Opinion// PlayStation Network & the Credit Card Theft Storm

Posted 18 Feb 2011 10:00 by
This article was originally published in February 2011. A follow-up is in preparation today - 27th April 2011

So, PSN has been hacked and your credit card details are being spewed across the Internet in plain text for all to read?

If you believe that selfsame Internet, that's the conclusion you'll have most likely reached by reading the stories reporting on the latest revelation about the inner workings of Sony's PS3.

The revelation was made in an IRC chat amongst a group of hackers discussing their investigations of the way the PS3 passed data between itself and the PSN servers. The relevant lines are 58-68 where "user2" is discussing the information sent to PSN that enables Sony to determine if a custom firmware (CFW) has been installed.

The text on line 67 looks like a standard HTTP query string, the format browsers use to pass the information from web forms to the servers that process them. These strings of characters are easily readable by human and machine alike if you understand how they are constructed.

Even if you don't know the exact ins and outs of the query string format, you can see the (fake) 16-digit credit card number "4558254723658741" in there as well as the holder's name, card expiry date and, most importantly, the 3-digit security code "214" from the back of the card.

So how can Sony be so foolish as to send these details, in what is quite obviously an easily readable format, across the Internet where anybody can intercept and read them?

As you may expect, the answer is "they aren't". The credit card details are never sent in plain text. They are sent using a secured protocol called HTTPS. You use this protocol all the time if you ever buy products online, for example if you buy a game from Amazon. The address bar of your browser goes yellow or green, the padlock symbol lights up or some other mechanism is used to show you that any information you enter is secure.

Without getting too technical, HTTPS uses a set of digital certificates to encrypt the data and to ensure the server is what it claims to be. Each certificate is signed by the next to form a chain that ends with a trusted certificate.

Your web browser software has a set of trusted certificates installed with it that are periodically updated and so does your PS3's firmware. Here we come to the source of the supposed problem.

So if this security is good enough for Amazon, what's the issue with the PSN? In this PDF released by the hacker group and hosted by PS3Crunch, the issue is explained in simpler and more easily followed terms.

"Even if a connection is SSL encrypted, companies are aware of the big risk behind custom CA files and its possibilities. The credit card information should ALWAYS be encrypted. In ANY case. At least the security code. SONY is only relying on its https connection. With all those CFWs spreading around, this is not secure anymore."

What they are saying is that if you install a custom firmware, the trusted certificates (referred to here as "CA files" where CA stands for Certificate Authority) can be replaced with ones that the creator of the firmware decides to include. The firmware can also be set up to send your details to any server, not just those run by Sony. With this combination, your credit card details could be sent anywhere on the Internet for anybody to use.
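
The check this implies for a defender, as an added example that is not from the article or the PDF: compare the CA bundle a firmware actually carries against a known-good baseline by certificate fingerprint. The bundle contents below are constructed placeholder blobs rather than real certificates, and the function names are hypothetical.

```python
import base64
import hashlib
import re

# Matches each certificate block inside a PEM bundle ("CA file").
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def fingerprints(bundle):
    """Return the SHA-256 fingerprint of every certificate's DER bytes."""
    return {
        hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()
        for body in PEM_BLOCK.findall(bundle)
    }


def audit(baseline, installed):
    """Diff an installed trust store against the known-good baseline."""
    good, seen = fingerprints(baseline), fingerprints(installed)
    return {
        "added": sorted(seen - good),      # roots the vendor never shipped
        "removed": sorted(good - seen),    # vendor roots that have vanished
        "trusted_as_shipped": seen == good,
    }


def pem(der):
    """Wrap raw bytes in PEM armour (only used to build the sample below)."""
    body = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


# Constructed sample: placeholder blobs standing in for real DER certificates.
OFFICIAL = pem(b"vendor-root-A") + pem(b"vendor-root-B")
MODIFIED = pem(b"vendor-root-A") + pem(b"unknown-root-X")

if __name__ == "__main__":
    report = audit(OFFICIAL, MODIFIED)
    print("trust store matches baseline:", report["trusted_as_shipped"])
    for fp in report["added"]:
        print("unexpected CA:", fp)
    for fp in report["removed"]:
        print("missing CA:   ", fp)
```

Any fingerprint under "added" is a root that will make certificates issued by its owner validate, which is the substitution described above.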

They are also saying that the details of the credit card should be encrypted before sending them over the HTTPS link, which is itself encrypted. This is overkill in my opinion. As part of my day job, I've written software that processes credit cards online using several systems from large well-known banks and we were never asked to do this.

Practically, the encryption keys would have to come from the server, which could be malicious, or use a trusted certificate, which could be a fake. Either way, there is no added security in encrypting the details before using HTTPS.

So what does this mean for you? Well, if you want to play with custom firmware, don't put your credit card details in. If you don't want to, carry on as normal. In the same way, if you want to use non-standard versions of your browser from dubious sources, don't use them to buy stuff online.

Essentially, this amounts to a storm in a teacup. If you just want to use your PS3 to play games and buy stuff on the PlayStation Store and have never installed a custom firmware then your credit card details are as safe and secure as they are when you shop online on your PC.

If you want to use custom firmware and tinker with your PS3 then you shouldn't put your credit card details into your system, but then you're unlikely to anyway.

The opinion expressed in this article is that of the author and does not reflect those of SPOnG.com except when it does.
