PSN: Hackers Claim To Have Card Details

This morning, rumours are surfacing that our credit card details might be out there on the black market already. According to the New York Times, hackers are claiming to have 2.2 million sets of card details and are offering them for sale on internet message forums.

The paper’s information seems to come from a securities analyst called Kevin Stevens (although there are claims that several other researchers have backed him up), who says he was offered the details personally and that the hackers tried to sell the information back to Sony but were turned down. Apparently, the asking price for 2.2 million European credit card numbers is around $100,000.

PSX Scene, a site which seems to be dedicated to the hacking of PlayStation products, has some more information. They’ve posted a transcript from an IRC chat and some screenshots taken from what they call “underground” forums.

Here’s the IRC transcript:

Discussion about #psnhack and possible speculation about the hackers being from Europe

Logs – efnet – #ps3dev – 2011-04-26

trixter, people I know had a shell on the psn servers

did you know that sony didn’t disable the function that sets the psn server under maintenance ?

The hackers that hacked PSN are selling off the DB. They reportedly have 2.2 million credit cards with CVVs #psnhack

Sony was supposedly offered a chance to buy the DB back but didn’t #psnhack

@mikkohypponen That is what is going around on some underground forums. The DB contains pretty much everything

@the_pc_doc That is what I thought but the guys selling it say that they have CVV2 numbers

@RiquezJP Well not properly securing your server breaks compliance as far as I know.

@RangerRick Yeah, this information about the CVV2 numbers could be bogus. The guys selling the DB could just be making it up.

Supposedly the hackers selling the DB say it has: fname, lnam, address, zip, country, phone, email, password, dob, ccnum, CVV2, exp date

No, I have not seen the DB so I can not verify that it is true

The most important piece of info there is the reference to CVV2 numbers. These are the 3 digit numbers on the reverse of a card, which it had previously been assumed had not been taken. So, it seems that the sellers are at least claiming to have all the information needed to use our cards for fraudulent transactions.

It’s important to stress that these reports have not been confirmed by Sony. In fact, they have been denied by Patrick Seybold, albeit with the traditional indemnifying phrases:

To my knowledge there is no truth to the report that Sony was offered an opportunity to purchase the list. The entire credit card table was encrypted and we have no evidence that credit card data was taken.

Whether you believe these claims or not is a personal judgement call but as ever, we advise you to be cautious with your personal information and security at all times, online or off.

Source: NYT and PSX Scene

115 Comments

  1. Just blocked my card. Don’t know if it’s true but better safe than sorry!

  2. Some people are just despicable, cashing in on misery…………really if your life has been so shit that you feel other people deserve to be punished I feel sorry for them…..disgusted!

  3. Could be true. Could be bogus. The thing is: Sony’s system has been found to be severely lacking in terms of encryption/security, so who knows what the hackers got? Sony might be saying “They didn’t get X” or “Y is encrypted” and they may honestly believe that, but the whole situation suggests they may not know themselves what the hell is going on and what the hackers actually have.

    I genuinely wouldn’t be surprised if we see another update from Sony saying something along the lines of “Despite previously communicating otherwise, and due to an error on our part, we did in fact store customers’ CVV2 codes. This was a mistake and we now recommend all customers promptly cancel their cards.”

    Seriously, would anything surprise you at this point?

    • I would be surprised that they’d admit it.

  4. All this credit card stuff is rather funny! I haven’t been worried, and bloody well ain’t gonna worry!? Anyone can find out your details, it’s pretty easy! And if someone uses my bank, I phone up the fraud department at the bank, instant refund, new card.
    Until that happens personally I don’t feel the need to cry and run around screaming! ” ZOMG they have my bank details ahhhhh Sony how cans you treat you’re consumers like this, I’m suing you I’m crying hellllppppp”

  5. Well either a) Sony have lied about holding CCV numbers, which they are not allowed to retain or b) it’s a scam by some fake hackers.

    Just remember your credit card details may be encrypted but if they have lost the keys then the encryption isn’t worth jack.

    Sony are a bit like a broken washing machine on full cycle at the moment. Lots of spin and wet drips everywhere.

  6. we will have entered our security numbers when 1st entering our cc details, but likely that was verified at that point, which resulted in a true value in the cvv valid table, so if future purchases were made on the same card the cvv doesn’t require verification, they just reference the cvv validity from the table. chances are if the hackers do decrypt the cc data they’ll get the cc number, the dates etc, and a cvv = true or false value, not the cvv itself.
    either that or they’re in the shit…

  7. LOL

    info from an irc channel…

    • Exactly my thoughts, it’s starting to be reported in tabloid style even on TSA now.

    • IRC is where all the hackers meet.

  8. All this security code business is the worrying part………it has made me wary about most places that want my card details (which I can’t give as I cancelled my previous just in case)….I found out yesterday that PLAY want this info now before they will let me order anything…..even if I am not using my card to purchase anything…….also been told by them that if I do not store my card details with them my account gets cancelled….I am afraid SONY have made me cautious…..so PLAY not getting used for a while…….

  9. The CVV is always required during an online transaction, but only the first time – and it’s not stored on the company server, but sent directly to the bank for card verification. Once the card is verified, you can use the saved details (which are only name/card no/exp date) for online shopping at that merchant.
    That’s how it works in most places, some smaller companies only require cc card no and exp date, but they’re verifying the transaction via normal shop card terminal or a telephone verification with the bank.

    • It’s up to a retailer what info they take, the more info they take the more they secure themselves from chargebacks.

      There is no requirement for a retailer to take security code or even an exp date, many/all do to protect themselves from losses caused by sending goods to people, and then having the bank contacting them to refund the money to the bank, because they’ve refunded the money to genuine customers as it was a fraudulent transaction.

      The more info a retailer requires, the more secure they are.

      but yes, a retailer may use the CSC number the first time, and not in subsequent transactions because that initial transaction goes through the automated fraud checks more smoothly

      • damn it, missed my closing /strong tag after the initial they

      • I’m sure merchants can’t store CVV numbers on the server, as they wouldn’t pass any security audit. It’s not only unsafe but also useless, as they don’t need the CVV in subsequent transactions if the card passed verification with CVV in the first place. It’s called Continuous Authority and can be used with most credit cards on the market now, both Visa and Mastercard.

        So if Sony indeed stored CVVs without the need and we learn it later on, this will be a major cockup on their side which can lead to fines and claims from both card companies and cardholders.

  10. I’m gonna call bullpoop on this one, just because I want to :P it’s my old debit card details on the psn, so can they still take my money ? :/

    • The main problem with debit cards is that you’re not that protected automatically as it comes with CCs. So if you’re worried about it, I’d suggest replacing it with a completely new card (new number etc) just to be safe and sound.
