16 comments

[ 5.9 ms ] story [ 46.8 ms ] thread
That 2.2mil number is most certainly only a small subset. 77 million total accounts, but only 2.2 attached to a card?

Doesn't sound right to me.

PSN was free, so most wouldn't have cards attached. The 77 million figure will also be inflated because a lot of people had multiple accounts. 2.2M doesn't seem too unreasonable.
Doesn't sound real far off. You don't need a credit card to use PSN and I can absolutely believe a lot of parents not wanting to give their kid access to a credit card.
This comment struck me as strange:

“Sony is saying the credit cards were encrypted, but we are hearing that the hackers made it into the main database, which would have given them access to everything, including credit card numbers,” said Mathew Solnik, a security consultant with iSEC Partners who frequents hacker forums to track new hacks and vulnerabilities that could affect his clients."

I am by no means a security expert (let alone novice) - though I know what words like "salt" and "hash" mean - and this seems to my layman ears like a gross distortion of the threat. If their encryption was approached properly, Mr. Solnik's comment makes no sense at all; don't the crackers just have a huge database of gobbledygook (assuming Sony approached their encryption intelligently)?

This is not a rhetorical comment - I would be interested to hear from our resident HN security gurus on the actual threat to Sony customers.

I'm no expert, but Sony must be able to decrypt the card information in order to use it to process payments. So even if the card numbers were encrypted, it's possible hackers could obtain the passkey for decrypting the data, if it was also stored on a compromised server. (Generally speaking. I don't know what happened here.)
You don't hash credit card numbers because doing so would mean you would need the user to input the credit card number again upon a purchase which defeats the whole purpose of keeping the number around in the first place. If it's encrypted on the server it must also be able to be decrypted at some point (on some Sony server) to be able to process the transaction, so it all depends on how deep the hackers got.
If anyone is interested in some of the background of what happened:

"The Sony PS3 console was hacked, or more appropriately "jailbroken", by iPhone hacker, Geohot. He managed to reverse engineer his own PlayStation 3 to run homebrew applications on it. He then later released the method to the public through his site, geohot.com. Sony responded with a lawsuit and demanded social media sites, including YouTube,[citation needed] to hand over IP addresses of people who visited Geohot's social pages and videos.

PayPal has granted Sony access to Geohot's PayPal account,[citation needed] and the judge of the case granted Sony permission to view the IP addresses of everyone who visited geohot.com."

http://en.wikipedia.org/wiki/George_Hotz#Sony_lawsuit

... This is related to the hacking of the PSN database, not being able to run homebrew software on the PS3. It's likely that whoever hacked the PSN accounts was encouraged to do so by Sony's heavy handed crackdown on geohot, but the two are not directly related.
I definitely think these two cases are related, however I haven't seen any hard evidence yet. Have I missed something?
No, I don't think you missed anything, I haven't seen any evidence. In thinking it though, you may not be considering a case where Sony had all kinds of problems, and these things both happened independently.
Are you working for Sony? Seriously this case has so much to do with it. Suing Geohot was one thing, but asking for IP addresses to people who viewed the youtube video? And it actually went through in court? Sony asked for it, and they got it.
The Geohot case is, as far as we know at this point, completely unrelated to the current situation.

It's possible the case served as motivation, or that they used his code, but that's only tangentially related. From the information we have, all we know is that a weakness in PSN's security was exploited to access customer information. Geohot has stated that he is not involved, and if he were, it would be a breach of his settlement contract with Sony.

$1 on each credit card. Just like they did in Superman 3.
Anyone else find it a little surreal when the New York Times is reporting "... and we called this hacker guy, and he hangs out on IRC with these other hacker dudes, and one of em was saying, like, 'yeah they totally DLed the shit outta that database with 2.2M CCs ' ..." ?
According to the Ponemon Institute's study last year, the average cost of a data breach that results from a criminal attack is $318 per compromised record. Even if we only count the 2.2 million credit card numbers supposedly stolen, that's ~$700 million. And Sony has already lost over $10 million in revenue due to the outage.

All the articles circulating recently have counted all 77 million PSN user accounts in their calculations of the breach's cost, which comes out to $24 billion... lol