This morning, rumours are surfacing that our credit card details might be out there on the black market already. According to the New York Times, hackers are claiming to have 2.2 million sets of card details and are offering them for sale on internet message forums.
Their information seems to be sourced from a securities analyst called Kevin Stevens (although there are claims that several other researchers have backed up his claims) who says he was offered the details personally and also that the hackers have tried to sell the information back to Sony but were turned down. Apparently, the asking price for 2.2 million European credit card numbers is around $100,000.
PSX Scene, a site which seems to be dedicated to the hacking of PlayStation products, has some more information. They’d posted a transcript from an IRC chat and some screenshots taken from what they call “underground” forums.
Here’s the IRC transcript:
Discussion about #psnhack and possible speculation about the hackers being from Europe Logs – efnet – #ps3dev – 2011-04-26
trixter, people I know had a shell on the psn servers
did you know that sony didn’t disable the function that sets the psn server under maintenance ? The hackers that hacked PSN are selling off the DB. They reportedly have 2.2 million credits cards with CVVs #psnhack
Sony was supposedly offered a chance to buy the DB back but didn’t #psnhack
@mikkohypponen That is what is going around on some underground forums. The DB contains pretty much everything
@the_pc_doc That is what I thought but the guys selling it say that they have CVV2 numbers
@RiquezJP Well not properly securing your server breaks compliance as far as I know.
@RangerRick Yeah, this information about the CVV2 numbers could be bogus. The guys selling the DB could just be making it up.
Supposedly the hackers selling the DB says it has: fname, lnam, address, zip, country, phone, email, password, dob, ccnum, CVV2, exp date
No, I have not seen the DB so I can not verify that it is true
The most important piece of into there is the reference to CVV2 numbers, these are the 3 digit numbers on the reverse of a card which it had previously been assumed had not been taken. So, it seems that the sellers are at least claiming to have all information needed to use our cards for fraudulent transactions.
It’s important to stress that these reports have not been confirmed by Sony. In fact, they have been denied, albeit in a way with the traditional indemnifying phrases by Patrick Seybold:
To my knowledge there is no truth to the report that Sony was offered an opportunity to purchase the list. The entire credit card table was encrypted and we have no evidence that credit card data was taken.
Whether you believe these claims or not is a personal judgement call but as ever, we advise you to be cautious with your personal information and security at all times, online or off.
david
I wish this site and other would stop milking the fcuk out of this story now. Sony has said the cards were encrypted so there is no need to believe some trash posted on some site.
Please stop now.
theotheo
I am great full for the information spread here. Encryption has been failing a lot at Sony lately. Anyone with enough CPU power will be able to crack the encryption sooner of later. If it’s later and you think you’re safe, you’ll be sorry. If you don’t care about this kind of news, don’t respond.
david
well if thats the case then we might as well keep reporting this and other security issues every single day since a collective of users can crack anything given time*cpu power. So given your great advice I should just become a hermit and put my money under the bed.
Look this story is getting milked for nothing more than hits and its time we moved on. As for your comment, “If you don’t care about this kind of news, don’t respond.” – I care enough to post that its shabby journalism scrapping the bottom of the barrel.
colossalblue
unfortunately, David, we have a responsibility to provide the news on issues that our readers are keen to read about. As new things come up, we report on them. That’s what we do.
Our reader figures for these stories prove that it’s an issue people are incredibly keen to read everything they can about so we would be selling our readers short if we pretended it’s not happening, no matter how tedious you’re finding it.
If it’s any consolation, we’re all pretty sick of the story too, but it is still a huge story and we’re in the business of reporting on huge stories.
fattyuk
This isn’t news it’s rubbish?
Almost as good as the story yesterday about gay characters in ign or sum bull crap about it. Which I noticed that story got pulled within 20mimutes.
I thought this site was better than posting real bad rumour “story’s”
david
colossalblue, yeah I understand. Thanks for you reply.
JesseDeya
I understand your point colassalblue, but what we expect of TSA is some moderation in the way you report these stories. This one was far to ambiguous and implies that you, the author, tends to believe the IRC chat over official statements from Sony, some thing any educated individual would find ludicrous.
We’re not talking about sneaking some CGI into a game trailer here, we’re talking about the biggest security breach Sony have ever faced… they are NOT going to lie about storing CVV2 data, and have already publicly stated exactly that. The very least you could have done in this artlcle is re-iterate this fact (something TSA have previously reported on). As others have said, creating undue panic by ‘reporting’ on something thar is highly likely to be complete bollocks is far from responsible.
Mick939
At least i was told, i wasn’t when it happened with shopto and was subject to fraud and money stolen. Perhaps you could of run that story, being as you endorse shopto so much…
Tanzil
and so the rumors continue
Mick939
Hmm, how things change, the last time i took part it an ‘external intrusion’ i had to hand over my credit card details.
cam the man
Just glad I’ve got fraud insurance protecting my card.
jediryan123
remember when TSA was nob free? Back in the day of stabbings, haircuts and rain
colmshan1990
There does seem to be a member of two apparently trying to be banned…
colmshan1990
Doh! Member or two…
bunimomike
If they have 2 million credit card details (with CVV numbers) then much like stabbing a knife into a bag of cocaine to test it out, surely the seller has offered ten randomly chosen card details for potential buyers to “enjoy”? Just like on TV, no? :-P
hazelam
if this is true, whoever these hackers are they’ve just gone from doing something pretty illegal, to seriously frakking illegal.
The Lone Steven
Those Ducking bar stewards!Since Sony now know about it,can’t they track the IPs of certain users on that or contact the host of that site and order them to shut it down? Hopefully,all of those detail are now invaild and will backfire in the hacker’s face.
GTRsannin
But what are they going to do with a bunch of CC details or bank details after a week when people have shut down their accounts and so on???