Sony has tried to calm users by explaining that their PSN credit card information was encrypted, but it appears that this was no deterrent to the industrious hackers who broke into the network.
The hackers have now tried to sell the stolen data on online black-market forums, and they say they have everyone's credit card numbers, including the CVV numbers that Sony says it did not even store.
The attackers also claim that they tried to sell the info back to Sony, but Sony refused to buy it back.
So it seems someone is telling the truth and someone else is not, or could both parties be telling the truth?
Take the first claim made by the hackers, that they now have unencrypted credit card numbers available for sale. This does not actually contradict anything Sony has said so far. Sony says the credit card numbers are encrypted, which is standard industry practice. However, for Sony to use the numbers, its systems need to be able to decrypt them, and if the hackers got deep enough into the PSN system to observe the decryption sequence, or even to use the system itself to decrypt the numbers before downloading them, then the encryption is effectively useless. And even if the hackers managed only to pull the encrypted data off the network, they could still have decrypted it themselves if the encryption algorithm was not strong enough.
As for the second claim, that the hackers have the CVV numbers as well, this gets a little trickier. Under the industry-standard PCI-DSS data security guidelines, CVV numbers cannot be stored, not even in encrypted form. So if the hackers have these numbers as they claim, then either Sony did not properly follow the PCI-DSS guidelines, which could get it into big trouble, or the hackers found some other way to intercept the numbers.
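The defender-side check implied by the PCI-DSS point above, written here as an added example and not anything from Sony or the article: a small Python scan over a constructed export of stored payment records that flags any CVV field holding a value and any cleartext primary account number, so that such data is caught before a breach can reach it. The record layout and field names are assumptions.

```python
import re

# Constructed sample records, shaped like a data-store export (assumption).
SAMPLE_RECORDS = [
    {"user": "alice", "pan": "4111111111111111", "exp": "12/14", "cvv": "123"},
    {"user": "bob", "pan_enc": "b64:ZmFrZQ==", "exp": "01/15"},
    {"user": "carol", "card_token": "tok_9f8e7d", "cvc2": "9876"},
    {"user": "dave", "pan": "411111******1111", "exp": "03/13"},
]

# Field names that denote sensitive authentication data (never storable)
# and cleartext account numbers (storable only if rendered unreadable).
CVV_FIELDS = re.compile(r"^(cvv2?|cvc2?|cid|csc|security_code)$", re.I)
PAN_FIELDS = re.compile(r"^(pan|card_number|cc_number|number)$", re.I)


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: True only for a well-formed 13-19 digit account number."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_violations(records):
    """Return (record index, field, reason) for every finding.

    A CVV-named field with any value is a violation regardless of encoding.
    A PAN-named field is flagged only when its value is a Luhn-valid number,
    so masked values such as 411111******1111 pass.
    """
    findings = []
    for idx, rec in enumerate(records):
        for field, value in rec.items():
            if CVV_FIELDS.match(field) and str(value).strip():
                findings.append((idx, field, "stored CVV (never permitted)"))
            elif PAN_FIELDS.match(field) and luhn_valid(str(value)):
                findings.append((idx, field, "cleartext PAN"))
    return findings


if __name__ == "__main__":
    for idx, field, reason in find_violations(SAMPLE_RECORDS):
        print(f"record {idx}: field '{field}': {reason}")
```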
And as for Sony not buying back the data? Only Sony knows whether this happened and, if it really was offered the chance to re-secure user data, why it did not feel the need to take up the hackers' offer.