
Online Gaming Networks: The New Front in Identity Theft Fight

Credit card processing servers. Poorly secured corporate networks. Point-of-sale terminals in gas stations and stores. These are just some of the more common systems infiltrated and corrupted by hackers looking to gain valuable credit card data to make counterfeit credit cards. But as common as they are, these hacks are already falling by the wayside, getting passed over in favor of, believe it or not, video game networks.

As video game systems become increasingly interactive, and their platforms powerful enough to handle not only gaming, but also other entertainment features like film and music, hackers have taken note of the confluence of young people and lots of credit card information on those networks. What better way to gain access to this potential credit card and personal info goldmine than by penetrating these still relatively loosely guarded networks? Just ask Sony, which since late April has been dealing with the fallout from a hack of its Playstation Network containing user names, passwords, addresses and credit card info.

It was April 20th of this year when Playstation Network users first noticed they were not able to log on to the system. By April 22 Sony admitted the network suffered a non-gaming outside “intrusion”, but it was not until nearly a full week later that they announced user personal information may have been stolen, though hedged with a carefully-worded “we have no evidence to support this” caveat. In a statement on their website, Sony itemized the data lost:

We believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate.... It is also possible that your profile data, including...billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained.

In all, the Sony Playstation Network hack compromised some 77 million accounts, with 10 million credit card numbers. While this makes the PSN theft considerably smaller than the retail corporate network breaches at TJ Maxx and others that netted hundreds of millions of credit card numbers, it is still an astounding number in absolute terms. Imagine every resident of New York and Boston having their credit card information stolen - and you would still be about 50,000 short.

The PSN hack may have been just the first of the new front in the battle with credit card thieves. With multiplayer online gaming poised to grow dramatically over the coming years, hackers will undoubtedly target massive multiplayer online games more, putting even greater pressure on the gaming companies to protect customer data and comply with the Payment Card Industry (PCI) Data Security Standards (DSS).

Was Sony itself PCI-DSS compliant? That question is still hotly debated. Sony itself claims it was. The data breached was encrypted, they say, and the lack of CSC numbers - those three or four-digit security codes found on credit cards - makes them harder to use. In any case, they have established a second line of defense in the form of a disclaimer reading, verbatim:

"We exclude liability for loss of data or unauthorized access to your data, Sony Online Network account or Sony Online Network wallet and for damage caused to your software or hardware as a result of using or accessing Sony Online Network."

Disclaimers notwithstanding, a class action lawsuit has already been filed in Northern California accusing the company of failing to “take reasonable care to protect, encrypt, and secure the private and sensitive data of its users which led to the intrusion that caused over 70 million customers the loss of their personal and private information.” Capitalizing on the news of the lawsuit, and reports that Sony’s servers apparently ran on outdated, unpatched and unfirewalled software, the group claiming credit for the PSN hack put out a press release (an honest-to-goodness one) accusing Sony of clearly violating PCI.

Whether Sony was or was not PCI compliant will take months to sort out. Either way, however, the damage is real. According to the well-known security expert Brian Krebs, whom we have previously quoted in our blog, hackers have already been shopping around a database of 2 million accounts, including card numbers, ostensibly taken from the PSN victims. Sony’s reputation is suffering, and the breach will likely cost them more than a few customers.

The lesson to all businesses should be to double and triple check their PCI compliance standards - just follow Fraud Fighter’s handy guide. Even if you are not a multimillion transnational corporation and just a humble corner cafe, your responsibility to follow PCI is just the same. And the losses both financial and reputational may be just as devastating.

Finally, let us not forget the ultimate consequence of this breach. More fake credit cards will undoubtedly be created using the hacked info, adding to an already large amount in circulation. Many of those will certainly wind up used at humble corner cafes, as well as large chain stores, where the only thing standing between the fraudster and the merchandise they are about to carry away will be the cashier. Who hopefully will be properly trained and smart enough to slide both the card and the driver’s license ID of the buyer under a counterfeit-detector UV light, to make sure they’re not just using Playstation money.