An article relating to this blog post on Finextra:

Massive Sony data breach leaves card details at risk

More than 70 million Sony PlayStation Network customers are being warned to watch out for scams after the Japanese electronics giant admitted its systems have been hacked and personal information - po...

How Security savvy are Sony?

Yesterday (Wed) we had Sony being not very reassuring, saying "While there is no evidence that credit card data was taken at this time, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, to be on the safe side we are advising you that your credit card number (excluding security code) and expiration date may also have been obtained."

Now today (Thu) we have Sony providing some reassurance, saying "The entire credit card table was encrypted and we have no evidence that credit card data was taken."

So on the one hand, why cause such consternation in the first place? On the other hand, there's no information regarding what encryption was being used.

Maybe we're only talking about single DES or some such? Maybe they don't know what they mean by encryption? I've experienced instances where companies I've been checking out didn't know the difference between hashing and encryption, and thought that MD5 was encryption (and didn't know that it had been compromised).

Certainly the fact that personal data including passwords appear to have been held in the clear, rather than being subject to a one-way hash, suggests that Sony weren't exactly at the cutting edge of security practices?
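As an added illustration (not code from the post, and nothing to do with how Sony's systems were built), the contrast the post draws: unsalted MD5 gives every user with the same password the same digest, whereas a salted one-way derivation such as PBKDF2 gives different records for the same password and still lets the site verify a login without ever storing the password. The sample password and the record layout are constructed for this example.

```python
import hashlib
import hmac
import os

# Constructed sample credential for the example; not data from the breach.
SAMPLE_PASSWORD = "correct horse battery staple"


def md5_unsalted(password: str) -> str:
    """Unsalted MD5: fast and deterministic, so two users with the same
    password get the same digest and precomputed tables apply directly.
    Included only as the 'before' to contrast with the salted scheme below."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def store_password(password: str, iterations: int = 100_000) -> dict:
    """Salted one-way derivation with PBKDF2-HMAC-SHA256.
    The stored record holds salt, iteration count and digest; the password
    itself is never written, so a leaked table does not yield it."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "digest": digest.hex()}


def verify_password(record: dict, candidate: str) -> bool:
    """Re-run the derivation with the stored salt and compare in constant time."""
    expected = bytes.fromhex(record["digest"])
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(expected, actual)


def salted_records_differ(password: str) -> bool:
    """Same password stored twice: digests differ (fresh salt) yet both verify."""
    a, b = store_password(password), store_password(password)
    return a["digest"] != b["digest"] and verify_password(a, password) and verify_password(b, password)


if __name__ == "__main__":
    print("unsalted md5 repeats:", md5_unsalted(SAMPLE_PASSWORD) == md5_unsalted(SAMPLE_PASSWORD))
    print("salted records differ but verify:", salted_records_differ(SAMPLE_PASSWORD))
```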

"The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack."

So until more details are forthcoming, people will continue to wonder just how sophisticated it was?


Comments: (7)

Anthony Cossey - Fixnetix ltd - London, 28 April, 2011, 15:54

As a user of Sony's services I too was reading their slow ebb of information this week, being progressively shocked by facts such as passwords could be read by a hacker, thus were stored “in the clear”; the final nightmare of credit card numbers being obtained is again a fuzzy read between the lines, “it should be ok” as the data “is encrypted somehow”. Perhaps the endless pages of the end user agreement required when you sign up should mention such facts, such as how Sony actually intend to protect your data on their systems, rather than all the “get out of jail free” statements of the usual end user agreements.

Keith Appleyard - available for hire - Bromley, 29 April, 2011, 14:06

Now we have reports that perhaps the credit cards weren't all protected by strong encryption, and that the hackers have a database that includes 2.2 million credit card numbers, and that they are hoping to sell the credit card list for upwards of $100,000 (courtesy of NY Times & Trend Micro).

Keith Appleyard - available for hire - Bromley, 02 May, 2011, 15:02

Listening to the recording of the Sony press conference on Sunday, they eventually confirmed that the passwords were 'hashed' - but no details are forthcoming regarding what they were hashed with, or if they were salted, citing the need to keep some security details secret from the hackers.

They did announce that they are going to recruit a Corporate Information Security Officer - so I presume they didn't employ one up to now?

Keith Appleyard - available for hire - Bromley, 03 May, 2011, 14:45

Sony disclosed an earlier breach that compromised 25 million accounts with Sony Online Entertainment.

In a statement, Sony said credit card details and other personal information such as names, home addresses, e-mail addresses, dates of birth, phone numbers and gender information had been pillaged.

Additionally, direct debit details of around 10,700 customers in Austria, Spain, the Netherlands and Germany were stolen, as were the credit or debit card details of some 12,700 non-US customers. Sony said that this data was taken from an outdated 2007 database which may no longer be usable.

If it was no longer usable, then why haven't they deleted it?

However, if it was me, then I'm still using the same Bank Account I was using in 2007, so that makes the Account still 'live' and holding funds, and with the rise of Debit Cards valid for 3/4 years, then who is to say that the 2007 records have expired yet?

Anyway, simply increment the Expiry Date, and for those transactions that don't even ask for the CVV Security Code, you're in business.

Keith Appleyard - available for hire - Bromley, 03 May, 2011, 14:56

PCI-DSS 3.1 states "Keep cardholder data storage to a minimum. Develop a data retention and disposal policy. Limit storage amount and retention time to that which is required for business, legal, and/or regulatory purposes"

Well once you've been paid by the Credit Card Issuer / Direct Debit Bank, why keep the data longer than say 3 months, rather than 3 years?

So even if Sony did a self-assessment, I don't think they can hand on heart say that they were PCI-DSS compliant as far as this particular database was concerned.

John Dring - Intel Network Services - Swindon, 05 May, 2011, 07:26

I think the Sony disinformation was a complete mess. It doesn't look like they were even attempting to be PCI compliant, and so the question is what will the industry do about that? Probably nothing again, if Sony fall into the category of 'too big to touch'? Sounds familiar.

A Finextra member, 07 June, 2011, 11:22

I understand at least 12 Sony sites have been compromised, sort of ongoing thing with imitators abounding.

Sony while great with the electronics, never struck me as very forward thinking when it came to the interwebs.

I'd expect Tepco #Fukushima type public information flow, if you know what I mean.
