

PSN database with 2.2 million credit card details up for sale? - tlrobinson
http://www.neowin.net/news/psn-database-with-22-million-credit-card-details-up-for-sale

======
tlrobinson
The most baffling thing is the data apparently includes CVV2 numbers, which
are never supposed to be stored by merchants.

<http://en.wikipedia.org/wiki/Card_security_code>

~~~
elithrar
Did not Sony state they did _not_ store any CVV2 numbers?

~~~
Nate75Sanders
I'm in a bar, drunk, and this was my exact reaction. This is what I remember
reading on, I think, Ars Technica. When will the lying stop?

------
wccrawford
Don't bother selling mine, guys. It's already cancelled.

And if Sony was responsible and contacted everyone, with big bold letters
saying their credit card info was stolen, the rest of them would be cancelled,
too.

Instead, they waited a week and a half before emailing, and then only said
that cards -might- have been taken and they couldn't tell for sure. The only
responsible thing would have been to assume they were and inform your
customers of such.

I've seen people saying that because it 'might' not have been stolen, and it's
a hassle to get a new card, they aren't going to bother and just wait to see
if any fraud happens.

Ugh.

Sony actually should do 1 step better and contact the credit card vendors
directly and get them all invalidated. Just to be safe. It'll be bad PR, but
with all the other bad PR lately, it's a drop in the bucket and at least errs
on the side of safety for a change.

------
ra
About 3 or 4 days before the PSN went down, my credit card number was
compromised, and a handful of small 'test' transactions were made from the
mainland US (according to my bank).

My bank spotted the fraudulent transactions and cancelled the card.

It might be a coincidence, but Sony did have that card number on my PSN
account.

I guess I'll find out one day when someone BitTorrents the database.

------
elithrar
Similar to <http://news.ycombinator.com/item?id=2496317>

------
jrockway
I doubt someone would sell all 2.2 million at once, because it's very easy for
the banks to say "all the cards that have ever used playstation network are
compromised" and simply deactivate all of them all at once. UPDATE accounts
SET flagged = 1 WHERE id IN (SELECT accounts.id FROM accounts, transactions
WHERE transactions.account_id = accounts.id AND transactions.merchant =
'PlayStation Network'). Done. All 2.2 million numbers useless.

(This is a lot of customer service / re-issuing work, so it's probably a last
resort that the banks will only do when they're sure that they are not
deactivating non-compromised accounts. So if you are the people that broke
into Sony for this info, you are probably going to want to sell only a small
percentage of card numbers so that the banks' risk analysis does not decide on
the above strategy.)

