Steam, the online empire of computer game behemoth Valve Corporation, has issued details of the hack it suffered last weekend:
Dear Steam Users and Steam Forum Users,
Our Steam forums were defaced on the evening of Sunday, November 6. We began investigating and found that the intrusion goes beyond the Steam forums.
We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating.
Ouch. As an Australian journalist just asked me, “Why does this keep happening on such a large scale?”
I took that as a rhetorical question. Online merchants keep violating our faith and trust in their security; we keep letting them do it. We want what they are offering so much, or care about security sufficiently little, that we aren’t voting with our wallets when they get owned. Simple as that.
Indeed, one of the FAQs on gaming site Kotaku asks:
Who cares about my credit cards and passwords. Will Skyrim still unlock tonight?
Skyrim is the fifth game in Bethesda Software’s popular Elder Scrolls series. You could download it in advance, but it’s locked until the first minute after midnight on 11 November 2011.
To unlock and play it you need to use Steam’s online services. So if Steam’s game servers had been taken offline as a breach precaution, Skyrim’s launch would have been delayed.
Good news. A gamer chum from Sydney reports that he unlocked it fine, just moments after midnight New South Wales time (UTC+11).
(He successfully played it, in his words, “just for a short while, to check that it worked OK.” In other words, until 3am.)
OK, so you can play Skyrim after all. But are there other things you can do in the light of Steam’s advisory?
There are, and here are some suggestions:
* Change your Steam password, just in case. If you were using a weak password before, take this opportunity to choose a decent one.
* Keep an eye on your credit card statement and report any unexpected transactions.
* Consider not storing your credit card data on Steam’s servers. You don’t have to. You can choose to enter it every time you need it instead.
* Consider enabling Steam Guard. If you do, Steam will email you every time your account is used to log in from a computer it hasn’t seen before, whether that’s you or someone else.
* Send an email to Steam asking why they encrypted credit card data and passwords, but apparently not the rest of their users’ personally identifiable information.
In fact, send an email to every company with whom you do business online, and ask them how much of the data they hold about you is encrypted.
The PCI (payment card industry) compliance rules say they have to encrypt credit card data, so they probably do.
But ask what they’re doing with the rest of the stuff they hold about you.
In my experience, many companies which are PCI compliant have treated that compliance merely as a box to tick. They have taken the whole issue of PCI compliance as a security destination to be reached, rather than an excellent starting map for their security journey.
That’s a pity, and a wasted opportunity to make things better for everyone.
Community pressure has persuaded many businesses to improve their password-handling code, adding salting-and-hashing where they ignored it before.
So let’s make a noise about the use of encryption in general, and see if we can’t improve things out there in the ecommerce cloud!
But… Steam is the cloud… there's no data risk in the cloud… clouds are steam#ERROR_circular_ref
I’m a massive Steam user; I have 300+ games and, yes, my card details are saved.
The 2 big things in this statement that are different to other breaches are
1: “Encrypted” yay a company that uses encryption.
2: Steam Guard, they won’t be able to log in and my Steam registered email is a forward address to a completely unrelated account elsewhere using a different password so they won’t be accessing my account any time soon.
Mind you if they do buy anything I’ll have trouble telling the erroneous Steam transactions from the genuine ones 😛
So Richard,
If you were left unaware of the incident, or were not yet aware, it sounds like you’re saying that you would be safe (I may be wrong on my assumption).
But think about this if the above were the case: your CC info is on file, along with your purchase history and your billing address. That is more than enough to get a hold of your phone number if necessary. At that point they could simply call you up and say something like ” Hi, is this Richard? Hi Richard, this is Scott Smith from Valve. I’m a billing representative and am calling to discuss an issue with a transaction you initiated for the purchase of (insert some game title from your purchase history, preferably the most recent). It seems that the transaction failed to complete and the funds were never received for your purchase. Oh? The funds were already debited from your account? That’s strange…Let me check if we have the correct information on file I have…(Scott reads off your billing address and username and possibly even the card type and expiration date and maybe even the last 4 of the card number (I know they say the cc data is encrypted, but PCI allows the first six and last 4 numbers to be unencrypted ((but most people don’t know that so now it’s assumed that the person on the phone already has access)))).
Oh, so that is the correct card we have on file? Well, let me process this through our system, it will be just a second….(here Scott can start discussing things to enhance your relationship and rapport, maybe start discussing a new game coming out etc…) Hey Richard, I am about to process the card in our system, but we go through a security application that prevents me from using and seeing anything outside of the application, and because of security reasons, I cannot write down your credit card information. Could you provide me with your card number? I already have the card type and the expiration date. Don’t worry you won’t be charged or anything, this is just internal so that I can make sure the system knows that you paid already. … Hmm…It keeps erroring out…Shoot, I forgot, I need your CVV code as well, otherwise it won’t let me get through. Ok, thanks, there it goes. By the way, your case number is VB45234-021 and my employee number is 715673. If you see any problems, you can reach me directly at (insert Valve’s billing department phone number here along with an extension…to make matters worse, the person could have called Valve billing previously and got the name and extension of a random billing person and use their name instead to make things more legit). Thanks and have a great day!
—-
Sure, someone else could probably have done a better job with the above social engineering attempt. I mean, there are plenty of amazing talkers out there, many of them run the country…
And even if you yourself could detect the above BS, how many thousands and hundreds of thousands of people out there would be deceived? Or worse, how many grade school kids out there are using the parents’ card information…Those kids get the call and have no idea, all they know is that they want to play games…they skew the information and run to their parents to explain what’s going on…parents are busy with whatever and they give the credit card to the kid…Or they get on the phone but rush things and ask questions with easy answers…not wanting to waste more time, they hand over the information.
I could go on and on and on…there are plenty of ways to do it…Anything can be done including caller ID spoofing…
PCI compliance is merely a step in a more secure direction, but really, it’s for protecting the banks from paying back all that money…throw it on the merchant in fees and penalties…
Take the TJMAXX incident as a good example: http://www.msnbc.msn.com/id/17871485/ns/technolog…
A compromise that large…and the company is still around…
Security is extremely important, in fact, it is just as important as the company itself. Security should not be a check box, it should be a radio button that can’t be unselected.
Very interesting – I never received the email warning you quoted in the article, nor are details posted on the Steam News board. Was this limited to a specific region? I decided to change my password, just to be safe. When I did, I got a message stating that "Steam cannot currently process your request. Please try again later." I also couldn't find an account setting that would prevent Steam from storing my payment info.
Luckily for me, I guess, Sony's picking up the tab for fraud protection on my credit cards after they were hacked earlier this year.
Paul:
Thanks for defining "PCI". I first came across the term in a mate's post a few days ago. I had no idea what he was referring to. From the context, and from some Googling, I managed to figure out that he was referring to the PCI Security Standards Council, after which I found the pcisecuritystandards.org website. Incredibly, there was no definition of the term "PCI" on the home page, so I gave up.
After reading your definition of the acronym, I went back to the website and found that they actually do define "PCI" on their glossary page.
Hey…I have to give them credit for even HAVING a glossary page.
It would help if they'd notified everyone by e-mail. Being a busy student, I haven't logged into Steam lately to play anything, and so did not see the notification of the breach.
If I hadn't heard about it on Twitter, I might not have known at all that I should consider changing my password or be particularly vigilant in the next couple months. Fortunately, I never store my credit card information anywhere.
Still, it's irresponsible of them to post a sign on the Steam wall and hope we read it instead of contacting users directly.
Why is it so hard for companies to get this right?
Given that Steam allow you to pay by either credit card or Paypal, wouldn't it make more sense to use your Paypal account to pay for games?
If a website allows payments via Paypal, I will always choose that, and as long as you change your default payment type when going through Paypal to be your credit card, you're still paying by credit card but not giving away your card details.
I'm the same as other people here: I've not received an e-mail from Steam yet either telling me that there is a problem.
First I've heard of this too – I've got a total of one Steam game installed, which I haven't played for months. No sign of any emails from them either. I'm assuming that there's a notice on their website? I don't think I've been there since I bought the game over a year ago.