Sony: PSN credit card details were encrypted

Passwords still a gold mine, says former black hat.

Sony has claimed that the credit details of its PlayStation Network customers were encrypted, a key fact it omitted in its initial disclosure about being hacked. 

“The entire credit card table was encrypted and we have no evidence that credit card data was taken,” Patrick Seybold, Sony’s senior director of corporate communications said in a blog post Wednesday. 

He added that CVV2 data, the three digit code to verify an online purchaser has the card being used in an online transaction, was not stolen. 

While encryption did not cancel the risk of fraud posed to as many as 77 million PlayStation Network customers, it reduced it, and should have been revealed during the first admission, according to Graham Cluley, senior technology consultant at security vendor Sophos.

“Sony has once again missed an opportunity to reassure its customers,” he wrote.

“They should have said in the first announcement of the data loss that the credit card data was encrypted, and they should - in this latest communication - have provided details of the nature of the encryption that was used.”

Still, identity theft and secondary hacking of PlayStation Network users’ other accounts remained a risk. 

Seybold pointed out that the “personal data table”, which included names, passwords, birth dates, buying history, and billing addresses were not encrypted. 

“For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information,” Seybold wrote. 

Sony also revealed that besides rebuilding its server infrastructure -- one of the reasons it gave last week for shutting down its network -- it had already begun moving network infrastructure to a “more secure” data centre.

“We are initiating several measures that will significantly enhance all aspects of PlayStation Network’s security and your personal data, including moving our network infrastructure and data center to a new, more secure location, which is already underway,” according to Seybold. 

Sony was also working on a new firmware update, which “will require all users to change their password once PlayStation Network is restored", expected to occur within a week.  

The company promised to find the culprits behind the alleged hack “no matter where in the world they might be located”. 

The most likely place to find those responsible would be somewhere in or near Russia, according to former black hat hacker and Wired security editor Kevin Poulson, who ruled out other usual suspects such as hacking collective Anonymous, Chinese hackers and recreational hackers. 

Poulson ruled the “For-Profit Cybertheif”, largely concentrated in Ukraine and Russia, as “probably guilty”. 

“These guys ... know databases like the backs of their hands — they dream in SQL.”

“Credit cards without the mag[netic] stripe data or CVV2 are among the least valuable commodities. But combined with the other data, the database is valuable indeed,” he wrote in a blog post on Thursday. 

“The passwords (which Sony evidently didn’t bother to hash)  could be a gold mine, because people have a tendency to use the same password everywhere; you can bet a big chunk of those 77 million PlayStation Network passwords will unlock everything from Facebook accounts to online banking.”