PSN Outage – Here’s what will have to be clarified

by: dermdaly

So PSN had an outage, and it is possible that all credit card details have been compromised. Sony have stated that credit card details, without CVV numbers, may have been breached.

I’ve worked on a PCI compliant secure credit card store in the past, so I’ve some experience, and there are a number of unanswered questions.

In a PCI compliant secure credit card store, you do not store credit card numbers in the clear – you must encrypt them. Encryption itself is easy (or rather, by standing on the shoulders of giants, it is) – pretty much any platform offers you robust encryption libraries. The hard part is securing the key(s) used to encrypt/decrypt the data.

In the system I worked on, we used a dedicated hardware security module (HSM). This was a piece of hardware that was military grade – it never allowed the keys to leave the system, and had all sorts of physical tamper-proof capabilities. Basically it worked like this:

  1. The user supplies their credit card details
  2. The software asks the HSM to encrypt the data on its behalf
  3. The encrypted data gets stored
  4. When the system needs to use a credit card (i.e. take a payment), it supplies the encrypted data to the HSM and asks it to decrypt it
  5. The decrypted data is used to make the payment, and never stored

The security lies in the fact that the keys are secured, and cannot be obtained. If the database is compromised, the data is useless without a key; assuming you’ve used a large enough key, you’ll need a supercomputer to find it by brute force.
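
The five steps and the “useless without the key” claim above, modelled in Go as an added example (not the author’s system and not any HSM vendor’s API): the key is generated inside a software stand-in for the HSM and no method exposes it, callers only ever hold AES-GCM ciphertext, and the plaintext card number exists only for the duration of the payment call. The type and function names are my own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// HSM stands in for the hardware module: the key is generated inside and no
// method returns it (a software stand-in for this example, not a real HSM API).
type HSM struct{ aead cipher.AEAD }

func NewHSM() (*HSM, error) {
	key := make([]byte, 32) // AES-256 key; it never leaves this struct
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key)  // a 32-byte key cannot fail here
	aead, _ := cipher.NewGCM(block) // AES has the 128-bit block GCM needs
	return &HSM{aead: aead}, nil
}

// Encrypt (steps 1-3): the caller stores only nonce||ciphertext||tag.
func (h *HSM) Encrypt(pan string) ([]byte, error) {
	nonce := make([]byte, h.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return h.aead.Seal(nonce, nonce, []byte(pan), nil), nil
}

// Decrypt (step 4): only at payment time; GCM also rejects a tampered record.
func (h *HSM) Decrypt(blob []byte) (string, error) {
	ns := h.aead.NonceSize()
	if len(blob) < ns {
		return "", errors.New("stored record too short")
	}
	pt, err := h.aead.Open(nil, blob[:ns], blob[ns:], nil)
	return string(pt), err
}

// TakePayment (step 5): decrypt, hand the PAN to the payment call, keep nothing.
func TakePayment(h *HSM, stored []byte, charge func(pan string) error) error {
	pan, err := h.Decrypt(stored)
	if err != nil {
		return err
	}
	return charge(pan) // pan is not written anywhere after this call
}
```

A dump of the stored records contains only the ciphertext, so without the key inside the HSM it is of no use to whoever takes it.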

Sony have stated that all accounts have been compromised. This suggests a database dump as opposed to some ongoing “trace” to retrieve credit cards in the clear as they are being used. So here are the questions I have:

  1. Was a database dump stolen?
  2. Were the credit cards in the stolen data encrypted or in the clear?
  3. If they were in the clear, why?
  4. If they weren’t in the clear, has the key been compromised? If so, how?
  5. The same questions apply to users’ passwords

Of course, here’s another possibility:
The credit card data was encrypted and the key wasn’t compromised; Sony did everything right, but are using full disclosure to tell the worst case scenario. After all, a criminal with the resources to breach a major corporation may well have a supercomputer at their disposal.

Answering the above questions could put a lot of minds at rest.
