Opinion// PlayStation Network & the Credit Card Theft Storm

Posted 18 Feb 2011 10:00 by
This article was originally published in February 2011. A follow-up is in preparation today - 27th April 2011

So, PSN has been hacked and your credit card details are being spewed across the Internet in plain text for all to read?

If you believe that selfsame Internet, that's the conclusion you'll have most likely reached by reading the stories reporting on the latest revelation about the inner workings of Sony's PS3.

The revelation was made in an IRC chat amongst a group of hackers discussing their investigations of the way the PS3 passed data between itself and the PSN servers. The relevant lines are 58-68, where "user2" is discussing the information sent to PSN that enables Sony to determine if a custom firmware (CFW) has been installed.

The text on line 67 looks like a standard HTTP query string, which is the format used by browsers to pass the information from web forms to the servers that process them. These strings of characters are easily readable by human and machine alike if you understand how they are constructed.

Even if you don't know the exact ins and outs of the query string format, you can see the (fake) 16 digit credit card number "4558254723658741" in there as well as the holder's name, card expiry date and, most importantly, the 3 digit security code "214" from the back of the card.

So how can Sony be so foolish as to send these details, in what is quite obviously an easily readable format, across the Internet where anybody can intercept and read them?

As you may expect, the answer is "they aren't". The credit card details are never sent in plain text. They are sent using a secured protocol called HTTPS. You use this protocol all the time if you ever buy products online, for example if you buy a game from Amazon. The address bar of your browser goes yellow or green, the padlock symbol lights up or some other mechanism is used to show you that any information you enter is secure.

Without getting too technical, HTTPS uses a set of digital certificates to encrypt the data and to ensure the server is what it claims to be. Each certificate is signed by the next to form a chain that ends with a trusted certificate.

Your web browser software has a set of trusted certificates installed with it that are periodically updated and so does your PS3's firmware. Here we come to the source of the supposed problem.

So if this security is good enough for Amazon, what's the issue with the PSN? In this PDF released by the hacker group and hosted by PS3Crunch the issue is explained in simpler and more easily followed terms.

"Even if a connection is SSL encrypted, companies are aware of the big risk behind custom CA files and its possibilities. The credit card information should ALWAYS be encrypted. In ANY case. At least the security code. SONY is only relying on its https connection. With all those CFWs spreading around, this is not secure anymore."

What they are saying is that if you install a custom firmware, the trusted certificates (referred to here as "CA files" where CA stands for Certificate Authority) can be replaced with ones that the creator of the firmware decides to include. The firmware can also be set up to send your details to any server, not just those run by Sony. With this combination, your credit card details could be sent anywhere on the Internet for anybody to use.
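
The dependence on the trusted "CA files" described above can be reproduced with the openssl command line. This is an added illustration, not part of the original article or the hackers' PDF, and every name in it (Demo Vendor Root, Demo Other Root, store.example.test) is constructed.

```sh
#!/bin/sh
# Added illustration. Every name below (Demo Vendor Root, Demo Other Root,
# store.example.test) is constructed; nothing here is Sony's or the PS3's.
set -eu

# make_ca <dir> <name> <CN>: create a self-signed root certificate and key.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue_leaf <dir> <ca> <leaf> <CN>: create a server certificate signed by <ca>.
issue_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$4" \
    -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
    -CAcreateserial -days 1 -out "$1/$3.pem" 2>/dev/null
}

# check_trust <ca-file> <cert>: what a client trusting only <ca-file> decides.
check_trust() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo trusted
  else
    echo rejected
  fi
}

# The same two server certificates, judged against two different CA files.
demo() {
  d=$(mktemp -d)
  make_ca "$d" vendor "Demo Vendor Root"
  make_ca "$d" other "Demo Other Root"
  issue_leaf "$d" vendor site_a "store.example.test"
  issue_leaf "$d" other site_b "store.example.test"
  echo "stock store: vendor-issued=$(check_trust "$d/vendor.pem" "$d/site_a.pem")" \
    "other-issued=$(check_trust "$d/vendor.pem" "$d/site_b.pem")"
  echo "replaced store: vendor-issued=$(check_trust "$d/other.pem" "$d/site_a.pem")" \
    "other-issued=$(check_trust "$d/other.pem" "$d/site_b.pem")"
  rm -rf "$d"
}

demo
```

The certificates are identical in both runs; only the CA file changes, so the integrity of the trust store decides what an HTTPS connection actually guarantees.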

They are also saying that the details of the credit card should be encrypted before sending them over the HTTPS link, which is itself encrypted. This is overkill in my opinion. As part of my day job, I've written software that processes credit cards online using several systems from large well-known banks and we were never asked to do this.

Practically, the encryption keys would have to come from the server, which could be malicious, or use a trusted certificate, which could be a fake. Either way, there is no added security in encrypting the details before using HTTPS.

So what does this mean for you? Well, if you want to play with custom firmware, don't put your credit card details in. If you don't want to, carry on as normal. In the same way that if you want to use non-standard versions of your browser from dubious sources, don't use them to buy stuff online.

Essentially, this amounts to a storm in a teacup. If you just want to use your PS3 to play games and buy stuff on the PlayStation Store and have never installed a custom firmware then your credit card details are as safe and secure as they are when you shop online on your PC.

If you want to use custom firmware and tinker with your PS3 then you shouldn't put your credit card details into your system, but then you're unlikely to anyway.

The opinion expressed in this article is that of the author and does not reflect those of SPOnG.com except when it does.


Comments

haritori 21 Feb 2011 11:57
1/4
Did you know that with any Visa debit based card you can replace the last 3 digits with 000 and it works! Not very secure, is it..
config 21 Feb 2011 18:20
2/4
The 000 ending may well mean the card number passes the checksum test, but every online payment goes to the bank to check the account has funds (known as "auth" or "preauth") and passes a plethora of fraud checks.

At that point your "000" shenanigans will be righteously called out, to the tune of "invalid card number".
Guest 23 Feb 2011 15:32
3/4
Interesting comment by the author - just because you weren't asked to take extra security measures by any banks, doesn't mean it shouldn't have been done.
I program as well and quite a few companies either don't know, don't care, or are too cheap to go the extra mile. That's why standards like HTTPS are changed eventually, once someone cares enough to hack it to pieces.
tyrion 23 Feb 2011 20:27
4/4
Guest wrote:
Interesting comment by the author - just because you weren't asked to take extra security measures by any banks, doesn't mean it shouldn't have been done.

Sorry, that wasn't exactly well worded. The APIs don't support encrypting the card number or security code. It's impossible to do.

It's not like there is a variety of security levels that the banks and card clearing agencies are happy with, they demand the same level of security from everybody. It's just that there is no point in encrypting those details, for the reasons I mentioned in the article.

In order to encrypt the card details, you'd need to receive data from the server or pass data to the server so that both sides know how the encryption is happening. This already happens as part of the HTTPS protocol. However, if you can't trust an SSL certificate, then you can't trust any information passed over an HTTPS connection that is protected by it.

I think the hackers are thinking about storing the data at the server side, just like you should encrypt passwords in a database for example and not store the plaintext password.

Double encryption "over the wire" makes no sense. Let's face it, if they can fake a CA certificate, then they can fake the rest of it and still get to the plaintext version of the card details. After all, the card clearing agencies need to do this to authenticate the card.