Al_B on 26/4/2011 at 22:15
Original Playstation (http://blog.us.playstation.com/2011/04/26/update-on-playstation-network-and-qriocity/) blog entry here. For me, the biggest thing that jumps out is the possibility that user passwords have been obtained. Assuming what they say is true, if credit card information was stolen then it didn't include the expiry date or CVV digits, the lack of which will make fraud much harder.
However, if they've been storing passwords in plain text or in a form that's reasonably easy to attack (e.g. MD5 without an obscured salt) then you can probably guarantee that some people use their passwords elsewhere and could be compromised in ways not related to PSN.
Of course, this is just speculation but the fact that Sony have appeared to be extremely reluctant to divulge any information about the situation isn't helping them at the moment.
Briareos H on 26/4/2011 at 22:20
holy shit even when he's posting short news Sterling makes me want to punch him in the face
SubJeff on 26/4/2011 at 22:44
Phew. Luckily for me the card I was using to fund the playstation wallet is now expired.
gunsmoke on 27/4/2011 at 00:16
What is Qriosity?
I know, cue ironic lols...
Shadowcat on 27/4/2011 at 05:48
So I guess they're saying they store credit card numbers and expiry dates as plain text. This is why I hate sites which 'helpfully' remember these details for you -- if a company as gigantic as Sony can't do it, how is one supposed to have any faith in smaller businesses?
Then again, other departments within Sony have displayed a remarkable ability to not give a fuck about their customers in the past, so I shouldn't be surprised.
Thirith on 27/4/2011 at 06:16
This is pretty bad... I hope that it'll make Sony rethink some of the ways it deals with things but doesn't hobble them.
*goes to change a number of passwords*
Yakoob on 27/4/2011 at 08:46
Well, that's why I never let Steam or any other online stores remember my CC info. It's not necessarily that I don't trust what they are doing... but I don't trust what they are not. In this case, much better protection than is needed.
Also, hopefully they were smart enough to encrypt all the crucial data (perhaps they did and perhaps that's why they said they're not sure if it was stolen, since they don't know if the hackers also got the decryption keys). Proper encrypting + salting is like user-database design 101 :rolleyes:
Matthew on 27/4/2011 at 10:37
Well, shit. It's days like this that make me glad my credit card has about £30 credit left on it. :(
Volitions Advocate on 27/4/2011 at 14:51
I think Al_B has the issue nailed here.
I am not very uber security when it comes to the internet. I share the same password across most of my accounts on the net, mostly because I do not feel like keeping track of several different passwords that make no sense and are just arbitrary strings of capitals and numbers mixed in.
Not that I remember my PSN login, because I have it saved on my PS3, but I'm pretty sure it's the same as my Gmail account, cell phone billing, forums (oh noes!), basically everything but my online banking. So I suppose I should change my passwords to all of these things to something different.
Mind you, all they really have is my email address, but there's still risks there.