Sony has claimed that credit card data stored on the PlayStation Network was encrypted and that there is still no evidence that credit card information has been stolen following last week's security breach of the online service.
Although on Tuesday Sony admitted that it could not rule out the possibility that credit card data had been taken, there is still no suggestion that the breach has been that serious.
The entire credit card table was encrypted and we have no evidence that credit card data was taken.

Sony

According to an update on the official PlayStation Blog, "All of the data was protected, and access was restricted both physically and through the perimeter and security of the network. The entire credit card table was encrypted and we have no evidence that credit card data was taken.
"The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack."
While Sony still cannot guarantee that credit card information, encrypted or otherwise, was not taken it continues to offer the same advice to customers: " If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained."
"Keep in mind, however that your credit card security code (sometimes called a CVC or CSC number) has not been obtained because we never requested it from anyone who has joined the PlayStation Network or Qriocity, and is therefore not stored anywhere in our system."
The protection of credit card data could be the first positive news for Sony during the ongoing scandal, but the admission that personal data was not encrypted could still prove damaging.
This data has already been confirmed as compromised and would be of significant use to criminals in terms of identity theft and as an aid to phishing scams.
Yesterday it was revealed that the Information Commissioner's Office in the UK is to quiz Sony over its online security arrangements.

http://www.gamesindustry.biz/article...-was-encrypted
...

In the aftermath of Sony's PlayStation Network breach, security expert LogRhythm has warned that organisations do not place enough importance on user data, and a culture of "inherited apathy" can exist towards valuable personal information.
This week Sony admitted that over 75 million PlayStation Network accounts have been compromised, with the platform holder unable to determine whether credit card details have been stolen.
And today it admitted that personal information including user's email address, passwords and online IDs were not encrypted.
Bearing in mind that 80 percent of attacks are from insiders, who is the most likely person to have been able to conduct or assist with this attack?

Martin Landless, LogRhythm

"Personal details such as names and addresses have long been seen as unimportant assets and as an organisation's services grow, the inherited apathy - or insufficient risk assessment - can prevail," Martin Landless, technical director of international markets at LogRhythm toldGamesIndustry.biz.
"When this information is combined with dates of birth and credit card numbers, the value and potential to lead to further attacks increases exponentially. Even if the passwords were encrypted, the method used may not have been strong enough to ensure they remained secure."
While the current focus is on the violation of the PlayStation Network, Landless questioned whether the perpetrators were able to access other classified Sony information.
"What other systems did they access during that period? Is there a possibility that intellectual property has been compromised such as new specifications for PlayStation 4?"
He also pointed out that the majority of hacks are committed by internal staff, not outside forces.
"Bearing in mind the 80/20 rule that 80 percent of attacks are from insiders, who is the most likely person to have been able to conduct or assist with this attack?
"One would imagine there would be multiple external perimeters to compromise, and monitoring should have been conducted on these layers. There may not have been so many detection mechanisms within the network for a trusted administrator."
Sony has been criticised for not informing users sooner that their details had been compromised. Landless said that the company may not have been aware of the scale of the attacks and should now monitor security in real-time to improve reaction times.
"There is a very good chance it was unaware of the scale of the problem. Many organisations have a poor understanding of what is happening across their IT infrastructure, making it difficult to identify security incidents when they occur and the root causes responsible.
"There is often too much focus on the traditional security products that attempt to build a fence around the IT estate," he added. "Repeated high profile incidents of data loss have proven that these solutions are not infallible and are not enough to ensure network security.
"Sony needs to accept the inevitability of data breaches and take new courses of action to prevent similar incidents. It is now essential that systems are in place that can recognise breaches in real-time so that appropriate action can be taken immediately. Sony needs to automate and centralise the collection and analysis of 100 percent of its data logs, so that any aberration can be detected and investigated as it occurs."

http://www.gamesindustry.biz/article...ards-user-data
...

After only one week of trailing the 3DS the PSP is once again the best-selling hardware platform in Japan, as Nintendo DS titles take the number one and two spots in the software charts.
The PSP has been the only major format affected by supply problems since the Japanese earthquake disaster, with websiteAndriasang suggesting that the system is still selling out quickly as new stock arrives.
As a result this week sales more than doubled to 49,427 - including 265 sales for the PSPgo. The 3DS though continued its slow decent, shedding another 5,000 unit sales for a total of 23,038.
The PlayStation 3 also saw a drop in sales, of around 3,000 units, to 22,265. Combined sales for the Nintendo DS family of consoles stood at 13,561, while the Wii slipped a few hundred to 7,866.
The top-selling software title of the week was DS hardware bundle Battle & Get! Pokémon Typing DS, which comes packaged with a full QWERTY keyboard. The game includes a number of Pokémon themed mini-games aimed at teaching typing skills - a surprisingly common spin-off concept in Japan that has previous encompassed franchises such as Street Fighter and The House of the Dead.
Battle & Get! sold 59,363 units on its debut, below the 100,000 minimum usually expected for a number one title in Japan - although the higher unit price will have compensated for this to a degree.
The second-highest new entry of the week was a new DS tie-in to anime Detective Conan at number six, with the Namco Bandai title selling 19,786 units over the course of the week.
Spike's new action title GachiTora! Sold 13,560 units at number seven, while Zipper Interactive's SOCOM 4 (aka SOCOM: Special Forces) debuted at number eight with 12,613 units sold. This is a much higher initial chart position than the game earned in its recent UK release.
Rounding out the charts is hardcore 2D shooter Otomedius Excellent from Konami on the Xbox 360, with 10,502 units sold.


http://www.gamesindustry.biz/article...again-in-japan ...

Unless you're some sort of internet surfing ninja, the PlayStation Network news has been hard to avoid. Sony's online platform provides online gaming, new video game, movie and music content to millions - and it has been hit hard by nefarious hackers.

While we can all live without playing online for a few days, the PSN hacking fallout may have bigger repercussions. Earlier this week Sony issued achilling official statement confirming that the personal information of its users had been compromised as a result of the illegal "intrusion".




It admitted, much to consumers' horror: "We believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birth date, PlayStation Network/Qriocity password and login, and handle/PSN online ID".

While there is no evidence at this time that any credit card data was used fraudulently, the possibility cannot be ruled out. If you have provided your credit card data through PlayStation Network or Qriocity, an "abundance of caution" is advised.

Sony has said it hopes to restore PlayStation Network services within a week - but the question is... will you go back?

With the service and personal details compromised on such a broad and fundamental level will you be able to once again place your sensitive information in Sony's hands after being burned? Are you thinking it might be time to jump ship and join Xbox Live? Or are you confident that Sony will be able to address the security issues once and for all and are happy to forgive, forget, and go on enjoying the PlayStation Network's multiplayer gaming and content offerings?

As ever, let us know your thoughts in the comments section below...

http://www.computerandvideogames.com...VG-General-RSS ...

...

The recent attacks and subsequent user information breach is evidence that internet fraudsters are now increasingly targeting social and other such networks because of their softer security measures compared to banks and online retailers.

That's according to data protection expert and Open University lecturer Blaine Price, who told BBC that networks such as Sony's PSN are forced to sacrifice security in favour of usability.




"Any lock can be picked," said Price, adding, "There's always a trade off in security between usability - being able to get at what you want, and making it secure.

"Your online banking site is much more sophisticated," he went on to explain, making it a more strenuous process for users to get their details, but is more secure because of it.

"A bank would usually use two-factor authentication, where you've not just got a password. It would be a real pain if every time you want to start up a game you had to scan your thumb, type in 15 digits and pull out a card reader.

"Any time you're just using a user ID and password, it's going to be a risk," said Price.

David Emm, a senior security researcher for Kaspersky Labs, chimed in with age-old advice - don't use the same passwords for all your site/network accounts. "The weakest link is always the individual," said Emm, noting peoples' tendency to use the same password across the internet to make logins easier to remember.

"Clearly, trying to undermine a bank's security is a lot of effort. Whereas if you go after an individual, it's not going to be noticed, it's going to be easier to do."

Meanwhile, the Information Commissioner's Office's (ICO) David Smith questions companies need to collect such extensive amounts of personal data. "It's a very important data protection principle that you shouldn't collect excessive information or keep it longer than is necessary.

"The question about, for example, why an organisation asks for a specific date of birth, as opposed to an age band, is at the centre of our work," he said.

http://www.computerandvideogames.com...VG-General-RSS ...

Anyone else wake up this morning with an icky feeling in their stomach?

Stupid, really. No-one died, there was no physical damage. I'm still here, you're still here. I'm sure your mum's fine.

And yet such a wave of immediate vulnerability, combined with a crash of breathtaking, stomach-crippling naivety... it was almost bleak.

The non-gaming world still hasn't fully grasped it yet, but it's one hell of a scary day to be a tech-savvy citizen. Our very way of life has been attacked, and consciously acknowledged or not, we are reeling.




The immediate and vicious communal ire, unsurprisingly and to a large degree deservedly, has been directed at Sony. These are, after all, the personal and financial details with which over 70 million consumers - roughly the population of the entire UK - confidently entrusted the platform holder.

It seemed a simple deal: we'll give you oodles of cash for brilliant content, you take our money with a grin. Oh, and don't be frivolous with our entire online identity. Cool?

Overnight, that unspoken contract (or, indeed, that contracted contract, depending on the inevitable litigious tussle) has been eroded with a single, crushing phrase: "An unauthorized person has obtained the following information." I still feel slightly winded after reading it.

Sony may tell us that it's received no reports of credit card fraud from PSN users, but that will be shallow comfort to an uneasy, woozy consumer base. Under its guard, the safety apparatus has been ripped off our personal wealth - in some cases, the very funds that will bedrock our future livelihood. Some degree of inflated panic is entirely condonable.

But to lay the blame solely at Sony's feet is to do injustice to the guile, deviousness and frightening perspicacity with which the PlayStation Network has been invaded. And, moreover, to the rabid motivation that has driven it.

It is a fact that there may have been vulnerabilities in Sony's security that were overlooked. They should be independently investigated - and Sony fully held to account for any proven wisp of negligence.

But in fairness, the platform holder has been doing battle with a far greater force than a mere deficiency-seeking drone, out to wheedle its weak spots; it has been dealing with the rapacious human will of a fanatical foe.

It has, to all intents and purposes, been turned on by a technological terrorist - one without the malevolence for bloodshed or tragedy, but a terrorist nonetheless. Our cosy reliance on Sony's steel walls has been splintered; our trust in the system spooked.




Thankfully - and I'm typing with fingers crossed and rabbit foot firmly attached - the perpetrator who shattered PSN's previously impenetrable digital fortress is more likely to be a spliff-in-mum's-garage nerd than a hardened, profit-seeking criminal. A nerd like the unfortunate Gary McKinnon, who - perspective alert! - allegedly snuck behind the digital perimeters of NASA and the US Navy, Army and Air Force in 2001. From his mum's computer. Just to check on UFOs.

Like McKinnon, PSN's nemesis is likely hyper-intelligent and, no doubt, not exactly a darling of high society.

The fact that a full week has passed since the PSN attack without any reported credit card fraud is reason for us all to relax at least a little - and to suggest that the end-game for Sony's public enemy no.1 was to expose, rather than embezzle; to win, rather than wound.

But what kept them ticking? Whoever successfully 'intruded' (Sony's Carry On euphemism does bring some light relief to proceedings, don't you think?) PSN last week was a demonstrable zealot; fixated on leaving Sony red-faced, and bringing its establishment crashing down.

If I were a betting man, and I'm not (or at least, I can't afford to be whilst my VISA lies legs akimbo to the criminal underworld), I'd put 50,000 MS Points on why I think PS3 was targeted in such a furious manner: Simply, because Sony beat the hackers.

Not only did its console lay non-moddable for years - the Batmobile of gaming next to Nintendo and Microsoft's relative Robin Reliants - but when Sony's Blu-ray beast was finally jailbroken, the company hit back. Hard.

It took the livewire king of the community, one George Hotz, and neutered him explicitly and unrelentingly, right in front of his acolytes. 'GeoHot' and Sony may have settled out of court, but Hotz's passive-aggressive, tail-whipped final rallying whispers to his fans were an embarrassment; a lobotomised whimper compared to the "fudge-packer" grandstanding heentertained us with at his height.




One Flew Over The Cuckoo's Nest analogies rush into view: The establishment had won, and made a clear example of the rebels' bloodied hero - all the while sending out a very clear message: 'Do not f*ck with us. Do not try and outwit us. Do not challenge our rule." So that's exactly what somebody in the hacking community decided to do, bigger and bolder than ever before.

Now it is Sony, not Hotz, which finds itself with its pants around its ankles; whilst a rebelliously-minded networking genius probably sits shaking, stunned at his own lawlessness ...

The devastating attack on the PlayStation Network (PSN) is yet another illustration of how technology-savvy criminals are determined to get their hands on our personal information.
As gamers rued the missed opportunity for online play over the holiday weekend, hackers were able to embark on an Easter hunt around the PSN, picking up small clues which could lead to a bigger prize: card fraud and identity theft.
The hack, which has led to the network being unavailable for over a week, has left observers wondering if a company as vast and seemingly advanced as Sony can get hit, who out there is safe?
The answer, according to experts, is no-one - and something similar will almost certainly happen again.
"We're moving into an era of 'steal everything'," said David Emm, a senior security researcher for Kaspersky Labs.
Continue reading the main story “Start Quote
End Quote Blaine Price Open University
He believes that cyber criminals are now no longer just targeting banks or retailers in the search for financial details, but instead going after social and other networks which encourage the sharing of vast amounts of personal information.
Soft targets
Because of the need to be widely accessible and easy-to-use, networks like PSN are seen as being more vulnerable to attack than banks or big retailers.
"Any lock can be picked," said Blaine Price, senior lecturer in computing at the Open University and an expert in data protection.
"The reason is that there's always a trade off in security between usability - being able to get at what you want to get at, and making it secure.
"Your online banking site is much more sophisticated."
Setting up a PSN account involves a lengthy and sometimes frustrating process of entering personal data - usually on a games controller. But this is a one time inconvenience, as data is saved by the network so that next time around it only takes a few steps.
A more secure option would seriously hinder this process, Mr Price argues.
"A bank would usually use two-factor authentication, where you've not just got a password.
Other gaming networks, such as Microsoft's Xbox Live, could be vulnerable, experts claim.
"It would be a real pain if every time you want to start up a game you had to scan your thumb, type in 15 digits and pull out a card reader.
"Any time you're just using a user ID and password, it's going to be a risk."
For networks like the PSN, or indeed, any system which encourages its users to share lots of data, this poses a massive problem.
Bombarded with countless passwords for a multitude of web services, users are prone to keeping the same or similar details for all.
Discovering the password on one account can often lead to clues about someone's online banking credentials, a far less difficult approach than attempting to hack the bank itself.
"The weakest link is always the individual," said David Emm.
"Clearly, trying to undermine a bank's security is a lot of effort. Whereas if you go after an individual, it's not going to be noticed, it's going to be easier to do."
Data minimisation
As news of the PSN breach emerged, the list of exposed details proved as serious as it was lengthy. Customers' names, date-of-birth, addresses and, Sony fears, their financial details were all compromised.
A more cautious observer would argue that an obvious method of preventing personal information from being taken is to simply never share it, but this is unworkable for people wanting to make use of the latest technology.
There is an on-going debate over how just how much information is necessary for the safe and secure running of a service, and how much simply bolsters the company's marketing opportunities.
At the forefront of this debate is the Information Commissioner's Office (ICO), which said that as well as investigating whether Sony has adequate security measures in place, it will be taking a close look at exactly what data the company collected and why.
"Data minimisation is a security measure in itself," deputy information commissioner David Smith told the BBC.
"It's a very important data protection principle that you shouldn't collect excessive information or keep it longer than is necessary.
"The question about, for example, why an organisation asks for a specific date of birth, as opposed to an age band, is at the centre of our work."
In the mean time, Sony will be working to rebuild its network as securely as possible. For consumers however, worries will remain over the vulnerability of a system that they had previously trusted.
Other services too will be reviewing their own arrangements and seeking to assure customers that their details are safe.
Mr Price from the OU believes that networks must take a more open, transparent approach to security, sharing details about methods used so they can be peer-tested.
"The best thing for security is openness, believe it or not," ...