I suppose the next logical question is where were the passwords - inside the package, or communicated separately?
06 Jul 2011 14:55
Nothing to do with Sony, but about 5 years ago I went to Tokyo to do a Systems/Security Audit on a Japanese subsidiary. Because I had to join a conference call back with the USA and I wanted to avoid paying extortionate hotel phone rates, I asked what time in the morning the Security Guard unlocked the premises.
Amused, the local staff showed me that in practice the 'yale-style' key to unlock the main door was buried in the soil of the cheese plant in the (public) foyer; the first person in each day simply unlocked the premises - and this gave access to the IT department including server room - with no intruder alarm and no CCTV.
Suffice it to say the whole subsidiary was closed down within 60 days of my visit.
So - don't be surprised what might eventually emerge re Sony.
07 May 2011 18:14
MaryAnn - I can't believe that this is the master list - because not a single one of the 10 largest retail stores in UK/France/Germany/Spain appear on this list.
07 May 2011 17:41
MaryAnn - thanks for the list, but it appears to be a USA only list - so not surprised if Sony don't appear on it.
07 May 2011 13:47
PCI-DSS 3.1 states "Keep cardholder data storage to a minimum. Develop a data retention and disposal policy. Limit storage amount and retention time to that which is required for business, legal, and/or regulatory purposes"
Well once you've been paid by the Credit Card Issuer / Direct Debit Bank, why keep the data longer than say 3 months, rather than 3 years?
So even if Sony did a self-assessment, I don't think they can hand on heart say that they were PCI-DSS compliant as far as this particular database was concerned.
03 May 2011 14:56
Well we've now got Sony admitting that they had a database that dates back to 2007 that was compromised.
03 May 2011 14:55
Sony disclose that an earlier breach compromised 25 million accounts with Sony Online Entertainment.
In a statement, Sony said credit card details and other personal information such as names, home addresses, e-mail addresses, dates of birth, phone numbers and gender information had been pillaged. Additionally, direct debit details of around 10,700 customers in Austria, Spain, the Netherlands and Germany were stolen, as were the credit or debit card details of some 12,700 non-US customers. Sony said that this data was taken from an outdated 2007 database which may no longer be usable.
If it was no longer usable, then why haven't they deleted it?
However, if it was me, then I'm still using the same Bank Account I was using in 2007, so that makes the Account still 'live' and holding funds, and with the rise of Debit Cards valid for 3/4 years, then who is to say that the 2007 records have expired yet?
Anyway, simply increment the Expiry Date, and for those transactions that don't even ask for the CVV Security Code, you're in business.
03 May 2011 14:46
Date of Birth & Mother's Maiden Name are so readily available that many years ago I stopped using them: when I realised that no-one was going to go elsewhere to actually validate them, it didn't matter what values I gave.
So now I use a selection of Dates of Birth that are not really mine, and Mother's Maiden Names of my maiden Aunts; this gives me a few values of each to select from, but doesn't enable anyone to actually impersonate me with serious financial services such as Banking.
02 May 2011 15:08
Listening to the recording of the Sony press conference on Sunday, they eventually confirmed that the passwords were 'hashed' - but no details are forthcoming regarding what they were hashed with, or if they were salted, citing the need to keep some security details secret from the hackers.
They did announce that they are going to recruit a Corporate Information Security Officer - so presume they didn't employ one up to now?
02 May 2011 15:02
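The comment above notes that Sony confirmed the passwords were hashed but would not say whether they were salted. The following is an added example, not part of the original comment thread and not anything Sony disclosed about its own scheme, showing why that detail matters for a leaked database: the user table and wordlist are constructed sample data, the iteration count is an assumed figure, and the salted scheme shown is a generic PBKDF2-HMAC-SHA256 construction.

```python
"""Unsalted vs. salted password storage, from the attacker's side of a leaked
table. Added example with constructed sample data; the scheme is generic
PBKDF2-HMAC-SHA256 and says nothing about how Sony actually stored passwords."""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for the salted scheme

# Constructed "leaked" user table: two users chose the same weak password.
USERS = {"alice": "password1", "bob": "password1", "carol": "Tr0ub4dor&3"}
# Constructed attacker wordlist.
WORDLIST = ["letmein", "password1"]


def unsalted_hash(password: str) -> str:
    # Plain SHA-256 of the password: identical passwords give identical
    # digests, so one precomputed hash cracks every user who chose it.
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    # Per-user random salt plus an iterated KDF: identical passwords give
    # different records, and every guess costs the attacker `iterations`
    # hash computations for each user separately.
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    # Re-derive with the stored salt and iteration count; constant-time compare.
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown scheme")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def build_unsalted_table(users: dict) -> dict:
    return {user: unsalted_hash(pw) for user, pw in users.items()}


def build_salted_table(users: dict) -> dict:
    return {user: salted_hash(pw) for user, pw in users.items()}


def duplicate_groups(table: dict) -> list:
    """Users whose stored records are byte-identical. Against an unsalted dump
    this is the attacker's first move: crack one, get the whole group."""
    by_record = {}
    for user, record in table.items():
        by_record.setdefault(record, set()).add(user)
    return [group for group in by_record.values() if len(group) > 1]


def crack_unsalted(table: dict, wordlist: list):
    """Dictionary attack on an unsalted table: hash each word ONCE and look up
    every user against it. Returns (cracked, hashes_computed)."""
    lookup = {unsalted_hash(w): w for w in wordlist}
    cracked = {user: lookup[h] for user, h in table.items() if h in lookup}
    return cracked, len(wordlist)


def crack_salted(table: dict, wordlist: list):
    """Dictionary attack on a salted table: the salt forces a fresh KDF run for
    every (user, word) pair. Returns (cracked, hashes_computed)."""
    cracked, work = {}, 0
    for user, record in table.items():
        for w in wordlist:
            work += 1
            if verify_salted(w, record):
                cracked[user] = w
                break
    return cracked, work


if __name__ == "__main__":
    unsalted = build_unsalted_table(USERS)
    salted = build_salted_table(USERS)
    print("unsalted duplicate groups:", duplicate_groups(unsalted))
    print("salted duplicate groups:  ", duplicate_groups(salted))
    print("unsalted attack:", crack_unsalted(unsalted, WORDLIST))
    print("salted attack:  ", crack_salted(salted, WORDLIST))
```

With three users and a two-word list the unsalted attack recovers both weak passwords at the cost of two hashes; the salted attack recovers the same two but has to run the KDF once per user per word, and each of those runs is itself ITERATIONS times more expensive. That multiplier, not the choice of hash function alone, is what determines how long a leaked table protects the people in it.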
Now we have reports that perhaps the credit cards weren't all protected by strong encryption, and that the hackers have a database that includes 2.2 million credit card numbers, and that they are hoping to sell the credit card list for upwards of $100,000 (courtesy of NY Times & Trend Micro).
29 Apr 2011 14:06