PlayStation Security Exploit Allows Hackers With Access To An Account To Use Credit Card Info w/o Needing the CVV [UPDATE:It's probably nothing]

Wereroku · Jul 4, 2019

DrScissorsMD said:
Everyone saying "but they still need to hack into your account first, no big deal." While technically correct, it'd be a bit like living in a castle and saying "well, the front gates fallen off, but they've still got to jump the moat." It's an expected layer of additional security that is expected, especially since people had to start paying for PSPlus. You don't ignore the failure of one layer just because you've got a backup.

The issue is they are trying to call this an exploit. It's not it is a convenience feature. It saves you time from having to enter your cvv each time you order. Amazon does the same thing and probably MS as well. Ignoring the fact that someone has to get their login compromised for this to matter is a pretty big thing to ignore.

nib95 · Jul 4, 2019

So someone has to have access to my account to be able to use this? Also, my PSN requests the last few digits, expiry details and the CCV (I believe you can set it to require your password each time too), so presumably this exploit wouldn't work, or is only for certain regions or for certain set ups?

Either way, if there is an exploit they need to sort the shit out.

Rowsdower · Jul 4, 2019

What a sec. This is the exact same thing that occurs on Xbox. I have my credit card linked to my Microsoft account, and I just bought Paradox Soul to test (since it's cheap and on sale). I was never asked for the CVV/security code. The purchase went through with no issues. So if someone had my Microsoft account info, they could use my card with no issues.

This doesn't seem like an exploit then, but Sony and MS not requiring an extra step for purchases.

Wereroku · Jul 4, 2019

nib95 said:
So someone has to have access to my account to be able to use this? Also, my PSN requests the last few digits, expiry details and the CCV (I believe you can set it to require your password each time too), so presumably this exploit wouldn't work, or is only for certain regions or for certain set ups?

Either way, they need to sort this shit out.

There's nothing to sort out except adding a feature that requires ccv confirmation with each purchase.

nib95 · Jul 4, 2019

Wereroku said:
There's nothing to sort out except adding a feature that requires ccv confirmation with each purchase.

I already have that feature though. As well as the requirement for the re-entry of other card details too. Are these just user decided security or convenience features? Same as you get on Amazon, Apple etc?

All I want to know is, can someone buy something on my account without having to re-enter my relevant card details, even though I have it set up so they need to be re-entered?

Gallows Bat · Jul 4, 2019

Haven't hard a card attached since the hack. I just buy cards on amazon which get delivered instantly. Sonys network is a joke.

Rowsdower · Jul 4, 2019

nib95 said:
I already have that feature though. As well as the requirement for the re-entry of other card details too. Are these just user decided security or convenience features? Same as you get on Amazon, Apple etc?

All I want to know is, can someone buy something on my account without having to re-enter my relevant card details, even though I have it set up so they need to be re-entered.

No. If you don't add extra security, the default purchase option with a linked card/paypal on PSN or Xbox Live will not ask for the CVV/security code. The purchase will just go through. If you add the option that a CVV always has to be asked, then the hacker would need to get all your credit card details to do anything.

Daggoth · Jul 4, 2019

I've got the opposite problem. No matter how complex my password is, it'll say each time without fail when making a purchase (even free stuff!) "your last login was on a different console. Confirm your CC expiry and CVV"

Which I don't mind at all.

But unless this article's trying to say that the details can be extracted and used on other accounts, I'm not seeing the issue. Other vendors can store the CVV verification with the card info already? Or whatever the technical details are?

Wereroku · Jul 4, 2019

nib95 said:
I already have that feature though. As well as the requirement for the re-entry of other card details too. Are these just user decided security or convenience features? Same as you get on Amazon, Apple etc?

All I want to know is, can someone buy something on my account without having to re-enter my relevant card details, even though I have it set up so they need to be re-entered.

Basically if your account is compromised someone can add another account as a family member and give them authorization to purchase using your card. Basically this could be fixed by requiring a cvv be entered when you add a family account. However again this requires your account to be fully compromised and have no two factor setup.

nib95 · Jul 4, 2019

Rowsdower said:
No. If you don't add extra security, the default purchase option with a linked card/paypal on PSN or Xbox Live will not ask for the CVV/security code. The purchase will just go through. If you add the option that a CVV always has to be asked, then the hacker would need to get all your credit card details to do anything.

Ahh fair enough. So it works the same as Amazon then. Default is ticking the box that saves your card details for quicker future purchases (only when logged in), but you have the option for added security too (re-entry of card details, re-entry of password etc). Sort of seems like that's on the user, not really an exploit.

Wereroku · Jul 4, 2019

nib95 said:
Ahh fair enough. So it works the same as Amazon then. Default is ticking the box that saves your card details for quicker future purchases (only when logged in), but you have the option for added security too (re-entry of card details, re-entry of password etc). Sort of seems like that's on the user, not really an exploit.

The only issue is sony doesn't have the option to require reentry of card details. It's only reentry of password which isn't hard when your account is compromised. However I am pretty sure this same thing would work on all of the consoles.

TheThreadsThatBindUs · Jul 4, 2019

Saint of Killers said:
Good point about Amazon not asking for CVV. Shit, I can't recall the last time I put my CVV in there! But my guess is that people think Sony should ask for it on more transactions if not every one of them because of their history with lax security.

But people's opinion on such an arbitrary thing is neither a "hack", "bug" nor an "exploit" o r"security vulnerability" as is being presented here.

It will come down to Sony's policy on this. Every company is different.

nib95 · Jul 4, 2019

Wereroku said:
The only issue is sony doesn't have the option to require reentry of card details. It's only reentry of password which isn't hard when your account is compromised. However I am pretty sure this same thing would work on all of the consoles.

Mine requires the re-entry of at least the expiry dates and CCV, I think maybe even the last few digits of the card too, but I can't remember off hand.

thecaseace · Jul 4, 2019

Jahranimo said:
I hope no one actually keeps a payment method stored on their console...right????

Surely nobody does as any security concious platform holder would keep these details in the cloud?

Dave. · Jul 4, 2019

TheGhost said:
Well fuck, getting up out of bed and deleting that shit now. Figure out what I'll do about it in the morning

So to be clear: You have hackers with access to your PSN account which has saved payment method of credit card details, they know your 2FA code. Can log in whenever they want, play your games, delete your Gjallarhorns or whatever. But not make purchases - previously this hasn't bothered you at all, because "well, I'm safe because the hackers don't know my card's CVV. Don't need to do anything about this situation ever". But now, it's red alert all hands on deck?

gogosox82 · Jul 4, 2019

DrScissorsMD said:
Everyone saying "but they still need to hack into your account first, no big deal." While technically correct, it'd be a bit like living in a castle and saying "well, the front gates fallen off, but they've still got to jump the moat." It's an expected layer of additional security that is expected, especially since people had to start paying for PSPlus. You don't ignore the failure of one layer just because you've got a backup.

Expect its not an exploit which is how its being framed. It a convenience feature so you don't have to put in your cvv every time you buy something. To claim its a bug when every major online retailer does this is disingenuous as hell

FIREKNIGHT2029 · Jul 4, 2019

Not an issue for me. I use Paypal on PSN not my credit card

cmdrshepard · Jul 4, 2019

Rowsdower said:
What a sec. This is the exact same thing that occurs on Xbox. I have my credit card linked to my Microsoft account, and I just bought Paradox Soul to test (since it's cheap and on sale). I was never asked for the CVV/security code. The purchase went through with no issues. So if someone had my Microsoft account info, they could use my card with no issues.

This doesn't seem like an exploit then, but Sony and MS not requiring an extra step for purchases.

That is not the issue. The issue is that if i somehow obtained access to your login credentials to your xbox/PSN account right? I try to sign into your account on MY xbox or PS4 and i go to the store and attempt to purchase something with your stored CC. The default security feature is that because this is the first time signed into your account on my xbox/PS4 and the first time attempting to purchase something from this console, it should ask for the CCV (at a minimum - sometimes it asks for the whole CC details again) of the stored card as a security measure.

I have personally had this happened when i moved from my PS4 base to my Pro and same for my One to my X.

gogosox82 said:
Expect its not an exploit which is how its being framed. It a convenience feature so you don't have to put in your cvv every time you buy something. To claim its a bug when every major online retailer does this is disingenuous as hell

Right it is convenience feature when you are purchasing from your home console. It is a security issue when it is not being prompted when your account is being logged into and attempting to make a purchase from a PS4 you have not purchased content from before...

Kemono · Jul 4, 2019

gogosox82 said:
Expect its not an exploit which is how its being framed. It a convenience feature so you don't have to put in your cvv every time you buy something. To claim its a bug when every major online retailer does this is disingenuous as hell

Sure but the arrogant sony narrative has to come from somewhere...

ShaiKhulud · Jul 4, 2019

What a clickbait. Same 'exploit' could be done at almost every online retail store.

It wouldn't hurt for PSN to add a 'ask CCV' feature, but it's hardly a problem or a major security risk. Especially when hacker needs to hack your entire account first.

Deleted member 11626 · Jul 4, 2019

Where does all that PSN revenue go? And why wouldn't you have 2FA turned on at this point?

cmdrshepard · Jul 4, 2019

ShaiKhulud said:
What a clickbait. Same 'exploit' could be done at almost every online retail store.

It wouldn't hurt for PSN to add a 'ask CCV' feature, but it's hardly a problem or a major security risk. Especially when hacker needs to hack your entire account first.

Actually many of the major online marketplaces do checks at multiple levels including whether you are shipping to an unfamiliar address or accessing the site from the country you normally access from and do prompt if you attempt to pay by stored card.

It is not a "major" security risk as you have said as they need access to the account first but it can act as an easy double punch if your account is ever compromised as you find out your account is compromised and potentially your credit card has started raking up charges. You can't chargeback as Sony's default stance is generally to close the account, meaning you loose access to all online and digital licences/purchases, meaning you have to deal with Sony Support to reverse the charges... who have a shaky record at best in regards to that.

mugurumakensei · Jul 4, 2019

ShaiKhulud said:
What a clickbait. Same 'exploit' could be done at almost every online retail store.

It wouldn't hurt for PSN to add a 'ask CCV' feature, but it's hardly a problem or a major security risk. Especially when hacker needs to hack your entire account first.

Amazon will prompt for CVV when shipping to a new address as will most retailers.

Sony is allowing someone on another PS console to bypass the CVV check on purchases that's supposed to be there.

TheThreadsThatBindUs · Jul 4, 2019

Rowsdower said:
No. If you don't add extra security, the default purchase option with a linked card/paypal on PSN or Xbox Live will not ask for the CVV/security code. The purchase will just go through. If you add the option that a CVV always has to be asked, then the hacker would need to get all your credit card details to do anything.

So why is this thread still open?

Jaxar · Jul 4, 2019

henhowc said:
As an aside is Sony the one who will ban your account if you do a chargeback/dispute a cc charge? 🤔

I could be wrong but I think doing chargebacks will get you banned across many different services, not just the PSN.

Syriel · Jul 4, 2019

Rowsdower said:
What a sec. This is the exact same thing that occurs on Xbox. I have my credit card linked to my Microsoft account, and I just bought Paradox Soul to test (since it's cheap and on sale). I was never asked for the CVV/security code. The purchase went through with no issues. So if someone had my Microsoft account info, they could use my card with no issues.

This doesn't seem like an exploit then, but Sony and MS not requiring an extra step for purchases.

nib95 said:
Ahh fair enough. So it works the same as Amazon then. Default is ticking the box that saves your card details for quicker future purchases (only when logged in), but you have the option for added security too (re-entry of card details, re-entry of password etc). Sort of seems like that's on the user, not really an exploit.

ShaiKhulud said:
What a clickbait. Same 'exploit' could be done at almost every online retail store.

It wouldn't hurt for PSN to add a 'ask CCV' feature, but it's hardly a problem or a major security risk. Especially when hacker needs to hack your entire account first.

According to the report in the OP, the "exploit" is the ability to use the card for purchases on another account, on a new system.

Deleted member 5028 · Jul 4, 2019

Themaddestgamer said:
Yea. Im a little confused here. Read thread title, than the OP, than followed the link and read that.

So they have to know your PSN login info? That is the problem in the first place.

Since no one but me knows this info Im assuming Im safe? This feels like someone hitting the panic button for the wrong reason unless I am misunderstanding.

Edit. I understand now after looking at post history..

Trying to put some kind of fanboy spin on this is just sad. If you're gonna accuse the OP of some partisan shit then do it already.

This is just dumb, and shows a complete lack of care from Sony in customer service. We've seen how they give no shits with refunds, and I imagine if someone was affected by this exploit they'd only ever get a PSN wallet credit.

cmdrshepard · Jul 4, 2019

There is a lot of either mis-communication or general misunderstanding of the actual issue here and it is frustrating to see that this has essentially turned into another Sony defence and Sony attack arguments in what could have been a good general discussion about how gaming companies keep our details safe and protect consumers against different security issues. Go through and read the thread please to see that this is a security issue and that action should be taken by Sony and by anyone else that this could be potentially happening with (whether that is MS, Nintendo, Steam, Epic etc....). Surely we as consumers should expect any and all companies to protect our details and have systems in place to protect us and these accounts that we have invested time (saves, trophies/achievements) and money (purchases for digital content/subscriptions) into.

Irrotational · Jul 4, 2019

adj_noun said:
2FA FTW

This is my psn password!? How did you hack it!?

Sidewinder · Jul 4, 2019

I'll take the Spyro Trilogy for free, thank you Sony!

Haven't used a credit card on PSN since 2011, but this doesn't sound really horrible at all.

henhowc · Jul 4, 2019

Probably should add this part in the OP since they are purposely vague in describing the exploit so people (myself included) aren't understanding what is being exploited since everything described in the first few paragraphs sounds pretty normal for online shopping.

There are several others out there with the exact same scenario, which all pertain to the use of the Family management sub-account, something we didn't want to originally state in the article due to it being a part of the exploit.

It sounds like probably something like you hack someone's master account. Create sub-accounts and are able to use those sub-accounts to make purchases without the cvv?

Kyuur · Jul 4, 2019

They shouldn't be storing any CVVs according to security standards anyways. If your credit card allows purchases without the cvv that feels like it's on them.

gogosox82 · Jul 4, 2019

cmdrshepard said:
Right it is convenience feature when you are purchasing from your home console. It is a security issue when it is not being prompted when your account is being logged into and attempting to make a purchase from a PS4 you have not purchased content from before...

Right but even the article admits most people will not be affected by this especially if you have 2fa enabled (which everyone should btw) and have a cc saved (probably shouldn't have it saved especially after Sony hack in 2011). So its a security issue that is only going to effect people who leave their accounts vulnerable. So should Sony fix this security issue? Yes. Is it a breach, hack, exploit, etc? No. My only concern would be how its happening but the article was so vague on that part its hard to tell what they were referring to. You could't really discern it from normal online shopping.

Vroadstar · Jul 4, 2019

cmdrshepard said:
There is a lot of either mis-communication or general misunderstanding of the actual issue here and it is frustrating to see that this has essentially turned into another Sony defence and Sony attack arguments in what could have been a good general discussion about how gaming companies keep our details safe and protect consumers against different security issues. Go through and read the thread please to see that this is a security issue and that action should be taken by Sony and by anyone else that this could be potentially happening with (whether that is MS, Nintendo, Steam, Epic etc....). Surely we as consumers should expect any and all companies to protect our details and have systems in place to protect us and these accounts that we have invested time (saves, trophies/achievements) and money (purchases for digital content/subscriptions) into.

I think if you someone started a thread that's not clear, to begin with, that requires a title changed at that, it will obviously lead to confusion and misunderstanding. Plus checking the post history of OP comes across as creating F.U.D. for console brand he rarely if ever comments on.

I mean you seem like level headed, yet here you are calling people "Sony defence and Sony attack arguments". Is that really necessary?

As you yourself said, this is not exclusive to Sony but can also happen to MS, Nintendo, Steam, Epic etc. yet the thread title says "Major Playstation Security Exploit" seems like OP is expecting a reaction from people (which already happened here) like 2011 incident happening all over again.

Benny Del Toro · Jul 4, 2019

I think thread title should be changed again since, as others have pointed out, it is not really an exploit that disables the CCV request but a convenience feature so that you would not put in your CCV everytime you want to purchase something from the store and (again) as others have said that is present in other systems.

There will be some who will not read past "Major Playstation Security Exploit..." and then quickly leave drive by comments without knowing that, in order for this to be possible, your account would have already been compromised in the first place.

YuSuzzune · Jul 4, 2019

Since the big outage I learned to never leave your credit card info stored online, on PSN or other services. Even on Amazon I insert my cc info only when I purchase something to remove it immediately after.

Velg · Jul 4, 2019

I need some help understanding what this is. Is it that:

- Players have figured out how to use other player's credit cards to buy games on their own accounts.

Or is it
- Players who have access to other accounts can buy games on those accounts and use said games on their personal accounts.

Because if it's 2 then I don't really see the issue. If your account has been hacked already, you got bigger issues than the CCV thing

gofreak · Jul 4, 2019

Kyuur said:
They shouldn't be storing any CVVs according to security standards anyways. If your credit card allows purchases without the cvv that feels like it's on them.

They're probably not.

When you take a CVV on a first payment, you exchange it with a card issuer for a token to use in subsequent transactions. The CVV is not stored.

Refreshing of the token is down to card issuer policies.

The merchant (Sony) could also force a refresh if it detects fraud on its end. And perhaps they should do so, or do so more robustly, if it detects a machine change or whatnot.

However, Sony is right in this instance that it's a matter of fraud rather than account security. At some point the system has to accept you as an authorised user, and there's no exploit or vulnerability here with regard to the user authentication side.

If you wish Sony to be more paranoid than they are about what an authorised user can do, then be more paranoid yourself - don't allow it to store payment data.

edit - side note, I'd be curious to know if Amazon forces a token refresh - cvv re-entry - upon purchase of digital goods from a new machine, as opposed to upon delivery to a new address.

edit 2 - re-reading the description, it sound like Sony does intend to refresh payment tokens when it detects a new machine, but that the cvv re-entry for this can be bypassed. Irrespective of whether the token refresh is required by the card issuer in these circumstances, if Sony intends to do it they should probably make sure it works properly! But unless card issuer policy requires that refresh in these circumstances, this is a failure of their own extra paranoia rather than a standards breach.

henhowc · Jul 4, 2019

Velg said:
I need some help understanding what this is. Is it that:

- Players have figured out how to use other player's credit cards to buy games on their own accounts.

Or is it
- Players who have access to other accounts can buy games on those accounts and use said games on their personal accounts.

Because if it's 2 then I don't really see the issue. If your account has been hacked already, you got bigger issues than the CCV thing

It seems to involve something with sub accounts but they are purposely vague about it.

Deleted member 1003 · Jul 4, 2019

Amazon hasn't ask for my CCV in, well, I order so much I am never asked. So, this sounds like clickbait by the website and OP not understanding what they are posting exactly.

cmdrshepard · Jul 4, 2019

Vroadstar said:
I think if you someone started a thread that's not clear, to begin with, that requires a title changed at that, it will obviously lead to confusion and misunderstanding. Plus checking the post history of OP comes across as creating F.U.D. for console brand he rarely if ever comments on.

I mean you seem like level headed, yet here you are calling people "Sony defence and Sony attack arguments". Is that really necessary?

As you yourself said, this is not exclusive to Sony but can also happen to MS, Nintendo, Steam, Epic etc. yet the thread title says "Major Playstation Security Exploit" seems like OP is expecting a reaction from people (which already happened here) like 2011 incident happening all over again.

Sure - I appreciate your response and I agree with it. I was generalising about the attack and defence forces dismissively and I apologise.

Absolutely the title before the change made this out to be red alert Sony Havk 2011 2.0 which it most certainly is not but many people are simply hand waving it away without looking at the actual content of the OP regardless of whatever intention of the author may or may not have been.

I just feeel this is why we don't have nice things as they seems to be minimal discussion in good faith.

mugurumakensei · Jul 4, 2019

InsaneTiger said:
Amazon hasn't ask for my CCV in, well, I order so much I am never asked. So, this sounds like clickbait by the website and OP not understanding what they are posting exactly.

Again, Amazon would prompt for CVV if you shipped to a new address.

Again, the proper PS console buying experience after logging in from a new console is to prompt for CVV regardless of any other settings. There's an exploit to bypass that.

Madao · Jul 4, 2019

this is the moment where i thank the heavens i only used prepaid cards with my PSN accounts.

nib95 · Jul 4, 2019

mugurumakensei said:
Again, Amazon would prompt for CVV if you shipped to a new address.

Again, the proper PS console buying experience after logging in from a new console is to prompt for CVV regardless of any other settings. There's an exploit to bypass that.

This simply isn't true. I have posted to multiple new addresses on Amazon without it ever asking me to re-enter the CCV (eg sending gifts to friends, family etc). Like with PSN, it must be some sort of setting you have to tick or choose.

darkwing · Jul 4, 2019

isn't having a cracked PSN login to use the exploit a bigger issue here?

Deleted member 1003 · Jul 4, 2019

mugurumakensei said:
Again, Amazon would prompt for CVV if you shipped to a new address.

Again, the proper PS console buying experience after logging in from a new console is to prompt for CVV regardless of any other settings. There's an exploit to bypass that.

I've shipped to new addresses before and never been asked. Let's be honest, this, security gap, is not exclusive to Sony.

If you're account is already hacked, you have bigger problems than a CCV code.

Foxnull · Jul 4, 2019

After 2011 I haven't saved a payment method in my Playstation account and I probably never will.

MilesQ · Jul 4, 2019

Doesn't seem like an exploit, it's pretty much standard across all online stores that you don't have to enter your CVV any more. They want that extra hurdle in the way of you making an impulsive purchase/your kid buying hundreds of dollars worth of in game junk.

ProstatePuncher · Jul 4, 2019

This is the absolute weakest "exploit" on the planet. I could make a purchase via a new web browser and it wouldn't prompt me for the CVV number. Am I now a hackerman?

mugurumakensei · Jul 4, 2019

InsaneTiger said:
I've shipped to new addresses before and never been asked. Let's be honest, this, security gap, is not exclusive to Sony.

If you're account is already hacked, you have bigger problems than a CCV code.

No, every single time I've added a new address I've had to re-enter my credit card the first time it's used for that address.

PlayStation Security Exploit Allows Hackers With Access To An Account To Use Credit Card Info w/o Needing the CVV [UPDATE:It's probably nothing]

Contains No Misinformation on Philly Cheesesteaks

Prophet of Truth - The Wise Ones

Contains No Misinformation on Philly Cheesesteaks

Prophet of Truth - The Wise Ones

Contains No Misinformation on Philly Cheesesteaks

Contains No Misinformation on Philly Cheesesteaks

▲ Legend ▲

User requested account closure

Elizabeth, I’m coming to join you!

User requested account closure

Prophet of Truth

Self-requested ban

User requested account closure

Elizabeth, I’m coming to join you!

One Winged Slayer

Contains No Misinformation on Philly Cheesesteaks

User requested account closure

Alt-Account

Elizabeth, I’m coming to join you!