2.2 Million PSN users credit card details up for sale.


Treblaine

New member
Jul 25, 2008
RhombusHatesYou said:
Treblaine said:
On the security code issue, how much damage could they do with just my card number but without security code? 3-4 digit code can't be that hard to crack.
10,000 (10^4) possible codes from a 4 digit numeric code, 1,679,616 (36^4) for a 4 digit alphanumeric code. No software package for handling credit card transactions is going to let you sit there and fire away that many attempts at the CVC, and with a realtime connection to the CC companies' verification servers, you can bet that after a set number of failed attempts they suspend the card.
Well, Visa cards have a 3 digit numeric code, that's 1000 combinations.

2'200'000/1000 = 2200

I'm a bit rusty on my probability maths, but if they tried to use all 2.2 million card numbers and tried a random code for each one till they were suspended, most would be suspended but some would be broken through!

Also, do ALL transactions need the security code?

Could this basis be used to phish the security codes, possibly with a spoofed bank message? I wouldn't fall for that, but how many others would?
 

MightyMole

New member
Mar 5, 2011
Bara_no_Hime said:
It should probably be pointed out, as it was in the other thread on this, that some of the information that the "hackers" claim to have wasn't included in the things that PSN asks for, so this whole "selling the cards" thing is likely bogus.

Yes, people are claiming to have them. To quote the other thread, I can put a "Moon for Sale" entry on Craigslist, but it doesn't make it true.
I think Destructoid already proved they did ask for this.

http://www.destructoid.com/sony-didn-t-need-your-cc-security-code-except-it-did--199973.phtml

Doesn't mean the people selling CCNs aren't bogus, doesn't mean that Sony still has the CVV in their databases, but it does prove that they lied, again...
 

BGH122

New member
Jun 11, 2008
Treblaine said:
On the security code issue, how much damage could they do with just my card number but without security code? 3-4 digit code can't be that hard to crack.
Those 3 digit codes are very, very hard to crack. It's not like cracking PC passwords, every time they try one of the 1000 combinations they have to do so by submitting it to the bank. Odds are that they'd find the card suspended for potential fraudulent activity (as most banks do in such a scenario) long before they correctly guessed the code.
 

RhombusHatesYou

Surreal Estate Agent
Mar 21, 2010
Treblaine said:
I'm a bit rusty on my probability maths, but if they tried to use all 2.2 million card numbers and tried a random code for each one till they were suspended, most would be suspended but some would be broken through!
With the limited number of combinations you'd probably have more luck pulling a 3 digit code out of a pseudo-random number generator (PRNG) and using it for all 2.2 million accounts. Take those cards out of the pool, repeat the process as many times as possible (each time with a new PRNG derived number) until all cards are either verified or suspended.

Mathematically, assuming 5 rounds before all cards were exhausted:

2200 verified cards in the 1st round
2197 verified cards in the 2nd round
2195 verified cards in the 3rd round
2193 verified cards in the 4th round
2191 verified cards in the 5th round


for a grand total of 10976 (just under 0.5% of all the cards) verified cards (and taking a total of 10978026 verification attempts all up). Not too shabby, when you think about it. If you could get $500 out of even half those cards you'd be sitting on $2744000, which isn't pocket change for most people.

The problem would be cycling all 2.2 million accounts in a way that didn't take several lifetimes or create suspicious data traffic patterns... which would be pretty much impossible without a MASSIVE botnet.

Also, do ALL transactions need the security code?
Far as I know, yes.

Could this basis be used the phish the security codes possibly with a spoofed bank message. I wouldn't fall for that but how many others would?
Now you're thinking... and you're right. The more personal information you have on someone the easier it is to get even more out of them. You'd probably get more CVCs/CSCs using other collected information and fronting as a bank or whatever and in a much shorter time if you attempted email scamming the 2.2 million account holders... but you'd want some seriously automated processes to handle all that.
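The round-by-round arithmetic above is worth checking with a calculation, so here is an added Python example (not code from the thread or from any party named in it). It takes the post's own assumptions, stated as assumptions: every card has an independent, uniformly random 3-digit CVC, the issuer suspends a card after a fixed number of failed CVC checks, the attacker never repeats a code against the same card, and a verified card leaves the pool. `expected_hits_per_round` gives the analytic expectation; `simulate_spray` is a Monte Carlo check of the same spray. Under those assumptions each round yields pool_size/1000 cards, so five rounds give 11,000 rather than the post's 10,976: the cards that survive a round have one fewer untried code, which exactly offsets the shrinking pool. The security point is the one the post makes: a per-card lockout caps a single card's exposure at attempts/1000, but it does not cap the pool's yield at all, which is why issuers and acquirers also need cross-card velocity checks (the same merchant generating CVC failures across thousands of distinct cards) rather than per-card counters alone.

```python
"""Yield of spraying CVC guesses across a large pool of stolen card numbers.

Added example, not from the thread. Assumptions (not facts from the page):
every card has an independent, uniformly random 3-digit CVC; the issuer
suspends a card after max_attempts failed CVC checks; the attacker never
repeats a code against the same card; each accepted CVC removes that card
from the pool.
"""
import random

CODE_SPACE = 1000  # 3-digit numeric CVC: 000-999


def single_card_success_probability(max_attempts):
    """Chance of guessing one card's CVC before the issuer suspends it."""
    return min(max_attempts, CODE_SPACE) / CODE_SPACE


def expected_hits_per_round(pool_size, rounds):
    """Analytic expectation: cards verified in each round of a spray.

    Round r (0-based) starts with `remaining` unsuspended, unverified cards,
    each with CODE_SPACE - r untried codes, so one fresh guess per card
    succeeds with probability 1 / (CODE_SPACE - r). The shrinking pool and
    the shrinking code space cancel, so every round yields pool_size / 1000.
    """
    remaining = float(pool_size)
    hits_per_round = []
    for r in range(rounds):
        hits = remaining / (CODE_SPACE - r)
        hits_per_round.append(hits)
        remaining -= hits
    return hits_per_round


def simulate_spray(pool_size, max_attempts, seed=1):
    """Monte Carlo of the same spray. Returns (verified, suspended, attempts).

    Trying distinct codes in random order is equivalent to placing the true
    code at a uniformly random position in the guess sequence, so a single
    draw per card reproduces that card's whole attempt history.
    """
    rng = random.Random(seed)
    verified = suspended = attempts = 0
    for _ in range(pool_size):
        position = rng.randrange(CODE_SPACE)  # index of the true CVC in guess order
        if position < max_attempts:
            verified += 1
            attempts += position + 1  # guesses spent before the hit, plus the hit
        else:
            suspended += 1
            attempts += max_attempts  # all allowed guesses burned, card locked
    return verified, suspended, attempts


if __name__ == "__main__":
    N, K = 2_200_000, 5  # pool size and per-card attempt limit from the thread
    print("single card, %d tries: %.3f%%" % (K, 100 * single_card_success_probability(K)))
    for i, h in enumerate(expected_hits_per_round(N, K), 1):
        print("round %d: %.1f cards verified (expected)" % (i, h))
    v, s, a = simulate_spray(N, K)
    print("simulation: %d verified, %d suspended, %d attempts" % (v, s, a))
```

Running it with the thread's 2.2 million cards and five attempts per card reports 0.5% for a single card and about 2200 verified cards per round; the simulation lands within statistical noise of 11,000 verified and roughly 11 million attempts.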
 

RhombusHatesYou

Surreal Estate Agent
Mar 21, 2010
BGH122 said:
Those 3 digit codes are very, very hard to crack. It's not like cracking PC passwords, every time they try one of the 1000 combinations they have to do so by submitting it to the bank. Odds are that they'd find the card suspended for potential fraudulent activity (as most banks do in such a scenario) long before they correctly guessed the code.
Brute forcing a single CVC with a limited number of attempts is such a low order probability that it would only happen in circumstances best described as 'divine intervention' or 'the arsiest arsiness in the history of arse'.
 

Treblaine

New member
Jul 25, 2008
RhombusHatesYou said:
Treblaine said:
I'm a bit rusty on my probability maths, but if they tried to use all 2.2 million card numbers and tried a random code for each one till they were suspended, most would be suspended but some would be broken through!
With the limited number of combinations you'd probably have more luck pulling a 3 digit code out of a pseudo-random number generator (PRNG) and using it for all 2.2 million accounts. Take those cards out of the pool, repeat the process as many times as possible (each time with a new PRNG derived number) until all cards are either verified or suspended.

Mathematically, assuming 5 rounds before all cards were exhausted:

2200 verified cards in the 1st round
2197 verified cards in the 2nd round
2195 verified cards in the 3rd round
2193 verified cards in the 4th round
2191 verified cards in the 5th round

for a grand total of 10976 (just under 0.5% of all the cards) verified cards. Not too shabby, when you think about it. If you could get $500 out of even half those cards you'd be sitting on $2744000, which isn't pocket change for most people.

The problem would be cycling all 2.2 million accounts in a way that didn't take several lifetimes or create suspicious data traffic patterns... which would be pretty much impossible without a MASSIVE botnet.

Also, do ALL transactions need the security code?
Far as I know, yes.

Could this basis be used the phish the security codes possibly with a spoofed bank message. I wouldn't fall for that but how many others would?
Now you're thinking... and you're right. The more personal information you have on someone the easier it is to get even more out of them. You'd probably get more CVCs/CSCs using other collected information and fronting as a bank or whatever and in a much shorter time if you attempted email scamming the 2.2 million account holders... but you'd want some seriously automated processes to handle all that.
So this information IS valuable even without corresponding security codes.

I believe the term for phishing when you have a lot of details on someone is actually "spear phishing", as unlike the fishing metaphor where you spam messages blindly and widely, here you hunt them down and hit them with just the right thing. I wonder if these card details are matched with user data.

Hmm, but what IS this information.

Sony claims there is "no evidence" the card details were stolen and they were encrypted anyway. What if these details have been grabbed encrypted and they are on sale to anyone who can decrypt them?

Actually, what if this is a trap?



What if these "card details from PSN" are a plant by the authorities or even Sony herself to root out any buyers. It would make for good publicity, they may not catch the people who actually broke in but will catch someone interested on making a killing with it.

This could even be just another scammer trying to scam the scammers: it's an encrypted file full of porn or something, and they hope to be off with the down payment before anyone notices. I'm inclined to believe this the most, it just seems like something that so many would try to do considering what's been in the news.
 

RhombusHatesYou

Surreal Estate Agent
Mar 21, 2010
Treblaine said:
So this information IS valuable even without corresponding security codes.
The personal information is way more valuable to shady persons than an encrypted file full of credit card numbers. Personal information is always valuable to someone, which is why data mining is a growth industry.

Sony claims there is "no evidence" the card details were stolen and they were encrypted anyway. What if these details have been grabbed encrypted and they are on sale to anyone who can decrypt them?
If the files were encrypted at the level most financial institutions require then the chances of anyone being able to decrypt them without the correct decryption key before they die of old age are... rather remote. People who say 'any encryption can be broken' really need to read up on modern encryption systems.
 

Ickorus

New member
Mar 9, 2009
Yeah, enjoy the entire £1 on my card, good luck with that.

Still, i'll go have a chat with my bank in case I run into a reasonable sum of money in the future.
 

Treblaine

New member
Jul 25, 2008
RhombusHatesYou said:
Treblaine said:
So this information IS valuable even without corresponding security codes.
The personal information is way more valuable to shady persons than an encrypted file full of credit card numbers. Personal information is always valuable to someone, which is why data mining is a growth industry.

Sony claims there is "no evidence" the card details were stolen and they were encrypted anyway. What if these details have been grabbed encrypted and they are on sale to anyone who can decrypt them?
If the files were encrypted at the level most financial institutions require then the chances of anyone being able to decrypt them without the correct decryption key before they die of old age are... rather remote. People who say 'any encryption can be broken' really need to read up on modern encryption systems.
Hmm, well you know those chat logs are going around that claim they have pretty low level encryption WITHIN the network. You know, small volume files with only a short key.
 

cerberus118

New member
Apr 24, 2011
Lance Arrow said:
Eh, Kotaku. Judging from the exaggerated headline conflicting at some point with the actual story, I call bull on this one.
I'm with you on this one. I haven't heard of anything like this many people leaving PS3 and from those I've talked to, few are planning on it. I would guess this is leaked info from Sony as an expected loss of people using the PS3.
 

RhombusHatesYou

Surreal Estate Agent
Mar 21, 2010
Treblaine said:
Hmm, well you know those chat logs are going around that claim they have pretty low level encryption WITHIN the network. You know, small volume files with only a short key.
Yeah, just read through the fucking thing...

Thing is, the only bit they talk about credit cards is where they're saying custom firmware from unknown sources is bad because it would be very easy for someone to slip in some code that will steal your CC info because your own console's security is compromised. Most of the rest of the log is them talking about how poorly secured the PSN itself is and all the exploits they've found.

Anyway, the method of snaffling CC details with dodgy custom firmware (CFW) isn't breaking encryption. It's actually an effective method for avoiding having to deal with encrypted data at all.
 

BGH122

New member
Jun 11, 2008
RhombusHatesYou said:
BGH122 said:
Those 3 digit codes are very, very hard to crack. It's not like cracking PC passwords, every time they try one of the 1000 combinations they have to do so by submitting it to the bank. Odds are that they'd find the card suspended for potential fraudulent activity (as most banks do in such a scenario) long before they correctly guessed the code.
Brute forcing a single CVC with a limited number of attempts is such a low order probability that it would only happen in circumstances best described as 'divine intervention' or 'the arsiest arsiness in the history of arse'.
Precisely, and unlike PC password hacking you have to wait for a response from a server every time you make another guess. But, CVCs are random numeric with nothing to allow for anything but brute force. Without CVCs they've got nothing.
 

Paragon Fury

The Loud Shadow
Jan 23, 2009
I've seen this story already, it's almost certainly BS.

For one, your CC information was/is stored on a separate, encrypted server, not the one that got hacked into. And from what we know, no one cracked into the encrypted server, so that is strike one.

Strike two is the claim to have the security code, which would be almost impossible, because the PSN rarely (if ever) asked for it, and there is basically no service on the planet that stores it; they all delete it of their own will as a security measure, or companies like VISA and Mastercard make companies delete it.

Strike three is the boasting/letting outsiders know about it; it's not something anyone smart enough to steal the information would do. That would just cause people to take measures to prevent fraud, making it so that you wasted your time getting the info in the first place.
 

Squarez

New member
Apr 17, 2009
If Sony had ANY evidence that card details had been stolen, they would tell their members IMMEDIATELY, so that they can change their details or whatever. Anyone who thinks otherwise is, quite frankly, an idiot.
 

AmayaOnnaOtaku

The Babe with the Power
Mar 11, 2010
As a precaution I cancelled my card and got a new one. The bank said they are busy sending out new cards and putting fraud watches on accounts thanks to Sony's epic fail
 

Treblaine

New member
Jul 25, 2008
Paragon Fury said:
Strike two is the claim to have the security code, which would be almost impossible, because the PSN rarely (if ever) asked for it, and there is basically no service on the planet that stores it; they all delete it of their own will for security measure, or companies like VISA and Mastercard make companies delete it.
I don't know about you, but I have bought many things on PSN as well as Steam, Amazon and so on after I had made a previous order, with my card details saved from last time. Never does it ask me to re-enter my security code.

Either it deletes ALL my card details and I have to enter them all in again, or it leaves just a tick box to check to finalise.

So either it has saved my security code or a heck of a lot of transactions do not need it.

So what the hell is going on? The security code, that's the code next to your signature on the back of the card, right?
 

Paragon Fury

The Loud Shadow
Jan 23, 2009
Treblaine said:
Paragon Fury said:
Strike two is the claim to have the security code, which would be almost impossible, because the PSN rarely (if ever) asked for it, and there is basically no service on the planet that stores it; they all delete it of their own will for security measure, or companies like VISA and Mastercard make companies delete it.
I don't know about you, but I have bought many things on PSN as well as Steam, Amazon and so on after I had made a previous order, with my card details saved from last time. Never does it ask me to re-enter my security code.

Either it deletes ALL my card details and I have to enter them all in again, or it leaves just a tick box to check to finalise.

So either it has saved my security code or a heck of a lot of transactions do not need it.

So what the hell is going on? The security code, that's the code next to your signature on the back of the card, right?
It doesn't need it every time because it's used to verify that the card is real, and that you're really the one using it.

It doesn't ask for the Security Code again because it doesn't need to if the card was/still is legitimate. That's why Amazon, Steam etc. don't ask for it multiple times so long as the original user is the one using the card.

Now, unless these hackers then somehow log into your Steam/Amazon/XBL account etc., they won't be able to use your CC without the Security Code, which wasn't stored anywhere on PSN. The only real danger would be someone trying to use your CC on PSN under your name, but since PSN is down right now, they can't do that. And Sony would have had to suffer a severe lobotomy of some kind in order to not require everyone on PSN to re-confirm or change their info upon its re-launch.

As long as you watch your credit/debit reports for a couple of months to make sure there are no odd charges, there really isn't anything to worry about, other than maybe a shit ton of spam in your in-box for a while.
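The exchange above turns on how a shop can let you buy again with a "tick the box" checkout without keeping your security code. The following Python is an added example, not code from PSN, Steam, Amazon or the thread, that sketches the usual card-on-file pattern: the CVC is checked once, on the first purchase, when the processor tokenises the card; the merchant keeps only the token, expiry and last four digits, and later purchases charge the token. The issuer check, the processor, the token vault and the card numbers are constructed stand-ins, and `LeakyMerchant` is the anti-pattern beside it, keeping the CVC next to the card number, which PCI DSS forbids once the transaction is authorised. Dumping either database in the compliant design yields no CVC, and dumping the merchant's yields no card number either.

```python
"""Card-on-file checkout that never persists the CVC, beside the leaky version.

Added example, not code from any service named in the thread. The issuer,
processor and card data are constructed stand-ins (assumptions).
"""
import secrets

# Constructed issuer-side records for well-known test card numbers:
# PAN -> (expiry, CVC). Not real cards.
ISSUER_RECORDS = {
    "4111111111111111": ("12/27", "123"),
    "5555555555554444": ("06/26", "987"),
}


def issuer_verify_cvc(pan, expiry, cvc):
    """Stand-in for the card network's CVC check: one round trip per attempt."""
    return ISSUER_RECORDS.get(pan) == (expiry, cvc)


class Processor:
    """Stand-in payment processor with a token vault.

    The vault maps an opaque token to PAN + expiry. The CVC is verified
    exactly once, at tokenisation, and is never written anywhere.
    """

    def __init__(self):
        self._vault = {}  # token -> (pan, expiry)

    def tokenize(self, pan, expiry, cvc):
        if not issuer_verify_cvc(pan, expiry, cvc):
            return None
        token = "tok_" + secrets.token_hex(8)  # unguessable, meaningless outside the vault
        self._vault[token] = (pan, expiry)
        return token

    def charge_token(self, token, amount):
        """Card-on-file charge: no CVC is required, and none is available."""
        return token in self._vault and amount > 0

    def dump(self):
        """What an attacker gets from the vault database: PAN + expiry, no CVC."""
        return dict(self._vault)


class LeakyMerchant:
    """Anti-pattern: keeps the full card, CVC included, in its own database."""

    def __init__(self):
        self.db = {}  # user -> full card data

    def checkout(self, user, pan, expiry, cvc, amount):
        if not issuer_verify_cvc(pan, expiry, cvc) or amount <= 0:
            return False
        self.db[user] = {"pan": pan, "expiry": expiry, "cvc": cvc}
        return True


class Merchant:
    """Stores only a token and display data; the CVC is forwarded, never stored."""

    def __init__(self, processor):
        self.processor = processor
        self.db = {}  # user -> {"token", "last4", "expiry"}

    def first_checkout(self, user, pan, expiry, cvc, amount):
        token = self.processor.tokenize(pan, expiry, cvc)
        if token is None:
            return False  # wrong CVC: nothing is saved for this user
        self.db[user] = {"token": token, "last4": pan[-4:], "expiry": expiry}
        return self.processor.charge_token(token, amount)

    def repeat_checkout(self, user, amount):
        """The 'tick the box' purchase: no CVC prompt, no CVC on disk."""
        rec = self.db.get(user)
        return rec is not None and self.processor.charge_token(rec["token"], amount)


def leaked_fields(db):
    """Field names an attacker would see in a dump of a merchant database."""
    return sorted({field for row in db.values() for field in row})


if __name__ == "__main__":
    proc, shop = Processor(), Merchant(proc)
    print("first purchase:", shop.first_checkout("alice", "4111111111111111", "12/27", "123", 10))
    print("repeat purchase:", shop.repeat_checkout("alice", 5))
    print("merchant dump exposes:", leaked_fields(shop.db))
    print("vault dump holds CVCs:", any(len(v) > 2 for v in proc.dump().values()))
```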
 

RhombusHatesYou

Surreal Estate Agent
Mar 21, 2010
BGH122 said:
RhombusHatesYou said:
BGH122 said:
Those 3 digit codes are very, very hard to crack. It's not like cracking PC passwords, every time they try one of the 1000 combinations they have to do so by submitting it to the bank. Odds are that they'd find the card suspended for potential fraudulent activity (as most banks do in such a scenario) long before they correctly guessed the code.
Brute forcing a single CVC with a limited number of attempts is such a low order probability that it would only happen in circumstances best described as 'divine intervention' or 'the arsiest arsiness in the history of arse'.
Precisely, and unlike PC password hacking you have to wait for a response from a server every time you make another guess. But, CVCs are random numeric with nothing to allow for anything but brute force. Without CVCs they've got nothing.
True but as I showed up-page, you can brute-force it the other way if you have a pool of accounts that exceeds the number of possible CVC codes.

Of course, I did ignore probabilities and several obvious variables.