PSN hacked, CFW on PlayStation 3 Could Reveal Credit Card Info – Report

What a shocker! Some anonymous PS3 hacker is claiming to have decrypted nearly 100% of the traffic transferred over proxies, http and https to and from the PSN. The decrypted data includes sensitive information like credit card data, PSN credentials, Personal information, et cetera. Here is the full research:

According to hacker, even if a connection is SSL encrypted, companies are aware of the big risk behind custom CA files and it’s possibilities. SONY seems not to care about those known vulnerabilities. It is a big company and a HUGE network. With huge we mean a magnitude of hundreds and even thousands: the PSN utilizes thousands of servers, handled by a very small group of administrators and quality assurance people. The IP ranges and domains of these servers are retrievable by anyone, cause this is how the Internet works ! It is all public data and information !

An example is the credit card information and the login authentication itself. Take a look at the traffic:

creditCard.paymentMethodId=CC_COMPANY&
creditCard.holderName=EXAMPLENAME&
creditCard.cardNumber=1234567890123456&
creditCard.expireYear=2012&creditCard.expireMonth=2&
creditCard.securityCode=123&
creditCard.address.address1=EXAMPLESTREET%2024%20&creditCard.address.city=EXAMPLECITY%20&
creditCard.address.province=EXAMPLEREGION%20&
creditCard.address.postalCode=12345%20

The credit card information should ALWAYS be encrypted. In ANY case. At least the security code. SONY is only relying on it’s https connection. With all those CFWs spreading around, this is not secure anymore. Same goes for the user details:

serviceid=IV0001-NPXS01001_00&
loginid=example@mail.com&
password=examplepassword&
first=true&
consoleid=EXAMPLEID123

Such sensitive data can now be captured by anyone who builds his own custom firmware with custom certificates. There are enough n00b-friendly tools by now. Means, little scriptkiddies can spread their little CFWs and phish user data. As many of these people are using a third party DNS, they are a potential victim of phishing. At the beginning of the PS3 launch, this user data was even transferred over http !

The PlayStation Network agreement states that SONY is allowed to collect nearly any data that is connected with your privacy.It is clear, that SONY won’t tell you WHAT they are collecting in the TOS etc., as many people would never accept that TOS.

A few month ago we noticed the TOS silently beeing updated without a new user agreement request. It was about that you have the right to contact a “Data Protection Officer” at SCEE, who can can give you details about what data is collected. So we phoned SCEE. Beeing forwarded to many people, it turned out that there is no so called “Data Protection Officer”.

Funny right? Shortly after this call, the clause was removed from the TOS. SONY itself told us, that they do not know, what we are talking about regarding this Officer. They told us, that there was never such a position inside SONY, neither a phone number. Even the address was non existing ! Still it is an impudence what huge amounts of data they are collecting. One example is an information list which is transfered everytime you login the PSN as well as at some random time. A few short quotes:

<info category=”76″>TFT-TV</info><info category=”77″>

This is a string sent to SONY which includes your TV model. The list is long and contains a lot more like information about attached USB devices, your home network, your playtime behaviour, installed games, apps, homebrews or their so called “circumvention devices” and so on. Details about your Home network, statistics etc.

“Sony is the biggest spy ever… they collect so much data. All connected devices return values sent to Sony’s servers,” the hacker said. He claims that Sony knows what controllers you’re using, what USB devices are plugged in, what sort of television you’re using – everything. Here’s another section of the chat log:

  • user2: another funny function i found is regarding psn downloads
  • user2: its when a pkg game is requested from the store
  • user2: in the url itself you can define if you get the game free or not. requires some modification in hashes and so on tho
  • user3: ..
  • user2: is like
  • user8: :D
  • user3: my god
  • user2: drm:off

That’s not all: your credit card information is apparently being sent as an unencrypted text file. This is how the code is being sent to Sony:

creditCard.paymentMethodId=VISA&creditCard.holderName=Max&creditCard.cardNumber= 45581234567812345678&creditCard.expireYear=2012&creditCard.expireMonth= 2&creditCard.securityCode=214&creditCard.address.address1=example street%2024%20&creditCard.address.city=city1%20&creditCard.address.province=abc%20&creditCard.

This information is allegedly being stored online and is updated every time you turn on your system. We’ve been receiving reports from various sources that e-mails are being sent to those with hacked firmware even before they log back into the PlayStation Network, which is even more evidence that Sony is grabbing information from your system just from being connected to your wireless network.

Generally, the PS3′s connection to PSN is protected by SSL and the identity of the remote server is verified using a list of certificates stored on each PlayStation 3 console. The credit card and other sensitive information is sent over this SSL connection. But, according to hackers, CFW could easily subvert this system. However, he has just claimed and not demonstrated to compromise PSN.

In addition to this, he claims to have developed a function which will enable to get all the games, DLC, you name it at the PSN Store for free. You can read all the chat logs where the hacker and other persons named as user1, user2, user3 etc are discussing aboutcircumventing PSN access.

About ipodrohan

Rohan Sood, I am 14 years old. I am all about Technology and Gadgets! I am currently at New Delhi, India. Future plans are going to USA and working at one of the awesomest companies APPLE Inc. As you might know, “TECHNOLOGY” is present everywhere. Let’s together understand this word and make the World a better place. I believe in “Sharing KNOWLEDGE”. I created this Blog to share as much Knowledge as possible. I hope you find my Blog interesting and self-sufficient. I will keep you UP-TO-DATE about the Technology News around the Globe!

Posted on February 20, 2011, in Gadgets, News, Playstation and tagged , , , , , , , , , . Bookmark the permalink. 1 Comment.

  1. I’d come to agree with you on this. Which is not something I typically do! I enjoy reading a post that will make people think. Also, thanks for allowing me to comment!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: