The cyber-security community and its shadowy cousin are abuzz today with rumours that hackers are offering to sell a database of 2.2 million credit card details stolen from Sony’s network.
The rumours seem to have originated with Trend Micro’s Kevin Stevens, who tweeted today that the hackers responsible for breaching the PSN’s security are willing to part with a chunk of the information so obtained – for a price.
He later added that Sony had been offered the chance to buy back the information, but declined.
Sony has denied this. Speaking to the New York Times, SCEA comms boss Patrick Seybold said:
”To my knowledge there is no truth to the report that Sony was offered an opportunity to purchase the list.”
Seybold referred again to a Sony statement on the matter of credit card data encryption on PSN, made yesterday: “The entire credit card table was encrypted and we have no evidence that credit card data was taken.”
Sony has said that it could not rule out the possibility that hackers might have obtained credit card data.
Mathew Solnik, a security consultant with iSEC Partners who frequents hacker forums to track new hacks and vulnerabilities that could affect his clients, told the NYT that it can’t be ruled out that credit card data was stolen by hackers last week.
“Sony is saying the credit cards were encrypted, but we are hearing that the hackers made it into the main database, which would have given them access to everything, including credit card numbers,” he said.
The database is said to include full user details for each card – first and surname; address; phone number; email address; email password; date of birth; and credit card number, expiry state and security code.
The inclusion of email password and card security code, neither of which are collected by Sony, lends some weight to the suggestion that this is a load of old bollocks.
In support, PSX-Scene has a chat log and several screenshots supposedly taken from hacker and credit card fraud communities.
The site echoed the rumour that Sony had been offered the chance to buy back the database.
The first attack
Meanwhile, an Australian man is claiming to be the first documented victim of PSN-gate related credit fraud.
ABC News reports the unfortunate PSN member found several small transactions on his statement following the security breach, in a pattern familiar to those who’ve been caught by scammers. Soon after, over AUD $2000 in charges hit the account.
If the activity is related to PSN-gate, the target of the purported fraud was lucky enough to score a stupid scammer, who purchased flights within Australia and hotel stays. There is little chance the beneficiary of these purchases will escape detection.