Security experts report via Twitter that hackers are offering a database containing the credit card data of Sony customers for sale. (Image: screenshot)
It is a three-digit sequence of numbers printed on the back of the card. It is meant to ensure that the credit card really belongs to the user and not to someone else. Sony had already stated that there are no indications that users' credit card data was read out by the intruders into the Playstation Network. Sony does not want to rule it out, however. According to Sony, the thieves could only have obtained the card's expiry date, not the security code.
The hackers could be copycats. The security experts have not yet been able to verify the authenticity of the database. However, according to Cnet.com, reports are increasing from users who noticed unauthorized charges on their credit cards. Should the database be genuine, the hackers could have obtained the security codes through phishing attacks. Sony has already warned that the perpetrators could try to coax further data out of users with forged e-mails or letters. The Zentraler Kreditausschuss, an association of leading German banking federations, stated, however, that affected users would not be liable for damage arising from misuse of the card data. Playstation Network users should now note the following.
Sony is making progress in restoring the Playstation Network. As the company explains on a blog, a large part of the data can be restored. Playstation Network users therefore do not need to worry about losing save games and earned trophies. The company is also examining how it can compensate users of the service for the outage.
There is an interesting report on this topic on psx-scene:
Point #1: — They admit that PSN "personal data" was NOT encrypted!
Since the simple PLAINTEXT "personal data table" did contain your "email address", "birthdate", "real name", "password", and even though Sony claims the "credit card" table was encrypted, most people sadly use the same password on multiple other accounts, so it would be very easy for a hacker to log in to a matching email, or PayPal, or bank account, and discover the missing bits of info needed like full credit or bank account numbers by going through all your outside personal info, thanks to Sony giving him your "password" in plaintext!
Point #2 — Now we know why it is taking so long to restore the PSN network!
So they are not just rebuilding the network, by updating the server software, they are moving to a whole new location, but this just opens up more questions! — What was wrong with the old location? — Was the "external intrusion" just simply someone walking in and looking like a techie-person, and copying the data removing the need to break any security?
Rumor: We are in for a big update, DLC wise, Game patch wise, firmware!
Reports are coming in from many mainstream blogs that a new firmware update will be released in May 2011 and that it will FORCE you to re-verify your complete PSN account, and you MUST create a new PASSWORD, and you WILL have to UPDATE to this new secure PS3 firmware if you wish to enjoy in the FUTURE newly released games!
There are also rumors that all licensed game developers are being shipped new SDKs, and that they are being forced to re-compile all the DLC add-ons, and all their game patches, before Sony will even think of turning on the new PSN network!
We Told You So! — Seems Everyone Knew But Sony!
[user12] I also know that the server that does the x-i-5 tickets is a bit more tight about the ciphers than any other system in sonyland
[user12] if sony is watching this channel they should know that running an older version of apache on a redhat server with known vulnerabilities is not wise, especially when that server freely reports its version and its the auth server
[user2] its not old version, they just didnt update the banner
[user12] I consider apache 2.2.15 old
[user2] which server
[user12] it also has known vulnerabilities
[user12] auth.np.ac.playstation.net
[user2] ya the displayed version u see via banner is not the real version
[user12] unless they updated it in the last couple weeks
[user12] I doubt that since its not trivial to change that
[user12] its a bit more invasive than just setting it to Prod like they do on their other servers
[user11] you know, watching this conversation makes me think about whether it was a good idea after all to buy a couple of games from psn using a visa card
[user2] its just backported security patches
[user11] i did remove all my info after downloading the games though
[user12] that is just psn not the store
[user12] they are running linux 2.6.9-2.6.24 on that box too
[user12] that too is old
[user2] lol @ buying on store
[user11] yes, but their general attitude towards security just seems…ugh
[user2] sony wont misuse the info i bet xD
[user2] but just prevent using cfw’s of unknown ppl
[user2] even better from ALL ppl
[user2] make ur own lol
[user12] so I doubt that they are spoofing the network stack on that box as well
[user12] my guess is that it really is undermaintained “it works why change anything”
[user2] could be
[user12] sony really should update that stuff to something more current
[user2] ya
[user2] but imagine
[user2] psn == 45 environments
[user2] and for example
[user2] every env has 50 subdomains
[user2] to external machines
[user2] its rly rly huge
[user2] who wants to do this xD
[user2] ppl r lazy
[user2] wont change
So there you have it all in a nutshell, the system was totally unsecure, and fully outdated, and Sony was just being in fact lazy in doing anything about it!
Attached below is the full (nicknames-have-been-removed) IRC log from "Feb. 16th, 2011" that talks about how wide-open the PSN servers are!
So was the "credit card" table really encrypted?
Rumors are following through various underground "credit card" trading forums, and on the new #psnhack twitter list that a large section of the PSN database containing complete personal details along with over 2.2 million working credit card numbers with the much-needed CVV2 code are being offered up for sale to the highest-bidder, after the "hackers" tried to sell the DB back to Sony for a price, but they of course didn’t answer!
Discussion about #psnhack and possible speculation about the hackers being from Europe
Logs – efnet – #ps3dev – 2011-04-26
<Mathieulh>trixter, people I know had a shell on the psn servers
<Mathieulh>did you know that sony didn’t disable the function that sets the psn server under maintenance ?
The hackers that hacked PSN are selling off the DB. They reportedly have 2.2 million credit cards with CVVs #psnhack
Sony was supposedly offered a chance to buy the DB back but didn’t #psnhack
@mikkohypponen That is what is going around on some underground forums. The DB contains pretty much everything
@the_pc_doc That is what I thought but the guys selling it say that they have CVV2 numbers
@RiquezJP Well not properly securing your server breaks compliance as far as I know.
@RangerRick Yeah, this information about the CVV2 numbers could be bogus. The guys selling the DB could just be making it up.
Supposedly the hackers selling the DB say it has: fname, lnam, address, zip, country, phone, email, password, dob, ccnum, CVV2, exp date
No, I have not seen the DB so I can not verify that it is true
Sony disputes the publication …