PlayStation Security Exploit Allows Hackers With Access To An Account To Use Credit Card Info w/o Needing the CVV [UPDATE:It's probably nothing]

Ascenion

Member
Oct 25, 2017
3,492
Charlotte NC
I mean if you’re still putting your credit card on PSN after that hack shit in 2011, I don’t know what to tell you. There’s a reason PSN cards are the best selling video game item of amazon consistently.
 

SecondNature

Member
Oct 25, 2017
7,957
If Sony knew this, they deserve to get sued. Would this explain why so many people get charged without their knowledge
 

Volimar

volunteer forum janitor
Member
Oct 25, 2017
14,938
Official Staff Communication
Updated thread title to add information.
 
Oct 25, 2017
12,053
Like how is this still a problem. I don't want to be told "well this is what you get for putting in information to make a transaction." Like come on.
 

Mercenary09

Banned
Oct 27, 2017
2,395
I mean if someone hacks my amazon account they could make purchases without my security code as well. This is such a non issue story.
 

nolifebr

Member
Sep 1, 2018
2,812
Curitiba/BR
If this needs a hacked account with a credit card registered, what's the big security exploit if the hacker will already have access to the credit card data anyway?
 

cmdrshepard

The Fallen
Oct 30, 2017
628
I know everyone here is saying just put on 2FA and everything is ok but the more severe implication is that this exploit has been known for 5 years and Sony has most certainly not had 2FA that whole time. Also the other concerning aspect is that Sony has been made aware of this at some point and basically seems to see it as a non-issue or at least not an issue that they are responsible to fix.

If this needs a hacked account with a credit card registered, what's the big security exploit if the hacker will already have access to the credit card data anyway?
The person who accesses a compromised account does not have access to any CC data, just as you would not if you try to access the stored CC data of your own account (Except for a few digits that are there to tell you which card is stored).

As stated normal protocol is when you log in to a new PS4/computer with your PSN and attempt to purchase something with a stored CC, it should ask for the CCV number before using said card for the purchase. This article is saying that there is an exploit for the past 5 years where if an account is compromised with a stored CC, there was a way to log in to a PS4 and purchase something without being prompted by the security layer asking to verify the CCV.
 
Last edited:

sjackso3

Member
Oct 30, 2017
144
Houston
I mean if you’re still putting your credit card on PSN after that hack shit in 2011, I don’t know what to tell you. There’s a reason PSN cards are the best selling video game item of amazon consistently.
This. Never again with Sony. The continued issues with taking care of their security is mind boggling.
 

ducktape

Member
Oct 25, 2017
5,392
So this needs a hacked account to work anyway? I have the 2 step verification thing on my account
 

Rowsdower

Avenger
Oct 27, 2017
2,939
Yea so the issue seems to be that when purchasing something on the console itself with a linked credit card, you are never asked for the security code to the card. Just the password, which if someone had your info, they would know.
Oddly enough, the web store does ask for the code when making a purchase with a linked card.

This is a big oversight on Sony's part.
 

Neonep

Member
Oct 25, 2017
2,520
Good thing I've never used credit card or anything tied to my account for PSN purchases.


This is why I love buying PSN Wallet credit from store lol.
Same. I still don’t know why people still give the credit card info on PSN. After all the things that have happened over the years you would think people would learn and be smarter.
 
Nov 30, 2017
1,563
Yes. It is not something open, as everyone might expect after reading the title of the story.
Yea. Im a little confused here. Read thread title, than the OP, than followed the link and read that.

So they have to know your PSN login info? That is the problem in the first place.

Since no one but me knows this info Im assuming Im safe? This feels like someone hitting the panic button for the wrong reason unless I am misunderstanding.

Edit. I understand now after looking at post history..
 
Last edited:

Wulfer

Member
Oct 29, 2017
268
Sony is proving the digital future and themselves are not a good mix! What happened to all the newly created multiplayer online funds that were supposed to go toward security???
 
Last edited:
Oct 25, 2017
12,053
Since no one but me knows this info Im assuming Im safe? This feels like someone hitting the panic button for the wrong reason unless I am misunderstanding.
The problem isn't the hacker already having access to your account, it's the fact that if the information is there, this exploit can bypass another layer of security that would've been in place even if they did have account access.
 

B1ggRandall

Member
Oct 27, 2017
550
Sony got a big problem on its hands!!! I can tell you a lot of NBA 2K content creators have been hack.The hackers call Sony and give info to get those accounts.So many are switching to XB1 for NBA 2K20.
 

VHS

Alt account
Banned
May 8, 2019
834
If we have a paypal account attached instead of a CC directly is it okay?
 

Syriel

Member
Dec 13, 2017
7,320
As stated normal protocol is when you log in to a new PS4/computer with your PSN and attempt to purchase something with a stored CC, it should ask for the CCV number before using said card for the purchase. This article is saying that there is an exploit for the past 5 years where if an account is compromised with a stored CC, there was a way to log in to a PS4 and purchase something without being prompted by the security layer asking to verify the CCV.
I would bet that Sony is not doing a check on a family account purchases using the primary account's payment method.

Don't have a PS4 to test it out, but most likely scenario is something like the following:
  1. Get account username/password.
  2. Verify payment method is on account.
  3. Create linked sub account(s).
  4. Log on to new machine with sub account.
  5. Max out purchases.
 

Abdiel

Member
Oct 28, 2017
206
If you treat your psn account like you should with Fucking any online account these days, and have two factor authentication, then this is irrelevant.

People reacting to this like this is a way bigger deal than it is, it's kinda dumb, yes, but it's not some huge security gap... They would have had to already completely compromised your account.

2fa squashes this from ever being an issue.
 

Lethologica

Member
Oct 27, 2017
908
After 2011, why would anyone ever store any important info on a Sony related service? At this point Sony's ineptitude when it comes to security on their console is legendary.
 

Godzilla24

Member
Nov 12, 2017
2,686
This continues to be a huge problem from Sony. I mentioned this in another thread one time but was accused of concern trolling.
 

Mesoian

Member
Oct 28, 2017
10,696
Do not put your credit card info into PSN.

For any reason.

Claps in between all that.
 

RivalGT

Member
Dec 13, 2017
1,630
I mainly use paypal, trying to use a CC with PSN is not easy, as it some times wont let you use them for some reason. I either PSN cards off amazon, or just use my paypal.
 

Jaxar

Member
Oct 25, 2017
1,749
Australia
" However due to a very easy exploit, if a thief was to get their hands on another PlayStation user’s account, they could potentially rack up victim’s credit cards without even knowing their CVV number as the bug bypasses the requirement, allowing users to buy content from another account. "

I don't quite get it. So they have to gain access to your account but then how do they access your CC details to purchase things from another account?

Also at this point everyone should be using 2FA on ALL of their accounts across all platforms. Account theft is seriously way too common to risk not using the added protection provided and it only takes a few minutes to set up.
 

Slime

Member
Oct 25, 2017
2,844
I've used a reloadable prepaid card for all my online purchases ever since the 2011 PSN hack, and once again it's looking like that was a good idea.
 

nolifebr

Member
Sep 1, 2018
2,812
Curitiba/BR
I would bet that Sony is not doing a check on a family account purchases using the primary account's payment method.

Don't have a PS4 to test it out, but most likely scenario is something like the following:
  1. Get account username/password.
  2. Verify payment method is on account.
  3. Create linked sub account(s).
  4. Log on to new machine with sub account.
  5. Max out purchases.
That might explain how some kids spend a thousand bucks on FIFA and Fortnite sometimes.
 
Oct 26, 2017
5,628
United Kingdom
Considering you need to have access to a person's account, this is being misrepresented.

It isn't an exploit, it's there by design to allow fewer barriers for legit users to make purchases.

It's the same as on Amazon and many other websites that let you use your credit card. In fact very few will ask you to input your CVV number for EVERY transaction.

I'm not sure what is being reported here.
 
Oct 26, 2017
5,628
United Kingdom
Nintendo's eshop never asks for CVV too, but I don't think that's the problem. Thing is on PSN they use the card to buy content for OTHER accounts.
That's not true. You cannot do that.

You use a card to make purchases on the account tied to YOUR PS4. For someone to do it, they either need your PSN account details or to log-on to an account on your physical PS4 -- in your own home... at which point you have bigger problems if strangers are doing that.
 
Oct 27, 2017
579
Considering you need to have access to a person's account, this is being misrepresented.

It isn't an exploit, it's there by design to allow fewer barriers for legit users to make purchases.

It's the same as on Amazon and many other websites that let you use your credit card. In fact very few will ask you to input your CVV number for EVERY transaction.

I'm not sure what is being reported here.
Good point about Amazon not asking for CVV. Shit, I can't recall the last time I put my CVV in there! But my guess is that people think Sony should ask for it on more transactions if not every one of them because of their history with lax security.
 

Wereroku

Member
Oct 27, 2017
1,156
Well this is a super misleading article and thread. This isn't a hack or exploit. This is just a feature of a card saved in a psn account. It requires a compromised account to use. Xbox would probably be just as susceptible.
 

gogosox82

Member
Oct 25, 2017
3,200
So if they have access to your account and you have a cc stored they can use it? Well yeah of course they can do that. Turn on 2fa and don't store a cc. Problem solved.
 

DrScissorsMD

Member
Jan 19, 2019
533
Everyone saying “but they still need to hack into your account first, no big deal.” While technically correct, it’d be a bit like living in a castle and saying “well, the front gates fallen off, but they’ve still got to jump the moat.” It’s an expected layer of additional security that is expected, especially since people had to start paying for PSPlus. You don’t ignore the failure of one layer just because you’ve got a backup.
 

henhowc

Member
Oct 26, 2017
17,116
Los Angeles, CA
I mean if you’re gonna harp on Sony for this a whole bunch of online retailers don’t require you to enter the cvv again once your card info is initially entered and saved no?

As an aside is Sony the one who will ban your account if you do a chargeback/dispute a cc charge? 🤔