Remember, after the recent earthquake and tsunami in Japan, those stories about wallets filled with money being found and turned in to the authorities, still stuffed with cash? That’s one positive aspect of Japanese culture, but does it also make them too trusting? Sony’s loss of first 77 million customer records and now another 24.6 million suggests that may be the case. A society with low crime rates and comic-book criminals screams of unsophistication, which was confirmed for me this week when I heard from a reader who is a payment system auditor. He looks inside Japanese institutions and often doesn’t like what he sees.
“For whatever reason (low crime rate, maybe?),” my reader says, “the Japanese cannot seem to get their heads around the fact that unencrypted cardholder data sitting on servers in unsecured areas and being transmitted across public networks is a bit of a risk. Every other country in Asia has grasped this easy concept, but not Japan. I have tried many times to explain why this is bad but am usually met with blank looks and checking of watches.
“I could remote desktop right now to a Windows 2000 server in a facility in Japan with a public IP (user-name Administrator, no password) which contains hundreds of thousands of .csv files with full PAN, CSV, name, address etc. I notified the facility in question about this two years ago, by the way, and they have never done anything about it.”
This is Bob again. From my own experience with Windows systems I can’t imagine such an exposed server not having been repeatedly explored by bad guys over the past two years. That information isn’t just vulnerable; it is gone.
But it isn’t just the Japanese who are at fault. A short survey of some of my U.S. admin friends showed there are plenty of unsecured or under-secured payment servers running in this country, too, though none I know of without passwords. I don’t want to name too many names, but if your organization is handling funds on old unsupported Windows 2000 servers you are probably in trouble.
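A practitioner asked to confirm a claim like the reader’s would not take the filenames on trust; they would scan the files for card numbers. What follows is an added example (not the reader’s or Cringely’s code) of a minimal cardholder-data discovery pass over CSV text: it finds 13 to 19 digit strings that pass the Luhn check, reports them masked to the first six and last four digits so the scan itself does not reproduce the exposure, and flags a header that looks like a card security code column, which must never be stored after authorization at all. The CSV sample is constructed for the demonstration from the well-known card test numbers.

```python
"""Cardholder-data discovery over CSV text: find Luhn-valid card numbers
stored in the clear and report them masked. Added example, not code from
the original post; the CSV sample below is constructed for the demo."""
import csv
import io
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes,
# not embedded inside a longer run of digits.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check: double every second digit from the right, sum, test mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """PCI-style display form: first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str):
    """Return (row_number, column_name, masked_pan) for every Luhn-valid
    candidate found in any field of the CSV text. Row 1 is the header."""
    hits = []
    reader = csv.DictReader(io.StringIO(text))
    for row_no, row in enumerate(reader, start=2):
        for col, value in row.items():
            for m in CANDIDATE.finditer(value or ""):
                digits = re.sub(r"[ -]", "", m.group(0))
                if luhn_ok(digits):
                    hits.append((row_no, col, mask(digits)))
    return hits


def has_security_code_column(text: str) -> bool:
    """Flag a header that looks like a card security code column: keeping that
    value after authorization is prohibited regardless of encryption."""
    header = next(csv.reader(io.StringIO(text)))
    names = {h.strip().lower() for h in header}
    return bool(names & {"cvv", "cvv2", "cvc", "csc", "cid", "security_code"})


# Constructed sample file. 4111111111111111 and 5555555555554444 are the
# well-known test numbers; 1234567812345678 and the phone number fail Luhn
# and must be ignored.
SAMPLE = """name,pan,cvv,notes
Alice,4111 1111 1111 1111,123,order 1
Bob,5555-5555-5555-4444,456,order 2
Carol,1234567812345678,789,not a real card
Dave,n/a,,phone 12345678901234
"""

if __name__ == "__main__":
    for row_no, col, masked in find_pans(SAMPLE):
        print(f"row {row_no} column {col}: {masked}")
    if has_security_code_column(SAMPLE):
        print("WARNING: security-code column present; must not be stored")
```

Run against a real directory of exports, the same loop would walk the files and only ever log the masked form; a discovery tool that writes full PANs to its own report becomes a second copy of the data it was meant to find.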
Now back to Sony. With over 100 million accounts now exposed, Sony finally sent lame-duck exec Kaz Hirai out to take one for the team and apologize. Hirai offered, just as I predicted, a month of free service. What now? Lawyers will sue, Sony will fix its systems, and gamers once again will game. But while Sony may escape large economic losses from the current problems plaguing its various networks, there is one group that will continue to be rightly upset with the electronics giant: credit card companies like MasterCard and Visa.
The credit card companies have published standards for the management of customer data: the Payment Card Industry Data Security Standard (PCI DSS), which among other things requires that stored card numbers be rendered unreadable and forbids keeping the card security code at all once a transaction has been authorized. These standards are a good combination of requirements and best practices. Anyone who does a significant amount of credit card-based business is required to meet them, which Sony appears to have ignored. Independent audits are required. To enforce the card company rules there are fines and the death penalty: being cut off.
Since Sony processes credit card transactions — and even offers its own credit cards as you’d know if, like me, you obsessively watch Jeopardy — they are going to be under a very uncomfortable microscope very soon.
The auditors are coming. Worst case, they might tell Sony to buzz off and refuse Sony’s credit card charges for those 100+ million accounts. Then something really interesting might happen.
Sony might not care.
If Sony is busted by Visa or Mastercard, Discover or American Express, all that probably means is they’ll have to hire a middle man — usually a big bank — to do the credit card transactions for them. Different servers in a different data center would handle the money and all would once again be right with the world, though at the cost of an extra service charge to Sony.
But what if Sony chose a different path? What if Sony cut a payment deal with, say PayPal, instead?
It’s a tempting gambit. PayPal would like nothing more than to pick up those 100 million accounts. They’d pay Sony for them, turning a loss into a gain and a loss of face into an industry transition.
PayPal has been looking for a chance to kick the credit card companies down a peg, grabbing some business.
I can almost hear the phones ringing in Tokyo….
Why wouldn’t Sony be using PayPal as their merchant bank and gateway for credit card payments as well as PayPal payments? PayPal can handle both and our theory here is that Sony has to pay someone to do it for them now instead of being able to do it themselves.
There’s also no reason this has to be exclusive. Plenty of places accept both PayPal and credit cards. I’m sure that would make the relationship more attractive to PayPal, of course.
It is amazing that they were storing credit card numbers in the clear like that.
Based on situations that I would still not be permitted to discuss …
Japan IT Inc moves “forward” in lock step to the tune of a central “authoritative testing institute.”
If the fix, configuration, variation or practice has not been “blessed and published” by the testing institute, NO ONE WILL TOUCH IT.
“I could remote desktop right now to a Windows 2000 server in a facility in Japan with a public IP (user-name Administrator, no password)”
You can’t login via RDP if you haven’t set a password. At least not on Windows 7.
You can in fact login via RDP in recent versions of Windows if you haven’t set a password.
Server 2008 R2 http://i.imgur.com/rnlep.png
Why would PayPal want to touch this?
The Credit Card companies have a big advantage: They don’t work with cash. Instead, they simply work with accounts. Merchant took a fraudulent charge? Simply do a chargeback. The credit card company pays no cash and by law, the consumer’s account is also adjusted. No actual cash changes hands. Just a few twiddling of numbers inside a computer.
PayPal is different. You have an actual account with money tied to your PayPal account. A fraudulent PayPal charge, and there’s actual money that’s missing. Money someone is going to have to put back. That somebody isn’t going to be the merchant, but PayPal.
Right now, no actual money has been lost (except by some stores). The credit card companies have marked these accounts as closed, and whatever fraudulent charges appear on their customer bills will be removed. Fraudulent purchases will be charged back to the merchants who assume fraud losses are just a part of taking credit cards on line.
If this was PayPal, there would be millions of dollars missing from customer accounts, and each customer would have to fight PayPal to get it back. In the end, PayPal will be out millions (maybe billions) of dollars and their customers would be furious even if they did get their money back in the end.
It’s one thing to see a $10,000 charge on your credit card you know will be removed in three months. It’s another thing to wait the same three months for PayPal to put that money back into your account.
This is why *we* don’t want PayPal involved. PayPal wants to be involved for the transactional money machine aspects, but I suspect that renewals at any company that uses PayPal exclusively would decline precipitously, so I suppose the problem (from the consumer’s perspective) would be self-correcting. Of course, they (PayPal) might be forced to change their policies to be more credit-card-like with regards to fraud if that were to happen. I only know that I would be outside looking in as long as PayPal were involved.
Agreed. PayPal’s system is very closed in that they require login validation on THEIR servers. They would never allow a transaction or subscription to clear without first getting authorization from the user to *their* servers. SONY would be bypassed altogether.
If SONY wanted to cut a special deal with PayPal to alter that, I doubt PayPal would take the risk. 100 million accounts isn’t chump change, but PayPal isn’t hurting either or that desperate.
My PayPal account is hooked into my credit card, no cash loss from me if something goes wrong. So not sure what you are worried about there.
PayPal and Sony? What an intriguing match-up. I think you’re onto something there.
What the heck is going on over there at Sony? That’s crazy, dude.
http://www.real-privacy.es.tc
That’s very nice, but how do you know what all is really being installed on your computer along with the purported privacy function? Any such software could include a little module that logs keystrokes whenever it detects that you’re filling in a form with something that looks like a credit card number. Then after three months or so, send a copy of the log off to an obscure server, delete the log on your computer, and even delete the software module that did the dirty deed.
[…] Over at I, Cringely there is a post up looking at credit card security rules, Japanese society, and how Sony might get themselves out of this mess. Sony cannot start running again until they lock down all this customer data, and it sounds like they have been slack on that so far so they have a lot of work to do. […]
With credit card transactions you, the holder of the credit card, are the product being sold to the merchant (like Sony), who pays MasterCard and Visa for the privilege of taking your money. Sony as a merchant is the customer of the credit card provider. Can the card provider even afford to cut off a merchant such as Sony, who pays them their transaction fees for each card they process?
If the big credit card companies cut Sony off, then they know that someone else will have to process those, and that Sony can’t afford not to take credit cards. So they will get the business one way or the other. Directly through Sony or through a middle-man.
Cutting Sony off isn’t risky at all.
Well, I’m going to be pretty angry if my cc on the playstation network was compromised.
1. Sony had not properly secured its customers’ data.
2. Sony went out of its way to aggravate hackers, pursuing them aggressively, until the bear turned and mauled them.
3. Sony management is clueless and must be revitalized.
Does that mean we shouldn’t go after terrorists, for fear of aggravating them?
Interesting question . . . .
Another (all he did was jailbreak the ps3):
https://www.guardian.co.uk/technology/gamesblog/2011/jan/13/sony-suing-ps3-hackers
I wasn’t familiar with the details before, but this is the lawsuit which started it all:
https://www.informationweek.com/news/security/attacks/229000603
Another:
https://www.pcworld.com/article/220740/police_raid_ps3_hackers_home_hacker_retaliates_sony_sues.html
Actually it means that you should be prepared for a counter attack before you attack.
100 million accounts (read that again, ONE HUNDRED MILLION ACCOUNTS) were compromised, and you’re still speaking hypothetically? Of course your information was compromised, too. Act accordingly.
But they didn’t say any North American cc were compromised . . . though who am I kidding, that doesn’t mean anything.
I like Japanese culture; it has the best insight into personal responsibility for all endeavors: woodworking, tea drinking, clothing repair.
But by its superiority of understanding of the individual art it has a superiority complex that says all must be superior and thus no error is possible! We make the best CRT TV, best hi-fi, best cars, etc. So when mistakes are found, ownership of an error is impossible, and until a failure no amount of pointing out points of weakness is possible, but when found a profuse apology will suffice.
Well, it’s not sufficient; a good kick up the ass is needed. For the nuclear clean-up and lax data security. But I believe that it’s impossible for them to change their character. So we’ll have to suffer more!
(I may add that there is a similar problem with the Muslim)
PayPal is not an option in their society especially a USA option.
“[…] but if your organization is handling funds on old unsupported Windows 2000 servers you are probably in trouble.”
Hell, if you’re using Windows at all, you’re in big trouble. Never have I seen such a stubborn group of so-called intelligent people ignoring the obvious and deliberately choosing the path of greatest risk.
Cheap boxes with a crappy OS don’t make for anything I want running in my company, and no truly intelligent Admin would stand for it.
That tells us all we need to know about the IQ of the rubes at Sony and thousands of other companies.
Nice post with some interesting thoughts…
“Remember, after the recent earthquake and tsunami in Japan”?
What “earthquake and tsunami”? All we heard about from Bob and the rest of the media was about a massive nuclear accident. Maybe they missed telling us about the main news…
PayPal does not require a person to have an account in order to handle a payment transaction to a credit card. I would not be at all surprised to hear they are pursuing Sony and others.
[…] question of confidence in Sony, SOE, SCEA, et al., in holding our personal data. Should Sony, as Cringley and Lum suggest, outsource the whole thing to the likes of PayPal or PlaySpan? (PlaySpan is now […]
Why don’t the credit card companies create one time use numbers? They could provide a software program that, upon a user entering their ID and a pass phrase, generates a very large number and puts it into the clipboard. The user could then paste the number into a vendor’s web page and complete the purchase.
Once the special number is processed by the credit card company, it can’t be used again. The vendor can hoard the numbers all they want, but they are no longer valid.
The number format could also include a date stamp limiting its duration and other security features. It could be as large as needed because the user isn’t going to have to type it.
A similar system could be implemented in hardware for physical store transactions.
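The scheme in the comment above, as an added example that is not part of the original post and is not how any card network actually implements virtual account numbers: an issuer mints a Luhn-valid 19-digit number carrying an embedded expiry day, records it as unspent, and declines any replay, any use past the expiry, any tampered number, and any number it never issued. It goes one step beyond the comment by locking each number to a single merchant, so a hoarded number is useless anywhere else even before it has been spent. The issuer prefix 999999, the epoch, and the merchant names are made up for the example.

```python
"""Single-use, merchant-locked, time-limited virtual account numbers.
Added example: not code from the post or its commenters, and not any real
issuer's scheme. ISSUER_PREFIX is a made-up prefix, not a real BIN."""
import secrets
from datetime import date, timedelta

ISSUER_PREFIX = "999999"      # hypothetical issuer prefix
EPOCH = date(2000, 1, 1)      # expiry is embedded as days since this date


def luhn_ok(number: str) -> bool:
    """Standard Luhn check over a digit string."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def luhn_digit(partial: str) -> str:
    """The single check digit that makes partial + digit pass luhn_ok."""
    for d in "0123456789":
        if luhn_ok(partial + d):
            return d
    raise AssertionError("unreachable: exactly one digit satisfies Luhn")


class VirtualCardIssuer:
    """Issuer-side state: every number ever minted, its merchant lock, and
    whether it has already been used. Expiry lives inside the number."""

    def __init__(self):
        self._issued = {}  # number -> {"holder", "merchant", "spent"}

    def mint(self, holder: str, merchant: str, today: str, valid_days: int = 1) -> str:
        """Fresh 19-digit number: prefix(6) + expiry day(5) + random(7) + check(1).
        `today` is an ISO date string; the number dies valid_days later."""
        expiry_day = (date.fromisoformat(today) - EPOCH).days + valid_days
        body = f"{ISSUER_PREFIX}{expiry_day:05d}{secrets.randbelow(10**7):07d}"
        number = body + luhn_digit(body)
        self._issued[number] = {"holder": holder, "merchant": merchant, "spent": False}
        return number

    def authorize(self, number: str, merchant: str, today: str) -> str:
        """A merchant submits a number. Checks run cheapest-first; the number
        is marked spent only once every other check has passed."""
        if not (number.isdigit() and len(number) == 19 and luhn_ok(number)):
            return "declined: malformed"
        record = self._issued.get(number)
        if record is None:
            return "declined: unknown"
        expiry = EPOCH + timedelta(days=int(number[6:11]))
        if date.fromisoformat(today) > expiry:
            return "declined: expired"
        if record["merchant"] != merchant:
            return "declined: merchant mismatch"
        if record["spent"]:
            return "declined: already used"
        record["spent"] = True
        return "approved"


if __name__ == "__main__":
    issuer = VirtualCardIssuer()
    n = issuer.mint("alice", "playstation-store", "2011-05-03")
    print(n[:6] + "..." + n[-4:], issuer.authorize(n, "playstation-store", "2011-05-03"))
    # A merchant that hoards the number gets nothing from it a second time.
    print("replay:", issuer.authorize(n, "playstation-store", "2011-05-03"))
```

The point the comment makes survives the details: once the issuer tracks spent numbers, a stolen database of them is worthless, and the expiry and merchant lock mean even an unspent number leaks almost nothing. What the scheme does not remove is the issuer’s own table, which is now the one thing worth attacking.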
You can already do this at every credit card website I know of. Do a search for “Virtual Account Number”.
Thanks for the tip! My card company doesn’t offer it yet, but I’m going to request they do.
Just today I checked my CC account online and found four fraudulent charges over the last two weeks. I have a Sony PSN account, although it’s free and I don’t recall ever giving them my CC number. The timing may just be a coincidence. On the other hand, even free accounts occasionally require a CC number and it’s possible I put it in and forgot about it.
In any case, if you have done credit card business with Sony, definitely keep an eye on charges in your CC account.
In the same way that Visa launched “verified by Visa” payment system similar to Paypal, I wonder why Paypal doesn’t launch its own competing credit card?
Just a thought.
All this talk about credit cards reminds me of the story about the situation in the distant future: a time traveler from the 20th century pulls out his wallet and offers Mastercard and is told “Mastercard went out of business centuries ago.” So he tried his Visa card and was told the same thing. Same story with American Express “out of business long ago”. Out of desperation, he pulls out his Discover card and is told “sorry, we don’t accept Discover”.
Yes, Sony’s products and services have been going downhill steadily since the dotcom heydays just over 10 years ago, when I remember strolling through giant Sony Stores filled with shining gadgets, and Sony has to turn that around. But the problem here is not with the Cloud but the people handling it. The problem is with the credit card culture. Why should any merchant keep your actual CC number at all, except that they want to keep charging (the subscription New World) and that people are lazy? The minute I find out my CC info is compromised it will be canceled, and another card will take its place. What is so important about a card that will make anyone hold on to it even after its info was stolen, unless one has tons of outstanding balance on it and/or accumulated miles? (Both of which can be transferred to a new card.) I’d trust fill-as-you-go paycards before I trust PayPal. I cannot help but think all this is invariably linked to the “credit crisis”; somehow our “credit history” and electronic papers are worth more than our personal worth or real cash. So what if you use the same card on a dozen online merchants? Change them. Or do you prefer staying up nights worrying about possible fraudulent charges to come for months and months?
The cult at the end of the world : the terrifying story of the Aum doomsday cult, from the subways of Tokyo to the nuclear arsenals of Russia / David E. Kaplan & Andrew Marshall.
Excellent reading for another look into the mind of Japanese society’s expectation of orderliness. Easily as scary as the unsecured credit card / personal information unconcern.
Interesting. In response to Genda, someone will pick up the slack; Sony is just too big, like you said, not to have someone step up and handle it.
Can you imagine the panic if it wasn’t scheduled? How many sprained ankles or broken limbs caused by the semi-panicked stampede would be acceptable in the “drill”?
We’re in a globalized economy, and it takes 10,000 hours of instruction and practice to be world class at anything. I’m not saying you can’t make home schooling work, but it’s a lot of work, probably more than a full-time job. If you’re also a writer, or doing housework, then you may not have the time to make it work. Then the kids get a few hours (or less) of classroom a day, and the rest of the time they are out playing on the street. Nothing wrong with that per se, but it’s a competitive world.