Sony's PSN Attacked Again! 93,000 Accounts Compromised!


LunarEdge

The only stupid thing I recall them doing was......well......this...

They're good at getting people to look the other way. They've done stupid/assholish stuff multiple times, some I've discussed here before, only for many to go "lol it's a megacorp what do you expect" and I die a little inside. Contrary to popular belief, I do actually feel that most large corporations are not composed entirely of molten evil and devil-worshipping arseholes, instead actually being capable of basic human decency even on a large scale, which is never easy (see any political discussion ever).

(Just spotted this...)

@Velotix

This whole case doesn't mean Sony doesn't care about its customers. Up until last year, the PSN remained virtually untouched, so Sony obviously did something right in that area to protect its customers. I mean they threw a massive bitchfit over homebrew and jailbreak (evidently with good reason, because it is what resulted in this happening) and sued the person responsible for the jailbreak.

I recognise you're not an expert so let me explain. Up until now Sony's explosive reaction to the jailbreak has made no sense. Apparently they only bothered to implement one security system: a blanket lock on the PS3's innards, aka the master key. That's flimsy security at best, to only have one - admittedly strong until it's finally broken - line of defence. Now their reaction to the whole Geohot scenario makes much more sense. They've committed a major faux pas in the security world by hedging all their bets on the PS3/P master keys, forgoing encryption because they believed so strongly in their "uncrackable" master key. Lo and behold, eventually it gets cracked and shit hits the fan bigtime because Sony never had the common sense to implement basic and widespread security technologies, which they would easily have access to or get access to very quickly. Importantly, they've had over four years to fix this and they haven't. This implies that either they don't care or they're incredibly stupid, and I'm giving them the benefit of the doubt on the latter.

In retrospect, the whole thing reminds me of the Titanic and the claims about its unbreachable hulls. We know how that ended, too. History repeats itself...

  • Thumbs Up 2
  • Bad Quality Post 1
Link to comment
Share on other sites

Either way, Sony probably does owe everyone at least something. Even if they didn't get credit card info stolen, their login info still was, which means they could still have their account hijacked and used to buy things, depending on whether they have virtual funds. I wouldn't expect it to go any further than one free download of some very specific item, though. :rolleyes:

Link to comment
Share on other sites

Actually 10-digit.

The law firm would pocket 9-digits if they won, assuming the typical 30% commission applied.

Link to comment
Share on other sites

They're good at getting people to look the other way. They've done stupid/assholish stuff multiple times, some I've discussed here before, only for many to go "lol it's a megacorp what do you expect" and I die a little inside. Contrary to popular belief, I do actually feel that most large corporations are not composed entirely of molten evil and devil-worshipping arseholes, instead actually being capable of basic human decency even on a large scale, which is never easy (see any political discussion ever).

(Just spotted this...)

Well a lot of companies are good at getting you to look the other way. Though admittedly some of the things Sony have done are hardly brilliant.

I recognise you're not an expert so let me explain. Up until now Sony's explosive reaction to the jailbreak has made no sense. Apparently they only bothered to implement one security system: a blanket lock on the PS3's innards, aka the master key. That's flimsy security at best, to only have one - admittedly strong until it's finally broken - line of defence. Now their reaction to the whole Geohot scenario makes much more sense. They've committed a major faux pas in the security world by hedging all their bets on the PS3/P master keys, forgoing encryption because they believed so strongly in their "uncrackable" master key. Lo and behold, eventually it gets cracked and shit hits the fan bigtime because Sony never had the common sense to implement basic and widespread security technologies, which they would easily have access to or get access to very quickly. Importantly, they've had over four years to fix this and they haven't. This implies that either they don't care or they're incredibly stupid, and I'm giving them the benefit of the doubt on the latter.

In retrospect, the whole thing reminds me of the Titanic and the claims about its unbreachable hulls. We know how that ended, too. History repeats itself...

I'd say it's down to neither lack of concern nor stupidity.

Probably arrogance. That is one heck of a dim thing to do, but I think they were way too confident in their system to bother with anything else, just like the Titanic analogy you used. The ship's engineers weren't stupid and they obviously did care about the lives of innocent people, but they were too arrogant to realise the flaw in their plans.

  • Thumbs Up 3
Link to comment
Share on other sites

Either way, Sony probably does owe everyone at least something. Even if they didn't get credit card info stolen, their login info still was, which means they could still have their account hijacked and used to buy things, depending on whether they have virtual funds. I wouldn't expect it to go any further than one free download of some very specific item, though. :rolleyes:

They'll most likely do the following.

* Credit back any PSN+ downtime.

* Credit back any paid-for service downtime (DC Universe Online, Netflix etc.).

* Give everyone some kind of free game/item (mind you, as to what that will be... blimey, if you already own it, what a slap that will be.)

As per United States law, they will most likely have to offer credit checking service (someone from the USA help me) due to the breach to all USA Citizens/account holders. But will likely only do that if the user claims for it.

As per EU regulations, there is likely to be a similar stance, but it won't get advertised and will be epically difficult for people to actually get.

After that... I don't know, you might get some form of extra compensation if you called/sent angry letters, but they won't do that for everyone who writes to them, that's for certain. Otherwise, time to go down the street with the big glass doors that say "Law" on them.

Should they do more? Urm... well... for me, I'm not sure, so long as I get my PSN account back, I don't know if I could actually claim anything else, I had no card detail on there, and I decide to get a name change to the details I put on there, I don't think I would have a leg to stand on when it comes to claiming... I might get something extra if I kicked up enough fuss over them losing my email to begin with. But that would most likely come to nothing.

After all that, should they do more? Well, kinda hard to say, they've done all they need to do via the law, it's likely the law will come down on them with a few penalties, but as for if they 'should' (not could) do more to the current user base, really not sure on that one.

I can't see them turning around saying "All PSN+ users get their lost days back and an extra month free" and then say "All PS3 users currently signed up get 1 month PSN+ free" Giving PSN users a free download, what else could they do?

Edited by Hogfather
Link to comment
Share on other sites

I could certainly do with a free 20€ on my PSN account to spend as I see fit in compensation for the troubles caused.

But we'll get Home tshirts instead.

Link to comment
Share on other sites

But we'll get Home tshirts instead.

I vote they all be black, and with white glowing letters that say "I got hacked off in April 2011"

Edited by Hogfather
  • Thumbs Up 3
Link to comment
Share on other sites

Even though the hackers had stolen purchase/download history, it would still be a bit useless. Due to the fact that, how many users have bought and redeemed DLC, Games, and etc? I don't know. What I do know is it is not a pretty sight.

Love the T-shirt idea though.

Link to comment
Share on other sites

I may be slightly hypocritical being an extremely biased against Sony person, but I don't see why people can't just enjoy PS3 offline instead of going "Oh I'm glad I'm a 360 user, go Xbox Live!"

But anyway, this is going to be one heckuva cleanup job. Also it will be pretty difficult to find the people responsible for these attacks. One could very well cover their tracks/falsify their tracks as a bona fide hacker.

Link to comment
Share on other sites

As per United States law, they will most likely have to offer credit checking service (someone from the USA help me) due to the breach to all USA Citizens/account holders. But will likely only do that if the user claims for it.

It's at the point now where banks are openly allowing the cancellation of credit cards and accounts due to Sony's blunder. My friend called up his bank today (Royal Bank of Canada) and when questioned as to why, he mentioned Sony and got the response "we're well aware, and we'll be sending you out a new credit card within five days."

This is why I use prepaid VISAs for all my online payments.

Link to comment
Share on other sites

New Q&A

Q: Are you working with law enforcement on this matter?

A: Yes, we are currently working with law enforcement on this matter as well as a recognized technology security firm to conduct a complete investigation. This malicious attack against our system and against our customers is a criminal act and we are proceeding aggressively to find those responsible.

Q: Was my personal data encrypted?

A: All of the data was protected, and access was restricted both physically and through the perimeter and security of the network. The entire credit card table was encrypted and we have no evidence that credit card data was taken. The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack.

Q: Was my credit card data taken?

A: While all credit card information stored in our systems is encrypted and there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained. Keep in mind, however, that your credit card security code (sometimes called a CVC or CSC number) has not been obtained because we never requested it from anyone who has joined the PlayStation Network or Qriocity, and is therefore not stored anywhere in our system.

Q: What steps should I take at this point to help protect my personal data?

A: For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information. Sony will not contact you in any way, including by email, asking for your credit card number, social security number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking. When the PlayStation Network and Qriocity services are fully restored, we strongly recommend that you log on and change your password. Additionally, if you use your PlayStation Network or Qriocity user name or password for other unrelated services or accounts, we strongly recommend that you change them, as well. To protect against possible identity theft or other financial loss, we encourage you to remain vigilant, to review your account statements and to monitor your credit reports.

Q: What if I don’t know which credit card I’ve got attached to my PlayStation Network account?

A: If you’ve added funds to your PlayStation Network wallet in the past, you should have received a confirmation email from “DoNotReply@ac.playstation.net” at the email address associated with your account. This email would have been sent to you immediately after you added the funds, and will contain the first 4 digits and last 4 digits of your credit card number. You can also check your previous credit card statements to determine which card was attached to your PlayStation Network or Qriocity accounts.

Q: When or how can I change my PlayStation Network password?

A: We are working on a new system software update that will require all users to change their password once PlayStation Network is restored. We will provide more details about the new update shortly.

Q: Have all PlayStation Network and Qriocity users been notified of the situation?

A: In addition to alerting the media and posting information about it on this blog, we have also been sending emails directly to all 77 million registered accounts. It takes a bit of time to send that many emails, and recognize that not every email will still be active, but this process has been underway since yesterday. At this time, the majority of emails have been sent and we anticipate that all registered accounts will have received notifications by April 28th. Consumers may also visit www.us.playstation.com/support and www.qriocity.com for notices regarding this issue. In addition, we have taken steps to disseminate information regarding this issue to media outlets so that consumers are informed.

Q: What steps is Sony taking to protect my personal data in the future?

A: We’ve taken several immediate steps to add protections for your personal data. First, we temporarily turned off PlayStation Network and Qriocity services and, second, we are enhancing security and strengthening our network infrastructure. Moving forward, we are initiating several measures that will significantly enhance all aspects of PlayStation Network’s security and your personal data, including moving our network infrastructure and data center to a new, more secure location, which is already underway. We will provide additional information on these measures shortly.

Q: Has Sony identified the party or parties responsible for the PlayStation Network hack and subsequent theft of personal information?

A: We are currently conducting a thorough investigation of the situation and are working closely with a recognized technology security firm and law enforcement in order to find those responsible for this criminal act no matter where in the world they might be located.

Q: When will the PlayStation Network and Qriocity be back online?

A: Our employees have been working day and night to restore operations as quickly as possible, and we expect to have some services up and running within a week from yesterday. However, we want to be very clear that we will only restore operations when we are confident that the network is secure.

One especially noteworthy bit is that Sony has finally confirmed what info was encrypted and what was not: credit card info is encrypted and personal info was not. I personally wish that it was all encrypted, but it's nice to know that CC info (which Sony still isn't 100% sure was taken or not) isn't going to be as easy for the hackers to use if they did indeed get it. Also, new firmware and mandatory password change confirmed.

Nice to see Sony answer these questions instead of just saying something along the lines of "We told you what was happening yesterday. PSN will be back up within a week. Thanks for waiting!" like all the older updates.

Edited by Gamerguy21
Link to comment
Share on other sites

So basically the information about unencrypted data was blown well out of context and proportion making the last two pages of this thread pointless and me look like a total arse.

Perfect. Just perfect. XD

  • Thumbs Up 2
Link to comment
Share on other sites

Sony are lying through their goddamn teeth. We KNOW the hackers have made off with the credit card data and actually used it. I'm rather inclined to think that they're bullshitting about the credit card details being encrypted, as well. After all, why would they admit they fucked up that badly? It alone would do terrible things to their reputation.

Edited by Masaru Daimon
  • Thumbs Up 1
  • Bad Quality Post 3
Link to comment
Share on other sites

I have to wonder if relocating all the servers is part of a "fuck this shit, redo EVERYTHING" plan to appease investors or if they suspect someone working there might be involved to sell personal data to the Italian mafia.

Link to comment
Share on other sites

You should just look into getting a virtual card for online purchases. I have one, works like a mobile phone in the sense that you recharge it at the bank whenever you need to spend the money and that's it.

When Shopto got hacked I had it stolen and some Nigerian prince or whatever tried to use it, the bank called, canceled the card and issued me a new one in less than 5 minutes. They also were kind enough to transfer the funds I still had there, all 45 cents of it.

Also lols @ Velotix's cancellation of his likely inexistent intent of getting the system. C'mon son, spare us the moral card ;P

There are PSN cards at Gamestop that allow one to buy stuff from the PSN without placing credit card information. I am sorry, but I never trusted Megacorps or even Banks with my money especially when it comes to online purchases. I never understood why people would have such blind faith and order anything online console or internet when there are hackers lurking about. I don't play that shit. If I can't physically look a fucker in the eye, then I am not giving him/her my information like credit cards. Maybe I have always been paranoid of new media, but I couldn't have been the only one who thought something like this was bound to happen and made sure his/her ass is in the clear.

@Masaru, I don't know what Sony did to you or if they raped your mother, but all you have as evidence to the contrary is your own hatred towards the company. "We know"...uhh... no we don't unless you are one of the hackers or are associated with them. And Sony is in no position to lie dude.

Edited by turbojet
  • Thumbs Up 2
Link to comment
Share on other sites

There are PSN cards at Gamestop that allow one to buy stuff from the PSN without placing credit card information. I am sorry, but I never trusted Megacorps or even Banks with my money especially when it comes to online purchases.

Cannot say about the situation in other countries, but here banks will cover for any fraud attempt on your savings. Don't see anything wrong with the method I took, as it didn't require me to register an account (hence it's completely independent) and I can add the exact amount needed right before the purchase, which is something you cannot do with prepaid PSN cards.

Works as a Mastercard and as such I can use it on pretty much anything besides PSN, like online stores or even PayPal. If it gets compromised, I just have it cancelled and replace the details with the new ones.

Link to comment
Share on other sites

Sony are lying through their goddamn teeth. We KNOW the hackers have made off with the credit card data and actually used it. I'm rather inclined to think that they're bullshitting about the credit card details being encrypted, as well. After all, why would they admit they fucked up that badly? It alone would do terrible things to their reputation.

Wait a second... Now I might be wrong about this since I don't keep tabs on every story to ever come out. But one thing I do remember about this "The card details are not encrypted issue."

When that story first broke a few months ago, a lot of people on here were quick to quote it and start slagging Sony off, it then turned out that the data was actually encrypted. But because the people who found it were using Custom Firmware their card data wasn't encrypted for that very reason, that they were using custom firmware.

Edit:

In fact you posted in that topic only 2 replies after it was mentioned. It was only vulnerable if you were using a CFW.

Edited by Hogfather
  • Thumbs Up 1
Link to comment
Share on other sites

When that story first broke a few months ago, a lot of people on here were quick to quote it and start slagging Sony off, it then turned out that the data was actually encrypted. But because the people who found it were using Custom Firmware their card data wasn't encrypted for that very reason, that they were using custom firmware.

The data on your own console isn't very secure. Because it doesn't need to be - it's out of reach.

The only way someone could ever access that is if you're dumb enough to install a CFW that contains a trojan targeting it.

Link to comment
Share on other sites

That makes me feel better. The credit card thing was worrying me but I guess not anymore, since I don't use CFW.

Link to comment
Share on other sites

So, for some odd reason your credit card data isn't encrypted if you have custom firmware but not otherwise? Probably has to do with the exploit they have to use in order to access PSN, right?

Link to comment
Share on other sites

So if the credit card data was encrypted, then the perpetrators who made off with big wads of cash off of the credit card data are master code breakers and/or double agents between hacking and coding for Sony.

Link to comment
Share on other sites

So if the credit card data was encrypted, then the perpetrators who made off with big wads of cash off of the credit card data are master code breakers and/or double agents between hacking and coding for Sony.

Or, the people who claim to have had data taken had CFW on their systems and are too ashamed to admit it.

  • Thumbs Up 1
Link to comment
Share on other sites

I would fucking laugh my ass off if that was the case.

Holy shit.

Edited by Chooch
  • Thumbs Up 2
Link to comment
Share on other sites

Has anyone read this yet?

"Well, it also turns out that some people over at NGU found out that you could provide fake CC# info and the authenticity of the information was never checked as you were on Sony's private developer PSN network (essentially a network that Sony trusted). What happened next was extreme piracy of PSN content."

Link to comment
Share on other sites

Yeah I posted that earlier in the thread.

At some point in that Sony Q&A I smell massively reeking bullshit. Security can impossibly be that uptight if it's exposed 77 million users and I doubt that even a fraction of those who've got their credit cards extorted are even into homebrewing, because any person who's into the scene would know how obnoxiously stupid using a credit card on a hacked console would be.

Anyway we got ourselves our first lawsuit.

Edited by Carbo
Link to comment
Share on other sites
