Sony now says that credit card info was encrypted. They <i>believe</i> that it wasn't stolen, and that decrypting it shouldn't be easy if it was, but they can't be sure. Other personal data, however, <u>were stolen</u> and <u>were not encrypted</u>, so watch out for identity theft such as people taking out loans in your name. However, I have also heard the opposite, that no data were stolen. The full scope of the intrusion seems to be unclear at the moment.
The following is only useful for U.S. citizens, but it's worth repeating for those who haven't seen it:<!--quoteo--><div class='quotetop'>QUOTE </div><div class='quotemain'><!--quotec-->To protect against possible identity theft or other financial loss, we encourage you to remain vigilant, to review your account statements and to monitor your credit reports. We are providing the following information for those who wish to consider it:
U.S. residents are entitled under U.S. law to one free credit report annually from each of the three major credit bureaus. To order your free credit report, visit www.annualcreditreport.com or call toll-free (877) 322-8228.
We have also provided names and contact information for the three major U.S. credit bureaus below. At no charge, U.S. residents can have these credit bureaus place a fraud alert on your file that alerts creditors to take additional steps to verify your identity prior to granting credit in your name. This service can make it more difficult for someone to get credit in your name. Note, however, that because it tells creditors to follow certain procedures to protect you, it also may delay your ability to obtain credit while the agency verifies your identity. As soon as one credit bureau confirms your fraud alert, the others are notified to place fraud alerts on your file. Should you wish to place a fraud alert, or should you have any questions regarding your credit report, please contact any one of the agencies listed below.
You may wish to visit the web site of the U.S. Federal Trade Commission at www.consumer.gov/idtheft or reach the FTC at 1-877-382-4357 or 600 Pennsylvania Avenue, NW, Washington, DC 20580 for further information about how to protect yourself from identity theft. Your state Attorney General may also have advice on preventing identity theft, and you should report instances of known or suspected identity theft to law enforcement, your State Attorney General, and the FTC. For North Carolina residents, the Attorney General can be contacted at 9001 Mail Service Center, Raleigh, NC 27699-9001; telephone (877) 566-7226; or www.ncdoj.gov. For Maryland residents, the Attorney General can be contacted at 200 St. Paul Place, 16th Floor, Baltimore, MD 21202; telephone: (888) 743-0023; or www.oag.state.md.us.<!--QuoteEnd--></div><!--QuoteEEnd-->
I dunno what a credit report is, I have no clue about your credit system. But the fraud alert sounds like a really good idea.
That's crazy. A group/someone has data on peoples' credit cards from around the globe.
I did hear in an update that they didnt get the security / CVV numbers. Without those numbers the cards <i>should</i> be worthless.
I only wish I remembered the password I used on my PSN account and I don't even have a way to check until they bring it back online...<!--QuoteEnd--></div><!--QuoteEEnd-->
Surely the CVV is only 3 digits though? If they got, say, 1000 credit card numbers, they could just try all of them until they found one with the CVV "123". Statistically, any given number should work with 1-in-1000 cards. Also, you get three attempts before your card is locked, so even if they're brute-forcing the CVVs, they'll get into 3 bank accounts for every 1000 card numbers stolen. And they could have stolen hundreds of thousands of card numbers.
Or does it not work like that?
Its so very tempting to go all "LOLSONY", but I know I'd be pretty pissed if this happened to steam.
Most times you need someone's social security number to do real identity theft damage. If you were silly enough to put phone numbers and addresses onto PSN for the hell of it, just remember that someone calling to verify that you have an SSN is probably tricksy and false. DO NOT TRUST.
The equifax and experian websites are also for UK users.
A credit report tells you every line of credit you've had, it can also flag up bad credit associated with your address and who that person is, which around the Data Protection Act is a bit shaky but somehow they get away with it. It also tells you how bad or good your 'credit rating' is, so you can see how worthwhile it is going and applying for your credit card or mortgage, for example.
So if you get your credit report and it says "3 new applications made" and you've got a "Capital One" card setup on your credit report that you know nothing of, chances are, you've had your identity stolen. Simple stuff like that, it's pretty useful and if you're applying for stuff at any time, you should always check it before hand.
douchebagatronCustom member titleJoin Date: 2003-12-20Member: 24581Members, Constellation, Reinforced - Shadow
It's my understanding that to be able to accept credit card payments you don't actually store the card information at all, but you store a unique key that links to your credit card payment company, where they store the information in a much more secure way.
For them to be able to accept US credit cards, they can only store this unique key, which is useless to anyone except Sony. Also, there are yearly reviews where the credit card payment company checks to make sure you are following standards.
The only credit card information you should be able to store, i believe, is the last 4 digits of the number, and the name on the card, and the unique key created from it. I believe the CVV code and the card number are sent to the 3rd party company, and from that and some other information they create the unique key that is sent back to Sony, which is how you don't need to enter the CVV code every time, and then no one should be able to get it from Sony.
I could be wrong in what all this applies to, but I work at a software company and I heard something about this in passing from the billing side of the software. Can anyone else verify this?
They need to keep on record who, why and where payments come from, as a business point of view, only the last 4 or first 4 should be shown on a receipt or to another party at the company.
However if you store card information for recurring or as a 'saved' payment method, the company you have given the information to will have all of that stored because they have to recall upon that individually every time you pay for a new item. Otherwise your stored card is useless with 4 digits and you have to re-enter all the information again.
This is why I don't ever click on the "save my card information for next time" button.
EDIT: To add on CVV, date of birth, expiry aren't normally kept on record although they do get kept on record externally with companies that verify identity through the card.
Oh and I'd never believe a company who says "we believe it has not been stolen, if it has it's unusuable, but do check all your statements, monitor your accounts and change your cards". They've probably lied.
<!--quoteo(post=1843143:date=Apr 29 2011, 02:18 PM:name=Thaldarin)--><div class='quotetop'>QUOTE (Thaldarin @ Apr 29 2011, 02:18 PM) <a href="index.php?act=findpost&pid=1843143"><{POST_SNAPBACK}></a></div><div class='quotemain'><!--quotec-->The equifax and experian websites are also for UK users.
A credit report tells you every line of credit you've had, it can also flag up bad credit associated with your address and who that person is, which around the Data Protection Act is a bit shaky but somehow they get away with it. It also tells you how bad or good your 'credit rating' is, so you can see how worthwhile it is going and applying for your credit card or mortgage, for example.
So if you get your credit report and it says "3 new applications made" and you've got a "Capital One" card setup on your credit report that you know nothing of, chances are, you've had your identity stolen. Simple stuff like that, it's pretty useful and if you're applying for stuff at any time, you should always check it before hand.<!--QuoteEnd--></div><!--QuoteEEnd-->Don't use Experian. They are shady mofos.
I had to get a credit rating for my tenancy agreement and signed up for a free first-time trial. After I'd done this, I immediately cancelled it (otherwise they start billing you using the card info you provided or some small-print somesuch). Anyway, after cancelling via the website I was still getting emails and texts to my phone directly from them advertising their services. It still took 6 months and quite a few phonecalls to (supposedly) remove me from their records.
---
Regarding taking advice on encrypted credit card details from a company that has already had its encryption broken, I would follow your bank's advice. Mine currently reads:
<!--quoteo--><div class='quotetop'>QUOTE </div><div class='quotemain'><!--quotec--><b>Sony PlayStation Network Data Breach - Important Customer Information</b>
You may have seen the recent news in relation to the Sony PlayStation Network data breach. Please be reassured that [the bank] treats data compromises extremely seriously. We do not believe at this time that enough information has been compromised to put your account at risk and therefore do not feel it necessary to block our customer's cards. We are however monitoring the situation and working closely with the Industry and will advise our customers if any further action needs to be taken<!--QuoteEnd--></div><!--QuoteEEnd-->
Also, if you use the same email address/password combination for other services, such as work or social networking sites, CHANGE THEM NOW. Whoever has your details will likely use them to further mine your personal data: what easier way to do so than with a free pass to your Facebook account?
Sony Online Entertainment card detail has been confirmed to have card detail breached.
We received an e-mail first thing this morning informing us, and as Sony says, it's 25 million accounts which can be either solely SOE related and PSN related. Our own advice is we have been told cards should not need cancelling as customers should need to confirm any transactions (this is Halifax & Lloyds UK), however I'd take heed of the warning and cancel your card if you do have a SoE account, that's a definite.
Just to let everybody know, there is a new 3.61 system update as part of the phased restoration of the PSN. Currently US customers are available to log in and change their password, but still cannot log in this end in the UK.
I don't understand why they're having such trouble getting back up. Do they have to rewrite huge swaths of code that had gaping security holes or something?
There's no point in putting the network back up in its vulnerable state. Presumably it's not just a small bug that needs to be fixed. They also need to, for starters, <i>ENCRYPT SENSITIVE CUSTOMER DATA.</i>
I'm guessing they have rewritten large portions of their network not only serverside, but also clientside adjustments seem to have been made (theres an update duh!). They also seem very serious about not having this problem ever again, so I presume its locked down more than a maximum security prison.
Why it wasnt written like this in the first place is beyond me, but just glad to see the PSN is coming back finally.
<!--quoteo(post=1846383:date=May 15 2011, 05:27 PM:name=DiscoZombie)--><div class='quotetop'>QUOTE (DiscoZombie @ May 15 2011, 05:27 PM) <a href="index.php?act=findpost&pid=1846383"><{POST_SNAPBACK}></a></div><div class='quotemain'><!--quotec-->I don't understand why they're having such trouble getting back up. Do they have to rewrite huge swaths of code that had gaping security holes or something?<!--QuoteEnd--></div><!--QuoteEEnd-->
When it was mentioned on the news something was said about a total rewrite of the core system of the PSN
Comments
The following is only useful for U.S. citizens, but it's worth repeating for those who haven't seen it:<!--quoteo--><div class='quotetop'>QUOTE </div><div class='quotemain'><!--quotec-->To protect against possible identity theft or other financial loss, we encourage you to remain vigilant, to review your account statements and to monitor your credit reports. We are providing the following information for those who wish to consider it:
U.S. residents are entitled under U.S. law to one free credit report annually from each of the three major credit bureaus. To order your free credit report, visit www.annualcreditreport.com or call toll-free (877) 322-8228.
We have also provided names and contact information for the three major U.S. credit bureaus below. At no charge, U.S. residents can have these credit bureaus place a fraud alert on your file that alerts creditors to take additional steps to verify your identity prior to granting credit in your name. This service can make it more difficult for someone to get credit in your name. Note, however, that because it tells creditors to follow certain procedures to protect you, it also may delay your ability to obtain credit while the agency verifies your identity. As soon as one credit bureau confirms your fraud alert, the others are notified to place fraud alerts on your file. Should you wish to place a fraud alert, or should you have any questions regarding your credit report, please contact any one of the agencies listed below.
Experian: 888-397-3742; www.experian.com; P.O. Box 9532, Allen, TX 75013
Equifax: 800-525-6285; www.equifax.com; P.O. Box 740241, Atlanta, GA 30374-0241
TransUnion: 800-680-7289; www.transunion.com; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790
You may wish to visit the web site of the U.S. Federal Trade Commission at www.consumer.gov/idtheft or reach the FTC at 1-877-382-4357 or 600 Pennsylvania Avenue, NW, Washington, DC 20580 for further information about how to protect yourself from identity theft. Your state Attorney General may also have advice on preventing identity theft, and you should report instances of known or suspected identity theft to law enforcement, your State Attorney General, and the FTC. For North Carolina residents, the Attorney General can be contacted at 9001 Mail Service Center, Raleigh, NC 27699-9001; telephone (877) 566-7226; or www.ncdoj.gov. For Maryland residents, the Attorney General can be contacted at 200 St. Paul Place, 16th Floor, Baltimore, MD 21202; telephone: (888) 743-0023; or www.oag.state.md.us.<!--QuoteEnd--></div><!--QuoteEEnd-->
I dunno what a credit report is, I have no clue about your credit system. But the fraud alert sounds like a really good idea.
it's free, and from the government, unlike all those other slap######s
use it once a year, it's your entitlement
That's crazy. A group/someone has data on peoples' credit cards from around the globe.
I did hear in an update that they didnt get the security / CVV numbers. Without those numbers the cards <i>should</i> be worthless.
I only wish I remembered the password I used on my PSN account and I don't even have a way to check until they bring it back online...<!--QuoteEnd--></div><!--QuoteEEnd-->
Surely the CVV is only 3 digits though? If they got, say, 1000 credit card numbers, they could just try all of them until they found one with the CVV "123". Statistically, any given number should work with 1-in-1000 cards. Also, you get three attempts before your card is locked, so even if they're brute-forcing the CVVs, they'll get into 3 bank accounts for every 1000 card numbers stolen. And they could have stolen hundreds of thousands of card numbers.
Or does it not work like that?
Its so very tempting to go all "LOLSONY", but I know I'd be pretty pissed if this happened to steam.
but it's hearsay
A credit report tells you every line of credit you've had, it can also flag up bad credit associated with your address and who that person is, which around the Data Protection Act is a bit shaky but somehow they get away with it. It also tells you how bad or good your 'credit rating' is, so you can see how worthwhile it is going and applying for your credit card or mortgage, for example.
So if you get your credit report and it says "3 new applications made" and you've got a "Capital One" card setup on your credit report that you know nothing of, chances are, you've had your identity stolen. Simple stuff like that, it's pretty useful and if you're applying for stuff at any time, you should always check it before hand.
For them to be able to accept US credit cards, they can only store this unique key, which is useless to anyone except Sony. Also, there are yearly reviews where the credit card payment company checks to make sure you are following standards.
The only credit card information you should be able to store, i believe, is the last 4 digits of the number, and the name on the card, and the unique key created from it. I believe the CVV code and the card number are sent to the 3rd party company, and from that and some other information they create the unique key that is sent back to Sony, which is how you don't need to enter the CVV code every time, and then no one should be able to get it from Sony.
I could be wrong in what all this applies to, but I work at a software company and I heard something about this in passing from the billing side of the software. Can anyone else verify this?
They need to keep on record who, why and where payments come from, as a business point of view, only the last 4 or first 4 should be shown on a receipt or to another party at the company.
However if you store card information for recurring or as a 'saved' payment method, the company you have given the information to will have all of that stored because they have to recall upon that individually every time you pay for a new item. Otherwise your stored card is useless with 4 digits and you have to re-enter all the information again.
This is why I don't ever click on the "save my card information for next time" button.
EDIT: To add on CVV, date of birth, expiry aren't normally kept on record although they do get kept on record externally with companies that verify identity through the card.
Oh and I'd never believe a company who says "we believe it has not been stolen, if it has it's unusuable, but do check all your statements, monitor your accounts and change your cards". They've probably lied.
A credit report tells you every line of credit you've had, it can also flag up bad credit associated with your address and who that person is, which around the Data Protection Act is a bit shaky but somehow they get away with it. It also tells you how bad or good your 'credit rating' is, so you can see how worthwhile it is going and applying for your credit card or mortgage, for example.
So if you get your credit report and it says "3 new applications made" and you've got a "Capital One" card setup on your credit report that you know nothing of, chances are, you've had your identity stolen. Simple stuff like that, it's pretty useful and if you're applying for stuff at any time, you should always check it before hand.<!--QuoteEnd--></div><!--QuoteEEnd-->Don't use Experian. They are shady mofos.
I had to get a credit rating for my tenancy agreement and signed up for a free first-time trial. After I'd done this, I immediately cancelled it (otherwise they start billing you using the card info you provided or some small-print somesuch). Anyway, after cancelling via the website I was still getting emails and texts to my phone directly from them advertising their services. It still took 6 months and quite a few phonecalls to (supposedly) remove me from their records.
---
Regarding taking advice on encrypted credit card details from a company that has already had its encryption broken, I would follow your bank's advice. Mine currently reads:
<!--quoteo--><div class='quotetop'>QUOTE </div><div class='quotemain'><!--quotec--><b>Sony PlayStation Network Data Breach - Important Customer Information</b>
You may have seen the recent news in relation to the Sony PlayStation Network data breach. Please be reassured that [the bank] treats data compromises extremely seriously. We do not believe at this time that enough information has been compromised to put your account at risk and therefore do not feel it necessary to block our customer's cards. We are however monitoring the situation and working closely with the Industry and will advise our customers if any further action needs to be taken<!--QuoteEnd--></div><!--QuoteEEnd-->
Also, if you use the same email address/password combination for other services, such as work or social networking sites, CHANGE THEM NOW. Whoever has your details will likely use them to further mine your personal data: what easier way to do so than with a free pass to your Facebook account?
We received an e-mail first thing this morning informing us, and as Sony says, it's 25 million accounts which can be either solely SOE related and PSN related. Our own advice is we have been told cards should not need cancelling as customers should need to confirm any transactions (this is Halifax & Lloyds UK), however I'd take heed of the warning and cancel your card if you do have a SoE account, that's a definite.
they are starting to look clueless
¬_¬
I'm guessing they have rewritten large portions of their network not only serverside, but also clientside adjustments seem to have been made (theres an update duh!). They also seem very serious about not having this problem ever again, so I presume its locked down more than a maximum security prison.
Why it wasnt written like this in the first place is beyond me, but just glad to see the PSN is coming back finally.
When it was mentioned on the news something was said about a total rewrite of the core system of the PSN