This morning, rumours are surfacing that our credit card details might be out there on the black market already. According to the New York Times, hackers are claiming to have 2.2 million sets of card details and are offering them for sale on internet message forums.
Their information seems to be sourced from a securities analyst called Kevin Stevens (although there are claims that several other researchers have backed up his claims) who says he was offered the details personally and also that the hackers have tried to sell the information back to Sony but were turned down. Apparently, the asking price for 2.2 million European credit card numbers is around $100,000.
PSX Scene, a site which seems to be dedicated to the hacking of PlayStation products, has some more information. They’d posted a transcript from an IRC chat and some screenshots taken from what they call “underground” forums.
Here’s the IRC transcript:
Discussion about #psnhack and possible speculation about the hackers being from Europe Logs – efnet – #ps3dev – 2011-04-26
trixter, people I know had a shell on the psn servers
did you know that sony didn’t disable the function that sets the psn server under maintenance ?
The hackers that hacked PSN are selling off the DB. They reportedly have 2.2 million credits cards with CVVs #psnhack
Sony was supposedly offered a chance to buy the DB back but didn’t #psnhack
@mikkohypponen That is what is going around on some underground forums. The DB contains pretty much everything
@the_pc_doc That is what I thought but the guys selling it say that they have CVV2 numbers
@RiquezJP Well not properly securing your server breaks compliance as far as I know.
@RangerRick Yeah, this information about the CVV2 numbers could be bogus. The guys selling the DB could just be making it up.
Supposedly the hackers selling the DB says it has: fname, lnam, address, zip, country, phone, email, password, dob, ccnum, CVV2, exp date
No, I have not seen the DB so I can not verify that it is true
The most important piece of into there is the reference to CVV2 numbers, these are the 3 digit numbers on the reverse of a card which it had previously been assumed had not been taken. So, it seems that the sellers are at least claiming to have all information needed to use our cards for fraudulent transactions.
It’s important to stress that these reports have not been confirmed by Sony. In fact, they have been denied, albeit in a way with the traditional indemnifying phrases by Patrick Seybold:
To my knowledge there is no truth to the report that Sony was offered an opportunity to purchase the list. The entire credit card table was encrypted and we have no evidence that credit card data was taken.
Whether you believe these claims or not is a personal judgement call but as ever, we advise you to be cautious with your personal information and security at all times, online or off.