Eight days after Sony took the PlayStation Network offline, rumors and misinformation continue to swirl around the unprecedented shutdown and massive data breach that affected an estimated 77 million users.
Security expert Kevin Stevens of TrendMicro tweeted today (April 28) that low-level cybercriminals using "carder" online forums were offering to sell a database of 2.2 million credit-card numbers taken during the PlayStation Network breach.
Independent security blogger Brian Krebs then posted screenshots of four hackers discussing the purported database in a chat room.
"xxx: format is: fname, lnams, address, zipcode, country, phone, email, email password, dob, ccnum, cvv2, exp date," wrote user "Sutekh" in one of the screenshots.
In plain English, that's the first name, last name, address, postal code, country, telephone number, email address, email password, date of birth, credit-card number, credit-card security code and credit-card expiration date attached to each of 2.2 million accounts — including "150k german ones," as Sutekh said in a different posting.
"Sony was supposedly offered a chance to buy the DB (database) back but didn't," tweeted Stevens.
Neither Stevens nor Krebs claimed to have seen the actual database being offered, and it almost sounds too good to be true. Why, for example, would Sony have the passwords to users' third-party email accounts, such as Yahoo or Gmail accounts?
Sony: Your credit card information is safe
For its part, Sony dribbled out a bit more information today.
In an FAQ posted on various PlayStation websites worldwide, the company said that "your credit card security code (sometimes called a CVC or CSC number) has not been obtained because we never requested it from anyone who has joined the PlayStation Network or Qriocity, and is therefore not stored anywhere in our system."
(Qriocity is a separate entertainment-delivery network owned and run by Sony, which was also affected by the PlayStation Network breach.)
Sony also stated that, "The entire credit card table was encrypted and we have no evidence that credit card data was taken."
So either the hackers selling the database are lying about having credit card security codes, or Sony is not telling the truth about having them in the first place.
The latter scenario seems far less likely, as Sony would open itself to enormous lawsuits if it were found to be less than truthful about the breach — except that, as was reported yesterday, unencrypted credit card numbers with security codes are exactly what amateur hackers claimed to have found in PlayStation Network development channels two months ago.
Anecdotal evidence of credit card fraud against PlayStation Network users has been showing up on several websites.
"My bank called me to notify me of a suspicious transaction and they confirmed it was indeed a fraudulent withdrawal," a man calling himself Josh Webb emailed to the gaming site VGN365. "I’ve had to cancel my card and order a new one which the bank will transfer my previous account’s money into."
"The number of Ars Technica readers who have had issues with their credit cards in the past few days, and have commented, e-mailed, or Tweeted about the issue, is alarming," wrote Ben Kuchera on the tech blog Ars Technica. "We may be dealing with a coincidence in timing, but when your inbox is heavy with people saying they're fighting fraudulent credit card charges, it may be the first signs of fire somewhere in the smoke."
The first lawsuit
Kristopher Johns of Alabama filed a federal class-action suit against Sony on behalf of all PlayStation Network users on Wednesday in the Northern District of California.
The suit claims that Sony "failed to encrypt data and establish adequate firewalls to handle a server intrusion contingency, failed to provide prompt and adequate warnings of security breaches, and unreasonably delayed in bringing the PSN service back on line." (The PlayStation Network service is still offline.)
It might be hard for Sony to refute those allegations. In its own FAQ today, the company admitted that "The personal data table … was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack."
In other words, once someone got into the restricted part of the network, all user data except credit card numbers was easily obtainable — more than enough information to set up identity thefts and spear-phishing scams en masse.
George Hotz, the 23-year-old New Jersey hacker sued by Sony for hacking the PlayStation 3, pointed out the inherent flaw in the PlayStation Network's security in a blog posting today. (He disavowed any connection to the data breach.)
"Traditionally the trust boundary for a web service exists between the server and the client. But Sony believes they own the client too," he wrote, referring to the PlayStation 3 console as the client. "So if they just put a trust boundary between the consumer and the client (can't trust those pesky consumers), everything is good. Since everyone knows the PS3 is unhackable, why waste money adding pointless security between the client and the server?"
In other words, user authentication was done at the console level during routine logins. Consoles accessing the PlayStation Network were not individually verified, since Sony believed that retail consoles could not be modified to access the behind-the-scenes development channels of the PlayStation Network.
But the fact is that PlayStation 3 consoles could indeed be modified to do just that, which led February's amateurs to allegedly find the unencrypted user data — and which may have opened the way for the data breach.