Sony loses 12,700 credit card numbers (joystiq.com)
267 points by bjplink on May 2, 2011 | 54 comments

Sony has repeatedly stated that its PSN servers and SOE servers are not part of the same network, so it remains unclear just how these two attacks are tied together.

then Sony says:

"While the two systems are distinct and operated separately, given that they are both under the SONY umbrella, there is some degree of architecture that overlaps."

This, my friends, is back-pedaling 101. Also known as "Sony can't give a straight answer on whether their PSN and SOE networks are connected or not."

"Overlapping architecture" is not the same thing as "same network." They might just mean that the two networks are built out of the same brands of hardware and same versions of the same software, which gives them similar vulnerability profiles.

> Also known as "Sony can't give a straight answer on whether their PSN and SOE networks are connected or not"

Are you sure it's not just "Sony can't give a straight answer"?

Take your pick from:

* SOE Scandal

* PSN Scandal

* OtherOS removal

* GeoHot Scandal

* The BMG Rootkit Scandal

* The Master Key Scandal

And many, many more. I don't think they've been straight with their customers or the general public even once unless they've been caught out.

The scary part here is that this intrusion was only found because of a security review due to the PSN intrusion. If that hadn't happened, who knows when/if they would have figured it out.

How often does this type of thing happen and no one has ANY idea?

Speaking as a "security person", it is really difficult to get anyone to care about security until it is too late. My estimate is that 999 or more of the Fortune 1000 are either owned, or just really lucky.


> They also came up with a rather amusing security technique known as "double-salting".

Sounds like someone heard about HMAC (http://en.wikipedia.org/wiki/HMAC) but didn't bother to read the details...

Why do you have the 'text file hidden away which contains hundreds of CC numbers' if you found that source, communicated the issue and saw that the issue was resolved?


The whole line of thinking here is very odd to me.

I mean, what good is evidence that you keep to prove you aren't lying if the evidence is never meant to be shown? And if it is meant to be shown you'd be committing a crime by doing it, which would be especially silly just to prove to someone you wouldn't make up such a mundane story.

Either way you should just delete that file. It serves no useful purpose (e.g. you can't show it to me to prove you're not a liar), and despite all the good intentions you have shown in the past in getting the issue fixed, you are likely committing a crime simply by keeping a copy of it around.

You are completely insane.

Why do you care if anyone thinks that you're making up stories? And if someone did accuse you of making up stories, what are you going to do? Decrypt and show them the file with hundreds of credit card numbers?

This is why well-meaning hackers end up with jail time whenever they're pulled over for a broken taillight.

It does do something, but it means if you find (or build) the Foo1 rainbow table you get all the passwords instead of just one. It's certainly a step above not hashing or not salting, and could even be a problem for the attacker if compromising the database does not mean they compromised the source code.

Not ideal, of course, but not the worst thing ever.
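The point above, as an added illustration that is not part of the thread: with one fixed salt (the "Foo1" stand-in below), a single precomputed table cracks every account; with a random salt per user, the same table recovers only the one account it was built for. The sample users, wordlist and the use of PBKDF2-HMAC as the hash are all constructed assumptions.

```python
import hashlib
import secrets

# Constructed sample data: a tiny "wordlist" and three users whose
# passwords all come from it (the weak-password case the comment assumes).
WORDLIST = [b"password", b"letmein", b"hunter2", b"qwerty", b"dragon"]
USERS = {"alice": b"hunter2", "bob": b"qwerty", "carol": b"letmein"}
GLOBAL_SALT = b"Foo1"   # stand-in for the single fixed salt from the thread
ITERATIONS = 1000       # kept low so the demo runs instantly; use far more in practice


def kdf(password: bytes, salt: bytes) -> bytes:
    """Salted password hash. PBKDF2-HMAC stands in for whatever scheme
    was actually used (assumption); the salting comparison is the point."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)


def store_global_salt(users):
    """Weak scheme: every user hashed with the same fixed salt."""
    return {u: (GLOBAL_SALT, kdf(pw, GLOBAL_SALT)) for u, pw in users.items()}


def store_per_user_salt(users):
    """Stronger scheme: a fresh random salt per user, stored beside the hash."""
    out = {}
    for u, pw in users.items():
        salt = secrets.token_bytes(16)
        out[u] = (salt, kdf(pw, salt))
    return out


def precompute_table(salt: bytes):
    """One precomputed hash->word table for a given salt: the comment's
    'rainbow table', reduced to a plain lookup dictionary."""
    return {kdf(w, salt): w for w in WORDLIST}


def crack_with_one_table(store):
    """Build a single table for the first user's salt and count how many
    accounts it recovers. Same effort in both schemes; very different yield."""
    first_salt = next(iter(store.values()))[0]
    table = precompute_table(first_salt)
    return {u: table[d] for u, (_, d) in store.items() if d in table}


def compare():
    """Returns (accounts cracked under global salt, under per-user salt)."""
    return (len(crack_with_one_table(store_global_salt(USERS))),
            len(crack_with_one_table(store_per_user_salt(USERS))))
```

Per-user salts do not stop an attacker from guessing one account's weak password; they only remove the one-table-breaks-everyone shortcut, which is why they are paired with a slow KDF.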

I never understand why we all so easily trust credit cards. I also do it.

A system that basically needs an attacker to just see and remember both sides of your card (that you need to keep with you, and is not safe) in order to be able to pay with your money until the card gets disabled or expires.

I noticed in the US people use it to pay by phone, and shops tend to keep that data for convenient repeat purchases.

I need a card for payments online and visits outside Europe (especially visits to the US). I'm glad that I have one for those occasions, but I cannot say I think it is a safe system -- it is also constantly under attack.

In the Netherlands there's a payment system that most-if-not-all webshops are subscribing to. It redirects you from the shop to the internet banking app of your own bank, there you pay (with some 2-factor kind of authentication), after which you're redirected back. I cannot help feeling a lot safer. :)

In the US, at least, it's largely a matter of incentives.

By law, consumers are liable for at most $50 if their credit card info is used fraudulently by someone else.

Credit card companies validate transactions against statistical models in an attempt to head off anything suspicious. EDIT: Thanks for reminding me of this, nialo.

But often, it's the merchants who bear the cost of a fraudulent transaction. They have the least power to encourage more secure alternatives, because everyone already expects to be able to buy online with a credit card.

Card companies in the US do have something similar to the system you mention called 3-D Secure[1], but it hasn't gained wide traction. The interface is implemented so badly and inconsistently that it looks like a phishing scam. But more fundamentally, consumers have no incentive to use it, since it shifts more liability onto them.

[1] http://en.wikipedia.org/wiki/3-D_Secure

This is now compulsory for all online transactions in India. A lot of people complain about this, saying it's one extra step, but for me I don't mind losing a bit of usability if it can add one extra safety net.

I'd be fine with it, but the US implementation was truly awful.

It turns out that most of the security of credit cards takes place after the actual transaction. It's largely done by using software to look for transactions that look somehow wrong, or by reversing charges when you look at your bill at the end of the month and see an obviously incorrect charge.

The point is that the system has effectively figured out that they can't make a system that is both sufficiently secure and sufficiently convenient in just a card, so it instead accepts that numbers will be stolen and tries to minimize the damage.

In Sweden we have a system of one-time-use e-cards, for some cards (in my case Visa and Swedbank) where you cannot pay with your physical card online. You specify the amount that should be available, and by default it's valid only one month. Additionally it's easy to copy+paste. I find this solution easier than being redirected to my bank (which is sometimes also an option).

At least in the US, merchants typically get stuck with the bill for fraud. As a consumer, it's only a mild annoyance if my number is stolen.

Oh, come on. It's not like Sony LOST them. I mean, they got copied, but Sony still has them, right?

I don't think anyone is particularly concerned about whether or not Sony still has access to them. "Lost" in this case means "no longer has control of them." They have a copy, but so does someone else.

The op comment was presumably a joke on the theme of theft vs. copyright infringement.

obviously. yes. it was obviously a joke.

What's happened here is that Sony has discovered a previously undetected attack that occurred in April. So this second attack is not as new as one might think.

> 12,700 non-US credit or debit card numbers and expiration dates [...] apparently from "an outdated database from 2007"

Fortunately that means ~100% of those numbers are expired by now. Can expired numbers be used for anything evil?

Credit cards expire, but frequently the number remains the same. It's quite possible to just add four years to the expiration date and have a valid card. You still wouldn't have CCV, of course.

I was recently looking up some guidelines on storing credit card information, and according to section 3.2 of the official PCI guidelines (https://www.pcisecuritystandards.org/documents/PCI%20SSC%20Q...), CCV is not allowed to be stored, along with PIN or Full Magnetic Stripe data. Hopefully, Sony didn't do that or they will also face hefty fines in addition to bad PR and lawsuits.

Disposaboy posted a mistakenly [dead] comment one hour before this:

> I don't personally know whether this is valid or not but there are comments on http://news.ycombinator.com/item?id=2502477 [URL repeated, may have triggered spam filter?] that suggest that in at least some cases it's possible to charge a credit card without the CVV.

Laws and rules don't apply to mega-corps like Sony, Amazon, Ebay/PayPal, Google, Apple, etc. They all have no problem storing all this together with address, SSN and everything else.

You can't make allegations like that with zero supporting evidence. I mean you can... but you'll look silly.

I suddenly begin thinking that there's a reason that my credit cards are worn down and have to be replaced once in a while.

Thanks for that info. So far I got a new number every time - but I'll have to pay attention in the future. Never knew it's allowed to recycle the number.

This may be most common with debit cards, as we've noticed before that debit card numbers frequently include your account number (http://news.ycombinator.com/item?id=1939699).

Often the numbers don't change on expired cards if the account is still active, and only the CCV and expiration date are updated. Some purchases don't require CCV to be entered, and the new expiration date can be guessed (probably an interval of 2 years or whatever for different cards). I know this from experience when I had the expired card in my wallet, and had forgotten to switch out for the new one when making an online purchase.

Edit: cushman beat me to it

When I was testing someone else's payment system, I entered my card information with the incorrect expiration date. To my surprise, it happily accepted and I was charged. Not sure how common this is though.

It's up to your bank to decide whether expiration matters, and they can vary their opinion by payment channel - expired card is more likely to be ok for paying a bill than it is for ordering from a web store. The merchant has no reliable way to learn whether the card expiration is wrong - the protocol has a card expired message but in practice banks use it for other errors too, and accept charges that should have expiration errors.

I had an expired card tied to a monthly service plan -- it continued to function for the automatic charges until 1 full year after the expiration date.

Since some companies issue cards that are good for 4 years, I'd say many of those people have good reasons to worry.

Sony has just never got the hang of digital. They used to have great radios, TVs, and decent audio equipment. You young'uns probably don't remember the Walkman but it was revolutionary. It was a highly portable cassette player, basically the iPod of its day. It's been downhill for Sony since then. To wit:

- Minidisc

- Memory stick

- The 2005 audio CDs with bonus rootkit

- PSN breach

- SOE breach

There are a few negatives there for sure, but I think you're missing a couple of the ups too. The playstation for example was very successful, and is often credited as making gaming more popular and cool with 'normal' people.

They've messed up a few things, but they still make good consumer products. I purchased a SONY TV and Blu Ray a year or two ago and I'm very happy with it.

They're clearly not perfect, but to say everything they've done since the walkman has been a disaster isn't really fair.

Oh come now. Their products mostly suck. Their support sucks. The Playstation, they did okay on, only now it turns out that if you bought one, crooks have your personal information. They cut corners on consumer security.

Their laptops have tremendous numbers of mechanical failures. Their eReaders are slow, have glare, and have serious usability issues -- e.g. the page turn buttons are located in a spot where you can't comfortably press them. They bought Minolta, and ran it into the ground -- they've been promising a successor to the a700 for close to 5 years now without being able to ship. The lower-end cameras are innovative, but have serious, serious usability issues. The Minolta 5D was a wonderful camera. The early Sony successors copied and improved on it (a700 was the most usable camera ever made -- and the only one with a useful auto mode). The current ones made a new, broken interface. The support is gone -- warranty issues don't get fixed, and if you buy from Sony direct, heaven help you if you want a return.

Your TV and Blu Ray aren't bad, but a bit overpriced and slightly lower quality relative to the competition.

But that's not the point. 20 years ago, Sony was like Apple or Trader Joes. You couldn't go wrong buying from them. The quality was spectacular. Sony products didn't break. Today, you go wrong buying from them 95% of the time. 5% of their products are market-leading. They ship known defective products. It's a very different company.

In terms of bringing gaming to the masses, you're thinking of the Nintendo, first with the NES, and many years later with the Wii.

No I was definitely thinking of the PlayStation. The first playstation during the 90s was often found in nightclubs and places you would never previously have seen a console. They made it look cool to ordinary people.

The PlayStation 2 is still the most successful console with 150 million units sold ( http://en.wikipedia.org/wiki/List_of_best-selling_game_conso... ). I'd say to get figures like that you need to have had mainstream success.

I can't speak for all of their products, I only have a couple, but I've never had a reason to complain.

I'm not apologising for them, they really have screwed up with this security thing, but I think it's disingenuous to claim they've only made crap for the past 20 years when there are some very obvious exceptions.

You are correct -- there are a few exceptions, and the Playstation was definitely one. Therein lies the difference:

1960-1985: Sony is the gold standard for quality

1995-2010: Sony makes crap, with a few exceptions

Out of context, this may seem like a small difference, but the difference is huge. In the late 50s and early 60s, Sony did not ship a color TV for over a decade because they weren't convinced they could get the quality good enough. When they finally shipped in 1966, Trinitron had brighter pictures than the competition, and the TV sets never broke. The things were expensive, but they were built like a tank. Until the mid-90s or so, every Sony CRT had a full metal cage. You paid a premium, but you got quality.

Today, the majority of Sony products shipped are overpriced lemons. The Sony of yesteryear would never have shipped them.

I think you are going a bit overboard, sure Sony may not be the Sony they were in the 80s or 90s, but they do still make quality hardware.

The Playstation 3 is probably the most reliable console (hardware wise) out of the current generation consoles, I have not had any issues with mine and neither has anyone that I know personally, I can't say the same for the Xbox 360.

I bought a Sony Vaio Z 13" a few years ago and it has stood up to a lot without any issues; sure, it may be very light and feel a bit "plasticky", but it is surprisingly tough.

Both of my brothers bought Sony LCDs a few years ago and they have not had any issues.

A friend of mine works in the Geek Squad as a home theater installer, and by far the least reliable name-brand TVs are made by Samsung; Sony is one of the more reliable brands.

Update, 9:03PM EST: "This is NOT a second attack; new information has been discovered as part of our ongoing investigation of the external intrusion in April."

Can someone please remind me to only deal with Sony in cash from here on out?

If they 'lose' that it isn't my problem.

Time to pass around those redeemable voucher card Amazon affiliate links.

I think that's going to be the only way I'll buy something from there.

I wonder if they could make rechargeable PSN gift cards. You could put money on it via PayPal, and the only thing Sony stores is how much money is on the card instead of actual credit card info.

Let this be a reminder to always check your monthly credit card statements.

Just to clarify, Sony was just clarifying the initial attack's results. This isn't a second attack.

What's going on Sony?

They were forced to do an audit, and lo and behold, they'd been hacked and hadn't noticed. The same thing would no doubt be true of most large corporations.

I have a feeling there might be more, as they refused to participate in the US Senate hearing.

Sort of off topic, but is there anyone else getting a lot of telemarketed automated calls recently? Any correlation with the Sony attack?

Credit card numbers were lost? Do they know that you can "take" data from computers without destroying it?

Semantics. We all know what they meant, and the colloquial usage of "lost" is valid here (i.e., "lost" as in lost control; you can "lose control" of your car without the steering wheel disappearing on you).

Or the hard drives were actually stolen.

