http://bits.blogs.nytimes.com/2011/0...y-over-attack/
Thought everyone might be interested in reading this. Looks like even Congress is demanding answers; this could be bad news for Sony.
So all we're getting is a month's free PSN+? Ew. I'd rather just have a game or two I can actually keep, not a few pieces of rubbish that I'll lose in a month's time.
Good God, Sony.
http://blog.us.playstation.com/2011/...city-services/
How can this company be so incompetent that they forget how their own payment system works? In a PRESS RELEASE no less?
> Q: Was my credit card data taken?
> A: While all credit card information stored in our systems is encrypted and there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.
> Keep in mind, however that your credit card security code (sometimes called a CVC or CSC number) has not been obtained because we never requested it from anyone who has joined the PlayStation Network or Qriocity, and is therefore not stored anywhere in our system.
> UPDATE: While we do ask for CSC codes, we do not store them in our database.
Did they forget, or did they simply word that wrongly? Perhaps they initially meant (at least it's how I read it originally) that they do not request it from those using the free services/unless you buy something from the store using it? And then decided to reword it to ensure people that they did not store it (don't you have to reinput said code every time you purchased something with a card? I recall a few pals actually complaining about that...) and clear up any confusion from those saying that it does ask for it whenever you purchase an item?
edit: Or I may be mistaken. Still, it's the impression I get from that. (Just to be clear, I read them as: First statement: "We do not ask for codes from free users/those that do not purchase items with the credit cards." Second statement: "We do ask for codes when you purchase something, but we do not store them.")
Last edited by Tanthias; 1st-May-2011 at 12:58.
I only use pre-paid credit cards anyway; they are just a card that you load funds into (either from your account or by buying reload vouchers). They only have money on them when I intend to purchase something.
They are safe for online so maybe grab one instead of a real credit card.
If it genuinely was misworded, that's even more troubling, because Sony have (or SHOULD have) a legal team perusing every update before they release it. I don't see the wording being at fault here. It wouldn't make sense if they were simply referring to people who've signed up to PSN but never actually bought anything through the service. If that was the case, Sony wouldn't even have those users' credit card details to begin with. They flat out say they've never asked ANY PSN user for a card security code, then change their mind and admit that actually yes, they did. The fact is Sony are either incompetent, OR they know they've messed up big time and are doing everything they can to cover their hides, including spreading misinformation. Nothing they say can be trusted at this point.
And no, the worrying thing is I don't think they do require the security code for repeat purchases. You just add funds to the wallet and it goes through, which would suggest the code (or an ID tied to it) is being stored somewhere, whether it be on Sony's servers or the console itself...
Last edited by Cosmic; 1st-May-2011 at 13:20.
Or it's just the communications guy. He's the only one making these posts (don't you think the legal team would be tied up with other things, currently, rather than reading everything on the blog?), no?
Honestly, I see this whole situation as follows:
1. Sony should have encrypted the user info. Do I think it would have helped if somebody wanted to get it? No. No system is unhackable, after all. And they could've grabbed the info and decrypted at their leisure anyway, no? Not to mention that the info that wasn't encrypted, as I understand (name, address, DOB, no? Am I forgetting something?), is something anybody can find fairly easily elsewhere.
2. Should Sony have increased security? Yeah, most likely. Do I think it would've helped? No. Again, somebody wanted in. They were going to get in no matter what.
3. Was it originally worded wrongly? Upon reading the guy's response to a comment:
> As our friends at Destructoid pointed out, I was incorrect on the last point of the credit card question above. I want to make an important distinction: While we do ask for CCV codes, we do not store them in our database. It is transmitted to our payment processors for verification purposes only. Deep apologies for the confusion.
he admits he made a mistake. Should the legal team have caught and rectified it beforehand? Yes, providing they're not tied up with other things. But I'd imagine that they ARE tied up with other things right now.
To be honest, I don't get why people are complaining more about PSN being hacked than they did when governments are
You're overreacting a bit I think, like she said it reads like this to me too (Just to be clear, I read them as: First statement: "We do not ask for codes from free users/those that do not purchase items with the credit cards." Second statement: "We do ask for codes when you purchase something, but we do not store them.")
I think they would have to log into your account from your actual PS3 in order to purchase something without the security code, if they just try and use the card number from a different machine they would need the security code, at least that's how Steam works.
If I were you, to be safe, I'd request a new one, Steve.
I'd say you are going to get 30 days free PS+ and some "selected PlayStation entertainment content for free download"....
•Each territory will be offering selected PlayStation entertainment content for free download. Specific details of this content will be announced in each region soon.
•All existing PlayStation Network customers will be provided with 30 days free membership in the PlayStation Plus premium service. Current members of PlayStation Plus will receive 30 days free service.
...
This isn't just some "guy on a blog" though. This is the primary method Sony has chosen to update its customers throughout this whole episode. Even if it is one guy he's still serving the role of a mouthpiece for the company, and when you're in as hot water as Sony is right now you certainly don't want lone employees speaking out of turn. He has someone telling him exactly what to say, right down to the very wording. Any official statement he or any other employee is allowed to make is thoroughly vetted before it's released into the wild. NOT having someone check these posts BEFORE they go out would be appallingly retarded at this point, especially since they know they're under scrutiny from not only the public but also global law enforcement agencies and are fully aware anything they say at this point can and will come back to bite them in the arse in court. No way in hell are they letting unapproved information get out.
> Honestly, I see this whole situation as follows:
> 1. Sony should have encrypted the user info. Do I think it would have helped if somebody wanted to get it? No. No system is unhackable, after all. And they could've grabbed the info and decrypted at their leisure anyway, no?
"Welp, no point in locking my front door when I leave the house. If someone wants to break in they'll just find a way."
> Not to mention that the info that wasn't encrypted, as I understand (name, address, DOB, no? Am I forgetting something?), is something anybody can find fairly easily elsewhere.
Can that information be obtained relatively easily? Sure it can. Usually though it doesn't come with passwords, security questions, usernames, e-mail addresses and possibly credit card information. Nor is it delivered in a handy database containing those details for every PSN account ever.
> 2. Should Sony have increased security? Yeah, most likely. Do I think it would've helped? No. Again, somebody wanted in. They were going to get in no matter what.
When you entrust a business with sensitive information it's perfectly right to expect they'll take reasonable steps to protect that data. The fact that Sony stored ANY personal details in an unencrypted database means they've opened themselves up for a world of hurt. There's a reason companies can be sued for negligence.
> 3. Was it originally worded wrongly? Upon reading the guy's response to a comment:
> > As our friends at Destructoid pointed out, I was incorrect on the last point of the credit card question above. I want to make an important distinction: While we do ask for CCV codes, we do not store them in our database. It is transmitted to our payment processors for verification purposes only. Deep apologies for the confusion.
> he admits he made a mistake. Should the legal team have caught and rectified it beforehand? Yes, providing they're not tied up with other things. But I'd imagine that they ARE tied up with other things right now.
So they'll allow that post to go out unchecked, but they gag their staff and wait for an entire week before alerting people that their information might have been compromised? Sorry, I don't buy it. Something's fishy here.
> To be honest, I don't get why people are complaining more about PSN being hacked than they did when governments are
We do complain when governments have security breaches. We certainly do over here. The last British government lost an entire child benefit database containing millions of names, addresses, dates of birth, national insurance numbers, all that fun stuff because someone left a disc on a public train. I can't say how it works in other countries but it was big news over here for months, people were up in arms about it. I think you're just noticing the reaction to PSN more because, as gamers, we're seeing heavy discussion on all the websites we frequently visit in addition to the news and other normal media channels.
Not exactly the analogy I'd use, but I see your point. I admit I should've worded that much better (10:32 AM here), as well. Although using your analogy, it'd be saying they had NO security AT ALL, (not even a firewall) no? Obviously not the case since it apparently took a while for said hacker to get in. It'd be more like "I'm not going to get a security system because they'll break in anyway."
Really, the only reasons I put it like that are because of all the people saying "I'll just use Xbox LIVE, it's unhackable!" when it was hacked several years before (I mentioned earlier in the thread that, if what I read was correct, somebody actually got quite a bit of money off all the Live accounts back in 2007) and a lot of the complaints essentially wanting an unbreakable security (I believe quite a few used those exact words, though I may be wrong). (Like I said, I see your point even if I don't really think the analogy was an entirely accurate one.)
Not going to argue that it should've been encrypted, because, like I said, I agree there.
I still think they waited to confirm that at least some info had, without a doubt, been compromised. I could be wrong, and it wouldn't be the first time. I'd actually like to see proof either way.
Or it could just be that nobody where I live really cares about such. When the government here was hacked and a bunch of SSN numbers stolen (perhaps I'm wrong and/or locating bad info (or thinking of a different hack altogether), but a brief search says this occurred in 2006), nobody, and I mean NOBODY around here said a thing about it. Almost EVERYBODY around here is complaining about the PSN hack.
Overall, I do agree with you on most of it, but the way I'm reading it (again, 11 AM, haven't slept, so I'm likely misreading), it sounds like you're saying Sony's the only one at fault here. That's actually the main thing I'm really disagreeing with.
Last edited by Tanthias; 1st-May-2011 at 16:05.
> "Welp, no point in locking my front door when I leave the house. If someone wants to break in they'll just find a way."
It's really more like the doors were all locked, but everything wasn't bolted down. Analogies~
> So they'll allow that post to go out unchecked, but they gag their staff and wait for an entire week before alerting people that their information might have been compromised? Sorry, I don't buy it. Something's fishy here.
And this is the point where things go from angry conjecture to massive paranoia. Which is likely what they were trying to avoid, as it's just good business sense.