2.2 Million PSN users credit card details up for sale.

[WhiteandNeardy99]

I have a PS3, but I haven't actually bought anything from their online store.


Sort of glad I didn't

I just use PlayStation Network Cards.

Saves me from problems like this...

Amen, to that, I'm exactly the same.

 

[RhombusHatesYou]

As long as you watch your credit/debit reports for a couple of months to make sure there is no odd charges

And even should odd charges appear, unless PSN is the only place you've ever used your credit card, there's nothing to say that it was a result of the PSN breach.

 

[BGH122]

Those 3 digit codes are very, very hard to crack. It's not like cracking PC passwords, every time they try one of the 1000 combinations they have to do so by submitting it to the bank. Odds are that they'd find the card suspended for potential fraudulent activity (as most banks do in such a scenario) long before they correctly guessed the code.

Brute forcing a single CVC with a limited number of attempts is such a low order probability that it would only happen in circumstances best described as 'divine intervention' or 'the arsiest arsiness in the history of arse'.

Precisely, and unlike PC password hacking you have to wait for a response from a server every time you make another guess. But, CVCs are random numeric with nothing to allow for anything but brute force. Without CVCs they've got nothing.

True but as I showed up-page, you can brute-force it the other way if you have a pool of accounts that exceeds the number of possible CVC codes.

Of course, I did ignore probabilities and several obvious variables.

True, one could enter '111' for every CVC and 2,200,000E-3 would work if one follows naive probability theory (and why not, else this'll get far too complex). However, unless one has access to a botnet with 2,200,000 bots (and outside of Zeus/Russian Business Network I know of no botnet that could handle this) then one's IP will get flagged for fraud sooner than one could complete the process.

 

[RhombusHatesYou]

True, one could enter '111' for every CVC and 2,200,000E-3 would work if one follows naive probability theory (and why not, else this'll get far too complex).

Well, yeah, I didn't want to weigh in too much because I hate working probabilities and because the last time I went into detail about how something could be done I was banned from a forum for 'posting information that could be used to create WMDs'... and all I did was explain how hard it would be to create a nuclear weapon even if you had a shitpot of weapons grade plutonium (using nothing but publicly available information, no less). Fucking panic merchants...

However, unless one has access to a botnet with 2,200,000 bots (and outside of Zeus/Russian Business Network I know of no botnet that could handle this) then one's IP will get flagged for fraud sooner than one could complete the process.

Well, you could use more than 1 CC account per bot to make use of smaller botnets as long as you tried verification at different sites each time. Of course, the big problem with using a botnet for verification en masse would be that it's likely to make the verification servers either think they're being DDOSed or shit themselves under the added load.

 

[ChunkySaurus]

Well that explains why my credit card company canceled my card last week because it was "compromised". Apparently someone made a generic card with my number and started swiping it on the other side of the continent. At least I'm not alone here.