Sections

Rumor – Hacker claims credit card information sent to Sony through PSN is unencrypted

Thursday, 17th February 2011 17:07 GMT By Stephany Nunneley

A person claiming to have hacked into PlayStation Network has claimed that not only is credit card information sent to Sony through the system via an unencrypted text file, but the company can also keep track of all your actions on the system and keeps a record of it.

According to the post over on ArsTechnica, the hacker claims “all connected devices return values sent to Sony’s servers,” meaning it knows what controllers you have used to what USB devices have been plugged into it.

The hacker also claimed that all credit card information is sent to Sony via an unencrypted text file, meaning there is the potential for thieves to steal such valuable information.

Per the report, all information is stored online with Sony and updated every time a user turns on the system, with various sources claiming e-mails have even been sent to them by Sony, notifying them of their system being hacked before even logging into PSN.

You can read the full thing through the link, which also shows the different code files.

Thanks, Evil Avatar.

Latest

21 Comments

  1. Razor

    If that is true…wow.

    #1 4 years ago
  2. justiceblob

    Is this meant to be shocking? Perhaps the unencrypted text file is a little concerning, but the tracking of the hardware use doesn’t surprise me one bit.

    #2 4 years ago
  3. DSB

    If that were true, wouldn’t millions of credit cards have been stolen and abused by now?

    I can’t imagine that any company would treat peoples information with so little consideration. Except maybe Gawker.

    #3 4 years ago
  4. get2sammyb

    I remember when hackers said there was no way Sony could detect custom firmware either. Do I have reason to believe them again?

    #4 4 years ago
  5. Kaufer

    So does this mean someone can make a CFW that steals your CC details? Or thieves can do this with or without OFW?

    #5 4 years ago
  6. suntomic

    As long as they don’t have access to your PlayStation3, the server were your data is stored or start a man-in-the-middle attack it shouldn’t be a problem to send the credit card information unencrypted. It would just be an extra security measure. Enlight me if i am wrong. :)

    #6 4 years ago
  7. 2plus2equals5

    Text file is really impressive(in a negative way obviously), but data tracking is normal.
    I use a rechargable card for internet and psn, and i never charge more than 50€, so the max they can stole me is 50€.

    #7 4 years ago
  8. Aimless

    @5 Yes, someone can make a CFW that grabs people’s credit card details if they’re on the machine.

    Those using official firmware don’t really have anything to worry about, this is just a classic case of misinformation quickly disseminating. Credit card information is not sent to Sony unencrypted, it uses HTTPS to avoid interception much like any legitimate online transaction.

    #8 4 years ago
  9. lochnesssnowman

    The info is only stored on your machine in plain text. When it’s sent to Sony, https is used (which is secure). Your details are only at risk if you install CFW on your machine that is designed to extract this information (i.e. be wary of dubious CFW, or just avoid it altogether).

    #9 4 years ago
  10. rainer

    This could be entirely fake there’s no actual proof at all and the comments on Ars are going into more details stating that that Sony do use HTTPS (which is encrypted) so this guy must have somehow sidestepped that level of encryption by using a hacked PS3 to intercept the traffic if this is at all true.

    http://arstechnica.com/gaming/news/2011/02/report-psn-hacked-showing-stunning-lack-of-credit-card-security.ars?comments=1&start=80#comment-21339256

    http://arstechnica.com/gaming/news/2011/02/report-psn-hacked-showing-stunning-lack-of-credit-card-security.ars?comments=1&start=80#comment-21339294

    #10 4 years ago
  11. rainer

    Argh cant edit my own post but anyway here is a better description of whats required
    http://arstechnica.com/gaming/news/2011/02/report-psn-hacked-showing-stunning-lack-of-credit-card-security.ars?comments=1&start=80#comment-21339341

    “For an attack to succeed:
    - An attacker must persuade you to load a CFW that has a self-signed root certificate loaded on it
    - the attacker must successfully poison the DNS cache of a DNS server that YOU use
    - the attacker must then wait/hope/pray that you connect to the server he spoofed so that you can authenticate to him.

    That, ladies and gentlemen, is a pretty tall order, though it’s by no means implausible. But it is the sort of issue that gets a lot of attention these days (and is a large part of the reason why certificate validation has become so visible in web browsers as of late.)

    So if you’re not using a CFW, then you’re pretty safe. If you are, then you need to ensure that no other forged or crafted root CAs exist, and that you are using a relativity secure DNS server. In my opinion, any DNS server by a major ISP should be more than sufficient.”

    So not much to worry about it seems after all.

    #11 4 years ago
  12. Hakkiz

    Misleading. In practise, this most likely just for custom firmware/pirate users.

    #12 4 years ago
  13. Xanthene

    I heard a hacker claimed sony turned on the eye webcam so they can watch your jerk it to various female (and male for those of you that are —-) characters to figure out who was the hottest. The winner was laura croft. which is why we got the tomb raider hd remix, more jerkin it. it must be true, a hacker said so.

    #13 4 years ago
  14. Mike

    Sony really are fucking cretins.

    #14 4 years ago
  15. Kaufer

    Update from Arstechnica
    A document written by the hackers has clarified what they did and what privacy and security risks they believe the PlayStation 3 poses. The PS3′s connection to PSN is protected by SSL. As is common to SSL implementations, the identity of the remote server is verified using a list of certificates stored on each PS3. The credit card and other information is sent over this SSL connection. So far so good; this is all safe, and your web browser depends on the same mechanisms for online purchases.

    The concern raised by the hackers is that custom firmwares could subvert this system. A custom firmware can include custom certificates in its trusted list. It can also use custom DNS servers. This raises the prospect of a malicious entity operating his own proxies to snaffle sensitive data. He would distribute a custom firmware that had a certificate corresponding to his proxy, and that used a DNS server that directed PSN connections to the proxy. His proxy would decrypt the data sent to it, and then re-encrypt it and forward it to the real PSN servers.

    Such a scheme would be transparent to PSN users (except for any potential performance reduction caused by the proxying), and would give the attacker access to all the information that the PS3 sends to Sony. This information is shown to be extensive, but apart from the credit card data, probably not too sensitive or unreasonable.

    As flaws go, the risks here are not substantial. There is no generalized ability for hackers to grab credit cards from PSN users; only those using specially devised custom firmwares would be at risk. Essentially the same risk could be faced by anyone downloading a pirated version of Windows: extra certificates could be added to those normally trusted, along with suitable DNS entries, to allow interception of any traffic destined for, say, amazon.com. In practice, the risk of either of these is slight, and in any case, trivially avoided: don’t use custom firmware.

    #15 4 years ago
  16. Dr.Ghettoblaster

    I’ve often wondered about my eye camera being on and somehow signal being sent as I polish my magical wand..

    #16 4 years ago
  17. Withnail

    It’s a https connection. The s stands for secure. There is only a problem if you are running CFW.

    But let’s all be outraged about things we don’t really understand!

    #17 4 years ago
  18. theevilaires

    @16 you get a Kinect if you want to be spied on.

    #18 4 years ago
  19. Maxey

    I see back_up has nothing to say about this. lol

    #19 4 years ago
  20. Caleb_LK

    @19 give him time hes tired after a good day trolling

    If this is true slightly frightening though it is most likely being overblown.

    #20 4 years ago
  21. mojo

    19: cause there is not realy something to say.
    the hackers also could have said: The PS3 does e commerce like every single e-commerce application/service on the whole planet.

    if u install malware (cfw) on ur pc (ps3), ur cc info can get stolen.

    oh, rly? intolerable!!11

    #21 4 years ago

Comments are now closed on this article.