Over 2 Million PSN Credit Card Numbers Rumored To Be Up For Sale, Did Sony Use Strong Enough Encryption?
So we knew it would start but we aren’t sure we believe it. There are reports today about hackers openly shopping a database that reportedly contains over 2 million credit card numbers that were stolen in last week’s PlayStation Network theft. The reports originate from a tweet sent out earlier today by Trend Micro’s Kevin Stevens, who said that the hackers responsible for breaching the PSN’s security are willing to part with a large chunk of information if the price is right. He went on to add that Sony had been offered the chance to purchase the information back but declined (which was the right choice, by the way). This database is reported to contain complete user details including first name, last name, phone number, email address, email password, DOB, credit card number, expiry date and the security code (a.k.a. CCV).
Now this is where it gets to be a bit fishy. I listed the pieces of info as they were reported. The problem with the list of information is that Sony NEVER had the email password or the CVC numbers for any of their users. This pretty much leads me to believe that this is a bunch of bull. Another thing that is a bit funny is that they are only selling 2.2 million numbers when the haul of numbers compromised should have been much larger considering PSN has 77 million users. People knock hackers but they aren’t idiots, and even though the alleged data is supposedly being sold on the underground market, the real thieves have to know it’s just way too hot right now. The odds of the person wanting to purchase the CC numbers being law enforcement are very high, and that would quickly get them into hot water.
If this is legit these guys must be pretty good, because one thing nobody has ever disputed was that the credit card info was encrypted. Now unless Sony uses some weak ass encryption (which is possible) or our guys have some powerful ass encryption cracking gear, I just don’t think they could have exposed the data this fast. Without a major system with some serious hardware it would take quite a while to crack the standard AES 256 encryption with a brute force attack, like longer than any of us will live. At the time of this posting, we had a question out to Sony asking exactly what level of encryption they had on the credit card tables. They have yet to respond.
So what are we to believe then? At this point, I think the smart thing to assume is that at least some, if not all, of the credit card data may be in the wild. With that said, though, if the data is encrypted in any respectable manner then it’s pretty much worthless. So my question for Sony is: what kind of encryption did you use? The fact that they keep saying the data is encrypted but haven’t yet revealed what kind concerns me. If they are using a high-quality encryption algorithm then there is no real downside to telling us what kind, since if it’s the good stuff it won’t make the hackers’ job any easier.