Trouble Thinking

June 15, 2011

May 3, 2011

SOE Also Hacked, Lovely. Seriously Though, Cancel Those Cards.

Filed under: News — Durandal @ 3:58 pm

Sony Online Entertainment, the division of Sony that’s in control of the Massively Multiplayer products, has also been hacked. So, now with these additional 25 million accounts hacked, we’re at 100 million people’s information stolen due to apparent neglect on the part of Sony.

Our ongoing investigation of illegal intrusions into Sony Online Entertainment systems has discovered that hackers may have obtained personal customer information from SOE systems. We are today advising you that the personal information you provided us in connection with your SOE account may have been stolen in a cyber-attack. Stolen information includes, to the extent you provided it to us, the following: name, address (city, state, zip, country), email address, gender, birthdate, phone number, login name and hashed password. (From their notice)

They’re also now confirming that at least hundreds of credit card numbers have been stolen.

And if you’re outside the US, good news!

Customers outside the United States should be advised that we further discovered evidence that information from an outdated database from 2007 containing approximately 12,700 non-US customer credit or debit card numbers and expiration dates (but not credit card security codes) and about 10,700 direct debit records listing bank account numbers of certain customers in Germany, Austria, Netherlands and Spain may have also been obtained. We will be notifying each of those customers promptly.

Cancel your credit card if you’ve ever used it to pay for PSN or SOE content, change any passwords you have if you’ve used PSN or SOE content. Better safe than sorry.
Sony isn’t going to live this one down for a long time.

April 27, 2011

Are You on PSN? Might Want to Cancel Some Credit Cards…

Filed under: Game News — Durandal @ 11:08 am

So, it’s been about a week of PSN being down.

This is an "Online Webcomic" called "Pennies Arcade" discussing the topic!

The story seems to be that at some point in mid-April, someone hacked the Playstation Network. In response, Sony just straight shut down PSN to deal with it. They didn’t tell anyone for a week why it was down, which is super nice of them. They’ve just recently announced that they hope to have it back up in about a week. Oh! Also, if you’ve ever bought anything on PSN, your credit card info, birthdate, and (presumably) secure password might have been stolen. But they don’t really know that’s true so they figure eeeeh they’ll let you deal with that as you will. And maybe not really tell you in any way, shape, or form! People are reporting that they’ve not received any sort of email notice even now of PSN being down, much less that they might have to get a new card number. They did put an update on their blog, though.

For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information. Sony will not contact you in any way, including by email, asking for your credit card number, social security number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking. When the PlayStation Network and Qriocity services are fully restored, we strongly recommend that you log on and change your password. Additionally, if you use your PlayStation Network or Qriocity user name or password for other unrelated services or accounts, we strongly recommend that you change them, as well.

To protect against possible identity theft or other financial loss, we encourage you to remain vigilant, to review your account statements and to monitor your credit reports. We are providing the following information for those who wish to consider it:

U.S. residents are entitled under U.S. law to one free credit report annually from each of the three major credit bureaus. To order your free credit report, visit www.annualcreditreport.com or call toll-free (877) 322-8228.

Of course, Sony only recently released the PSP Go, a device that entirely depends on PSN for all of its content. Hope you didn’t buy one in the past week, because it’s a brick. And I mean, frankly, I guess I’d recommend not ever buying one because get this: PSN apparently isn’t that stable or secure a service!

I think this would rile a bit less if they hadn’t simply been mute for a week about it. They probably hoped it was something they could resolve in a weekend and then pretend was some sort of routine downtime.

Edit: I just saw a great write-up about this on Eurogamer.

The pull quote?

The whole notion that password details have been taken defies belief. There’s a reason that most internet sites can’t tell you what your own password is and can only reset it – it’s because the server itself doesn’t actually store it at all. Your chosen password is hashed when it’s first transmitted, and only this checksum is stored. When you enter your login, the password is hashed again and compared to what is on the system – if we have a match, you are granted access.

In short, there is no actual need whatsoever for your password to be stored server-side at all. Sony’s statement suggests that it was actually storing sensitive information in plain text format, which defies belief. The only other explanation is that hackers only got access to the hashes and may have compromised a small minority of passwords by running this data through something like a dictionary look-up. However, from the tone of Sony’s apology this does not appear to be the case.

Seriously, get your shit in order and avoid suspicious requests, people who use PSN. Name and address are enough for a clever fraud, much less the extra shit Sony may have unnecessarily made vulnerable.
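
The hash-and-compare login flow the Eurogamer quote describes, and why the "dictionary look-up" it mentions only pays off against unsalted fast hashes, shown as an added example (not code from this post, Eurogamer, or Sony). The work factor, function names, and sample accounts are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this example; tune to your hardware

def register(password: str) -> dict:
    """Create the record a server stores instead of the password itself."""
    salt = os.urandom(16)  # unique per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "iterations": ITERATIONS, "digest": digest}

def verify(password: str, record: dict) -> bool:
    """Re-derive from the login attempt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])

def unsalted_digest(password: str) -> str:
    """The weak scheme: one fast hash, no salt."""
    return hashlib.sha256(password.encode()).hexdigest()

def accounts_exposed_by_lookup(table: dict, wordlist: list) -> set:
    """Audit helper: accounts in an unsalted table that match a common-password list."""
    known = {unsalted_digest(word) for word in wordlist}
    return {user for user, digest in table.items() if digest in known}

# Constructed sample data (not from any real breach).
SAMPLE_USERS = {"alice": "password1", "bob": "password1", "carol": "x9$Lq!v2Tz-mK4"}
COMMON_PASSWORDS = ["123456", "password1", "qwerty"]

if __name__ == "__main__":
    weak_table = {u: unsalted_digest(p) for u, p in SAMPLE_USERS.items()}
    print("exposed:", sorted(accounts_exposed_by_lookup(weak_table, COMMON_PASSWORDS)))
    a, b = register("password1"), register("password1")
    print("salted records differ:", a["digest"] != b["digest"])
    print("login ok:", verify("password1", a), "| wrong password:", verify("nope", a))
```

With per-account salts, two users who picked the same password get different stored records, so a single precomputed table no longer covers the whole database, and the iteration count raises the cost of each guess.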
