Massive Credit Card Compromise

I have not been following it closely, but somehow someone hacked into Sony’s PlayStation database and grabbed over a million (?) credit card numbers, PINs, all kinds of stuff. I seem to recall there was another such case recently.

**Why hasn’t such a large compromise endangered the entire credit card industry?**
How can anyone trust a credit card number when a significant number of them are bogus? What sort of compromise would cause the system to collapse?

Merchants trust them because it is simply a cost of doing business.

For instance, in a B&M (Brick and Mortar) store, when you price an item you add in things like utilities, payroll, profit and shrinkage. In other words, in a B&M store you EXPECT people to steal from you and pass that cost on to your customers.

With a credit card the same example holds up. This is why places like Walgreens don’t require a signature on most purchases under $50.00. If you were to dispute the transaction, Walgreens would lose, as it has no signature.

But the cost of getting the signature, the time involved, etc., is less than the amount of chargebacks they have.

Another example: I was the asst. controller at a hotel, and in the last five years we had THREE chargebacks. That’s a ridiculously low amount, but for some reason people disputing credit card fraud at that hotel was low. So it made no sense to have a high level of credit card clearance.

The more scrutiny a credit card is subject to, the higher the cost to the merchant and the longer it takes to process, but you get more security in case of fraud.

So why pay for something that’s not needed?

Merchants simply have to take credit cards in this day and age. They would lose too much business. If it’s fraudulent and they get an approval from the credit card people, they get paid anyway and the bank absorbs the loss.

So if I work at ACME company and Mr Coyote uses a credit card he stole, as long as I, as a merchant, verify the signature and get an approval code, it is the BANK that is the loser, not the merchant.

Of course the bank merely takes the loss and ups the charges at its bank to cover the loss.

Is there any concrete evidence of precisely how the hackers were able to get in? Was it another IE exploit?

There is currently no evidence that clear text credit card numbers have been stolen. Sony claim the credit card data was encrypted, although the exact encryption used is not given. Assuming a reasonable level of competence, there is little to no chance the data will be useful for credit card fraud. However, the personal details were not encrypted, so some worrying level of information has leaked. Whether it is enough to be useful to commit some other fraud on its own is also doubtful, but that it has been stolen remains worrying. In combination with additional information it could start to become a problem.

The actual attack mechanism hasn’t been revealed. However, what it won’t be is anything to do with web browsers. This was an attack on a provider, not on a user. The Sony site doesn’t use browsers; it might provide data to a browser, but that simply means that Sony could compromise you, not the other way around. Provider sites have their own set of potential vulnerabilities.

However, there are now accusations that a DDoS (distributed denial of service) attack, which occurred at the same time and may have been used both to disable parts of the network services and to distract system admins enough to allow the breach to be effected, was instigated by Anonymous, possibly in reprisal for Sony’s action against a PlayStation hacker. Sony now claim that files have been found on the systems, placed there by the attackers, naming Anonymous.

Huffington Post had a great article recently about the fight in Washington over CC swipe fees. It was mainly about the depressing political and lobbying aspects of the fight, but I was shocked by what a racket this is for the CC companies. The cost of any fraudulent purchase made is totally on their shoulders, they have to buy the expensive equipment themselves, they and their customers are ultimately the ones who pay for a cardholder’s “reward points” … It’s mind-boggling.

Anonymous has denied responsibility.

http://news.yahoo.com/s/nm/20110505/tc_nm/us_sony_anonymous

I’m inclined to believe them. Stealing credit card info isn’t really their MO. They like to steal info and distribute it to publicly humiliate or distress.

I could believe it’s someone affiliated with Anonymous, but not them directly.