

PSN Users Reporting Hundreds of Dollars Stolen From Them - cooldeal
http://vgn365.com/2011/04/26/psn-users-reporting-hundred-of-dollars-stolen-from-them/

======
ctide
Considering I got a call from Capital One this morning saying my credit card
that I had on PSN was being used to buy gas in Connecticut, I think this is
probably a fairly legit article.

Certainly possible that it's purely coincidental, but seems unlikely.

~~~
scott_s
If I gave the same food to 75 million people, it's inevitable that some of
them will get sick in the next 24 hours. I actually think it's likely to be a
coincidence - it's too soon after the break-in.

~~~
hugh3
Also: if you're smart enough to steal 75 million credit card numbers, and
you've just stolen 75 million credit card numbers, I assume you're going to
think of some clever way to start defrauding 'em. Unless I'm missing some part
of this story (have the numbers been published somewhere already?), going out
and buying gas is the dumbest thing you could possibly do -- parking your own
car in front of a security camera and making a transaction which even Capital
One knows to flag as potentially fraudulent.

Come to think of it, though, what _is_ the sensible way to use some vast
number of credit card numbers to enrich yourself? I assume small-time credit
card thieves can get away with it because they're sufficiently small-time to
escape an in-depth investigation, but is there any way to untraceably pay
yourself?

~~~
dangrossman
If you're smart enough to steal 75 million credit card numbers, then you
already know about the forums where that information gets bought and sold. You
start selling the individual cards, not the whole data dump, and it's the
buyers that are starting to use those numbers to make purchases.

------
scott_s
Probably not related. Consider that 75 million users' information was
compromised. Given a sample size that large, it's highly likely that there
will be some people in that set who had their credit card compromised in a
completely unrelated way.

~~~
pudquick
Math for truth and justice!

Given the following:

"The Consumer Sentinel Network (CSN) is a secure online database of millions
of consumer complaints available only to law enforcement. In addition to
storing complaints to the FTC, the CSN also includes complaints filed with the
Internet Crime Complaint Center, Better Business Bureaus, Canada’s Phone
Busters, the U.S. Postal Inspection Service, the Identity Theft Assistance
Center, and the National Fraud Information Center, among others."

The CSN received 1.2 million complaints in 2008, 62400 of which were
specifically credit card fraud.

This means that of the approximately 170 million+ credit card owners in the
US, roughly 0.035% of them reported credit card fraud in such a way that CSN
saw it. There are likely many more cases that only get reported directly to
banks without reaching CSN.

0.035% of 70 million+ users? 24500 people. All of whom, due to PSN being an
online service, have internet connectivity and are potential blog commenters.

Add to it that you're not going to remember the cases where people say "Nope,
I haven't experienced fraud.", you're only going to remember those where
people say "Money was stolen from me!"

Unless the reported incidence frequency is above the "normal" / average cases
of credit card fraud or someone reports fraud on a card that was proven only
to be used with PSN, I would hold off on blaming anyone quite so soon.

~~~
mithaler
Careful. Sony's figures for PSN user count are _worldwide_, and a large
percentage of Sony's market is in Japan alone. The CSN appears to be USA and
Canada only.

~~~
wahnfrieden
FWIW, Japanese much less commonly have or use credit cards. It's one of the
reasons eBay failed while Yahoo Auctions succeeded in Japan, by not requiring
a credit card to list.

~~~
caf
Yep. If you're travelling to Japan, don't plan on using your credit card to
pay for accommodation - in my experience, you'll need wads of cash.

------
pkteison
Changing credit cards is a bit of a hassle because of recurring billing tied
to the account, one time I missed changing my trash bill over (easier to miss
because it wasn't monthly) so I'm hesitant to just change cards if I don't
absolutely have to. I wish there was some decent way to determine whether
expected likelihood of the card I had linked to PSN having fraud * hassle of
dealing with said fraud exceeds hassle of pre-emptively replacing card 'just
in case'. I'm presently erring on the default of 'wait and see' just because
it seems easier right now, but 'seems easier right now' is probably a poor
thing to base the decision on.

~~~
irons
The next time you replace a card (a shiny nickel says it'll happen before the
card naturally expires), keep a list of every place you had to update it
online. Takes the sting out of replacing it again in the future.

I'm holding off only because Mint loses its mind when I replace an American
Express card. God, I hate Mint. Time to dump them, too.

~~~
ZoFreX
One place: LastPass's "Fill Forms" entry for my debit card.

------
auxbuss
Just logged on to my PSN cc company and was met by:

Sony PlayStation Network Data Breach - Important Customer Information

You may have seen the recent news in relation to the Sony PlayStation Network
data breach. Please be reassured that The Co-operative Bank treats data
compromises extremely seriously. We do not believe at this time that enough
information has been compromised to put your account at risk and therefore do
not feel it necessary to block our customer's cards. We are however monitoring
the situation and working closely with the Industry and will advise our
customers if any further action needs to be taken.

~~~
teamonkey
Likewise, HSBC don't feel that cards need to be cancelled at this stage
either.

------
alecco
Ars Technica has more info:

[http://arstechnica.com/gaming/news/2011/04/ars-readers-repor...](http://arstechnica.com/gaming/news/2011/04/ars-readers-report-credit-card-fraud-blame-sony.ars)

------
hugh3
Quick question for those who know more about security than I do: what about
passwords? They haven't stolen unencrypted passwords, have they?

If I have the same username and password on another service, should I be
rushing off to change my password right now?

~~~
akeefer
Yes, it's a good idea to do that. They said that passwords were compromised;
I'm really hoping that was a simplification and they really meant to say that
"individually salted, hashed passwords have been stolen" but they didn't add
that qualification, so you should probably assume the worst.

~~~
aidenn0
Yeah, but if it's "individually salted md5 hashed passwords" then your
password is quite possibly compromised.

------
jmjerlecki
Here we go. I wonder if Sony has given GeoHot a call and asked him to work for
them yet. I'm curious how much this hurts Sony's bottom line in the long run.
Cross my fingers my 360 is still running strong.

~~~
marshray
Oooo I bet that's how they'll punish him. They'll trick him into signing a 5
year contract to be their director of PCI compliance and database
administration.

------
jshort
I would be more interested in a report from a credit card company involving a
spike in fraud that is linked to stolen data. This would be a much clearer
indication if it was a coincidence or not. I would also think that credit card
companies should make a statement if they did notice any increase in fraud as
it is such a large scale leak.

------
david2777
Does anyone know if Valve and Steam use the same servers as Playstation for
processing? I purchased Portal 2 through Valve on my PC a week before they
shut the network down and had my card stolen two days later (I didn't use the
card for weeks before and didn't use it after) so it seems like these might be
linked.

~~~
ZoFreX
Valve have said that Steam users have nothing to worry about regarding the PSN
leak. Furthermore it seems very unlikely that Steam and PSN would have much in
common (except for third-party payment processors) given that until very
recently, they were completely unrelated. There is no evidence that your card
was stolen due to using it on Steam, and I would advise against assuming
correlation is equivalent to causation.

Speaking from personal experience, your bank might not even tell you promptly
if someone else has your card details, they might just block all the
fraudulent transactions and not replace your card for six months.

------
nodata
I would like Sony to tell us why they have not co-ordinated with the credit
card issuers to issue replacement cards, or cover the cost of replacement
cards.

And a question: could the solution be as simple as changing the CVV on the
back of the cards?

~~~
ansy
First of all, there is no confirmed credit card theft. Credit card information
is held at a higher standard than generic personal information. PCI compliance
requires credit cards are encrypted and you are required to get regularly
audited. By no means is it perfect, but it's about as good as it gets with
securing data that's being thrown around constantly.

Second, Sony did tell credit card companies and they do know about this. I
called mine and the operator was well aware of the data leak. They have
been monitoring all accounts from the beginning.

Third, while you can always get a new card number for free, credit card
companies tend not to issue new cards automatically. I've had it happen to me
once before where they gave me a new one without me asking.

tl;dr These authorized charges are likely coincidental; the CC companies are
well aware of the situation.

~~~
cube13
>Second, Sony did tell credit card companies and they do know about this. I
called mine and the operator was well aware of the data leak. They have
been monitoring all accounts from the beginning.

Did Sony know about this, or did they see a pattern of cards getting flagged
that had PSN charges on them?

~~~
ansy
I just meant the credit card companies are well aware of what happened and
that credit card numbers might have been involved. They're monitoring accounts
accordingly and didn't seem to think canceling was necessary.

If the companies really believed the numbers were compromised they will send
out new cards automatically. Like I said, it's happened to me before. I didn't
have any suspicious activity or anything. But some company I did business with
reported a credit card breach so my bank just sent everyone in the breach new
cards with little letters telling them "you got owned, but no worries here's
your new card."

------
RobIsIT
What effect will this have on the PSN and on Sony as a whole?

If this happened to a smaller company, their ability to process would be taken
away and after their infrastructure was verified, they would be forced to pay
higher transaction rates.

------
guscost
We should be careful not to overreact to this news, but at the same time,
black hats have done considerable damage in the past by cracking personal
information and/or one password. It's not unreasonable to expect the same
problem to continue now, at least for a small fraction of users.

