’s new… s to me :P

      • So if we can’t have “hearsay” about this on the website I presume you don’t want to have any more articles about rumoured games coming out and rumoured features?

        You know the title does have the word “claim” in it and nowhere in the article does it state this as fact…

      • There’s a slight difference jonny_bolton, articles about rumoured games don’t send people into a blind panic.

      • To be fair, it motivated me to cancel my card and apply for a new one. I probably would have had a “wait and see attitude” with regards to it and we all know how that stance works. Just ask Neville Chamberlain.

      • Everyone I know that has had their ID cloned has ended up having it refunded in full, and that’s why I’m not too bothered!

      • Yeah but mine was my debit card as opposed to a credit card so it’s not as easy/likely to be able to recover lost funds.

      • The people I know had their debit cards cloned, and I too have my debit card details stored on PSN.

      • Well it seems we’re going over a bit of a moot point here anyway. My point though that the article, for me, has been a help (in kicking me up the arse) still stands. I mean it’s better to prevent my card being used than go through the hassle of fraud claims is it not?

      • The other pain in the arse of this is that now I’m going to have to memorise my new card number. I had the other one down to a point where I didn’t need it to use it online.

      • It certainly isn’t going to do any harm to cancel your card and get a new one, and if it puts your mind at ease then it’s a wise move. And I’m sure you’ll memorise the new card number in no time! :-)

      • TSA credibility -100.

      • Wow, what an interesting insight. A solid statement with a strong reinforcement. And look, you’ve replied to a thread with a reply with no context absolutely to what has been said, or at least without attempt to link the two meaningfully, so it’s at the top and everyone can see what clever, witty things you have to say. Well done.

      • oh darn this is getting kinda rubbish for ps3 owners

      • 1.1 MILL

    • Title says ‘claim’ which means it isn’t fact. Plus I’m sure you’d all kick up a stink if it were true and weren’t aware of it. Why are some of you being arseholes? They’re passing on important information.

      • Thank you crawfail I tried to say that, but from the response I got, failed.

      • They’re passing on important information? That’s the point, this is not important information. As CVV details aren’t stored on PSN this can only be nonsense. Don’t get me wrong, of course I understand that TSA has to report on this saga, but it would be nice to have some of the crap filtered out.

      • But they apparently have our card details which is very important news. It’s not like TSA are making things up. Why is everyone so touchy lately?
        It doesn’t matter if some guy had my details but was missing the expiry date, I’d sure as shit want to know either way if there was a possibility my details were out there.

        Just because it’s video games it doesn’t make it any less important.

      • But we knew that they had our details before this was written. This article adds nothing of any importance whatsoever.

    • This post should be posted with the clear title: Absolute bollocks, as the information discussed isn’t even COLLECTED by Sony.

      TAKE SOME RESPONSIBILITY, journo/bloggers!

      Just because you post something as rumour doesn’t mean some people won’t take it as truth — if it’s obviously bollocks, it’s your responsibility to do at least a half second of thought before posting it.

      • 1) the article is sourced to other sites and is just passing info on to people, like me who actually has a concern that my bank details are out in the void for anyone to get their hands on.
        2) even if it isn’t true but they have everything but the CCV and you aren’t concerned about that then you’re an idiot.
        3) if, like many people, you use this site exclusively I’m sure this news is very important and welcome.

        As an aside, slagging off the quality of the article, the writer or the site it’s on is not constructive criticism. Stop being nobs.

      • to respond to each point:

        1) Rumormongering is not an ‘article’. it’s just passing on obviously false information.

        2) credit card info was encrypted. Obviously, i don’t want people getting my cc info. But just because i don’t want people getting my cc info doesn’t mean I think obviously incorrect bollocks should be spread.

        3) This is NOT news. what part of that do you not get? if i say ‘i heard the US is going to war with Canada tomorrow’ and you posted this as serious possible truth on a blog, you’d be an idiot. It’s not news, it’s obvious bollocks. As is this ‘article’.

      • PS — the very fact that so many people are defending this article is exactly why it shouldn’t be posted. obvious bollocks… ANYONE can claim to have/want/sell anything online. How many internet trolls out there just want to get people like you riled up? That’s all that’s happening now — people that don’t know all the details hear rumours and get worked up about it.

      • Read the third word of the article. There wasn’t any point where this article was stated as cold hard fact.
        While the issue is still in the air I’m sure many people appreciate all the information they can get. Plus although Sony say the details were encrypted, people that have had bank accounts compromised following their cock up would suggest otherwise and to take anyone’s word as gospel right now is not the best idea.

        Writing this article off as being outright bollocks is a little obtuse given the fact that we don’t know everything.

  2. could be a con. if not though then i hope everyone has cancelled their card.

    • It’s not too much hassle to cancel a card though really. Better safe than sorry.

      • yeah, did mine when i found out. Sensible course of action. You just never know.

  3. The utter, low-life shits…

  4. I hope someone pays very good money for my CC Info. It’s invalid!

  5. I’m not certain, but as far as I know.. the CVV2 numbers are not stored in the PSN database. I heard something about Sony just storing the ID for the creditcard information.. and via a connection with the creditcard company database they verify everything.
    I’m not certain if this is true, maybe someone with some more knowledge can confirm this? Or not.

    • I was just thinking something similar… Pretty sure I remember reading something in the past couple of days stating that the hackers couldn’t have the CVV2 number as Sony have never asked for it for anything on the PSN. Just trying to find it, could have been a BBC article or something.

      If that is the case I would be very skeptical about this claim to having CC data – and these people may well have shot themselves in the foot.

    • From Visa’s website:
      When you give a merchant your CVV2 code at checkout, that information is sent electronically to the card-issuing bank for verification and authorization. If a person attempts to use your card number but cannot provide a 3-digit security code, or if the number is returned as invalid, the merchant will cancel the transaction. For security purposes, merchants are prohibited from storing this number.

    • Thanks. I think that verifies it. Unless Sony is doing something very illegal. =P

  6. i call bs on this. from reading earlier posts about breaking the encryption it’s fair to say this is a fake claim

    • My knowledge about breaking this kind of encryption.
      Step 1: Figure out how it was encrypted.
      Step 2: Encrypt a random string in the same way (in this case.. string containing x amount of numbers? Not certain.)
      Step 3: Compare the result with the encrypted stuff you’ve ‘stolen’.

      Doing this with 2.2 mil records sounds like a very, very slow and burdensome process, even when automated with some kind of super computer.
      Correct me if I’m wrong btw.

      • Working out the algorithm is the tough bit, I believe.
        I may be stating the obvious here.

      • Given the fact that many of the encrypting algorithms use huge prime numbers to even begin the encrypting it’s not a quick task. Sole finding of the correct number is next to impossible (there is good money in selling those). Given the fact that a huge number of people already canceled their cards I wouldn’t even bother trying to decrypt the table.

    • Although that doesn’t mean that they’re selling decrypted stuff. I’m pretty certain people are willing to buy encrypted stuff as well.
      I forgot to mention that finding out how it was encrypted is also a very slow, trial/error like process. Probably the hardest part.

      • i read that it could take years to break the encryption. and as stated above the CVV2 number is not stored by sony anywhere on the system. this means that the claim is bs whoever says that they have them is a glory seeker

    • To be fair, Sony doesn’t have the best track record when it comes to secure encryption. Hell, they could have made the same mistake as they did with the PS3…

      But yeah, I’m pretty sure this is fake, I don’t remember giving Sony my CCV.

  7. It’s difficult to know who to trust.

    • Hint – don’t trust the rumour mongers.

  8. I can claim I’ve got the card details as well. *adopts Wheatley voice*
    “I’ve got them over here. I can’t show you them if you’re looking, turn around”

  9. i smell scaremongering bull.

  10. Sony do ask for the CVV, don’t they? On your first purchase so they can take money for each subsequent transaction.

    If they’ve been storing it…

    • If they’ve been storing it! OMG!
      The Information Commissioner will get £500,000!

    • In this official statement they excluded the code when saying credit card information could be obtained. That doesn’t say anything regarding if they were storing it or not… so… as you say…

      “If they’ve been storing it…”, I really hope SONY makes an official statement clearing this.

      • erm correct me if i’m wrong but doesn’t steam, paypal, game webby and play.com all store the exact same information as i actually can’t remember if i need to enter my 3 digit number with all those places, maybe i do with game but not sure

      • Amazon, hmv and the list can continue, you only enter the CVV once :/

      • It is not mandatory for online retailers to require CSC numbers, those transactions which are processed with one are put under less fraud scrutiny within bank processing systems

      • I would guess that once you’ve used the card with the CCV2, they assume that all subsequent purchases are legit and don’t require it.

        Hopefully they’re not storing that info, for Sony’s sake. If they had, that would mean Sony had broken their Merchants Agreement (a kind of ToS :P) with card providers and there would be a fair chance of PSN transactions being blocked for a while. Not only that, fines start at $10000 and go up in terms of severity…

        Note: IANAL, might be wrong about any/all of this.

    • The hackers did say something that Sony “is the biggest spy”. This gives us the idea that Sony were actually keeping the CVV.
      I’m 99.99% sure that Sony have asked me for my CVV number at least twice. Sony are screwed.
