
Sony loses 12,700 credit card numbers - bjplink
http://www.joystiq.com/2011/05/02/sony-hit-with-second-attack-loses-12-700-credit-card-nu/
======
dotBen
_Sony has repeatedly stated that its PSN servers and SOE servers are not part
of the same network, so it remains unclear just how these two attacks are tied
together_

then Sony says:

 _"While the two systems are distinct and operated separately, given that they
are both under the SONY umbrella, there is some degree of architecture that
overlaps."_

This, my friends, is back-pedaling 101. Also known as "Sony can't give a
straight answer on whether their PSN and SOE networks are connected or not".

~~~
derefr
"Overlapping architecture" is not the same thing as "same network." They might
just mean that the two networks are built out of the same brands of hardware
and same versions of the same software, which gives them similar vulnerability
profiles.

------
huntero
The scary part here is that this intrusion was only found because of a
security review due to the PSN intrusion. If that hadn't happened, who
knows when/if they would have figured it out.

How often does this type of thing happen and no one has ANY idea?

~~~
lawnchair_larry
Speaking as a "security person", it is really difficult to get anyone to care
about security until it is too late. My estimate is that 999 or more of the
Fortune 1000 are either owned, or just really lucky.

------
cies
I never understand why we all so easily trust credit cards. I also do it.

A system that basically needs an attacker to just see'n'remember both sides of
your card (that you need to keep with you and not in a safe) in order to be
able to pay with your money until the card gets disabled or expires.

I noticed in the US people use it to pay by phone, and shops tend to keep that
data for convenient repeat purchases.

I need a card for payments online and visits outside Europe (especially visits
to the US). I'm glad that I have one for those occasions, but I cannot say I
think it is a safe system -- it is also constantly under attack.

In the Netherlands there's a payment system that most-if-not-all webshops are
subscribing to. It redirects you from the shop to the internet banking app of
your own bank, there you pay (with some 2-factor kind of authentication),
after which you're redirected back. I cannot help feeling a lot safer. :)

~~~
daxelrod
In the US, at least, it's largely a matter of incentives.

By law, consumers are liable for at most $50 if their credit card info is used
fraudulently by someone else.

Credit card companies validate transactions against statistical models in an
attempt to head off anything suspicious. EDIT: Thanks for reminding me of
this, nialo.

But often, it's the merchants who bear the cost of a fraudulent transaction.
They have the least power to encourage more secure alternatives, because
everyone already expects to be able to buy online with a credit card.

Card companies in the US do have something similar to the system you mention
called 3-D Secure[1], but it hasn't gained wide traction. The interface is
implemented so badly and inconsistently that it looks like a phishing scam.
But more fundamentally, consumers have no incentive to use it, since it shifts
_more_ liability onto them.

[1] <http://en.wikipedia.org/wiki/3-D_Secure>

~~~
train_robber
This is now compulsory for all online transactions in India. A lot of people
complain about this, saying it's one extra step, but for me I don't mind losing
a bit of usability if it can add one extra safety net.

~~~
eli
I'd be fine with it, but the US implementation was truly awful.

------
Ideka
Oh, come on. It's not like Sony LOST them. I mean, they got copied, but Sony
still has them, right?

~~~
zacharycohn
I don't think anyone is particularly concerned about whether or not Sony still
has access to them. "Lost" in this case means "no longer has control of them."
They have a copy, but so does someone else.

~~~
alex_c
The op comment was presumably a joke on the theme of theft vs. copyright
infringement.

~~~
jberryman
obviously. yes. it was _obviously_ a joke.

------
tailrecursion
What's happened here is that Sony has discovered a previously undetected
attack that occurred in April. So this second attack is not as new as one
might think.

------
viraptor
> 12,700 non-US credit or debit card numbers and expiration dates [...]
> apparently from "an outdated database from 2007"

Fortunately that means ~100% of those numbers are expired by now. Can expired
numbers be used for anything evil?

~~~
Cushman
Credit cards expire, but frequently the number remains the same. It's quite
possible to just add four years to the expiration date and have a valid card.
You still wouldn't have CCV, of course.

~~~
mirkules
I was recently looking up some guidelines on storing credit card information,
and according to section 3.2 of the official PCI guidelines
(<https://www.pcisecuritystandards.org/documents/PCI%20SSC%20Quick%20Reference%20Guide.pdf>),
CCV is not allowed to be stored, along with PIN or Full Magnetic Stripe data.
Hopefully, Sony didn't do that or they will also face hefty fines in addition
to bad PR and lawsuits.

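As an added example (not from the thread, and not Sony's or the PCI council's code), here is a Python pre-persistence filter that enforces the rule the comment above cites from PCI DSS section 3.2: CVV/CVC, PIN and full magnetic-stripe data are dropped before anything is written, and the card number itself is kept only in masked form (first six and last four digits, the most PCI DSS permits to display; truncation is one of the accepted ways to render a stored PAN unreadable). The field names, the free-text scan for stray card or track data, and the sample record are constructed for illustration and are not any real gateway's API.

```python
import re
from typing import Any

# Keys that carry "sensitive authentication data"; PCI DSS forbids storing them
# after authorization, even encrypted. (Key names are assumptions for this example.)
SENSITIVE_AUTH_KEYS = frozenset({
    "cvv", "cvv2", "cvc", "cvc2", "cid", "pin", "pin_block",
    "track1", "track2", "magstripe", "full_track",
})

# Keys that hold the primary account number; it may be kept, but only masked.
PAN_KEYS = frozenset({"pan", "card_number"})

# Rough shape of magnetic-stripe data, so it is caught even inside free text:
# track 1 starts "%B<PAN>^", track 2 starts ";<PAN>=<YYMM>".
TRACK_DATA_RE = re.compile(r"%B\d{13,19}\^|;\d{13,19}=\d{4}")

# A bare 13-19 digit run inside free text is a candidate PAN.
PAN_IN_TEXT_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(pan: str) -> bool:
    """Luhn checksum, to tell a real PAN from an order id of similar length."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits; mask everything in between."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _mask_if_pan(match: re.Match) -> str:
    """Regex callback: mask a digit run only if it passes Luhn (likely a PAN)."""
    run = match.group(0)
    return mask_pan(run) if luhn_ok(run) else run


def sanitize_for_storage(record: dict[str, Any]) -> tuple[dict[str, Any], list[str]]:
    """
    Return (safe_copy, violations). safe_copy never contains sensitive
    authentication data and carries the PAN only masked. violations lists what
    had to be removed or masked: a non-empty list means some upstream component
    is still passing data it should have discarded right after authorization.
    """
    safe: dict[str, Any] = {}
    violations: list[str] = []
    for key, value in record.items():
        k = key.lower()
        if k in SENSITIVE_AUTH_KEYS:
            violations.append(f"dropped sensitive field {key!r}")
            continue
        if k in PAN_KEYS:
            safe[key] = mask_pan(str(value))
            continue
        if isinstance(value, str):
            # Track data hiding in a free-text field (terminal logs, notes) is
            # dropped wholesale; a stray PAN in free text is masked in place.
            if TRACK_DATA_RE.search(value):
                violations.append(f"dropped track data found in {key!r}")
                continue
            masked = PAN_IN_TEXT_RE.sub(_mask_if_pan, value)
            if masked != value:
                violations.append(f"masked PAN embedded in {key!r}")
            value = masked
        safe[key] = value
    return safe, violations


# Constructed sample record: a well-known test PAN and made-up auth data.
SAMPLE_RECORD = {
    "order_id": "A-1001",
    "pan": "4111 1111 1111 1111",
    "expiry": "2011-04",
    "cvv2": "123",
    "track2": ";4111111111111111=11041011000012345678?",
    "memo": "terminal log: ;4111111111111111=11041011000012345678?",
    "notes": "customer called back, card 4111111111111111 declined once",
}

if __name__ == "__main__":
    clean, problems = sanitize_for_storage(SAMPLE_RECORD)
    print(clean)
    for p in problems:
        print("VIOLATION:", p)
```

The returned violations list is the detection hook: the caller should alert on it rather than silently clean, because each entry points at a component upstream that is retaining authentication data past authorization.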
~~~
HelloBeautiful
Laws and rules don't apply to mega-corps like Sony, Amazon, eBay/PayPal,
Google, Apple, etc. They all have no problem storing all this together with
address, SSN and everything else.

~~~
dschobel
You can't make allegations like that with zero supporting evidence. I mean you
_can_... but you'll look silly.

------
geophile
Sony has just never got the hang of digital. They used to have great radios,
TVs, and decent audio equipment. You young'uns probably don't remember the
Walkman but it was revolutionary. It was a highly portable cassette player,
basically the iPod of its day. It's been downhill for Sony since then. To wit:

- MiniDisc
- Memory Stick
- The 2005 audio CDs with bonus rootkit
- PSN breach
- SOE breach

~~~
kenver
There are a few negatives there for sure, but I think you're missing a couple
of the ups too. The playstation for example was very successful, and is often
credited as making gaming more popular and cool with 'normal' people.

They've messed up a few things, but they still make good consumer products. I
purchased a SONY TV and Blu Ray a year or two ago and I'm very happy with it.

They're clearly not perfect, but to say everything they've done since the
walkman has been a disaster isn't really fair.

~~~
cypherpunks
Oh come now. Their products mostly suck. Their support sucks. The Playstation,
they did okay on, only now it turns out that if you bought one, crooks have
your personal information. They cut corners on consumer security.

Their laptops have tremendous numbers of mechanical failures. Their eReaders
are slow, have glare, and have serious usability issues -- e.g. the page turn
buttons are located in a spot where you can't comfortably press them. They
bought Minolta, and ran it into the ground -- they've been promising a
successor to the a700 for close to 5 years now without being able to ship. The
lower-end cameras are innovative, but have serious, serious usability issues.
The Minolta 5D was a wonderful camera. The early Sony successors copied and
improved on it (a700 was the most usable camera ever made -- and the only one
with a useful auto mode). The current ones made a new, broken interface. The
support is gone -- warranty issues don't get fixed, and if you buy from Sony
direct, heaven help you if you want a return.

Your TV and Blu Ray aren't bad, but a bit overpriced and slightly lower
quality relative to the competition.

But that's not the point. 20 years ago, Sony was like Apple or Trader Joes.
You couldn't go wrong buying from them. The quality was spectacular. Sony
products didn't break. Today, you go wrong buying from them 95% of the time.
5% of their products are market-leading. They ship known defective products.
It's a very different company.

In terms of bringing gaming to the masses, you're thinking of the Nintendo,
first with the NES, and many years later with the Wii.

~~~
kenver
No, I was definitely thinking of the PlayStation. The first PlayStation during
the 90s was often found in nightclubs and places you would never previously
have seen a console. They made it look cool to ordinary people.

The PlayStation 2 is still the most successful console with 150 million units
sold (<http://en.wikipedia.org/wiki/List_of_best-selling_game_consoles>). I'd
say to get figures like that you need to have had mainstream success.

I can't speak for all of their products, I only have a couple, but I've never
had a reason to complain.

I'm not apologising for them, they really have screwed up with this security
thing, but I think it's disingenuous to claim they've only made crap for the
past 20 years when there are some very obvious exceptions.

~~~
cypherpunks
You are correct -- there are a few exceptions, and the Playstation was
definitely one. Therein lies the difference:

1960-1985: Sony is the gold standard for quality

1995-2010: Sony makes crap, with a few exceptions

Out of context, this may seem like a small difference, but the difference is
huge. In the late 50s and early 60s, Sony did not ship a color TV for over a
decade because they weren't convinced they could get the quality good enough.
When they finally shipped in 1966, Trinitron had brighter pictures than the
competition, and the TV sets never broke. The things were expensive, but they
were built like a tank. Until the mid-90s or so, every Sony CRT had a full
metal cage. You paid a premium, but you got quality.

Today, the majority of Sony products shipped are overpriced lemons. The Sony
of yesteryear would never have shipped them.

~~~
tbob22
I think you are going a bit overboard. Sure, Sony may not be the Sony they were
in the 80s or 90s, but they do still make quality hardware.

The PlayStation 3 is probably the most reliable console (hardware-wise) of the
current generation. I have not had any issues with mine and neither has anyone
that I know personally; I can't say the same for the Xbox 360.

I bought a Sony Vaio Z 13" a few years ago and it has stood up to a lot
without any issues. Sure, it may be very light and feel a bit "plasticy", but
it is surprisingly tough.

Both of my brothers bought Sony LCDs a few years ago and they have not had
any issues.

A friend of mine works in the Geek Squad as a home theater installer, and by
far the least reliable name-brand TVs are made by Samsung; Sony is one of the
more reliable brands.

------
speleding
Update, 9:03PM EST: "This is NOT a second attack; new information has been
discovered as part of our ongoing investigation of the external intrusion in
April."

------
robotmachine
Can someone please remind me to only deal with Sony in cash from here on out?

If they 'lose' that it isn't my problem.

~~~
kmfrk
Time to pass around those redeemable voucher card Amazon affiliate links.

I think that's going to be the only way I'll buy something from there.

------
kmfrk
Let this be a reminder to always check your monthly credit card statements.

------
kennymeyers
Just to clarify, Sony was just clarifying the initial attack's results. This
isn't a second attack.

------
vipivip
What's going on Sony?

~~~
JonnieCache
They were forced to do an audit, and lo and behold, they'd been hacked and
hadn't noticed. The same thing would no doubt be true of most large
corporations.

~~~
shareme
I have a feeling there might be more, as they refused to participate in the US
Senate hearing.

------
MikeHo
Sort of off topic, but is anyone else getting a lot of telemarketed
automated calls recently --- any correlation with the Sony attack?

------
Almaviva
Credit card numbers were lost? Do they know that you can "take" data from
computers without destroying it?

~~~
potatolicious
Semantics. We all know what they meant, and the colloquial usage of "lost" is
valid here (i.e., "lost" as in lost control; you can "lose control" of your
car without the steering wheel disappearing on you).

~~~
cube13
Or the hard drives were actually stolen.

