Friday 29 April 2011

PlayStation Network credit card details were encrypted

Sony has revealed that credit card details held on its PlayStation Network were stored in securely encrypted files.

The news offers some hope to users worried about their personal data after the online system was hacked.

Sony had previously warned that card numbers and expiry dates may have been among the stolen data.

However, other information, including dates of birth and home addresses, did not have the same level of protection.

The full extent of the security breach was revealed on Monday, following a week-long investigation by Sony.

The company said that up to 77 million PlayStation Network members may have had their personal information taken during an "external intrusion".

The FBI confirmed that it was now involved and had been in contact with Sony in the United States.

One of the main concerns for users has been the issue of card security.

In a question and answer blog, posted on the PlayStation website, the company said: "The entire credit card table was encrypted and we have no evidence that credit card data was taken.

"The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack."

The company has not revealed the type or strength of protection given to credit card information, and Graham Cluley from security firm Sophos warned that "encryption" could mean almost anything.

"Some are as weak as tissue paper, and others can take millions of years to crack," he said.

"For instance, you could have an encryption that made every 'A' a 'D', every 'B' an 'E' etc, but that would be trivial to crack."

Unusual transactions

Sony suggested that users should keep a close eye on their financial statements and alert their card issuer about any unusual transactions.

That advice was echoed by Visa Europe, the company behind the Visa payment system. It explained that if card data was found to have been stolen and used to make unauthorised payments, users would not have to pick up the bill.

"Cardholders who are innocent victims of fraud will get their money back, subject to the terms and conditions of their bank," it said in a statement.

PlayStation Network members were urged not to cancel their cards at this stage.

A spokesman for Barclaycard said that such action was unnecessary until it was known if card numbers had fallen into the wrong hands.

If that proved to be the case, Sony would need to hand over the information to the UK Payments Administration - the umbrella body that oversees financial transactions including bank transfers and card payments.

The card numbers would then be identified and passed to relevant banks who could block them from use or elevate the level of monitoring for unusual activity.
