Friday, April 29, 2011
Your credit cards up for sale?
Have hackers put your credit cards up for sale? Sony is preparing to compensate you, which doesn't bode well for us PSN users. Even as Sony continues to struggle with bringing the PlayStation Network (PSN) back online, there are rumours that credit card numbers gleaned in the attack are already available for purchase. According to Kevin Stevens, senior threat researcher at Trend Micro, various parties are already offering sections of the database for sale.
One unconfirmed report indicates that hackers, in a tremendous act of hubris (if little common sense), may have tried to sell the database back to Sony. Sony's Patrick Seybold stated that "there is no truth to the report that Sony was offered an opportunity to purchase the list... The entire credit card table was encrypted and we have no evidence that credit card data was taken." Rumours, possibly begun by the thieves themselves, claim that the hackers were able to access the entire database; there's no information yet to prove or disprove such claims.
Selling the database doesn't mean the hackers have broken its encryption, only that they've found someone else willing to deal with the problem. Sony isn't treating the hack as an external-facing security issue. A new FAQ posted at the PSN blog addresses questions of compensation. MMO subscribers will have access to "special events across our portfolio. We are also working on a 'make good' plan for players of the PS3 versions of DC Universe Online and Free Realms."
Asked about other games and gamers, the company states: "We are currently evaluating ways to show appreciation for your extraordinary patience as we work to get these services back online." Since the PSN is a free service (apart from PlayStation Plus), gamers probably won't receive any form of cash-equivalent store credit, though we daresay it might go down well if they did. Free upgrades to PlayStation Plus, additional free product trials, or a percentage off one's next purchase all seem likely candidates.
The long-term impact on Sony's gaming network could still break either way. If Sony maintains an open dialog about what led to this problem and patches it quickly, and if no credit card information was stolen, we daresay it'll fade from memory without too much trouble. Virtually everyone who owns a PS3 and uses it for gaming has a significant amount of cash sunk into the console. Absent immediate evidence of abuse, such customers will typically adopt a 'wait and see' position.
We suspect the company's greatest focus will be on preventing a repeat. Other companies have survived tremendous security failures that exposed customer financial data. A one-off, even a one-off this serious, won't necessarily hit the PS3's popularity all that badly. Sony, however, is in a perilous position. The system's critical security flaw has been widely covered. This PSN outage could fuel perceptions that the PSN is unreliable. A second failure of the same type could make things worse for Sony than they might be for Microsoft under similar conditions.