Linked by Thom Holwerda on Tue 26th Apr 2011 22:06 UTC
After days and days of the Playstation Network being offline, Sony has announced it has taken the service down indefinitely. The cause is a lot more severe than previously thought: PSN has been systematically attacked, and personal information of all users has been stolen, possibly including credit card data. Sony is asking PSN users to keep close tabs on their credit card account statements. This has turned from a rather amusing slap on the wrist for Sony into a massive and truly epic security fail that could have tremendous consequences for millions and millions of people the world over.
Thread beginning with comment 471197
talaf, member since 2008-11-19

Actually, banking terminals are supposed to fault when tampered with, and AFAIR they do have some crypto identifying them to the bank's network. That said, a couple of years ago British scientists played Tetris on one such terminal and further demonstrated a relay attack (when you think you're paying for one thing but you're in fact paying for a simultaneous transaction in a nearby location).

These are still very impractical to implement, though. There's heavy crypto involved in this, with time constraints limiting the timeframe in which someone would use your unlocked private key. I'd say you're far more susceptible to theft of the card and PIN than to a bogus terminal. All in all, the "real world" debit card system is pretty sound; the internet part certainly could use some work.

PayPal and such systems are actually a fine answer. Zero-locked accounts that you have to fill with some exact amount for payments are probably the best thing you can do, short of never paying for anything on the internet.

Score: 1
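The comment above contrasts the crypto in a card transaction with the "time constraints" that make a relay attack impractical. The following simulation, added here as an illustration and not code from the thread or from any payment scheme, shows why both checks are needed: a relayed response from a genuine card still verifies cryptographically, and only the round-trip-time bound exposes it. Everything in it is constructed: the symmetric card key that the terminal verifies directly (real cards use issuer keys and EMV-specific messages), the simulated microsecond clock, the latencies, and the 50 us bound.

```python
"""Challenge-response with a round-trip-time bound, as a model of why relay
attacks are hard against a terminal that checks timing as well as crypto.

Assumed, not from the original thread: a symmetric card key verified by the
terminal, a simulated clock in microseconds, and an arbitrary 50 us bound.
"""
import hashlib
import hmac
import secrets

CARD_KEY = b"constructed-demo-card-key"   # constructed sample key
RTT_BOUND_US = 50                          # assumed acceptable round-trip time


class SimulatedClock:
    """Deterministic clock so modelled latency, not wall-clock noise, drives the result."""

    def __init__(self) -> None:
        self.now_us = 0

    def advance(self, us: int) -> None:
        self.now_us += us


class Card:
    """Genuine card: answers a fresh challenge with an HMAC under its key."""

    def __init__(self, key: bytes) -> None:
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class DirectLink:
    """Card held at the terminal: a short, fixed one-way latency per message."""

    def __init__(self, clock: SimulatedClock, card: Card, one_way_us: int) -> None:
        self.clock, self.card, self.one_way_us = clock, card, one_way_us

    def exchange(self, challenge: bytes) -> bytes:
        self.clock.advance(self.one_way_us)       # challenge reaches the card
        response = self.card.respond(challenge)
        self.clock.advance(self.one_way_us)       # response returns to the terminal
        return response


class RelayedLink:
    """The relay scenario from the thread: the genuine card is elsewhere, so every
    message also crosses a longer hop. The card's answer is still correct;
    only the added delay gives the relay away."""

    def __init__(self, clock: SimulatedClock, inner: DirectLink, relay_hop_us: int) -> None:
        self.clock, self.inner, self.relay_hop_us = clock, inner, relay_hop_us

    def exchange(self, challenge: bytes) -> bytes:
        self.clock.advance(self.relay_hop_us)      # challenge carried to the remote card
        response = self.inner.exchange(challenge)
        self.clock.advance(self.relay_hop_us)      # response carried back
        return response


def terminal_transaction(clock, link, card_key: bytes, rtt_bound_us: int = RTT_BOUND_US) -> dict:
    """Terminal side: issue a fresh challenge, verify the MAC, then verify the timing."""
    challenge = secrets.token_bytes(16)
    started = clock.now_us
    response = link.exchange(challenge)
    rtt_us = clock.now_us - started
    expected = hmac.new(card_key, challenge, hashlib.sha256).digest()
    crypto_ok = hmac.compare_digest(response, expected)
    timing_ok = rtt_us <= rtt_bound_us
    return {
        "crypto_ok": crypto_ok,
        "timing_ok": timing_ok,
        "accepted": crypto_ok and timing_ok,
        "rtt_us": rtt_us,
    }


def run_scenarios() -> dict:
    """Direct presentation versus a relayed one, using constructed latencies."""
    card = Card(CARD_KEY)
    results = {}

    clock = SimulatedClock()
    results["direct"] = terminal_transaction(
        clock, DirectLink(clock, card, one_way_us=5), CARD_KEY)

    clock = SimulatedClock()
    remote_card = DirectLink(clock, card, one_way_us=5)
    results["relayed"] = terminal_transaction(
        clock, RelayedLink(clock, remote_card, relay_hop_us=200), CARD_KEY)
    return results


if __name__ == "__main__":
    for name, r in run_scenarios().items():
        print(f"{name}: rtt={r['rtt_us']}us crypto_ok={r['crypto_ok']} "
              f"timing_ok={r['timing_ok']} accepted={r['accepted']}")
```

The direct exchange completes in 10 simulated microseconds and is accepted; the relayed one takes 410, so it passes the MAC check but fails the timing check and is rejected. A terminal that verified only the cryptography would accept both, which is the gap the time constraint closes.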

Neolander, member since 2010-03-08

Sadly, PayPal is not zero-locked, though it has the advantage of displaying the amount you're going to pay on the login page.

About physical terminals, I wonder... Instead of messing with an existing one, couldn't the attacker just build something that looks like a card reader, behaves like a card reader, but in fact only saves the credit card information and PIN, so that the hacker can later make a copy of the card whose PIN he has extracted and use it?

Score: 1