Sony says credit card details *were* encrypted, but questions still remain

Filed Under: Data loss, Law & order

Sony has published a new blog entry confirming that the credit card details which could have been stolen in the recent hack of the PlayStation Network were encrypted.

Sony reassured users of the PlayStation Network that "all credit card information stored in our systems is encrypted", but underlined that it cannot rule out the possibility that the credit card data was stolen.

The fact that encryption was being used on the credit card data is to be welcomed - as it reduces the chances of stolen information being used for fraud.

Credit card details were encrypted

However, the question remains of just how strong the encryption Sony used on the credit card data was, and how the keys that protect it were stored: encrypted data is only as safe as the keys the attackers did not get.

Sony has once again missed an opportunity to reassure its customers. They should have said in the first announcement of the data loss that the credit card data was encrypted, and they should, in this latest communication, have provided details of the nature of the encryption that was used.

No-one outside of Sony knows how feasible it would be to decrypt the credit card information if it had been accessed by the hackers.

Maybe they'll post more information tomorrow. If I were a user of the PlayStation Network I wouldn't enjoy waiting for the answers.

Meanwhile, don't forget that we do know that the personal information of the PlayStation Network's customers was not encrypted - which means that hackers may have accessed your name, address, email address, birthday, password, and so on.

"The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack."

Not sophisticated enough it seems.

Learn more on the PlayStation Network's blog.

And don't forget: if you were using your PlayStation Network password on other sites, you are strongly recommended to change it on those sites now.


4 Responses to Sony says credit card details *were* encrypted, but questions still remain

  1. Andre · 1276 days ago

    Gee Graham, it sure is nice to be able to sit at a desk and snipe others when in fact you don't have a clue as to what really transpired in this whole scenario.

    First off, perhaps Sony is not releasing as much information as they'd like to because it could jeopardize the ongoing investigation.

    Second, no matter how sophisticated any technology is, it's going to get breached.

    Your blog posts on this subject are only making you and Sophos look bad. So how about you find something constructive to say about the matter.

    Here are some examples:
    1. Sony did an excellent job in taking down their system immediately as soon as they realized there was a breach. How many companies would have done the same in the face of the massive amount of lost revenues?
    2. Sony's communications to their customers have been exemplary. They've told me exactly what I need to know in order to make an informed decision as a paying customer.
    3. Again, at the risk of lost revenue, they opted to re-design their infrastructure to make sure this does not happen again. How many companies can you think of that are willing to go to these lengths?
    4. They encrypted the credit card information. The question of how strong the encryption is is moot so long as it buys me and the other Sony customers enough time to have my credit card cancelled before it can be used by the attackers.

    • Hi Andre

      Did you see where I said:

      "although inconvenienced, game players should be grateful that Sony appears to want to make sure it's done the job properly and that any vulnerabilities are fixed."

      and

      "Sony is doing a good job on its blog of reassuring players that they are working on securing and bringing back the network"

      See my initial post on the subject here: http://nakedsecurity.sophos.com/2011/04/25/playst...

      I'm not sure that mentioning the credit card data was encrypted earlier would have jeopardised the investigation (it would surely have been a reassurance to many), and I don't see how giving some indication of the nature of the encryption would be any bad thing.

      Anyway, I appreciate your comments - and I hope you and other PSN customers do not get exploited in any way because of the hack.

  2. Robert Vipperman · 1276 days ago

    This is little comfort or solace from Sony that the credit card data is not at risk. I personally never saved credit card data on the PSN, but have used it via the PSN Store for past purchases, so I do not know if I am affected or not at this point.

  3. Philip G · 1276 days ago

    Were the passwords hashed? You don't encrypt passwords; that's dumb. So Sony is right in that passwords weren't encrypted--encryption implies decryption. However, hashing? Passwords should be hashed--inability to decrypt. But there's no info on that.

    People are saying passwords were stored in plain text -- but from Sony's comments, that's not exactly clear. It's very common to store all your personal information in plain text, and hash the passwords. Credit card info has to be encrypted in order to allow decryption for future purchases.

    Can we get some real forensic info as to how their data really was stored?
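The hashed-versus-encrypted distinction raised in the comment above, and the article's advice to change reused passwords, as an added example that is not part of the original post and says nothing about how Sony actually stored anything. It shows a password table that stores only a per-user salt and a one-way PBKDF2 digest (so there is no decrypt step to get wrong), a constant-time login check, and what an attacker holding a stolen copy of that table can still do: guess passwords record by record, which is exactly why a weak password reused elsewhere remains exposed even when the table was "hashed, not stored in plain text". The iteration count, salt length and sample accounts are this example's own constructed choices.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor and salt length are this example's own choices, not figures Sony disclosed.
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way derivation: PBKDF2-HMAC-SHA256 over the password and a per-user salt.
    There is no inverse function, which is the whole difference from encryption."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def store_user(table: dict, username: str, password: str) -> None:
    """Record only the salt and digest; the password itself is never written anywhere."""
    salt = os.urandom(SALT_BYTES)
    table[username] = {"salt": salt, "digest": hash_password(password, salt)}


def verify_login(table: dict, username: str, password: str) -> bool:
    """Re-derive the digest from the supplied password and compare in constant time."""
    record = table.get(username)
    if record is None:
        # Burn equivalent work so a non-existent user is not distinguishable by timing.
        hash_password(password, bytes(SALT_BYTES))
        return False
    candidate = hash_password(password, record["salt"])
    return hmac.compare_digest(candidate, record["digest"])


def crack_record(record: dict, wordlist) -> Optional[str]:
    """What an attacker with a stolen hashed table can do: guess, one record at a time.
    The digest cannot be decrypted, but a weak password still falls to a wordlist,
    and the per-user salt only stops the attacker sharing work across records."""
    for guess in wordlist:
        if hmac.compare_digest(hash_password(guess, record["salt"]), record["digest"]):
            return guess
    return None


def demo() -> dict:
    table = {}
    # Constructed sample accounts, not real PlayStation Network data.
    store_user(table, "alice", "password1")           # weak, in every wordlist
    store_user(table, "bob", "correct horse battery")  # not in the attacker's list
    store_user(table, "carol", "password1")            # same password as alice

    results = {
        "alice_login_ok": verify_login(table, "alice", "password1"),
        "alice_wrong_pw": verify_login(table, "alice", "password2"),
        "unknown_user": verify_login(table, "mallory", "password1"),
        # Same password, different salts: the stored digests differ, so an attacker
        # cannot spot shared passwords by eye or reuse one cracked digest for both.
        "shared_pw_same_digest": table["alice"]["digest"] == table["carol"]["digest"],
    }
    wordlist = ["123456", "password", "password1", "qwerty"]
    results["alice_cracked"] = crack_record(table["alice"], wordlist)
    results["bob_cracked"] = crack_record(table["bob"], wordlist)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Card numbers are the opposite case: the merchant must recover them to charge a later purchase, so they need reversible encryption, and the questions the article raises (which algorithm, and where the keys lived relative to the stolen data) are the ones that decide whether that ciphertext is of any use to the attackers.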


About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.