Sony's PSN down "for a day or two"

[KallDrexx]

Is there any option to not use their servers? I'd rather handle my own database file but it seems the premium still requires you to store it online (and costs $12/year). Major gripe I have with KeyPass is the lack of a decent OS X client.

Yeah both free and premium store it on their servers (you still have offline access to your passwords though), so if you want to manage it on your own then it's probably not for you.  The convenience of not having to remember my dropbox credentials and having seamless syncing across all mobile and non-mobile devices makes it worth it for me.

[Lantyssa]

I use Password Safe.  It can be put it on a USB stick if you're willing to take the risk.  Rename the program something like 'format.exe' if you want a bit of psychological protection.

[Mrbloodworth]

It's amazing how quickly the class actions have been filed.

http://youtu.be/MeXQBHLIPcw

[CaptainNapkin]

Hackers Tried To Sell Credit Card Numbers Back To Sony

Several media outlets reported today that the PSN hackers have begun advertising their exploits on online forums. Looking to sell the information, which also includes customer names, passwords, and addresses, the hackers have priced the credit card database at $100,000 for 2.2 million credit card numbers, or about 4.5 cents for each one.

Ok, I was just watching my card activity but now I believe it's time to have Amex cancel/reissue a new card. I really dislike having to update all my accounts that need CC info attached.

[NiX]

Kevin Stevens, senior threat researcher at the security firm Trend Micro, said he had seen talk of the database on several hacker forums, including indications that the Sony hackers were hoping to sell the credit card list for upwards of $100,000. Mr. Stevens said one forum member told him the hackers had even offered to sell the data back to Sony but did not receive a response from the company.

Internet "Journalism" HOOOOOOOO!

[HaemishM]

$100k? If that's true, they are vastly undervaluing that information. I'm sure there are some Russian fellows who'd pay more than that for a part of that DB.

[Yegolev]

Cue Austin Powers reference.

[Rendakor]

Hackers Tried To Sell Credit Card Numbers Back To Sony

Several media outlets reported today that the PSN hackers have begun advertising their exploits on online forums. Looking to sell the information, which also includes customer names, passwords, and addresses, the hackers have priced the credit card database at $100,000 for 2.2 million credit card numbers, or about 4.5 cents for each one.

Ok, I was just watching my card activity but now I believe it's time to have Amex cancel/reissue a new card. I really dislike having to update all my accounts that need CC info attached.

Proof that Credit Cards really ARE worth less than WoW accounts on the black market. 

[NiX]

It doesn't even sound legit. Some guy at Trend Micro read on a forum they were thinking of trying to sell it? Really?

[Yegolev]

Pretty much, and I think the lowball confirms that they have nothing.

[UnSub]

I thought that lists of credit card numbers could go for a couple of dollars per entry, so 4.5c per record seems exceptionally low.

[Yegolev]

I suppose some good news is that I have a Keepass app installed and running on my Droid,  which is how I managed to log in and post this.

[koro]

This is a funny bit from that Playstation Blog Q&A:

Q: Was my credit card data taken?
A: While all credit card information stored in our systems is encrypted and there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained. Keep in mind, however that your credit card security code (sometimes called a CVC or CSC number) has not been obtained because we never requested it from anyone who has joined the PlayStation Network or Qriocity, and is therefore not stored anywhere in our system.

The PS3's billing info screen:

The PSP's billing info screen:

 

[Paelos]

Wow, they really aren't making facepalms big enough for this.

[Mrbloodworth]

You are reading that wrong. You do not have to give ANY CC info when signing up, only when buying something.

Sign up is not the same as billing.

Also:

UPDATE: While we do ask for CCV codes, we do not store them in our database.

[stu]

The Q & A isn't exclusively about registration, although the blog dances around the fact nimbly. The question has nothing to do with registration. Why would they ask for credit card info to register?

[jakonovski]

Sony is really making me feel like trusting them with my cc info again. Not.

[Mrbloodworth]

The Q & A isn't exclusively about registration, although the blog dances around the fact nimbly. The question has nothing to do with registration. Why would they ask for credit card info to register?

Yes they are mixing things up. IIRCC, there is a section where you can set up a CC during registration, but its optional. I believe thats the screen shown. You do however have to enter CC info if you buy something if you do not set it up ahead of time.

[Amaron]

Sony is really making me feel like trusting them with my cc info again. Not.

Yea I wanted to pick up a PSP game last night and said fuck it.   Waited till the store opened this morning.   Good thing emulators exist for all the PSN exclusive shit.

[Mrbloodworth]

It looks like the beleaguered Sony finally caught a break. The company, which has struggled for over a week following a hacker attack that stole massive amounts of player information, says that it looks as though user credit card information remains secure and encrypted. It turns out that Sony had encrypted some personal info but not all of it.

Gamespot also reports that several financial companies, including MasterCard, WellsFargo and American Express, have witnessed "no unauthorized activity relating to Sony."

Sony's Patrick Seybold passed along the positive news: "The entire credit card table was encrypted and we have no evidence that credit card data was taken. The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack."

Sony's PlayStation Network is still offline while it's rebuilt with a higher level of security. The company saw its shares drop 4.5% today on the Tokyo exchange to $27.71.

Link.

[fuser]

And the other shoe drops

Dear valued SOE Customers,

We have had to take the SOE service down temporarily. In the course of our investigation into the intrusion into our systems we have discovered an issue that warrants enough concern for us to take the service down effective immediately. We will provide an update later today (Monday).

[Paelos]

 

[Lantyssa]

Less funny since I do have a credit card on file with SOE.  Also my retirement account (and a good number of other TRS employees) recently had its data stolen.

*sigh*

[cironian]

So, are there any Sony systems left that they haven't pushed the red button on?

[Yegolev]

If grunk was around we could ask him about FFXI.

[Soln]

this debacle now with SOE involved has done it for me.  Other than paying for utilities, AMZN and PayPal, we're not using any CC's online anymore.  And I've been working in EC for years.

[koro]

Thank goodness my old SOE account had a very long-since expired card with a vastly different number and security code, an old address, and both a password and a secret question I never use anymore.

I'll still probably scrub what little actually relevant info remains on it when it comes back up, like my name and email address.

[cironian]

credit card information from an "outdated database" from 2007 "may" have been stolen, which contains the credit card numbers and expiration dates of approximately 12,700 non-U.S. credit cards, as well as about 10,700 direct debit records of customers from Austria, Germany, Spain and the Netherlands.

Makes me feel almost glad that I had to have my credit card reissued with a different number since 2007 over an unrelated hack.

[01101010]

This is not leaving me with a great feeling about the future of Sony or SOE or my hope that PS:Next will ever be released. 

[KallDrexx]

this debacle now with SOE involved has done it for me.  Other than paying for utilities, AMZN and PayPal, we're not using any CC's online anymore.  And I've been working in EC for years.

Not really sure what the big deal with credit cards.  I mean yeah, using debit cards online is largely risky, but unless you have a credit card through a shitty bank, it's pretty easy to get fraudulent charges refuted and a new card issued (though it does suck until it's done).  It isn't exactly the end of the universe though.

I'm more worried about debit cards (since fraudulent charges are taken from your bank account until they finish their investigation) and how ridiculously easy it is to make payments for things online with a check (all you need is one voided check from someone to make a lot of fraudulent purchases).

Shit, PayPal should give you a much bigger scare, as they have a history of a lot of shady financial holds previously.

[bhodi]

One-use credit card numbers are becoming popular overseas. A friend Czech Republic has one. The way it works is this:

You go onto the CC website and you generate a number of single-use (or limited use) credit card numbers that are tied to your main CC number. Then, you simply use those numbers for your online transactions. When you run out, it's just a click or two to generate new ones. You can put in both the number of transactions they are vaild for as well as the credit limit for each.

It's more work, but at this point I'm seriously considering finding a US company who will issue me one. He also told me of his bank login which also had something I've never heard of before - they not only require your standard username and password through SSL (https), but they also mail you out a page of 50 or 60 one-use security codes. Each time you log in you burn a code and, when you get low, they mail you a new page. Basically, a crude-but-effective two-factor auth for additional security.

I also like ING's password system, in which you click on stuff instead of typing in a password. Much harder to sniff.

I'm also highly considering switching to keypass. Made the switch. I should have done it years ago, just too lazy.

[Minvaren]

With SOE being hit too, Sony appears to have reached clownshoes level of (in)competence here.

[Soln]

the problem for me with CC fraud is that while I'm not hugely worried about identity theft (although I know it could happen), I have a wife and kid, and I don't have the flexibility to suddenly manage a large fraud hit.  I don't know what to expect if my CC's are suddenly used and what the mean time might be for rescue, or what any long-term risks or whatever might be.  Basically, knowing just a little bit has convinced me it's just not worth it.  And frankly the uptake in hacks everywhere is boggling.

[Rasix]

Large fraud hit?  You call your card company, say the words "I didn't make this charge", and they go poof.  Shred the card and wait for your new one to arrive.  It's not like you ever have to pay it.

I use my card for absolutely everything.  I don't carry cash most of the time.  Checking account is for bills.  We've had one fraudulent charge in 10 years, and we live in the identity theft capitol of America.  Hell, the credit card calls us about charges they think might be fraud (mostly me buying shit late at night).

Maybe I'm just lucky, but I find the fraud risk completely manageable and easy to nullify in the case that it occurs.  

[tgr]

I haven't followed the PSN debacle too closely, but apparently this was presented today as new news:

This information, which was discovered by engineers and security consultants reviewing SOE systems, showed that personal information from approximately 24.6 million SOE accounts may have been stolen, as well as certain information from an outdated database from 2007.  The information from the outdated database that may have been stolen includes approximately 12,700 non-U.S. credit or debit card numbers and expiration dates (but not credit card security codes), and about 10,700 direct debit records of certain customers in Austria, Germany, Netherlands and Spain.