PSN Users Reporting Hundreds of Dollars Stolen From Them (vgn365.com)
112 points by cooldeal on April 27, 2011 | hide | past | favorite | 48 comments



Considering I got a call from Capitalone this morning saying my credit card that I had on PSN was being used to buy gas in Connecticut, I think this is probably a fairly legit article.

Certainly possible that it's purely coincidental, but seems unlikely.


If I gave the same food to 75 million people, it's inevitable that some of them will get sick in the next 24 hours. I actually think it's likely to be a coincidence - it's too soon after the break-in.


Also: if you're smart enough to steal 75 million credit card numbers, and you've just stolen 75 million credit card numbers, I assume you're going to think of some clever way to start defrauding 'em. Unless I'm missing some part of this story (have the numbers been published somewhere already?), going out and buying gas is the dumbest thing you could possibly do -- parking your own car in front of a security camera and making a transaction which even Capital One knows to flag as potentially fraudulent.

Come to think of it, though, what is the sensible way to use some vast number of credit card numbers to enrich yourself? I assume small-time credit card thieves can get away with it because they're sufficiently small-time to escape an in-depth investigation, but is there any way to untraceably pay yourself?


If you're smart enough to steal 75 million credit card numbers, then you already know about the forums where that information gets bought and sold. You start selling the individual cards, not the whole data dump, and it's the buyers that are starting to use those numbers to make purchases.


> what is the sensible way to use some vast number of credit card numbers to enrich yourself?

Selling them. At $5 apiece they will make 375 million dollars. People who buy them are then most likely to use them for this kind of purchase, where it might be hard to get caught.


Actually, buying gas is one of the few ways that you can immediately use a credit card without interacting with a person and without having to give any info except possibly the zip code on the account.

I'd bet that it's not the person who stole the 75e6 credit cards that is buying gas, someone bought that number for $5 on some shady site.


Actually, I'd imagine it's one of most common ways people siphon money out of credit cards. Any self-service kiosk is probably one of the only ways to immediately turn a printed credit card into something tangible.


Why not steal the credit card numbers and sell them to various people instead of using them yourself? Or sell them in bulk to a group who then distributes them to anyone who's willing to pay?


going out and buying gas is the dumbest thing you could possibly do -- parking your own car in front of a security camera and making a transaction

You're assuming that the police care enough to actually investigate the crime. From my experience in web-based sales, the authorities don't seem terribly interested in pursuing cases of credit card fraud.

(If this weren't HN, I'd add something sarcastic about them being too busy hunting down speeders and feeling up travelers)


The people that stole the data likely won't be using the information first hand. They'll sell it off to the highest bidders. Credit card numbers aren't very expensive to buy online. Wasting it on a gas purchase in Connecticut isn't unreasonable.


It's been more than 24 hours - it's been over a week since PSN went down due to this attack. That's when the intrusion happened, not once Sony released their announcement.


Actually it seems highly likely that it's purely coincidental, and I'm quite upset to see such fallacious reasoning on this website. You are a single data point, not to mention the inherent confirmation bias at play here.


Probably not related. Consider that 75 million users' information was compromised. Given a sample size that large, it's highly likely that there will be some people in that set who had their credit card compromised in a completely unrelated way.


Math for truth and justice!

Given the following:

"The Consumer Sentinel Network (CSN) is a secure online database of millions of consumer complaints available only to law enforcement. In addition to storing complaints to the FTC, the CSN also includes complaints filed with the Internet Crime Complaint Center, Better Business Bureaus, Canada’s Phone Busters, the U.S. Postal Inspection Service, the Identity Theft Assistance Center, and the National Fraud Information Center, among others."

The CSN received 1.2 million complaints in 2008, 62400 of which were specifically credit card fraud.

This means that of the approximately 170 million+ credit card owners in the US, roughly 0.035% of them reported credit card fraud in such a way that CSN saw it. There are likely many more cases that only get reported directly to banks without reaching CSN.

0.035% of 70 million+ users? 24500 people. All of which, due to PSN being an online service, have internet connectivity and are potential blog commenters.

Add to it that you're not going to remember the cases where people say "Nope, I haven't experienced fraud.", you're only going to remember those where people say "Money was stolen from me!"

Unless the reported incidence frequency is above the "normal" / average cases of credit card fraud or someone reports fraud on a card that was proven only to be used with PSN, I would hold off on blaming anyone quite so soon.
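The base-rate argument in the comment above, worked through as an added example (not code from the thread). It uses the comment's own figures and goes one step further than the comment does: a Poisson threshold gives the weekly count of fraud reports that would actually sit above the normal rate. The significance level and the simplification that every PSN user is a US cardholder are my assumptions.

```python
import math

# Figures quoted in the comment above: 2008 CSN credit card fraud complaints,
# approximate US cardholders, and Sony's worldwide PSN user count.
CSN_CC_FRAUD_COMPLAINTS_2008 = 62_400
US_CARDHOLDERS = 170_000_000
PSN_USERS = 75_000_000  # assumption: treated as if all were US cardholders


def base_rate(complaints, cardholders):
    """Annual fraction of cardholders whose fraud report reached the CSN."""
    return complaints / cardholders


def expected_reports(users, rate, days):
    """Reports expected from `users` in `days` days with no breach effect at all."""
    return users * rate * days / 365


def poisson_cdf(k, mu):
    """P(X <= k) for X ~ Poisson(mu), summed in log space to avoid overflow."""
    return sum(math.exp(i * math.log(mu) - mu - math.lgamma(i + 1)) for i in range(k + 1))


def alert_threshold(mu, alpha=0.001):
    """Smallest count k with P(X >= k) <= alpha: reports at or above k are
    unlikely to be explained by the background rate alone."""
    k = int(mu)
    while 1.0 - poisson_cdf(k - 1, mu) > alpha:
        k += 1
    return k


def above_baseline(observed_reports, users=PSN_USERS, days=7, alpha=0.001):
    """True only when the observed count clears the background-rate threshold."""
    mu = expected_reports(users, base_rate(CSN_CC_FRAUD_COMPLAINTS_2008, US_CARDHOLDERS), days)
    return observed_reports >= alert_threshold(mu, alpha)


if __name__ == "__main__":
    rate = base_rate(CSN_CC_FRAUD_COMPLAINTS_2008, US_CARDHOLDERS)
    weekly = expected_reports(PSN_USERS, rate, 7)
    print(f"background rate: {rate:.4%} per year")
    print(f"expected reports per week with no breach: {weekly:.0f}")
    print(f"weekly count needed before the breach explanation wins: {alert_threshold(weekly)}")
```

Only a count well above the threshold, or fraud on a card used nowhere but PSN, separates breach-driven fraud from the background noise the comment describes.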


Careful. Sony's figures for PSN user count are worldwide, and a large percentage of Sony's market is in Japan alone. The CSN appears to be USA and Canada only.


FWIW, Japanese much less commonly have or use credit cards. It's one of the reasons eBay failed while Yahoo Auctions succeeded in Japan, by not requiring a credit card to list.


Yep. If you're travelling to Japan, don't plan on using your credit card to pay for accommodation - in my experience, you'll need wads of cash.


24500/year is about 500 per week. It's going to be slightly higher since the high-profile of this compromise means that lots of people will check their activity.


If you see unexplained or fraudulent activity in your account, it's natural to reach for an explanation and natural to attribute it (correctly or incorrectly) to the PSN data breach.

OTOH, a good security mindset should probably assume that the attackers will use the ill-gotten data in some malevolent way, not just for lulz.


Make no mistake, I am concerned. I'm monitoring my account, and if Sony confirms they were stolen, I'm probably going to get a new card. (Which will be an enormous pain in the ass, but I also recently moved, so I can easily recall what recurring billing my card is tied to.)


Yeah, smells like a troll.


Changing credit cards is a bit of a hassle because of recurring billing tied to the account; one time I missed changing my trash bill over (easier to miss because it wasn't monthly), so I'm hesitant to just change cards if I don't absolutely have to. I wish there was some decent way to determine whether the expected likelihood of the card I had linked to PSN having fraud * the hassle of dealing with said fraud exceeds the hassle of pre-emptively replacing the card 'just in case'. I'm presently erring on the default of 'wait and see' just because it seems easier right now, but 'seems easier right now' is probably a poor thing to base the decision on.


The next time you replace a card (a shiny nickel says it'll happen before the card naturally expires), keep a list of every place you had to update it online. Takes the sting out of replacing it again in the future.

I'm holding off only because Mint loses its mind when I replace an American Express card. God, I hate Mint. Time to dump them, too.


One place: LastPass's "Fill Forms" entry for my debit card.


Eh I agree. I'll keep a closer eye on credit card statements for awhile, but I don't want to hassle with changing credit cards.


Just logged on to my PSN cc company and was met by:

Sony PlayStation Network Data Breach - Important Customer Information

You may have seen the recent news in relation to the Sony PlayStation Network data breach. Please be reassured that The Co-operative Bank treats data compromises extremely seriously. We do not believe at this time that enough information has been compromised to put your account at risk and therefore do not feel it necessary to block our customers' cards. We are however monitoring the situation and working closely with the Industry and will advise our customers if any further action needs to be taken.


Likewise, HSBC don't feel that cards need to be cancelled at this stage either.



Quick question for those who know more about security than I do: what about passwords? They haven't stolen unencrypted passwords, have they?

If I have the same username and password on another service, should I be rushing off to change my password right now?


Yes, it's a good idea to do that. They said that passwords were compromised; I'm really hoping that was a simplification and they really meant to say that "individually salted, hashed passwords have been stolen" but they didn't add that qualification, so you should probably assume the worst.


Yeah, but if it's "individually salted md5 hashed passwords" then your password is quite possibly compromised.


> If I have the same username and password on another service, should I be rushing off to change my password right now?

My answer to this question is completely unaffected by the potential data leak at Sony: Yes. Yes you should.

Do you know that all the places you use that password for hash it correctly? You seem to be unsure (as is everyone else) on whether or not Sony stores passwords in plaintext, so why risk it? The only way you'll find out for sure whether or not you are at risk is if one of your accounts is compromised, so rather than waiting to find out I would take preventative action now.


Personally, if I had a PSN account, I would do this immediately. Sony's announcement specifically stated that the hackers got email addresses, PSN usernames, and passwords (among other things). Assuming they properly salted and hashed all the passwords, then it should take a long time to crack them, but I wouldn't take my chances with that. Even big companies have been known to screw up basic things when it comes to security.
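The distinction the last few comments draw, between "individually salted, hashed" with a fast hash such as MD5 and a hash that is deliberately slow, as an added example (not code from the thread): both schemes store a per-user salt and verify correctly, but the cost of each guess against a stolen record differs by orders of magnitude. The sample password, the iteration count and the helper names are my assumptions.

```python
import hashlib
import hmac
import os
import time

SAMPLE_PASSWORD = "playstation1"   # constructed sample of a weak, reusable password
PBKDF2_ITERATIONS = 100_000        # assumption: a deliberately slow setting; raise it over time


def store_salted_md5(password):
    """The weak scheme the thread worries about: per-user salt, but one fast MD5."""
    salt = os.urandom(16)
    return salt, hashlib.md5(salt + password.encode()).digest()


def verify_salted_md5(password, salt, digest):
    candidate = hashlib.md5(salt + password.encode()).digest()
    return hmac.compare_digest(candidate, digest)


def store_pbkdf2(password):
    """Per-user salt plus a tunable work factor, so each guess costs the attacker too."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def verify_pbkdf2(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def seconds_per_guess(verify, salt, digest, guesses):
    """Defender-side estimate of what one wrong guess costs against one stolen record."""
    start = time.perf_counter()
    for i in range(guesses):
        verify(f"wrong-guess-{i}", salt, digest)
    return (time.perf_counter() - start) / guesses


if __name__ == "__main__":
    md5_salt, md5_digest = store_salted_md5(SAMPLE_PASSWORD)
    kdf_salt, kdf_digest = store_pbkdf2(SAMPLE_PASSWORD)
    fast = seconds_per_guess(verify_salted_md5, md5_salt, md5_digest, 2000)
    slow = seconds_per_guess(verify_pbkdf2, kdf_salt, kdf_digest, 20)
    print(f"salted MD5: {fast * 1e6:.1f} us per guess")
    print(f"PBKDF2-SHA256 ({PBKDF2_ITERATIONS} iterations): {slow * 1e3:.1f} ms per guess")
    print(f"slowdown factor for an attacker holding the leaked table: {slow / fast:,.0f}x")
```

With the slow scheme a leaked table buys the attacker far less per guess, which is exactly why the qualification "salted and hashed" alone is not reassuring when the hash is MD5.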


Here we go. I wonder if Sony has given GeoHot a call and asked him to work for them yet. I'm curious how much this hurts Sony's bottom line in the long run. Cross my fingers my 360 is still running strong.


Oooo I bet that's how they'll punish him. They'll trick him into signing a 5 year contract to be their director of PCI compliance and database administration.


I would be more interested in a report from a credit card company involving a spike in fraud that is linked to stolen data. This would be a much clearer indication if it was a coincidence or not. I would also think that credit card companies should make a statement if they did notice any increase in fraud as it is such a large scale leak.


Does anyone know if Valve and Steam use the same servers as Playstation for processing? I purchased Portal 2 through Valve on my PC a week before they shut the network down and had my card stolen two days later (I didn't use the card for weeks before and didn't use it after) so it seems like these might be linked.


Valve have said that Steam users have nothing to worry about regarding the PSN leak. Furthermore it seems very unlikely that Steam and PSN would have much in common (except for third-party payment processors) given that until very recently, they were completely unrelated. There is no evidence that your card was stolen due to using it on Steam, and I would advise against assuming correlation is equivalent to causation.

Speaking from personal experience, your bank might not even tell you promptly if someone else has your card details, they might just block all the fraudulent transactions and not replace your card for six months.


I would like Sony to tell us why they have not co-ordinated with the credit card issuers to issue replacement cards, or cover the cost of replacement cards.

and a question: could the solution be as simple as changing the CVV on the back of the cards?


Many payment processors (at least a couple of years ago) do not require the CVV number. Providing it merely gives you a discount on the transaction fee, since it reduces fraud.


First of all, there is no confirmed credit card theft. Credit card information is held at a higher standard than generic personal information. PCI compliance requires credit cards are encrypted and you are required to get regularly audited. By no means is it perfect, but it's about as good as it gets with securing data that's being thrown around constantly.

Second, Sony did tell credit card companies and they do know about this. I called mine and the operator was well aware of the data leak. They have been monitoring all accounts from the beginning.

Third, while you can always get a new card number for free, credit card companies tend not to issue new cards automatically. I've had it happen to me once before where they gave me a new one without me asking.

tl;dr These authorized charges are likely coincidental; the CC companies are well aware of the situation.


> Second, Sony did tell credit card companies and they do know about this. I called mine and the operator was well aware of the data leak. They have been monitoring all accounts from the beginning.

Did Sony know about this, or did they see a pattern of cards getting flagged that had PSN charges on them?


I just meant the credit card companies are well aware of what happened and that credit card numbers might have been involved. They're monitoring accounts accordingly and didn't seem to think canceling was necessary.

If the companies really believed the numbers were compromised they will send out new cards automatically. Like I said, it's happened to me before. I didn't have any suspicious activity or anything. But some company I did business with reported a credit card breach so my bank just sent everyone in the breach new cards with little letters telling them "you got owned, but no worries here's your new card."


While the prudent thing to do is to assume the credit card numbers were stolen, Sony hasn't confirmed that yet. Their only statement is that there is no evidence they were stolen.


Can't people get replacement cards freely themselves? Also the original blog post said the CVVs were not stolen.


Depends on the country. Some countries' banks tend to issue cards for free, others charge.

But that's not the whole point: what is Sony doing to lessen the impact now that they screwed up?


What effect will this have on the PSN and on Sony as a whole?

If this happened to a smaller company, their ability to process would be taken away and after their infrastructure was verified, they would be forced to pay higher transaction rates.


We should be careful not to overreact to this news, but at the same time, black hats have done considerable damage in the past by cracking personal information and/or one password. It's not unreasonable to expect the same problem to continue now, at least for a small fraction of users.



