Sony: PSN credit card details were encrypted

By Liam Tung on Apr 29, 2011 9:06 AM
Filed under Security

Passwords still a gold mine, says former black hat.

Sony has claimed that the credit card details of its PlayStation Network customers were encrypted, a key fact it omitted in its initial disclosure about being hacked.

“The entire credit card table was encrypted and we have no evidence that credit card data was taken,” Patrick Seybold, Sony’s senior director of corporate communications, said in a blog post Wednesday.

He added that CVV2 data, the three-digit code used to verify that an online purchaser has the card being used in an online transaction, was not stolen.

While encryption did not cancel the risk of fraud posed to as many as 77 million PlayStation Network customers, it reduced it, and should have been revealed during the first admission, according to Graham Cluley, senior technology consultant at security vendor Sophos.

“Sony has once again missed an opportunity to reassure its customers,” he wrote.

“They should have said in the first announcement of the data loss that the credit card data was encrypted, and they should - in this latest communication - have provided details of the nature of the encryption that was used.”

Still, identity theft and secondary hacking of PlayStation Network users’ other accounts remained a risk. 

Seybold pointed out that the “personal data table”, which included names, passwords, birth dates, buying history, and billing addresses, was not encrypted.

“For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information,” Seybold wrote. 

Sony also revealed that besides rebuilding its server infrastructure -- one of the reasons it gave last week for shutting down its network -- it had already begun moving network infrastructure to a “more secure” data centre.

“We are initiating several measures that will significantly enhance all aspects of PlayStation Network’s security and your personal data, including moving our network infrastructure and data center to a new, more secure location, which is already underway,” according to Seybold. 

Sony was also working on a new firmware update, which “will require all users to change their password once PlayStation Network is restored”, expected to occur within a week.

The company promised to find the culprits behind the alleged hack “no matter where in the world they might be located”. 

The most likely place to find those responsible would be somewhere in or near Russia, according to former black hat hacker and Wired security editor Kevin Poulsen, who ruled out other usual suspects such as hacking collective Anonymous, Chinese hackers and recreational hackers.

Poulsen ruled the “For-Profit Cyberthief”, largely concentrated in Ukraine and Russia, as “probably guilty”.

“These guys ... know databases like the backs of their hands — they dream in SQL.”

“Credit cards without the mag[netic] stripe data or CVV2 are among the least valuable commodities. But combined with the other data, the database is valuable indeed,” he wrote in a blog post on Thursday.

“The passwords (which Sony evidently didn’t bother to hash) could be a gold mine, because people have a tendency to use the same password everywhere; you can bet a big chunk of those 77 million PlayStation Network passwords will unlock everything from Facebook accounts to online banking.”
