
Sony: Credit card data was encrypted

Thu 28 Apr 2011 8:22am GMT / 4:22am EDT / 1:22am PDT
OnlinePublishing

But no encryption for personal data, as Sony provides new update on security breach


Sony has claimed that credit card data stored on the PlayStation Network was encrypted and that there is still no evidence that credit card information has been stolen following last week's security breach of the online service.

Although on Tuesday Sony admitted that it could not rule out the possibility that credit card data had been taken, there is still no suggestion that the breach has been that serious.


According to an update on the official PlayStation Blog, "All of the data was protected, and access was restricted both physically and through the perimeter and security of the network. The entire credit card table was encrypted and we have no evidence that credit card data was taken.

"The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack."

While Sony still cannot guarantee that credit card information, encrypted or otherwise, was not taken, it continues to offer the same advice to customers: "If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained."

"Keep in mind, however that your credit card security code (sometimes called a CVC or CSC number) has not been obtained because we never requested it from anyone who has joined the PlayStation Network or Qriocity, and is therefore not stored anywhere in our system."

The protection of credit card data could be the first positive news for Sony during the ongoing scandal, but the admission that personal data was not encrypted could still prove damaging.

This data has already been confirmed as compromised and would be of significant use to criminals in terms of identity theft and as an aid to phishing scams.

Yesterday it was revealed that the Information Commissioner's Office in the UK is to quiz Sony over its online security arrangements.

29 Comments

gi biz
;,pgc.eu

341 51 0.1
If their encryption key is as safe as the one they used in the PS3...

Posted:2 years ago

#1

Christopher Bowen
Owner, Gaming Bus

118 0 0.0
What type of encryption? Talk... technical to me, baby. What kind of encryption, Sony?

Posted:2 years ago

#2

Alasdair Gray
Junior Account Planner

9 0 0.0
Surely this information should be getting emailed to PSN customers, rather than just posted on their blog?

Posted:2 years ago

#3

Joe Winkler
trained retail salesman

162 1 0.0
@Alasdair: Agreed. Well that sounds like the damage is not that high.
But knowing that some dude in some country can login with my account and do whatever he likes with it is still an issue to me. Not to mention that this person has my private data as well.
In times of social networking we are all diaphanous to most companies. That's why most spam mails and adverts always fit to your personal interests.
If people don't want to get their information stolen, they shouldn't even have a telephone at home not to start with the internet.

@Alex: I checked my mails and did not receive any info from sony yet.

Edited 2 times. Last edit by Joe Winkler on 28th April 2011 10:43am

Posted:2 years ago

#4

James Poole
Managing Director

36 0 0.0
why would anyone in Sony's position not have the password details encrypted as well?

Posted:2 years ago

#5
Try to live on a digital desert island. Perhaps having an oldschool dialup is the way forward for the security conscious?

Posted:2 years ago

#6

Alex Loffstadt
Community Manager

84 0 0.0
@Joe With your PSN settings have you set them to allow e-mail messages from PSN and have you checked your Spam Filter? :) I've received messages over the past couple of days but it may be dependent on your PSN region or the mails may be going out in batches... *Shrug*

Posted:2 years ago

#7
A friend I work with, discovered a bunch of illegal purchases on his credit card 2 days ago (bank has been notified, etc). He had a PSN account which included his CC details - he couldn't think of any other obvious source, never happened before, etc.

Posted:2 years ago

#8

Patrick Frost
QA Project Monitor

380 170 0.4
@Micheal - I think that's quite a long shot. Many people get their cards cloned by entirely real world means or having their identities stolen by people sorting through their rubbish bins.

Have Sony not pointed out that even without the CSC that the cards can be used (as he illustrated with their own system!) ?

Posted:2 years ago

#9
I haven't had a single email from Sony to my PSN linked email address yet.

Posted:2 years ago

#10

Stuart Green
Studying BTEC Games Development

7 0 0.0
@Joe: I wonder which of my personal interests get me spammed with penis enlargement and Viagra products??

Posted:2 years ago

#11

gi biz
;,pgc.eu

341 51 0.1
@patrick: yup, apparently the most dangerous place where you can get your card cloned is in shops: modifying the POS (the owner is not necessarily aware) is one of the easiest ways of collecting a lot of cards. Still, they should expect a lot of "false positives" at Sony; unless one can find the culprit, the most obvious cause is the breach at Sony.

Posted:2 years ago

#12

Mikael William Bergene
Artist

1 0 0.0
It's interesting. I had two accounts, one for my current US residency and my old UK one. Only the email registered with the US one has been contacted regarding the issue.

Posted:2 years ago

#13

Philipp Nassau
Student - Business Administration (M. Sc.)

51 18 0.4
I'm sorry but after the PS3 Keys I don't trust any Sony encryption. These guys made way too many mistakes in the past to feel safe now. Considering that the system stores the whole information and automatized access to it happens in a few seconds I see no reason why they should expect it not to be breached after seeing to what extent the hackers could move inside the system.

Posted:2 years ago

#14

Geoff Spick
Editor/Writer

11 0 0.0
Sony must have known that a week ago, telling everyone back then would have saved a lot of grief (and me cancelling my card)

Posted:2 years ago

#15

Phil Blunt
indie developer

4 0 0.0
sounds like a lie to me, there are posts on the net from 3 months previous to this that suggests the data is not encrypted. sounds like they are trying to dodge the fail in their data protection act compliance.

can online gamers and digital distribution recover from this?

Posted:2 years ago

#16

James Poole
Managing Director

36 0 0.0
I have two PS3s, one UK and one US. Only the email address associated with the US one has been contacted.

Posted:2 years ago

#17
I didn't get an email until late in the evening last night, so it might be that Sony have a backlog of people to inform.

Posted:2 years ago

#18

Joe Winkler
trained retail salesman

162 1 0.0
@Stuart: Penis enlargement and Viagra are the classic spam mails everyone receives nowadays (or at least if the email address exists for a few years). But in my case there are lots of spam mails (not to mention the Viagra stuff;) that cover up with my personal interests. Games and movies and other hobbies I prefer are mostly in the content.

Posted:2 years ago

#19

Brian Depaul
Editor/Owner

2 0 0.0
It's going to be interesting to see how they deal with this issue

Posted:2 years ago

#20

Paul Shirley
Programmers

165 131 0.8
@James Poole: "why would anyone in Sony's position not have the password details encrypted as well?"

Because the law only requires them to protect cc details. Everything else is a choice [EDIT] and we're assuming they chose not to protect the rest[/EDIT]

So far the public have not realised Sony [may] have done the absolute minimum required to avoid jail time and/or massive fines, rather than taking customer security seriously. It won't be pretty if they wake up and realise Sony chose not to protect all the data, protecting one database but not another is not an accident, it demonstrates a conscious choice was made.

Edited 1 times. Last edit by Paul Shirley on 28th April 2011 6:11pm

Posted:2 years ago

#21

James Prendergast
Research Chemist

730 410 0.6
@Joe.

I take issue with your implication that users are at fault for just trying to live their lives. I mean, how disingenuous is that? "If people don't want to get their information stolen, they shouldn't even have a telephone at home not to start with the internet."

Let's continue the logical extent of that sort of argument: "Women who wear clothing that reveals their bodies in any way are asking to be abused. People who drive their cars are asking to be in an accident. People who ride trains or planes are asking to be bombed/hijacked." Also realising that it's not just people who have connectivity within their own home who have their identities/details stolen.... So eating out is a no-go. Having a bank or savings account is a no-go (banks have breaches too).

That's a seriously messed up worldview right there....

As for the "damage is not that high" comment. You basically nullify that with your next sentence... because your personal data is constant across multiple environments that you have no control over. Even if you, yourself, are not compromised by this. How many friends of yours on facebook, from your primary email address... here on GI.biz.... can or could be targeted by malicious phishing or malware hooks by interacting with what/who they believe is you? The damage isn't just to the people who had their account information stolen but their families, their finances and their acquaintances' finances and families.

That old work chestnut about "don't open files in emails unless they're from a trusted source" is out the window as soon as you're no longer sure who you can trust. Considering it's impossible to keep Antivirus up-to-date with the newest of the new releases of malware, compromises of information like has happened here are just unreal in terms of how things could play out.

Edited 1 times. Last edit by James Prendergast on 28th April 2011 10:04pm

Posted:2 years ago

#22

Curt Sampson
Software Developer

564 278 0.5
Alasdair: I have personally verified that a message arrived at the e-mail address for one Japanese PSN account about four days after the breach, and one arrived at the e-mail address for a U.S. PSN account about six days after the breach. The large delays are annoying, but I'm willing to cut Sony a bit of slack on this since they did have to send out some 75 million messages.

Posted:2 years ago

#23

Curt Sampson
Software Developer

564 278 0.5
"Keep in mind, however that your credit card security code (sometimes called a CVC or CSC number) has not been obtained because we never requested it from anyone who has joined the PlayStation Network or Qriocity, and is therefore not stored anywhere in our system."

That they never requested the CVC is outright wrong, I believe. I'm quite certain that I was a) asked for the CVC when I added a credit card to my PSN account recently, and b) was asked for it again (though not any other credit card information) when I first set up my PSP to use that account.

I quite believe that Sony's not storing it, of course, since that would normally be a breach of anybody's merchant account agreement. The CVC is supposed to be stored nowhere but in the credit card provider's database and written on the card itself (not on the magnetic stripe, though) so that it can act as evidence during initial card data entry that the person doing the entry is in possession of the physical card itself.

Posted:2 years ago

#24
@Curt: I'd cut Sony some slack for delays in sending out 75 (or is it 77?) million emails, but there is no excuse for them not bringing the issue to light sooner by means of a press release - something they did six days after the fact.

Posted:2 years ago

#25

Joe Winkler
trained retail salesman

162 1 0.0
@James Prendergast.
With the statement "maybe the damage isn't that high", I pointed at the fact that hackers AT LEAST didn't get the whole credit card address (which doesn't make it much better).
And you're definitely right about my "living in a cave prevents from evil" statement. It's just that everyone online is somehow in someway traced with his personal data anyway. So the least I know is that "they" know my interests (excluding Viagra) and where I live (even if I didn't post that anywhere).

The issue here is that Sony just messed up big time, and those things shouldn't happen. And yes, I'm not happy about that either.

Edited 2 times. Last edit by Joe Winkler on 29th April 2011 8:58am

Posted:2 years ago

#26

Jim Webb
Executive Editor/Community Director

2,209 2,048 0.9
It doesn't take 4 days for Sony to send 75 million emails. I could push 24 million in 1 day on my own server using just the vBulletin forum software. And I'm willing to bet Sony's servers are a bit more powerful than my own and are using dedicated email software and dedicated email servers.

And even if it did take 4 days to send out all the Japanese emails you'd have 25% of them receive an email on day 1, 25% receive an email on day 2 and so on. Not all of them arrive on day 4.

Posted:2 years ago

#27

Jeff Wilson

46 0 0.0
I think I shall purchase a Sony Network Card from a High Street Gaming Store to get the points I need for the DLC until Sony have sorted this out. I was thinking of purchasing DLC online recently from Sony Network for my PS3 Slim, I am glad I did not. We have never had this problem with Amazon, Apple or Microsoft Xbox Live. They maintain secure sites, why can't Sony?

Posted:2 years ago

#28

Reilly Davis

17 0 0.0
at most it would take an hour to send those mails its all dynamic its not like they have to manually type in all addresses and the most amusing spam i get is jessica alba is fat lol

Posted:2 years ago

#29
