PSN Outage: Day 10.5 – Sony’s Press Conference and More

After a long and, for many, painful 11 days, Sony has held a long awaited press conference to explain what happened during the outage, whether or not credit cards were stolen, who all is involved in fixing this issue and when the network will be back up and running.

Note: This is an article I wrote that was published elsewhere first. It has been republished here for archival purposes

There are a lot of people seeking answers from Sony over the infamous Sony PlayStation (PSN) outage that saw 70-77 million accounts compromised. Now, we are able to post up what was said during the conference. Pnoscker posted up what they heard in the conference:

Sony held its long awaited press conference tonight regarding the PSN hack and its future. As expected, there weren’t any concrete details regarding new security and it’s already been confirmed there are no new features as of now so what did we get?

Sony says they’re working on a much more sophisticated security system out of San Diego and have enlisted the FBI’s help in fixing the security problems. There remains no evidence that credit card numbers have been stolen but security codes have not been. Sony urges users to keep tabs on their credit card accounts though as they believe it was possible they were compromised by these sophisticated hackers.

PSN will be back up this week apparently and users will receive a free software gift which will be determined by which region they reside in. They gifts are unknown yet but all PSN users will receive one free month of PlayStation Plus.

These points were backed up by NBR which offered the following summary:

* There is still no evidence PlayStation Network (PSN) credit card data was obtained, but it cannot be ruled out
* Some PlayStation Network gaming services will come back online this week, with full service (including TV and movie downloads) resuming “mid May”
* The security breach, which prompted Sony to take the network offline, was the result of a “criminal cyber-attack” on a San Diego data centre.
* Selected software will be available under a welcome back programme
* Sony would create a Chief Information Security Officer position in response to hack
* Sony has called in the FBI to help investigate network intrusion

It’s interesting that Sony has said in the conference that the FBI was involved. This was known yesterday, but there are many more players involved including Congress, as well as the Department of Homeland Security. It’s a little puzzling why they only mentioned the FBI.

The point about when the network is coming back sometime this week has also been known. Some sources suggested it would be on Tuesday while other, more recent sources, say Wednesday. It was also known that it would be only a partial restoration of the network. What wasn’t known was when the full network was coming back (mid May). Sony is continuing to deny that anyone has illegally obtained credit card credentials, but they are saying that they can’t rule out that possibility. It was a more recent bit of news that the description of the attack was upgraded from an “external intrusion” to “criminal cyber-attack”, so this was a piece of repeating news. Neither description really says a whole lot about the attack, so it doesn’t necessarily mean a whole lot.

So, that leaves what is news in this conference. The news of one month free on PlayStation Plus is certainly welcome news. There is also some free software gifts to be handed out depending on region, but what they are is not known. The only other bit that is really new is the fact that they will be creating new position within the company: Chief Information Security Officer. Not really clear what that means precisely in these reports.

So, overall, a few denials, but many users will be getting what they were hoping for – compensation for the outage in the form of one free month on PlayStation Plus.

The question is, will this curb fears of stolen credit cards? Maybe, maybe not. More reports are surfacing from users alleging that their credit cards used for PSN are getting cleaned out by fraudsters. One report even goes to the trouble of obtaining a screen shot of the alleged incident. From VGN365:

For the past few weeks PSN users had been reporting that their credit card linked with their PSN account had been compromised and they have had to close it down. However, many had been skeptical if they were telling the truth. Now, however, a PlayStation Network user has stated he’s had $12,500 taken from his credit card; this time, though, the user has provided picture proof from their bank account that someone has indeed tried to take $12,500 from his card that was linked to his PSN card.

There’s been some debate over whether these are related to PSN or not. Some suggest the cards in question might have been stolen, but from a source other than PSN. Other’s accuse these people of falsifying these reports flat out while others suggest that stories like this might suggest that Sony may have been lying about the credit card aspect of the story. These stories, as many know by now, aren’t isolated incidences. ArsTechnica compiled a number of fraud stories that might suggest these credit cards are, in fact, out in the wild:

“My American Express card was compromised over the weekend,” one commenter stated. “This card sits in a drawer in my house for emergencies, but I did use it once on my PSP for an account. Luckily American Express is very good at notifying me immediately after the first fraudulent purchase.”

Another reader e-mailed with a similar story. “About two or three days ago, my bank notified me that I had gotten my own [credit card information] stolen, the one I use for my PSN account, and with it a ticket was purchased through a German airline for nearly $600,” she told Ars. “They are still looking into the fraud charge meaning that right now I have a negative $500 in my account, with no good chance that I’ll be getting that back any time soon.”

Another reader had a similar issue. “I had a call from my credit card company trying to verify a purchase which ended up being fraudulent. Same card I use on Sony’s network. They denied [the charge] and issued me a new card,” the reader commented. “Might be coincidence, but with the other security gaffes recently, I’m guessing not. Not sure what my opinion of Sony is right now and what my future is with them.”

Let’s keep this ball rolling! “I also had an attempted fraudulent charge on my American Express card, about $8,000 going to some Japanese store. This all happened about when PSN started having trouble, so I’m betting this had something to do with it,” another commenter said. “My advice: if you have your credit card info on PSN, watch your accounts like a hawk. I’m buying pre-paid cards from now on; you know, if I decide to ever spend money on PSN again.”

Here’s a response to a complaint of fraudulent charges in the comments. “Probably not a coincidence, I had the same thing happen this weekend. I got an Easter Sunday call from American Express about suspicious charges that began Saturday.”

ArsTechnica says that these are not the only cases they were informed of as well.

One bit of speculation revolves around the truth of the comments of the story. Sony said that the credit cards were encrypted. Meanwhile, there are reports of credit card fraud. Some have suggested that both could very well be true. Sony could have encrypted the data, but hackers might have been able to decrypt this and gained access to the cards. That aspect might be muted a bit thanks to Sony saying that there is no evidence that the cards have fallen in to the wrong hangs though.

Meanwhile, there are a few more government entities who are involved to report on. According to the Straight Times, Hong Kong is also asking questions about the 400,000 users who’s accounts may have been compromised:

Hong Kong Privacy Commissioner Allan Chiang said he was probing the breach and met with local Sony official Katsuhiko Murase who told him 400,000 Hong Kong PlayStation Network user accounts were involved.

Bloomberg is reporting that a number of European countries are joining the investigation of the PSN hack:

U.K., Irish and Italian information watchdogs said this week that they will investigate the hacking of Sony’s PlayStation Network after the company warned 77 million customers may have had their personal data stolen.

One more note, updates are being made about the conference on Martyn Williams twitter account. Here are some of the latest tweets about the conference: