28 July 2014

Please Engage Brain

Keith Appleyard - available for hire


Whatever...

A place to share stuff that isn't at all fintec related but is amusing, absurd or scary.
A post relating to this item from Finextra:

Massive Sony data breach leaves card details at risk

27 April 2011  |  9438 views  |  0
More than 70 million Sony PlayStation Network customers are being warned to watch out for scams after the Japanese electronics giant admitted its systems have been hacked and personal information - po...

How Security savvy are Sony?

28 April 2011  |  5245 views  |  3

Yesterday (Wed) we had Sony being not very re-assuring, saying "While there is no evidence that credit card data was taken at this time, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, to be on the safe side we are advising you that your credit card number (excluding security code) and expiration date may also have been obtained."

Now today (Thu) we have Sony providing some reassurance, saying "The entire credit card table was encrypted and we have no evidence that credit card data was taken."

So on the one hand, why cause such consternation in the first place? On the other hand, there's no information regarding what encryption was being used.

Maybe we're only talking about Single DES or some such? Maybe they don't know what they mean by encryption? I've experienced instances where companies I've been checking out didn't know the difference between hashing and encryption, and thought that MD5 was encryption (and didn't know that it had been compromised).

Certainly the fact that personal data including passwords appear to have been held in the clear, rather than being subject to a one-way hash, suggests that Sony weren't exactly at the cutting edge of security practices?

"The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack."

So until more details are forthcoming, people will continue to wonder just how sophisticated it was? 

Tags: Security, Risk & regulation

Comments: (7)

Anthony Cossey - Fixnetix ltd - London | 28 April, 2011, 15:54

As a user of Sony's services I was too reading their slow ebb of information this week, being progressively shocked by facts such as passwords could be read by a hacker, thus were stored "in the clear"; the final nightmare of credit card numbers being obtained is again a fuzzy read between the lines of "it should be ok" as the data "is encrypted somehow". Perhaps the endless pages of the end user agreement required when you sign up should mention such facts, such as how Sony actually intend to protect your data on their systems, rather than all the "get out of jail free" statements of the usual end user agreements.

Keith Appleyard - available for hire - Bromley | 29 April, 2011, 14:06

Now we have reports that perhaps the credit cards weren't all protected by strong encryption, and that the hackers have a database that includes 2.2 million credit card numbers, and that they are hoping to sell the credit card list for upwards of $100,000 (courtesy of NY Times & Trend Micro).

Keith Appleyard - available for hire - Bromley | 02 May, 2011, 15:02

Listening to the recording of the Sony press conference on Sunday, they eventually confirmed that the passwords were 'hashed' - but no details are forthcoming regarding what they were hashed with, or if they were salted, citing the need to keep some security details secret from the hackers.

They did announce that they are going to recruit a Corporate Information Security Officer - so I presume they didn't employ one up to now?
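The distinction the post and this comment turn on, between a password held in the clear or behind a reversible cipher, an unsalted fast digest such as MD5, and a salted, iterated one-way hash, as an added example that is not from the original post or from Sony's systems (the iteration count and record format are assumptions chosen for the demo):

```python
# Added example (not from the Finextra post). Contrasts an unsalted MD5 digest
# with a salted PBKDF2 record of the kind a password store should hold.
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000  # assumption: iteration count chosen for this demo


def md5_unsalted(password: str) -> str:
    """The weak scheme: fast and unsalted, so identical passwords give identical
    digests and a precomputed table of common passwords recovers them wholesale.
    Shown only to contrast with store_password() below."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def store_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record 'pbkdf2_sha256$iterations$salt$digest'.
    A fresh 16-byte random salt per user means two users sharing a password
    get unrelated records, and no table can be computed ahead of time."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time.
    Verification never requires recovering the plaintext from the record,
    which is what makes this a one-way hash rather than encryption."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    pw = "correct horse"  # constructed sample password
    print(md5_unsalted(pw) == md5_unsalted(pw))  # True: same input, same digest
    r1, r2 = store_password(pw), store_password(pw)
    print(r1 == r2)  # False: per-user salt makes the records differ
    print(verify_password(pw, r1), verify_password("wrong", r1))  # True False
```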

Keith Appleyard - available for hire - Bromley | 03 May, 2011, 14:45

Sony disclose an earlier breach compromised 25 million accounts with Sony Online Entertainment.

In a statement, Sony said credit card details and other personal information such as names, home addresses, e-mail addresses, dates of birth, phone numbers and gender information had been pillaged.

Additionally, direct debit details of around 10,700 customers in Austria, Spain, the Netherlands and Germany were stolen, as were the credit or debit card details of some 12,700 non-US customers. Sony said that this data was taken from an outdated 2007 database which may no longer be usable.

If it was no longer usable, then why haven't they deleted it?

However, if it was me, then I'm still using the same Bank Account I was using in 2007, so that makes the Account still 'live' and holding funds, and with the rise of Debit Cards valid for 3/4 years, then who is to say that the 2007 records have expired yet?

Anyway, simply increment the Expiry Date, and for those transactions that don't even ask for the CVV Security Code, you're in business.

Keith Appleyard - available for hire - Bromley | 03 May, 2011, 14:56

PCI-DSS 3.1 states: "Keep cardholder data storage to a minimum. Develop a data retention and disposal policy. Limit storage amount and retention time to that which is required for business, legal, and/or regulatory purposes."

Well once you've been paid by the Credit Card Issuer / Direct Debit Bank, why keep the data longer than say 3 months, rather than 3 years?

So even if Sony did a self-assessment, I don't think they can hand on heart say that they were PCI-DSS compliant as far as this particular database was concerned.

John Dring - Intel Network Services - Swindon | 05 May, 2011, 07:26

I think the Sony disinformation was a complete mess. It doesn't look like they were even attempting to be PCI compliant, and so the question is what will the industry do about that? Probably nothing again, if Sony fall into the category of 'too big to touch'? Sounds familiar.

Dean Procter - Transinteract - Sydney | 07 June, 2011, 11:22

I understand at least 12 Sony sites have been compromised, sort of ongoing thing with imitators abounding.

Sony while great with the electronics, never struck me as very forward thinking when it came to the interwebs.

I'd expect Tepco #Fukushima type public information flow, if you know what I mean.
