Rumors are flying that credit cards obtained during last week’s Sony PlayStation Network data breach are up for sale to the highest bidder in the on-line underworld. It was only yesterday that Sony had offered a FAQ on the issue and revealed the use of encryption on credit card data.
So are the rumors just that, rumors? Or is something else going on here?
“It is Not a Rumor”
At nytimes.com, The New York Times reported the following about Kevin Stevens, senior threat researcher with Trend Micro:
Kevin Stevens, senior threat researcher at the security firm Trend Micro, said he had seen talk of the database on several hacker forums, including indications that the Sony hackers were hoping to sell the credit card list for upwards of $100,000. Mr. Stevens said one forum member told him the hackers had even offered to sell the data back to Sony but did not receive a response from the company.
Mashable.com noted that Stevens had also tweeted, “It is not a rumor, it was a conversation on a criminal forum. I never saw the DB so I can’t verify if it is real.”
I don’t doubt Stevens, but can we extend our trust to the hackers? Could it be that they’re trying to pull a fast one while Sony mulls giving out more details? On the one hand, they are criminals. On the other, I do know that most such forums use an “eBay system” in which reputation is paramount to making a successful sale, both today and in the future (they are criminals after all, so transactions can’t work without a degree of artificial trust).
Consider what this implies for Sony, though. First off, it would mean that Sony lied, because it publicly stated that the three-digit security code for credit cards was not stolen for the simple reason that it was never collected. You can’t lose what you never stored. The rumors run against this.
Second, it would mean that one of the worst encryption programs in the history of computing had been used, seeing how the hackers managed to crack it in two weeks. I know Sony has a penchant for creating its own stuff, but I doubt that it did so in this case. (Of course, there is the possibility that either the encryption key or a password fell into the hackers’ hands. It’s quite unlikely, though.)
You’ve also got to consider the possibility that the above is partly truth and partly fiction. The screenshot of such a conversation on krebsonsecurity.com, for example, shows that neither participant actually holds the data. So, it could be that most of the conversation is based on truth, with a little embellishment (the CVV2) added in.
I still can’t get over the fact, though, that Sony would lie to the world about the theft of credit card numbers. I mean, the truth on that will get out eventually, via fraudulent charges, so it doesn’t make sense that the Japanese company would set itself up for lawsuits and government investigations (it’s a high-profile company).
My feeling is that all of this stuff is a rumor.