Thu, Feb 17, 2011 | 17:07 GMT
Rumor – Hacker claims credit card information sent to Sony through PSN is unencrypted
A person claiming to have hacked into PlayStation Network says that credit card information is sent to Sony through the system as an unencrypted text file, and that the company also tracks all of your actions on the system and keeps a record of them.

According to the post over on ArsTechnica, the hacker claims “all connected devices return values sent to Sony’s servers,” meaning Sony knows everything from which controllers you have used to which USB devices have been plugged into the console.
The hacker also claimed that all credit card information is sent to Sony via an unencrypted text file, meaning there is the potential for thieves to steal such valuable information.
Per the report, all of this information is stored online with Sony and updated every time a user turns on the system, and various sources claim Sony has even e-mailed them to notify them that their system had been hacked before they had so much as logged into PSN.
You can read the full thing through the link, which also shows the different code files.
Thanks, Evil Avatar.


21 comments
#1
Razor
17/02/11, 5:17 pm
If that is true…wow.
#2
justiceblob
17/02/11, 5:18 pm
Is this meant to be shocking? Perhaps the unencrypted text file is a little concerning, but the tracking of the hardware use doesn’t surprise me one bit.
#3
DSB
17/02/11, 5:19 pm
If that were true, wouldn’t millions of credit cards have been stolen and abused by now?
I can’t imagine that any company would treat people’s information with so little consideration. Except maybe Gawker.
#4
get2sammyb
17/02/11, 5:20 pm
I remember when hackers said there was no way Sony could detect custom firmware either. Do I have reason to believe them again?
#5
Kaufer
17/02/11, 5:21 pm
So does this mean someone can make a CFW that steals your CC details? Or thieves can do this with or without OFW?
#6
suntomic
17/02/11, 5:36 pm
As long as they don’t have access to your PlayStation 3 or the server where your data is stored, or start a man-in-the-middle attack, it shouldn’t be a problem to send the credit card information unencrypted. It would just be an extra security measure. Enlighten me if I am wrong.
#7
2plus2equals5
17/02/11, 5:36 pm
Text file is really impressive (in a negative way obviously), but data tracking is normal.
I use a rechargeable card for internet and PSN, and I never charge more than 50€, so the max they can steal from me is 50€.
#8
Aimless
17/02/11, 5:40 pm
@5 Yes, someone can make a CFW that grabs people’s credit card details if they’re on the machine.
Those using official firmware don’t really have anything to worry about, this is just a classic case of misinformation quickly disseminating. Credit card information is not sent to Sony unencrypted, it uses HTTPS to avoid interception much like any legitimate online transaction.
#9
lochnesssnowman
17/02/11, 5:40 pm
The info is only stored on your machine in plain text. When it’s sent to Sony, https is used (which is secure). Your details are only at risk if you install CFW on your machine that is designed to extract this information (i.e. be wary of dubious CFW, or just avoid it altogether).
#10
rainer
17/02/11, 5:46 pm
This could be entirely fake; there’s no actual proof at all, and the comments on Ars are going into more detail, stating that Sony does use HTTPS (which is encrypted), so this guy must have somehow sidestepped that level of encryption by using a hacked PS3 to intercept the traffic, if this is at all true.
http://arstechnica.com/gaming/news/2011/02/report-psn-hacked-showing-stunning-lack-of-credit-card-security.ars?comments=1&start=80#comment-21339256
http://arstechnica.com/gaming/news/2011/02/report-psn-hacked-showing-stunning-lack-of-credit-card-security.ars?comments=1&start=80#comment-21339294
#11
rainer
17/02/11, 5:48 pm
Argh, can’t edit my own post, but anyway here is a better description of what’s required
http://arstechnica.com/gaming/news/2011/02/report-psn-hacked-showing-stunning-lack-of-credit-card-security.ars?comments=1&start=80#comment-21339341
“For an attack to succeed:
- An attacker must persuade you to load a CFW that has a self-signed root certificate loaded on it
- the attacker must successfully poison the DNS cache of a DNS server that YOU use
- the attacker must then wait/hope/pray that you connect to the server he spoofed so that you can authenticate to him.
That, ladies and gentlemen, is a pretty tall order, though it’s by no means implausible. But it is the sort of issue that gets a lot of attention these days (and is a large part of the reason why certificate validation has become so visible in web browsers as of late.)
So if you’re not using a CFW, then you’re pretty safe. If you are, then you need to ensure that no other forged or crafted root CAs exist, and that you are using a relatively secure DNS server. In my opinion, any DNS server by a major ISP should be more than sufficient.”
So not much to worry about it seems after all.
#12
Hakkiz
17/02/11, 6:03 pm
Misleading. In practice, this is most likely just for custom firmware/pirate users.
#13
Xanthene
17/02/11, 6:07 pm
I heard a hacker claimed Sony turned on the Eye webcam so they can watch you jerk it to various female (and male for those of you that are —-) characters to figure out who was the hottest. The winner was Lara Croft, which is why we got the Tomb Raider HD remix: more jerkin’ it. It must be true, a hacker said so.
#14
Mike
17/02/11, 6:21 pm
Sony really are fucking cretins.
#15
Kaufer
17/02/11, 6:34 pm
Update from Arstechnica
A document written by the hackers has clarified what they did and what privacy and security risks they believe the PlayStation 3 poses. The PS3’s connection to PSN is protected by SSL. As is common to SSL implementations, the identity of the remote server is verified using a list of certificates stored on each PS3. The credit card and other information is sent over this SSL connection. So far so good; this is all safe, and your web browser depends on the same mechanisms for online purchases.
The concern raised by the hackers is that custom firmwares could subvert this system. A custom firmware can include custom certificates in its trusted list. It can also use custom DNS servers. This raises the prospect of a malicious entity operating his own proxies to snaffle sensitive data. He would distribute a custom firmware that had a certificate corresponding to his proxy, and that used a DNS server that directed PSN connections to the proxy. His proxy would decrypt the data sent to it, and then re-encrypt it and forward it to the real PSN servers.
Such a scheme would be transparent to PSN users (except for any potential performance reduction caused by the proxying), and would give the attacker access to all the information that the PS3 sends to Sony. This information is shown to be extensive, but apart from the credit card data, probably not too sensitive or unreasonable.
As flaws go, the risks here are not substantial. There is no generalized ability for hackers to grab credit cards from PSN users; only those using specially devised custom firmwares would be at risk. Essentially the same risk could be faced by anyone downloading a pirated version of Windows: extra certificates could be added to those normally trusted, along with suitable DNS entries, to allow interception of any traffic destined for, say, amazon.com. In practice, the risk of either of these is slight, and in any case, trivially avoided: don’t use custom firmware.
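As an added example (not part of the article or of the Ars Technica text quoted above), here is the owner-side check that comments #11 and #15 imply: compare a firmware’s trusted root list and DNS resolver settings against a known-good baseline and flag any extra root or unexpected resolver, since the described interception needs both. All root certificate bodies, fingerprints and resolver addresses are constructed placeholders, not Sony’s actual values.

```python
"""Trust-store and resolver audit. Added example, not code from the article
or from the quoted Ars Technica post. Every certificate body, fingerprint
and address below is a constructed placeholder."""
import hashlib
from dataclasses import dataclass, field


def fingerprint(cert_der: bytes) -> str:
    # SHA-256 over the raw certificate bytes: the value normally "pinned".
    return hashlib.sha256(cert_der).hexdigest()


# Constructed stand-ins for the roots the official firmware ships.
OFFICIAL_ROOTS = [b"constructed official root A", b"constructed official root B"]
BASELINE_PINS = frozenset(fingerprint(c) for c in OFFICIAL_ROOTS)
# Resolvers the owner expects (constructed addresses from documentation ranges).
EXPECTED_RESOLVERS = frozenset({"192.0.2.53", "198.51.100.53"})


@dataclass
class AuditResult:
    extra_roots: list = field(default_factory=list)       # pins not in baseline
    missing_roots: list = field(default_factory=list)     # baseline pins absent
    unexpected_resolvers: list = field(default_factory=list)

    def at_risk(self) -> bool:
        # The interception scheme needs an injected root plus a redirected
        # resolver, but either finding alone warrants stopping and checking.
        return bool(self.extra_roots or self.unexpected_resolvers)


def audit_trust_store(trusted_roots, resolvers,
                      baseline=BASELINE_PINS, expected=EXPECTED_RESOLVERS):
    """Compare a firmware's trusted roots and DNS settings to the baseline."""
    present = {fingerprint(c) for c in trusted_roots}
    result = AuditResult()
    result.extra_roots = sorted(present - baseline)
    result.missing_roots = sorted(baseline - present)
    result.unexpected_resolvers = sorted(set(resolvers) - expected)
    return result


if __name__ == "__main__":
    # Constructed "custom firmware" state: one extra self-signed root and a
    # resolver that points somewhere other than the expected servers.
    tampered = OFFICIAL_ROOTS + [b"constructed self-signed proxy root"]
    print(audit_trust_store(OFFICIAL_ROOTS, ["192.0.2.53"]).at_risk())  # False
    print(audit_trust_store(tampered, ["203.0.113.7"]).at_risk())       # True
```

On a real device the same comparison would be run over the DER bytes of each certificate in the firmware’s trust list and over the resolver addresses from its network configuration.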
#16
Dr.Ghettoblaster
17/02/11, 8:28 pm
I’ve often wondered about my eye camera being on and somehow signal being sent as I polish my magical wand..
#17
Withnail
17/02/11, 8:29 pm
It’s a https connection. The s stands for secure. There is only a problem if you are running CFW.
But let’s all be outraged about things we don’t really understand!
#18
theevilaires
17/02/11, 8:35 pm
@16 you get a Kinect if you want to be spied on.
#19
Maxey
17/02/11, 9:38 pm
I see back_up has nothing to say about this. lol
#20
Caleb_LK
17/02/11, 10:02 pm
@19 Give him time, he’s tired after a good day trolling.
If this is true it’s slightly frightening, though it is most likely being overblown.
#21
mojo
18/02/11, 1:33 pm
19: ’cause there is not really anything to say.
The hackers also could have said: The PS3 does e-commerce like every single e-commerce application/service on the whole planet.
If you install malware (CFW) on your PC (PS3), your CC info can get stolen.
oh, rly? intolerable!!11