Author
|
Topic: Sony's PSN down "for a day or two" (Read 148077 times)
|
Ginaz
Terracotta Army
Posts: 3534
|
Glad I've never bought anything from PSN or Box Live. Now, if Steam ever gets hacked.... 
|
|
|
|
brellium
Terracotta Army
Posts: 1296
|
I've been kinda surprised over the anger on this. This sort of thing has been happening on a large scale for a while now and people haven't even been paying attention really. This probably isn't even close to the largest breach of its kind. Most companies just aren't very worried about protecting such data. It would be nice if this snowballs into a big deal that would wake people up a bit at least.
That would be the TJX breach, storing credit card info is a big no no for Visa, and results in nice penalties.
|
"One must see in every human being only that which is worthy of praise. When this is done, one can be a friend to the whole human race. If, however, we look at people from the standpoint of their faults, then being a friend to them is a formidable task." —‘Abdu’l-Bahá
|
|
|
Samprimary
|
Whence the anger? Simple, really: Sony's not really inspired any faith; they're like an employee already on probation for multitudes of clownshoes events like the rootkit debacle.
That, and this is an event that causes an immediately visceral response: a customer feels they have trusted Sony with their credit card information and as a direct result of using their product, which is now no longer available to them in the interim, they have to go through the hassle of contacting Experian, et al., and put themselves on fraud alert, get new cards, change all their passwords and security questions, and know that a massive operation now has a load of personal information about them that can be used to potentially access their information elsewhere or create opportunities for identity theft and dicking with accounts.
So, of course, people are going to be angry.
|
|
|
|
schild
Administrator
Posts: 60350
|
Fuck. I just got linked to this thread. I made that identity theft thing also after an employee of a large UNNAMED consumer electronics company made that joke.
Mine is better. It's under funny pictures. The joker up there can't identify fonts. Or use photoshop. I'm not even sure he made it on a computer.
|
|
|
|
Tale
Terracotta Army
Posts: 8567
sıɥʇ ǝʞıן sʞןɐʇ
|
Sony's list of Fucking Awful Questions mentions that SOE was hacked too and they're investigating. http://us.playstation.com/support/answer/index.htm?a_id=23568
Did SOE experience an attack due to the same reason?
SOE’s services are currently available, but they did experience a service interruption due to an external attack. An investigation is ongoing.
|
|
|
|
01101010
Terracotta Army
Posts: 12007
You call it an accident. I call it justice.
|
Sony's list of Fucking Awful Questions mentions that SOE was hacked too and they're investigating. http://us.playstation.com/support/answer/index.htm?a_id=23568
Did SOE experience an attack due to the same reason?
SOE’s services are currently available, but they did experience a service interruption due to an external attack. An investigation is ongoing.
Oh jesus christ...
|
Does any one know where the love of God goes...When the waves turn the minutes to hours? -G. Lightfoot
|
|
|
KallDrexx
Terracotta Army
Posts: 3510
|
Fuck. I just got linked to this thread. I made that identity theft thing also after an employee of a large UNNAMED consumer electronics company made that joke.
Mine is better. It's under funny pictures. The joker up there can't identify fonts. Or use photoshop. I'm not even sure he made it on a computer.
My bad, I just saw one on the internet and linked it, didn't make it.
Seeing as they specifically mentioned that passwords may have been part of the information gained, I am leaning towards them storing them in plain text. Really sounds like the people at Sony thought they could follow security by obscurity because the PS3 is not a "computer".
I'm inclined to agree with you, but technically even if the passwords were salted and hashed properly, they would still have to report that your password was released because technically your password can be derived, it's just not practical unless you are dealing with accounts with stupid passwords.
*edit* Btw, I strongly encourage everyone here that if your email was using the same password as your PSN account, change your email password, since your email was released in this hack. When my mom passed away and we needed access to her bank accounts and such, once we were able to get into her email account (via attempting to answer security questions) it was scary how many important sites (banks, insurance, etc.) we were able to gain access to once we had access to the email account (even without looking through email archives), no password knowledge necessary for any of them once we had email access.
|
|
« Last Edit: April 27, 2011, 05:35:27 AM by KallDrexx »
|
|
|
|
|
Nija
Terracotta Army
Posts: 2136
|
It's a good thing that my identity was compromised over the trueprotein.com breach a few months back, so anything I have related to Sony or SOE or any of those fuckers has already been replaced.
This kind of shit happens to me yearly. I'm going to make it a point to exclusively use those virtual credit card numbers that are only good for one use. It'll probably save me a bunch of money because it's such a pain in the ass.
For those who don't know what I'm talking about, several different CC companies will generate one time use numbers to use that tie directly to your actual number. Without actually using your number. I've used these for years when buying stuff from shady places, but now I guess it seems like I have to use it everywhere.
I can't even buy fucking protein powder or $5 arcade games without having the information stolen at some point. Such a bummer.
|
|
|
|
bhodi
Moderator
Posts: 6817
No lie.
|
*edit* Btw, I strongly encourage everyone here that if your email was using the same password as your PSN account, change your email password, since your email was released in this hack. When my mom passed away and we needed access to her bank accounts and such, once we were able to get into her email account (via attempting to answer security questions) it was scary how many important sites (banks, insurance, etc.) we were able to gain access to once we had access to the email account (even without looking through email archives), no password knowledge necessary for any of them once we had email access.
I also said this last page, too. That is the real danger, not CCs with no CVE code or expiration date info.
|
|
« Last Edit: April 27, 2011, 07:52:28 AM by bhodi »
|
|
|
|
|
Morfiend
Terracotta Army
Posts: 6009
wants a greif tittle
|
*edit* Btw, I strongly encourage everyone here that if your email was using the same password as your PSN account, change your email password, since your email was released in this hack. When my mom passed away and we needed access to her bank accounts and such, once we were able to get into her email account (via attempting to answer security questions) it was scary how many important sites (banks, insurance, etc.) we were able to gain access to once we had access to the email account (even without looking through email archives), no password knowledge necessary for any of them once we had email access.
I also said this last page, too. That is the real danger, not CCs with no CVE code or expiration date info.
I agree. I tell all the not super tech savvy people in my life this on a regular basis. Your email password should be very strong, and unique. If someone gets this, they have almost everything.
|
|
|
|
|
Pennilenko
Terracotta Army
Posts: 3472
|
Well, good thing I have a great bank. I was surfing the boards this morning and saw this thread. So I checked my bank website and noticed that my checking account had a hold on it. They had flagged my account due to several out of state small purchases on the card. Their fraud prevention shut it down before anything major. It ended up being a couple hundred dollars of charges all together. My bank is canceling my debit card and refunding the false purchases.
A big screw you to Sony for not notifying people. All it says when you try to use the PSN network is down for maintenance.
I don't know for sure if this incident is tied to the PSN data theft. It is oddly within the same time span though.
|
"See? All of you are unique. And special. Like fucking snowflakes." -- Signe
|
|
|
Amaron
Terracotta Army
Posts: 2020
|
|
|
|
|
CharlieMopps
Terracotta Army
Posts: 837
|
What should really make you mad is they stored all of this information in plain text. Awesome eh?
And they'll face no penalties whatsoever I suspect.
|
|
|
|
Pennilenko
Terracotta Army
Posts: 3472
|
What should really make you mad is they stored all of this information in plain text. Awesome eh?
And they'll face no penalties whatsoever I suspect.
There is certainly a penalty: I won't ever purchase anything from Sony again. I don't need their games and products bad enough. Sure I will be sad to not purchase the next PlayStation or buy any more PS3 games, but I can definitely will myself to make good on not buying their shit.
|
"See? All of you are unique. And special. Like fucking snowflakes." -- Signe
|
|
|
Rasix
Moderator
Posts: 15024
I am the harbinger of your doom!
|
Luckily all of my family's financial stuff is using my wife's logins and email address. Just in case, I changed my email address password. This is why I typically use a throw away gmail account for any potentially dodgy website registration. Nothing alarming on the credit card activity, except for my wife being left unattended in various shopping malls. 
|
-Rasix
|
|
|
Amaron
Terracotta Army
Posts: 2020
|
What should really make you mad is they stored all of this information in plain text. Awesome eh?
Even if it was properly salt/hashed they would have to act like it was plain text. The reality is the avg user has a crappy password that is easily brute forced. Frankly I bet Sony's security is no worse than nearly every other retail company I deal with. I consider them all equally worthless so I was already disgusted over such a topic long ago. I can't even count the number of times I've seen some dumbass system sending passwords in plaintext via EMAIL. Not even emailing me to say "woops we fucked up" when it's already all over the place in the news is a new low though.
|
|
|
|
Lantyssa
Terracotta Army
Posts: 20848
|
Nothing alarming on the credit card activity, except for my wife being left unattended in various shopping malls.
You should get a leash.
|
Hahahaha! I'm really good at this!
|
|
|
koro
Terracotta Army
Posts: 2307
|
And they'll face no penalties whatsoever I suspect.
Japan will likely not give the first shit, which should surprise nobody. Depending on how outraged Congress gets (especially if CC info has for-sure been compromised) and if the current scuttlebutt over Apple gets anywhere, Sony may be in a bit of hot water in the US... but I wouldn't expect a lot. I could easily see the EU pretty much crucifying Sony over this though.
|
|
|
|
Mrbloodworth
Terracotta Army
Posts: 15148
|
Quite sure that little accept button you clicked removes all liability.
|
|
|
|
bhodi
Moderator
Posts: 6817
No lie.
|
What should really make you mad is they stored all of this information in plain text. Awesome eh?
And they'll face no penalties whatsoever I suspect.
We don't know if it was plain text or not. However, this falls under PCI, so expect them to pay Visa and Mastercard millions of dollars in fines at the very least. Trust me, if you get a PCI violation, your ass and wallet will ache for a long time. PCI doesn't fuck around, and any database that stores credit card info must be PCI compliant.
|
|
|
|
Ratman_tf
Terracotta Army
Posts: 3818
|
Quite sure that little accept button you clicked removes all liability.
Dunno. Contracts can be and have been contested.
|
 "What I'm saying is you should make friends with a few catasses, they smell funny but they're very helpful." -Calantus makes the best of a smelly situation.
|
|
|
Mrbloodworth
Terracotta Army
Posts: 15148
|
Quite sure that little accept button you clicked removes all liability.
Dunno. Contracts can be and have been contested.
They don't usually come out on the side of the user though.
|
|
|
|
Ingmar
Terracotta Army
Posts: 19280
Auto Assault Affectionado
|
Quite sure that little accept button you clicked removes all liability.
Dunno. Contracts can be and have been contested.
They don't usually come out on the side of the user though.
In the US. The EU is another kettle of fish.
|
The Transcendent One: AH... THE ROGUE CONSTRUCT. Nordom: Sense of closure: imminent.
|
|
|
Yegolev
Moderator
Posts: 24440
2/10 WOULD NOT INGEST
|
So far no suspicious charges. I do keep a fraud alert going on my accounts, though, so that's already done. My mail account password is PROBABLY different from the PSN one... wondering if I can check this somehow or maybe just go ahead and generate a new mail password.
|
Why am I homeless? Why do all you motherfuckers need homes is the real question. They called it The Prayer, its answer was law Mommy come back 'cause the water's all gone
|
|
|
CharlieMopps
Terracotta Army
Posts: 837
|
What should really make you mad is they stored all of this information in plain text. Awesome eh?
Even if it was properly salt/hashed they would have to act like it was plain text. The reality is the avg user has a crappy password that is easily brute forced. Frankly I bet Sony's security is no worse than nearly every other retail company I deal with. I consider them all equally worthless so I was already disgusted over such a topic long ago. I can't even count the number of times I've seen some dumbass system sending passwords in plaintext via EMAIL. Not even emailing me to say "woops we fucked up" when it's already all over the place in the news is a new low though.
I can say that I've seen enough stuff to say that you have two options:
1. Don't do ANYTHING important on the web. Don't store any information you don't want getting out. (This is what I do)
2. Assume that the company you are doing business with hires random people off the street with no background check and no technical education, gives them full access to their entire username/password list and when working on an issue it is common for these people to write your username/password on a post-it note and stick it on their desk for easy reference. Also assume that the smarter employees get sick of all the post-it notes and eventually build an unsecure access database out on a share drive so everyone can store the accounts they're working on and share them between each other and when asked "How do you know people aren't copying this DB and taking it home with them every day" they respond "Huh?" (I've actually seen this, pointed out that it was bad and was told by the VP of the company in question that it was "inside the firewall so not a big deal")
|
|
|
|
Trippy
Administrator
Posts: 23657
|
3. Assume all your personal information is also being sent to various 3rd party services as well (see: Epsilon).
|
|
|
|
NiX
Wiki Admin
Posts: 7770
Locomotive Pandamonium
|
Ok, Sony may be the cause of this, but come on. No one knows when the attack actually occurred or what they got and because 3 people have money taken from their debit accounts, it's their doing? I typically only use my debit card at retail locations and ATMs. It's been compromised 3 times in 4 months. I think fraudulent and suspicious attempts/transactions happen a lot more than you know. I only found out because my bank recently started offering chequing accounts so they're nuts about security. Plus, anyone stupid enough to tie their debit account to an online profile deserves to have their money stolen.
|
|
« Last Edit: April 27, 2011, 11:49:47 AM by NiX »
|
|
|
|
|
Mrbloodworth
Terracotta Army
Posts: 15148
|
Plus, anyone stupid enough to tie their debit account to an online profile deserves to have their money stolen.
Do you mean Check cards too?
|
|
|
|
CharlieMopps
Terracotta Army
Posts: 837
|
My 10yr boycott of Sony finally pays off. I'm kind of glad the whole froglok thing happened now, prolly saved me a lot of hassle and I wasted less of my life on that stupid game.
|
|
|
|
Amaron
Terracotta Army
Posts: 2020
|
Do you mean Check cards too?
I wouldn't say anyone deserves to get their money stolen for using a check card for online services. I would call them an idiot though.
|
|
|
|
HaemishM
Staff Emeritus
Posts: 42666
the Confederate flag underneath the stone in my class ring
|
You do realize that debit cards, as fucked up as this might be, are the only way some people can actually use a goddamn credit card and the convenience that provides, right? You do realize that lots of things in our society require a credit card these days and won't accept pre-paid debit cards for such things? You do realize that those reloadable pre-paid credit cards are a HUGE fucking rip off and end up costing you more than if you just used your debit card, right? Because I'm sure you guys wouldn't get tunnel vision when talking about how people pay for things, completely forgetting that it isn't Joe Blow's use of a debit card that suddenly causes massive fraud, it's Sony's colossal security fuckup and banks' idiotic "prove it" approach when discussing fraud with their customers.
|
|
|
|
CharlieMopps
Terracotta Army
Posts: 837
|
Agreed. Sony should have to pay through the nose for this. I doubt they will unless Congress really needs to distract us from the Middle East for a while.
|
|
|
|
Teleku
Terracotta Army
Posts: 10516
https://i.imgur.com/mcj5kz7.png
|
Yeah, I pay for everything using my Debit Card only, online or anywhere else. It's the only card info anybody would have.
Luckily, I haven't purchased anything from Sony's store in a long time, and I've had to get a new card in the last few months, so I'm safe there. Looks like I need to change passwords on e-mails however.
|
"My great-grandfather did not travel across four thousand miles of the Atlantic Ocean to see this nation overrun by immigrants. He did it because he killed a man back in Ireland. That's the rumor." -Stephen Colbert
|
|
|
Mrbloodworth
Terracotta Army
Posts: 15148
|
Do you mean Check cards too?
I wouldn't say anyone deserves to get their money stolen for using a check card for online services. I would call them an idiot though.
Check cards are debit cards that are run like a credit card and feature a Visa logo.
|
|
|
|
|
 |