Valve Security Breach--Pros and Cons of Pre-Emptive Card Cancellation?

For the first time that I know of, a company that has my debit card information has had a massive security breach. Hackers now have hold of all of Valve’s customers’ credit card info. (And the info they have for me is a debit card backed by MasterCard.) The info is encrypted, but I don’t imagine that makes it particularly inaccessible. They’re hackers, and hackers are magic.

I now have two plans of action placed prominently in my mind:

A. Cancel the relevant card* immediately.

B. Wait to see if any illegitimate charges are made. As soon as I see this happen, cancel the card, and tell the bank those charges aren’t mine.

A is the simplest thing to do–but a fairly serious hassle (no debit card for a week or so…) undertaken to stave off an event with a probability I don’t know how to estimate.

B only makes sense, though, if by telling my bank the charges aren’t mine I thereby initiate a process that will get the money back to me in a short while–and also only makes sense if the probability of my card info actually being used is pretty small. I don’t know what the truth of the matter is concerning either of these questions.

So what should I do, and why? Do charges on debit cards backed by credit card companies get to be reversed if an investigation shows I didn’t authorize those charges? Is the probability of unencrypting the info low or high? Is the probability that my unencrypted info will actually be used for purchases low or high?

According to Forbes, great panic is not warranted, just B-like vigilance. The biggest danger is if you have the same passwords for linked email/Steam forums/Steam account. I thought we were over this annoying hacker shit.

I would call your bank and ask them what they think you should do. Where I work we tell people to keep a close eye on their statements and to call us immediately if something looks wrong. But if the person calling is really worried about it we go ahead and block their card for them.

Sheesh. For some idiot reason, my Steam account was not only linked to my GMail account, but used the same password. :smack: Not anymore …

Chances are good that your bank already knows about this and is in the midst of deciding if it warrants issuing a new card. For now, my hunch is they won’t. As I understand this particular incident, encrypted card info was stolen and it’s not believed that the encryption keys were stolen, so it’s just a lot of gibberish. This is exactly why industry standards require card information to be encrypted.

A few months ago, a crafts store chain had a problem with skimmers on their POS terminals. No sooner had I heard about it on the evening news than my bank sent me a new debit card, as it was easy for them to check recent history and see that I’d been shopping there. In comparison to what happened with Steam, the terminals were compromised and set up to record every card swipe, so the crooks were getting plain-text card data.

Tutorial on how password and PIN encryption is kept secure, or not:

Note also that among the many encryption strategies, there are those cases where you encrypt something that never ever needs to be decrypted and therefore there are no decryption keys saved at all.

Particular cases in point: passwords, PINs, and secret access codes of that sort.

When you establish your password or PIN, it is encrypted and the encrypted text is stored. The decryption key, if indeed there ever was one, is discarded. Short of brute force, it is substantially impossible EVER to recover the original password.

When you later log in, you are asked to type your password. What you type is encrypted (yes, the encryption key is stored somewhere, but that does not necessarily imply that a decryption key exists) – then the encrypted text of what you just typed is compared with the encrypted text stored in your profile. If they match, you are allowed to sign in.

Note that nowhere in the above process is it ever necessary to decrypt an encrypted password.

Of course, if your machine is infected with a keylogger, your raw password could be captured that way. But a massive heist of stored data from the server is unlikely to be useable IF the data is actually recorded in a suitably secure way.

Note all those places you could log in (on-line e-mail, bank and utility companies, amazon, paypal, etc.) that have a link you can click on to recover a lost password. And note that SOME of these places, when you click that link, will send you an e-mail with your un-encrypted password. That’s a danger sign! It means your password is actually being stored in some form (even if it’s encrypted) from which it could be decrypted to recover the original.

Other sites, if you click on the recover-password link, will auto-generate a brand new password and mail that to you. You can log in with that (often, they are set up to work once only, and you must promptly set up a new password of your own choice). These are the sites that are likely encrypting your password irreversibly, so that they cannot tell you what your password was. If that is what they are actually doing, I feel those sites are much more secure.

Yes, but brute-forcing is a viable strategy when you have the actual password file. It won’t help you much unless you can locate a connected account on another site that uses the same ID and password, of course–but my user ID on Steam was my gmail address and the password was my gmail password, which left me pretty vulnerable. It was a fairly weak password that I use on a lot of unimportant accounts around the web (including the SDMB, as it happens)–but I’d forgotten that I’d used it for gmail back when gmail wasn’t an important account. Now, though, it’s my Google Apps account–reader, google+, google docs, etc., plus I use gmail instead of my ISP e-mail account for some of my business notifications; I should have changed to one that was more secure (and unique–passwords shouldn’t be shared between any crucial accounts) long ago.

In theory, someone could brute-force this password, guess my ID, and hack a fair number of my message board accounts around the Net, and make embarrassing posts under my ID. If that happens, I’ll change those passwords and apologize. They could no longer hack my gmail with this info, potentially then hacking my American Express account (by requesting a password reset on it, which info would be sent to my gmail address, as that’s the address AmEx has). Consequences of that foul-up would obviously be a bit more dire …
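The two posts above describe the same mechanism from both sides: the server keeps only a one-way transform of the password (what the tutorial post calls irreversible encryption is, in standard terms, a salted hash) and verifies by recomputing it, while an attacker holding the stolen file can still guess offline and then reuse any password that falls against the same ID elsewhere. The following is an added illustration written for this page, not code from Valve, Steam, or any poster; the record layout, the PBKDF2 parameters and the wordlist are constructed for the example, and nothing here reflects how Steam actually stored passwords.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for the constructed example. Real deployments tune this to their
# hardware; the point is that every guess has to pay this cost.
ITERATIONS = 100_000


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Store a salted PBKDF2-HMAC-SHA256 digest of the password.

    No decryption key is kept anywhere because none exists: the salt is not a
    key, it is public per-user data that stops one guess from testing every
    user at once. The original password cannot be recovered from the record
    except by guessing it.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "digest": digest, "iterations": ITERATIONS}


def verify(record: dict, attempt: str) -> bool:
    """Login check: transform what the user typed the same way and compare.

    The stored password is never decrypted, because it was never stored.
    compare_digest avoids leaking how many leading bytes matched via timing.
    """
    candidate = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["digest"])


def offline_dictionary_attack(record: dict, wordlist: list) -> Optional[str]:
    """What an attacker with the stolen profile table can still do: guess.

    This is the brute-force caveat from the thread. Each candidate costs a
    full PBKDF2 run, so a password from a short common list falls quickly and
    a long random one does not, even though both records look like gibberish.
    """
    for guess in wordlist:
        if verify(record, guess):
            return guess
    return None


# Constructed wordlist standing in for the kind of list attackers run first.
WORDLIST = ["123456", "password", "steam", "letmein", "qwerty", "dragon"]


def demo() -> dict:
    """Crack attempt against a weak and a strong password stored the same way."""
    weak = make_record("letmein")
    strong = make_record("Xq7!vR2#pLw9zT4m")
    return {
        "weak": offline_dictionary_attack(weak, WORDLIST),
        "strong": offline_dictionary_attack(strong, WORDLIST),
    }


if __name__ == "__main__":
    print(demo())
```

The recovered weak password is the dangerous output here: on its own it only opens the account it came from, but if the same string guards the e-mail address used as the login ID, it also opens every account whose password reset goes to that mailbox.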

The fact that this is a debit card and not a credit card would cause me to be a little more pre-emptive. I’d still call the bank and ask them what to do, but keep in mind that someone draining your checking account is a lot bigger hassle than someone making charges on your credit card. If you decide to get a new card, at least you can plan for it and take out a wad of cash to get you through the week.

Great, they have my debit card and I don’t tend to keep a big balance in there. Don’t know if that’s good or bad (overdrafts.)