Linked by Thom Holwerda on Mon 2nd May 2011 22:27 UTC
Privacy, Security, Encryption

"Nikkei.com on Monday reported that an online Sony gaming network has once again fallen victim to a cyberattack. This time, the attack may have exposed the credit card numbers of thousands of Sony customers from around the world. According to the report, over 12,700 customer credit card numbers were stolen during a breach of Sony’s online gaming network, Sony Online Entertainment. According to Nikkei.com, Sony discovered the possible attack on Sunday."
Quoth Nelson
by orestes on Mon 2nd May 2011 23:13 UTC
orestes
Member since:
2005-07-06

Ha-Ha!

Reply Score: 4

RE: Quoth Nelson
by WorknMan on Tue 3rd May 2011 00:57 UTC in reply to "Quoth Nelson"
WorknMan Member since:
2005-11-13

Ha-Ha!


Yeah, people getting their credit cards stolen... that's really f**king funny, isn't it?

Reply Score: 5

RE[2]: Quoth Nelson
by SANGEKi on Tue 3rd May 2011 01:21 UTC in reply to "RE: Quoth Nelson"
SANGEKi Member since:
2006-11-30

Yes, it actually is.

Reply Score: 1

RE[2]: Quoth Nelson
by orestes on Tue 3rd May 2011 01:31 UTC in reply to "RE: Quoth Nelson"
orestes Member since:
2005-07-06

Considering I'm likely one of them, and am definitely one of the ones affected by the PSN issues... yeah I absolutely reserve the right to laugh my ass off every time Sony gets kicked in the balls from here out. Just as I'll be rolling on the floor when these prick hackers end up in Federal PMITA prison.

Do what you can to protect your own interests from any fallout, then pull up a log and grab some marshmallows. This one will be burning for years down the line.

As for those of you who don't use Sony's services, I'd advise taking a good hard look at just how secure your own habits are. Never know who might get nailed next.

Reply Score: 3

RE[2]: Quoth Nelson
by MORB on Tue 3rd May 2011 10:14 UTC in reply to "RE: Quoth Nelson"
MORB Member since:
2005-07-06

It's called schadenfreude. Plus we're talking about people who have chosen to purchase stuff from Sony, that's funny in itself.

Reply Score: 2

RE[2]: Quoth Nelson
by somebody on Tue 3rd May 2011 17:07 UTC in reply to "RE: Quoth Nelson"
somebody Member since:
2005-07-07

lol, yes it is

using credit card online is the only funny way of suicide i can think of. one has to be braindead to do that

Reply Score: 0

Evidence says... Don't Trust Sony
by benali72 on Tue 3rd May 2011 03:14 UTC
benali72
Member since:
2008-05-03

I haven't trusted Sony since they shipped a rootkit with their CDs several years back. They have since verified my lack of trust in them with incidents like this. Too bad. They make fine products otherwise... but security is rather major. I don't buy Sony, period.

Reply Score: 8

Gone fishing Member since:
2006-02-22

I tend to agree, if Sony had put as much effort into preventing crackers compromising their systems as they have into controlling paying customers maybe they wouldn't be having this problem.

Possibly some of this DRM crap (for example the root kit) even opens new avenues of attack.

However, Sony's behaviour in no way justifies stealing bank account details etc - this is just criminal. I hope these criminals are apprehended, but also that Sony's management thinks about its priorities and conduct.

Reply Score: 3

So much for credit cards being the problem
by smitty on Tue 3rd May 2011 04:23 UTC
smitty
Member since:
2005-10-13

They also lost debit card info and bank account numbers this time.

Reply Score: 2

Thom_Holwerda Member since:
2005-06-29

Except debit card number is totally useless without the PIN code.

Reply Score: 3

daedliusswartz Member since:
2007-05-28

Does that apply to places like McDonald's that allow Visa transactions under I think it's $100 without a PIN?

Reply Score: 1

avgalen Member since:
2010-09-23

No, it is how we are used to how the system works. In France there is very often a "no pin under 100 Euro" rule and that COULD work in The Netherlands as well. It is just common practice for companies that accept pin-transactions to use PIN-codes (as it should be)

Reply Score: 1

Calipso Member since:
2007-03-13

really? no pin needed for transactions under 100? weird. Wonder why they decided on that. Guess they don't think 99 is a lot for people to lose

Reply Score: 2

flypig Member since:
2005-07-13

really? no pin needed for transactions under 100? weird. Wonder why they decided on that. Guess they don't think 99 is a lot for people to lose


To be honest, I think it's the other way around: the shops don't think 99 is a lot for themselves to lose. My understanding is that (at least in the UK) shops can in some cases accept PIN-less credit/debit card transactions, but without a PIN the shop is liable if the card turns out to be counterfeit. In cases where a PIN is used, the bank is liable:

http://tinyurl.com/46n2j

Might be different elsewhere of course.

Reply Score: 1

vodoomoth Member since:
2010-03-30

I contend this: in each and every situation (except tolls on highways) where I have had to use my bank card, I have always entered the PIN code.

I repeat, **each and every time**: gas, groceries, post office, Internet payments, etc. Sometimes (when using an automaton) entering the code is the first task you do, i.e. even before selecting what you are buying. The typical cases I can think of are post office operations and gas stations.

So I don't know what part of France you are referring to, but I've never experienced it.

The only possibility I can see what you refer to being valid in France is when the card has no chip on it and a swipe is needed. These are ALWAYS foreign cards as all domestic cards I've ever seen had a chip, which mandates entering the code. Moreover, I've worked for years as a cashier in parkings, back when I was a student, and I have **never** swiped a card (like it's done with American Express cards). In ten years of living here, I have never swiped my own card either.

Reply Score: 2

sagum Member since:
2006-01-23

Visa is not a debit card. Visa is a credit card.

Actually, Visa is a company that provides transaction technology for banks. It's no more your passport is a national security badge because it's been stamped.

Visa have debit and credit card technology that is licensed around the world for differing types of banks and the accounts they create.

I personally have both a Visa debit AND a Visa credit card from two different banks.

Also Visa or any other debit cards do NOT require PIN numbers to be used online. You might have an online banking security for your bank that prompts for a select number, random order of your pin number and maybe also some characters from your online banking password etc but that can also be set up with a credit card.

Reply Score: 3

TheVendo Member since:
2010-12-10

Visa can be either a debit card or a credit card, the same for MasterCard. Only Visa Electron and Maestro are limited to debit card only.

Reply Score: 2

Alfman Member since:
2011-01-28

Thom Holwerda,

"Visa is not a debit card. Visa is a credit card. You can't use bank cards in The Netherlands without the PIN number. It's how the system works."

I'm no expert on the matter, but as far as I know in the US, Visa/MC actually do handle the processing for all the debit cards.

My debit card has a Visa logo.

I don't actually use it, legally speaking I have no rights against Visa or my bank if they permit fraudulent purchases against my debit card. With credit cards, US law places the burden of proof on them.

It may be different in other countries that don't embrace monopolies like the US.

Reply Score: 3

Soulbender Member since:
2005-08-18

It may be different in other countries that don't embrace monopolies like the US.


At least in Sweden, a debit card is usually "compatible with" Visa, Cirrus and Mastercard. This means you can use it at any outlet or ATM that accepts any of those cards, anywhere in the world.

Reply Score: 2

daedliusswartz Member since:
2007-05-28

I was asking not being a smartarse, as I do not know.

As far as I can tell, Visa is a company and brand that provides fund transfer facilities.

I know of many places where Visa and MasterCards are permitted with I guess, swipe and go transactions, and I wondered if that extended to debit cards.

Reply Score: 1

Lennie Member since:
2007-09-22

The Netherlands and a few other countries are actually a bit of a blissful exception to the rule, there are a lot of countries with different situations.

Luckily it will change now that the Netherlands has chip and pin.

Unfortunately this might not be for the better, but worse. As chip and pin was already broken in the UK [0] before the Dutch banks even had a look at it, I guess we'll have to see how it plays out.

[0] http://www.youtube.com/watch?v=PWnH_yblgTc

Edited 2011-05-03 11:25 UTC

Reply Score: 2

mahiyu Member since:
2010-08-06

I have a Visa debit card (my bank decided to switch from Maestro a few years ago for some reason) and it works in exactly the same way as a credit card, ie. PIN required in a shop, but not for online transactions.

Reply Score: 1

smitty Member since:
2005-10-13

Except debit card number is totally useless without the PIN code.

Are you sure they didn't also get the PIN #? Or a bank account # linked to the debit card? Because that was the impression I got.

Reply Score: 2

Thom_Holwerda Member since:
2005-06-29

In The Netherlands, your PIN number is a personal code. Not even your bank knows this number. In order to do ANY transaction, you need your bank card (swipe it) and then enter your PIN. The card alone is useless, the account number alone is useless, the PIN number alone is useless. You CANNOT perform ANY transaction without entering your PIN number. The system doesn't allow it. It's not optional.

For online transactions, Dutch banks have set up a system called iDEAL:

http://en.wikipedia.org/wiki/IDEAL

Reply Score: 2

smitty Member since:
2005-10-13

In The Netherlands, your PIN number is a personal code. Not even your bank knows this number. In order to do ANY transaction, you need your bank card (swipe it) and then enter your PIN. The card alone is useless, the account number alone is useless, the PIN number alone is useless. You CANNOT perform ANY transaction without entering your PIN number. The system doesn't allow it. It's not optional.

So in other words, they've solved the security problem by completely locking these cards out of any online transactions. I guess that's one way to solve the problem.

For clarification, that's not the way it's done in the US. The debit cards are able to piggyback on the credit card processing systems so that any place which accepts a Visa card can also accept debit. You still have to enter the PIN# for authorization and it still goes straight to your bank, though, so it is still "debit".

For online transactions, Dutch banks have set up a system called iDEAL:

http://en.wikipedia.org/wiki/IDEAL

Which is something entirely different and not what was being discussed.

Edited 2011-05-03 07:17 UTC

Reply Score: 2

Cody Evans Member since:
2009-08-14

Really? My debit card has never asked for a pin for any online transactions, not even when I purchased my netbook for over $300! My debit card from my bank operates just like a credit card. Maybe the difference is that it is also called a Check card and is linked to a checking account...

Reply Score: 2

bouhko Member since:
2010-06-24

"In The Netherlands, your PIN number is a personal code. Not even your bank knows this number. In order to do ANY transaction, you need your bank card (swipe it) and then enter your PIN. The card alone is useless, the account number alone is useless, the PIN number alone is useless. You CANNOT perform ANY transaction without entering your PIN number. The system doesn't allow it. It's not optional.

So in other words, they've solved the security problem by completely locking these cards out of any online transactions. I guess that's one way to solve the problem.
"
Actually not. In Switzerland, you have to use a card reader delivered by the bank for online transactions.
The e-commerce website redirects you to your bank.
Then you put your debit card in the card reader, put in a number given by the bank website, put in your PIN, and the card reader then calculates a new number that you enter back on the bank website and that's it. It works. It's secure because it's basically the same idea as public key cryptography.

Yeah really, it is possible to build a system that is secure for online purchasing. Unfortunately, with this system, the likes of Sony and Skype cannot retain your credit card and charge it automatically because you forgot that you entered it once on their website.

Reply Score: 1
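
The card-reader flow described in the comment above (bank shows a number, the reader asks for the PIN and computes a reply, the bank checks it), as an added example that is not part of the original thread and not any bank's actual algorithm. It assumes a secret key shared between card and bank and an HMAC truncated to 8 digits; the class names, account id, PIN and payee are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def response_code(key: bytes, challenge: str, amount_cents: int, payee: str) -> str:
    """8-digit code bound to this challenge, amount and payee (assumed scheme)."""
    msg = f"{challenge}|{amount_cents}|{payee}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


class Card:
    """Chip card plus reader: holds the key and checks the PIN locally."""
    MAX_TRIES = 3

    def __init__(self, key: bytes, pin: str):
        self._key, self._pin, self._tries_left = key, pin, self.MAX_TRIES

    def sign(self, pin: str, challenge: str, amount_cents: int, payee: str):
        """Return the response code, or None on a wrong PIN or a blocked card."""
        if self._tries_left == 0:
            return None                      # blocked: guessing the PIN stops here
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._tries_left -= 1
            return None
        self._tries_left = self.MAX_TRIES
        return response_code(self._key, challenge, amount_cents, payee)


class Bank:
    def __init__(self):
        self._card_keys = {}   # account -> card key
        self._pending = {}     # challenge -> (account, amount, payee)

    def issue_card(self, account: str, pin: str) -> Card:
        key = secrets.token_bytes(32)
        self._card_keys[account] = key
        return Card(key, pin)

    def start_payment(self, account: str, amount_cents: int, payee: str) -> str:
        challenge = f"{secrets.randbelow(10**8):08d}"
        self._pending[challenge] = (account, amount_cents, payee)
        return challenge

    def confirm(self, challenge: str, response) -> bool:
        # pop() makes every challenge single-use, so a captured reply cannot be replayed
        pending = self._pending.pop(challenge, None)
        if pending is None or response is None:
            return False
        account, amount, payee = pending
        expected = response_code(self._card_keys[account], challenge, amount, payee)
        return hmac.compare_digest(expected, response)
```

Nothing the merchant stores (account number, amount, a past response) is enough to authorise a later payment, which is the property the comment contrasts with a retained card number.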

mistersoft Member since:
2011-01-05

Obviously, as others have now said, VISA (& MC) operate debit card facilities too, which in Britain and Ireland at least must operate in nigh on the same way as in the Netherlands - with 'chip and PIN' having almost fully taken over from signatures - although signatures are still allowed as a fallback - at least on some terminals they still are.

We (in UK/Ire) still don't have any nice (safe) system like your iDEAL system yet for online transactions however.

Some online commercial sites utilise Verified by Visa and MasterCard SecureCard as a welcome extra security step for sure, but they're still a minority as are domestic banks that utilise either transaction codecards or an electronic terminal equivalent that they send customers (I know AIB are one).

Most UK customers using most UK/other online retailers still have to (just)hand over the long card number, name on card and expiry date - that's it, no further checks!

I fully endorse what you've said before though, I also very much hope that these creditcard number thefts from Sony might expedite a long needed worldwide overhaul of online transactions. Especially Credit/Debit card. I'd love to see some more competitors to PayPal arise too!

Reply Score: 1

Ultimatebadass Member since:
2006-01-08

Not entirely. You can use your Visa Electron (which is a debit card) on PSN in the same way you can use a Visa CC (it has that 3 digit security code printed on the back too).

In my bank all you have to do to use one like that is log on to your user panel and change "internet transaction" limit on that card to whatever you like.

Edited 2011-05-03 07:09 UTC

Reply Score: 2

Soulbender Member since:
2005-08-18

Good thing a 4 digit PIN is so hard to break...

Reply Score: 2

Thom_Holwerda Member since:
2005-06-29

Good thing a 4 digit PIN is so hard to break...


And then you have my PIN code. Great. Without my bank card, you can't get anywhere with just the code.

So, you'd have to steal or find my bank card, then use a brute force tool combined with some method of verifying each and every possible combination using my card, and then, when you hit the proper code, go to an ATM and get all my money. Online banking would be useless since the bank could easily check where the money was transferred to and find you that way.

Since it's common sense to call your bank straight away in case of theft or loss of your card, you have a very small window of opportunity.

Reply Score: 1

Soulbender Member since:
2005-08-18

Yeah, my bad, I was thinking of the Chip & PIN stuff.

Reply Score: 2

Comment by kvarbanov
by kvarbanov on Tue 3rd May 2011 07:40 UTC
kvarbanov
Member since:
2008-06-16

Well, it depends on the account type you have with your bank, as well as the card type. If it's Visa Electron debit card, yes, you can use it online, but only if the vendor supports that type of payment and transactions, still however, you need to supply your PIN, otherwise it's a no-go.

Second option for better security is so called "virtual credit card" - designated only for electronic payments, it's tied with your base account. What you should do is just transfer money from the main account, whatever amount you wish, go to the website, do the payment, and you're done - no more overdrafts, etc - you have full control of what's happening. Certainly, if someone knows your virtual card number, it's still useless without the CVV code, just as well as if you have left no money in that account, which I usually do, so they can steal whatever they want. I have the option of authorizing payments only if I reply with text message from my mobile phone, too, so it's basically a two step verification if someone wants your money.
So, there are options.

Edited 2011-05-03 07:43 UTC

Reply Score: 2

RE: Comment by kvarbanov
by WereCatf on Tue 3rd May 2011 08:34 UTC in reply to "Comment by kvarbanov"
WereCatf Member since:
2006-02-15

Well, it depends on the account type you have with your bank, as well as the card type. If it's Visa Electron debit card, yes, you can use it online, but only if the vendor supports that type of payment and transactions, still however, you need to supply your PIN, otherwise it's a no-go.


I have one and that assertion is indeed incorrect. I've never had to use the PIN code when doing online transactions.

Reply Score: 3

Out of band authentication
by Alfman on Tue 3rd May 2011 08:40 UTC
Alfman
Member since:
2011-01-28

Authenticating purchases using static credit card is so stupid, it is unbelievable that we still do it that way.

I agree with kvarbanov that multi-factor/out of band authentication should be used, unfortunately most banks don't seem to genuinely care that credit card numbers by themselves are inherently insecure.


Anyways, posters here seem to be getting confused about pins being a requirement of using debit cards. My bank advertises that I can use my debit card anywhere Visa is accepted, even shops only set up to accept "credit cards". This is because Visa handles both ends of the transaction, be it credit or debit.

http://www.ehow.com/facts_6146135_signature-based-debit-card-transa...

In certain grocery stores, the CC machine asks for a pin after I swipe my *credit* card to pay. Another older credit card never asks for a pin.

This leads me to believe that credit/debit and pin/signatures are in fact two independent variables.


I don't know if there are any real technical differences between the transaction types at all, or if the differences are merely a matter of policy?


Edit:
http://www.paymenow.com/html/debit_transactions.html
"Debit cards that have a VISA or MasterCard logo on them can be processed without entering a PIN code. These types of transactions are referred to as 'off-line' debit transactions. In this type of sale the merchant accepts a debit card the same way in which they would accept a normal credit card. The card is swiped through the terminal and the consumer signs the receipt. As far as the merchant is concerned there is no difference in the way a credit card or an off-line debit card is processed."

Edited 2011-05-03 08:45 UTC

Reply Score: 1

RE: Out of band authentication
by Thom_Holwerda on Tue 3rd May 2011 08:54 UTC in reply to "Out of band authentication"
Thom_Holwerda Member since:
2005-06-29

Anyways, posters here seem to be getting confused about pins being a requirement of using debit cards. My bank advertises that I can use my debit card anywhere visa is accepted, even shops only setup to accept "credit cards". This is because Visa handles both ends of the transaction, be it credit or debit.


It doesn't work like that here, luckily. Your bank card's payments (debit, PIN required) are handled by Interpay, the organisation that handles the backend. I do believe your bank card can be *compatible* with VISA/MasterCard, and that the backend is compatible with it also. All Dutch banks and virtually every shop/restaurant/etc. accepts bank card payments (swipe/enter pin/press ok).

However, here in The Netherlands, everything is done either in cash, or 'via PIN' (debit card/bank card), as we call it. Credit cards are mostly used when travelling outside of the EU - but even there it isn't necessary, as I was perfectly able to use my bank card at ATMs in Austin and Dallas, TX, 10 years ago.

Reply Score: 2

RE[2]: Out of band authentication
by Alfman on Tue 3rd May 2011 22:55 UTC in reply to "RE: Out of band authentication"
Alfman Member since:
2011-01-28

"However, here in The Netherlands, everything is done either in cash, or 'via PIN' (debit card/bank card), as we call it."


You keep saying this, and it may be true in your country, but I wouldn't be so positive that Visa will always deny signature transactions with merchants outside of your country.


If what you are saying is accurate, I have no idea how you would use your debit card online. Obviously (or hopefully) you do not submit your personal pin on commercial websites.


In regards to the Sony case, the loss of this information is very bad for both debit and credit cards.

Reply Score: 2

Thom_Holwerda Member since:
2005-06-29

If what you are saying is accurate, I have no idea how you would use your debit card online. Obviously (or hopefully) you do not submit your personal pin on commercial websites.


It's already been said in this comment thread:

http://en.wikipedia.org/wiki/IDEAL

Reply Score: 1

Alfman Member since:
2011-01-28

Thom Holwerda,

"It's already been said in this comment thread:"

Yes I know you stated that, but iDEAL appears to only be used in the Netherlands.

From your link, iDEAL works when:
"# Merchant offers iDEAL as payment method
# Consumer selects iDEAL and selects his bank"

Didn't you state that your card did work in the US? This would mean that your card would still be of value to international thieves.

Reply Score: 1

First 2 words were enough
by stereotype on Tue 3rd May 2011 18:39 UTC
stereotype
Member since:
2007-04-06

The first 2 words of the headline were just enough to make my day: "Sony Suffers". No need to keep on reading...

Edited 2011-05-03 18:39 UTC

Reply Score: 1