Is it time for Sony to start throwing people under the bus?
They've already started; their customers.
Now, some people would prefer we keep our customer information "safe". Well, safety isn't what we do here at Sony Entertainment. So we dangled your bank info over a pit of hot lava, filled with fire-resistant sharks that shoot bullets out of their gills. And we dared someone to come steal it. Turns out that sharks have a hard time looking up, so your information is gone now. The important thing is, we learned that sharks make terrible guard animals. But they make great hobo disposals! Cave Johnson, we're done here.
I'm way less of an expert on actual enterprise security, since I don't have any job experience doing security for a large company. I'm taking a class, that's all. That said:
My impression of it comes from two sort of laws about the way the world works:
First, there is a necessary tradeoff between security and convenience. You often have to sacrifice some security to gain convenience, and you have to sacrifice some convenience to gain security. Better security solutions, in general, make you sacrifice less of one to get the other.
Second, information security is a sort of arms race. There are well understood best practices for designing systems to make them harder to breach. There are also additional creative design measures you can undertake, where you have some threats and some usability goals in mind, you HOPE you have thought of all of the threats, and you implement it and try your luck. Last, there are organizational safeguards you can implement where you assume some of your security will fail at some point, and design policies and procedures and audit controls so the impact of a security breach is minimal.
Here's some information that may be new to the thread, since I work in the credit card processing industry. (Any opinions in this post are my own, and may or may not be the opinions of my employer.) When a company (like Sony) signs a contract for a merchant account, part of that contract binds them to Visa and Mastercard's policies and procedures. There are some Payment Card Industry (PCI) security standards that all merchants are required to follow, and the merchant account agreement necessarily requires the merchant to agree to some significant fines and penalties if they don't follow these security standards, and that failure results in a breach.
If I understand correctly, that agreement also empowers the card associations to do on-site forensic audits to confirm compliance. Because there was a security breach, we can safely assume one of these audits is being done by a security firm hired by the card associations, not by Sony. As I understand the fines, if Sony is found to be in compliance with all of these best practices, but the breach still happened, they wouldn't be considered responsible for the breach and wouldn't be fined. If the audit finds that they were not in compliance, they could be facing some HUGE fines from the card associations, which they would be contractually obligated to pay because they signed a merchant account contract.
I think the easiest way to see these requirements is https://www.pcisecuritystandards.org/security_standards/documents.php. The site requires you to accept some license agreement to get the PDF, but if you feel comfortable doing that, you can download and read the 75-page PDF.
If Sony's corporate compliance folks are competent, we should assume that every requirement on that list was being followed. Yet a breach happened anyway. If they weren't compliant, this could be very bad for Sony.
I don't want to sound lazy, but would it be safe to assume that the whole "known vulnerability that they were unaware of" thing precludes this? It seems like being aware of known vulnerabilities and acting to counter them would be pretty high on that list.
Yup, debit cards are a much bigger problem than credit cards.
...
On another note, and as much as I like to LOLSony, how do you even detect this kind of intrusion?
I mean, to what extent is this their fuckup? I would have NO IDEA if someone 'hacked into my network'.
Is this stuff epically difficult to deal with or have Sony just been careless?
I was thinking the same thing. How safe is online in general if someone really wants at the stuff? I guess this isn't as uncommon as people would like to think, which is something one of my web security friends was explaining to me; he then named off a list of instances I've never even heard of, most recently some bank or something. It's kinda freaky.
I don't understand, how is Sony going to announce that they'll give all those SOE customers copies of Fat Princess to compensate? Isn't it PS3 only?
Actually there's a PSP version as well.
Have they actually announced that? I haven't seen anything.
Oh right, the PSP. But still, that's not a PC! Anyway they haven't announced it yet, I'm just betting it will be. It was basically Sony's baby, like Castle Crashers was on 360 for a long time, so I'm just assuming it'll be the free download to everyone in English-speaking countries. That or a Home shirt.
If you are hit by a known vulnerability while in possession of personally identifiable information and credit card numbers, I am pretty certain that any court in the US will find you legally negligent. While breaches happen relatively frequently, they happen due to poor security. I think several people have been saying that there's never been a sizable CC breach by a company that was found PCI compliant at the time (though I haven't actually researched that factoid by myself).
With regards to whether or not you would have any idea if someone hacked into your network, two things:
(1) You are (presumably) not a professional computer security expert, nor are you a corporation who should be reasonably expected to have hired such, and
(2) I am pretty much certain that if you google "How do I know if someone hacked into my network", you will find a lot of viable answers in very short order.
Do I have anything to worry about if the last SOE game I subbed to was EQ2, like 5 years ago? Our CC info has of course changed since then, and I would assume that they wouldn't even still have my info. Or would they?
Per Visa Chief Enterprise Risk Officer, Ellen Richey, "...no compromised entity has yet been found to be in compliance with PCI DSS at the time of a breach."
Of course they still have info. I haven't played EQ1 in many years but a couple months back when they gave everyone a free couple weeks I downloaded it and logged on like nothing ever changed. If your CC has changed then I doubt there's much to worry about, but they'll still probably have your address and stuff if that's the same.
Thanks, I was really hoping someone had that quote lying around. I've been trying to decide whether or not to wade through the last 100 pages or so of this stuff to see if I could find a citation.
The list of stuff that has been compromised:
name
address
e-mail address
birthdate
gender
phone number
login name
hashed password
Although if you had a PSN account, most of that might have been compromised already.
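The "hashed password" entry in that list is the one people in this thread keep asking about, so here is an added example (not code from the thread, from Sony, or from any of the posters) of what an attacker actually does with a leaked hash dump. The thread never says which hashing scheme Sony used; the code assumes one weak scheme (a single unsalted SHA-1) and one hardened scheme (a per-user salt with PBKDF2-HMAC-SHA256), and the users, passwords, salts and wordlist are all constructed for the example.

```python
import hashlib
import hmac

# Constructed wordlist standing in for the attacker's dictionary (assumption: a real
# attacker has millions of entries; six are enough to show the mechanics).
WORDLIST = ["password", "123456", "letmein", "everquest", "sony2011", "dragon"]

# Constructed "leaked" accounts. Hypothetical users; nothing here comes from the breach.
PLAINTEXTS = {"alice": "letmein", "bob": "dragon", "carol": "correct horse battery"}

KDF_ITERS = 1000  # deliberately low so the example runs instantly; production uses far more


def unsalted_hash(password: str) -> str:
    """One plain SHA-1 over the password: the weak scheme assumed for the 'before' case."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes, iters: int = KDF_ITERS) -> str:
    """Per-user salt plus an iterated KDF (PBKDF2-HMAC-SHA256): the hardened scheme."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters).hex()


def make_unsalted_dump() -> dict:
    """What the database would hold under the weak scheme: user -> hash."""
    return {user: unsalted_hash(pw) for user, pw in PLAINTEXTS.items()}


def make_salted_dump() -> dict:
    """What the database would hold under the hardened scheme: user -> (salt, hash).
    Fixed salts keep the example reproducible; a real system draws them from os.urandom."""
    return {user: (f"salt-{user}".encode(), salted_hash(pw, f"salt-{user}".encode()))
            for user, pw in PLAINTEXTS.items()}


def crack_unsalted(dump: dict, wordlist: list) -> tuple:
    """Dictionary attack on unsalted hashes.

    One hash per dictionary word builds a lookup table that is checked against every
    leaked user at once, so the cost is len(wordlist) no matter how many accounts leaked.
    Returns (recovered {user: password}, number of hash computations).
    """
    table = {unsalted_hash(word): word for word in wordlist}
    recovered = {user: table[h] for user, h in dump.items() if h in table}
    return recovered, len(wordlist)


def crack_salted(dump: dict, wordlist: list, iters: int = KDF_ITERS) -> tuple:
    """Same attack against salted, iterated hashes.

    The salt defeats the shared table: every word must be rehashed separately for each
    user, and each rehash costs `iters` rounds. Returns (recovered, KDF computations).
    """
    recovered = {}
    computations = 0
    for user, (salt, target) in dump.items():
        for word in wordlist:
            computations += 1
            if hmac.compare_digest(salted_hash(word, salt, iters), target):
                recovered[user] = word
                break
    return recovered, computations


if __name__ == "__main__":
    rec_u, cost_u = crack_unsalted(make_unsalted_dump(), WORDLIST)
    rec_s, cost_s = crack_salted(make_salted_dump(), WORDLIST)
    print(f"unsalted: recovered {rec_u} with {cost_u} hash computations")
    print(f"salted:   recovered {rec_s} with {cost_s} KDF calls of {KDF_ITERS} rounds each")
```

The practical point for anyone in the thread: "hashed" only protects you if the hash was salted and slow. With an unsalted fast hash, one pass over a wordlist cracks every weak password in the entire dump at once (six hash computations above recover two of three accounts), whereas the salted, iterated version forces per-user work that grows with the iteration count; either way, a password that appears in a wordlist should be treated as exposed and changed anywhere it was reused.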
Oh thank God. I've inexplicably been wearing a tutu since a week or so ago and now it makes sense - my gender was compromised.
This is just getting worse and worse. I'm very glad I jumped ship after the PS2 and only own a DS these days.
hmm.. I don't remember if I played an SOE game in 2007. Though I did give DCOnline a try at launch. I canceled the DCO account a while ago though.
And here I thought I could be just a spectator in this.
This is what I've been thinking. I set up a PSN account when I bought a PS3 in December but never bought anything on it, only with the intent to in the future, but never had time for the system. And I played DCO for about 5 weeks, enough to get charged for a month's subscription, then cancelled it.
It's just really streets behind, Sony.
They wouldn't still have CC info after canceling a sub in Jan, though.
....Right?
Cause I really don't want to have to set everything back up next week if I need to get a new one.
Considering all the new revelations coming out practically hourly, I wouldn't take any chances.
Wait, is the thread title saying credit cards were stolen from PSN users, or SOE users?
Can we get an answer to this question? It's kind of important, I reckon.
And ruin the sensationalism and fear-mongering? Psh!
...or you could read the OP, and see that it was SOE users from 2007. No fearmongering, we're factmongering here.
That, and the fact that it's specific to Spain, Germany, Austria, etc. seems like critical info. A blanket statement like the one in the thread title is pretty dire, and bound to give people (at least me) the wrong idea.
I'd love to include more info in the thread title, but I only get so many characters and we keep getting new news.
As fucking stupid as it seems, it's actually a rock solid business move.
No it's not, because Sony are NEVER getting my personal details of any sort ever again after this. In fact I am making sure my Xbox Live doesn't even have my personal details or credit card information anymore. To me, a "Rock Solid Business Move" is when you get caught with your pants down around your ankles and your dick out by a hacker, and you tell your fucking customers. You don't wait six god damned days before you say "Oh um, btw we totally got hacked and someone stole all your shit. Sorry!". I have had to cancel credit cards (with my previous New Zealand bank, so at a personal cost to me, ringing them from Australia), change passwords on just about every site I can think of (as I don't know offhand what password my PSN used) and make sure my personal details aren't going to be used maliciously.
I mean I am *super* pissed off about this. If they think a free month of a shitty service I don't want will placate me, they are dead wrong.
On the bright side, at least you aren't living in New Zealand any more.
But seriously, I absolutely agree. They done fucked up, and their response is to try to hook us on a shitty subscription service? They need to actually try to make up for their repeated mistakes here (for instance, I've been without a credit card for around 5 days now, and I make all of my purchases with a credit card. How do you put a dollar value on the inconvenience that has caused me?), and they aren't even making an admission of guilt yet.
It's really hard to be sensationalist here. Even if we wanted to, Sony keep outdoing us.
I mean this SOE news is a pretty big deal, even if the credit cards are all outdated. Particularly since it happened before the PSN attack, and we're just now finding out about it.
You can't remove credit card data from your Live Account as far as I know, so you're screwed on that front.
Yes you can. Just log in on xbox.com.
As far as this news... Jesus. You know, at this point I'm hoping Sony at least apologizes to its customers. I know if this happened on Microsoft's side I'd be ridiculously mad. The fact they don't even know what's going on with their systems is just horrible.
25 MILLION more accounts hacked
This isn't good for Sony