Linked by Thom Holwerda on Tue 26th Apr 2011 22:06 UTC
Games After days and days of the Playstation Network being offline, Sony has announced it has taken the service down indefinitely. The cause is a lot more severe than previously thought: PSN has been systematically attacked, and personal information of all users has been stolen, possibly including credit card data. Sony is asking PSN users to keep close tabs on their credit card account statements. This has turned from a rather amusing slap on the wrist for Sony into a massive and truly epic security fail that could have tremendous consequences for millions and millions of people the world over.
Thread beginning with comment 471123
Comment by atsureki
by atsureki on Wed 27th Apr 2011 02:51 UTC

we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID.

They were storing passwords in cleartext?
Their security is beyond help.

I don't actually know which password of my rotation I gave them (and thus should be changing if I use it anywhere else right now), and of course there's no way to find out with the server simply rejecting all login attempts. Same with the credit card - I'm pretty sure all they have is an outdated debit card from a closed account, but it's possible I put in a different card once and don't remember. The uncertainty sucks, and Sony's not helping. They're acting precisely like they have something to be ashamed of (a given) and not at all like they're in control of the situation.

Hopefully, it will also be another nail in the coffin of the credit card, an inherently insecure and ridiculous concept that needs to die. People should learn to spend the money they have, not the money they may have.

Don't be ridiculous. Security and responsibility are two completely different issues, and credit cards absolutely win on the former. There's no reimbursement protection if someone steals your cash, and it's a lot harder to track counterfeit paper than electronic transactions. And I suppose I'll just get a USB cash scanner or mail a check if I ever want to buy DLC or get stuff from Amazon, which will of course be shipped to me by Pony Express.

Reply Score: 3

RE: Comment by atsureki
by timalot on Wed 27th Apr 2011 04:50 in reply to "Comment by atsureki"

They were storing passwords in cleartext?

If they are storing passwords in cleartext, not unheard of in proprietary systems, imagine the word list the hackers will have for future hacking, especially if tied to email addresses.

A simple way to take the power back is to do your own hashing: use a real password, append some salt (i.e. the domain name string) and pass it through a hashing method, e.g. MD5 or SHA1. Then use the output as your password for "Mega Corporation X's" service. By changing the salt for every service you generate unique passwords for each, so hackers won't pwn you. And you only need to remember one password.

The PasswordMaker extension for Firefox does this; it is also available as an app for your phone.


Reply Parent Score: 1
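The per-service derivation timalot describes above, written out as an added example (editor's code, not PasswordMaker's or anything from the thread). It implements the scheme as stated (SHA1 over master password + domain) and, going beyond the comment, adds a PBKDF2 variant, since a derived password leaked by a cleartext-storing site together with its public domain "salt" lets an attacker brute-force a weak master offline and a slow KDF raises that cost. The master password and domains are constructed sample values.

```python
import hashlib

# Constructed sample inputs (not from the thread): one memorised master
# password and the service domains that act as the per-service "salt".
MASTER = "correct horse battery staple"
SERVICES = ["playstation.com", "amazon.com", "mail.example.org"]


def normalize_domain(domain: str) -> str:
    """Lower-case and strip scheme/path so 'https://Amazon.com/x' and
    'amazon.com' derive the same password (otherwise you lose access)."""
    d = domain.strip().lower()
    d = d.split("://", 1)[-1]
    return d.split("/", 1)[0]


def derive_sha1(master: str, domain: str) -> str:
    """The scheme as described in the comment: SHA1(master || salt),
    salt = service domain, hex output used as the site password."""
    salt = normalize_domain(domain)
    return hashlib.sha1((master + salt).encode("utf-8")).hexdigest()


def derive_pbkdf2(master: str, domain: str,
                  iterations: int = 200_000, length: int = 20) -> str:
    """Same idea with a deliberately slow KDF: the domain is still the
    salt, but brute-forcing the master from one leaked derived password
    now costs `iterations` hashes per guess. 20 bytes -> 40 hex chars."""
    salt = normalize_domain(domain).encode("utf-8")
    dk = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt,
                             iterations, dklen=length)
    return dk.hex()


def passwords_for(master: str, services: list, derive=derive_sha1) -> dict:
    """Derive one password per service; nothing needs to be stored,
    which is the answer to 'keeping track of them'."""
    return {s: derive(master, s) for s in services}


def all_unique(passwords: dict) -> bool:
    """A cleartext leak at one service must not reveal any other."""
    return len(set(passwords.values())) == len(passwords)


if __name__ == "__main__":
    for name, fn in (("sha1", derive_sha1), ("pbkdf2", derive_pbkdf2)):
        pw = passwords_for(MASTER, SERVICES, fn)
        print(name, "unique:", all_unique(pw))
        for svc, p in pw.items():
            print(f"  {svc:18} {p}")
```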

RE[2]: Comment by atsureki
by vodoomoth on Wed 27th Apr 2011 08:45 in reply to "RE: Comment by atsureki"

Excellent suggestion!

However, a problem (which is similar to the one I have solved by using secondary addresses provided by yahoo) remains: keeping track of those hashed-by-the-user passwords... Not to mention that entering such passwords might sometimes be a real PITA.

Reply Parent Score: 2

RE: Comment by atsureki
by somebody on Thu 28th Apr 2011 17:58 in reply to "Comment by atsureki"

No, as far as I understand only CFW (or a console in debug mode, which CFW basically is) was posting credit info and the rest in cleartext. As far as I remember that was one of the CFW bugs.

Reply Parent Score: 2