Valve says credit card data taken

Valve has now confirmed that the hack of its Steam forums reported last week may have included the theft of credit card numbers. The company has emailed users saying that the intruders that defaced its forums also accessed a database which included “information including user names, hashed and salted passwords, game purchases, …

COMMENTS

This topic is closed for new posts.
Facepalm

Clarification

So, is this just "saved" credit card information? I always enter my CC details manually every time and untick the option to "save" the details for next time. Does this mean they don't have any of my credit card information, or do they also have historic credit card information?

2
0
Anonymous Coward

Hmm...

The chances are that the CC transactions are batched up in some way, therefore there would be a need to store the data on the customer's systems.

This is one of the big advantages of systems like verified by visa, the transaction is carried out by the payment processor, so the merchant's web site doesn't need to bother with all that sort of thing.

0
2

Ummm whut?

Verified by Visa has feck all to do with it; the system works thus:

1: Website/whatever displays "enter your card information"

2: When submitted the website verifies the basic form data (does it pass Luhn validation etc) and if so passes that information off to the card processor

3: The card processor contacts the bank and verifies the transaction

4: The card processor then sends a response back to the originating website to say whether the transaction was successful or not.

The only difference with VbV (well, 3D Secure) is that there's an additional step between 3 and 4 where the customer has to enter their 3D Secure username and password to verify that it's actually them making the transaction and it's not a stolen/cloned card.

The originating website should never HAVE to store the card information ... ever. Doing so requires a higher level of PCI compliance and occasional audits.

Valve _could_ hold the card data as they have a "remember my card number" type bit but odds are they probably just hold the last 4 digits - the card processing company will hold the full number in that case ... or at least one would hope that's how it's set up.

2
0

Bad but could be worse

Salted hashed passwords are useless to the attacker unless they know the salting algorithm, and even then only for replay attacks.

Likewise, if the credit card details are properly encrypted then they are again useless to the attacker.

Having said that, I agree that changing your password and keeping an eye on your credit card statement is fair & responsible advice rather than going "la la la nothing to worry about" or denying everything, so fair play to Valve there.

6
0
Silver badge

Problem is

The salting algorithm, has to be in client service or a stored proc of the . e.g. If the salt was "steam2011%" + email address + password before hashing then the code to do this would have to be somewhere.

If thieves had access to the db and salting was done there (bad idea) then they know how it works. Even if it were done in the client service, who's to say that the jar and config files of that weren't also lifted when the database was?

0
2

Still haven't seen it clarified yet whether this applies to all Steam accounts, or just those linked to the forums. Any news, El Reg? My details have already been swiped once this year, twice if I count you lot. ;-)

4
0
Thumb Up

Heh....love the last bit.

3
0
Bronze badge

Since they haven't specifically said it's limited to those who have a forum account it's best to assume they got everyone's details and change your password and possibly get a new card issued if you let them keep your CC details.

0
1
Anonymous Coward

While their communication has been decent the fact that they gave no indication on HOW the passwords were encrypted (beyond "hashed and salted") is annoying.

After all, hashed and salted MD5 passwords are still basically useless in this GPGPU era.

0
6

indeed,

but to reveal the exact method used would *greatly* help the people who now have that data, and would be really stupid.

They can throw all the horsepower they like computing MD5 collisions, but that would be pointless if Valve used SHA-2. Giving hints would be a *bad idea*.

10
0
Silver badge
Facepalm

>While their communication has been decent the fact that they gave no indication on HOW the

>passwords were encrypted (beyond "hashed and salted") is annoying.

Yes. Especially annoying to the hackers I would think.

5
0
Anonymous Coward

Good point

But if they were using a decent encryption mechanism it shouldn't matter if the hackers know what it is or not.

What worries me is that they used crappy encryption and are now crossing their fingers that the weak bit of ambiguity, which is all that stands between the hackers and discovering that they used ROT13, will hold.

Meanwhile the rest of us are also left in the dark as to how secure the encryption was which does not inspire confidence.

0
4

AES256

Valve already said that the credit card data was AES256 encrypted.

Why they didn't simply encrypt other sensible data (i.e. address, list of registered games) as well is beyond me. After all, not only credit card data can be used for identity theft.

1
1
Silver badge

AES256

You can't encrypt every field in the database because it renders it virtually useless for queries. e.g. user "fredblogs" wants to log in so the login service attempts to query "fredblogs". But how does the service do it unless it either has the key itself, or the db has a stored proc that enciphers "fredblogs" and does the search?

Either way you're not in a secure place. Handing the key out to all clients of the db is no more secure than the user id / password they already need to connect. Embedding the key in the database in a stored proc is not much use if someone is capable of lifting the db.

One can understand the cc info being encrypted since it is unlikely the database has any reason to ever see it, aside perhaps from the last 3 digits when giving users a hint during a purchase. I expect the encrypted data gets passed onto a separate transaction service which decrypts the key when making a purchase. But it's still possible to see how that wouldn't be a protection either. If someone got into the database of user ids, who's to say they didn't also get onto the transaction server? Saying AES is not an assurance without giving more info.

0
0

Paypal Option...

Fortunately they have a Paypal option, so you could buy without having to give over your credit card details. Not impressed with the other info that got snatched though.

For those who did opt to trust Steam with their credit cards details, I hope the encryption holds.

1
1

I did, and I'm not bothered

Trusting a company to hold your CC info is always a risk, but at least Steam have stored it encrypted.

Normally this type of attack is followed by a "whoops, we store your info unencrypted", despite (in the UK) this being a massive DPA no-no.

The CC I used to use with Steam expired just one week ago coincidentally, but even if it hadn't, any fraudulent use would be completely covered by the fact it is a CC.

Minor hassle, yes, but not the end of the world.

I'm glad we've moved on from ~10 years ago when it was basically just finger-crossing time.

0
0
Anonymous Coward

There are an awful lot of Steam users who won't look at the forums - I usually only go there when I have a problem with a game. I shudder to think how many users have forum usernames and passwords the same as their Steam logins. Valve has at least put this alert in the auto-popup Update News within the Steam client, so everybody will see it on next login, but I can't help think that forcing a password reset for Steam itself would be a minor inconvenience compared to the hassle involved in reclaiming a hacked account - how many people actually use Steam Guard, I wonder.

At least they're acknowledging a problem; although the banner at the top of every forum didn't really give them many options, I suppose, as it was quite a visible hack.

1
1
Silver badge

"Still haven't seen it clarified yet whether this applies to all Steam accounts, or just those linked to the forums."

Seriously? This is your major worry here?

It's akin to saying, someone broke into my house, but only ransacked the kitchen, so since the kitchen doesn't apply to me, I'm not going to worry about it.

The fact that *anyone* got in *at all* should be a concern to you.

1
7
Anonymous Coward

No.

No it isn't. If you never use the forums, it's more akin to saying, someone broke into the house next door, but I'm not terribly worried as they have nothing to do with me.

1
0

John,

You miss the point of that user's comment! I have the same concern too. The reason he asks if those who have not used the forums have been compromised is obvious: he wants to know if his credit card details are at risk. It does not necessarily equate to the user having no concern that the server was hacked.

It is a natural question to want to know if you were personally affected.

My bank has a nice feature, if somebody uses your credit card, you immediately get an SMS telling you where and how much. Last year somebody used my card to buy AT&T telephone credit from Pennsylvania. Luckily it was a small amount, I immediately cancelled the card.

1
0
Anonymous Coward

I still haven't received the email from them, so does that mean that only the accounts linked to the forum are affected?

0
0
Silver badge
FAIL

Not impressed

What hope "the cloud"?

0
0
Silver badge

Not sure I care greatly

Visa et al require sites encrypt their CC info precisely so if the database is compromised the data is useless. I would also hope that the password + salt would make it very difficult to make use of the login credentials.

The best way to protect and clean up after these sorts of compromises is to:

1) Arrange your accounts into tiers

a) Forums and other accounts that expose little personal info, no financial data

b) Online merchants, game services, forums that may be of a more personal nature

c) Payment processing services like PayPal, Entropay etc.

d) Tax / social security / banks

2) For each tier pick user ids and passwords that are appropriate to the level of threat and the amount of damage if they are stolen. e.g. for forums register under an alias with a secondary email address and a fairly strong password. You can share passwords for throwaway stuff, but as you go higher up the tiers, where you are exposing your real email and id, make the password stronger and unique to each site, or at least only shared by a couple which are orthogonal.

A nonsense phrase that only you know is perfectly secure. For tier d) chances are that every site will implement its own 2nd level security so they're inherently unique.

3) Store your passwords in something like Password Safe. If an account is compromised review which other accounts share the same user id / email / password credentials and change them.

4) Don't worry too much. Worst case is probably a few phone calls to the bank. If your card got stolen then chances are that lots of other people's did as well.

0
0
Joke

Hold on a second you have a grammatical error here

...“information including user names, hashed and salted passwords, game..."

Should read “information including user names, hashed and powder sugared passwords, game..."

While I have respect for Valve informing us as soon as they could my respect for Gabe has been on a continual decline for the last few years.

Anyway, as far as I am concerned, in my case I don't give a damn if they find my card info. The reason is that when it comes to online purchases I will go buy a prepaid card and use that unless what I am ordering is not feasible using one of those. In that case I watch my account like a hawk for a while.

Hope they don't break this though, for all those who might stand to lose.

0
2

I'd also question the wisdom of storing billing information on the same server(s) as a public forum

0
0
MJI
Silver badge

Pretty sure I used Paypal

Need to check however, but I do not remember setting a card up

0
0

I'm a Valve/Steam customer and tbh I don't know if I have a card registered or not. Someone mentioned PayPal - I probably pay with that.

My problem is that I've been googling for a few minutes without turning up any Valve or Steam sites for me to login to. I'd be embarrassed if I wasn't fine blaming Google's ranking engine.

0
0
Bronze badge

their website is http://store.steampowered.com/ or alternatively you could google steam+website

You could also click on the "your account" link in the top right hand of the Steam client. If the page it takes you to it doesn't show any associated credit cards on the right in the little box with the blue header, you don't have any.

0
0
Anonymous Coward

It may be encrypted

But it depends how it was encrypted and how the key was stored.

For example if the key is stored in configuration file for an app server then it is bad news. The best place would be in an HSM or similar.

You'd be surprised how many payment systems encrypt the data but keep the key in the clear.

0
1

I might be jumping the gun a bit, but if the hackers got in via the forums then I think it's a bit weak of Valve to have kept their forum server so close to the rest of their infrastructure. Their forums run vBulletin, which isn't open source but it's very common, so I would imagine getting hold of the source code to look for flaws would be no problem. Or worse still, it could turn out that Valve were running an old version of the forum with known security flaws.

Either way, for such an obvious vector, it's disappointing that it was possible for the hackers to use the forum as a springboard to get at the rest of their infrastructure, when really it should have been firewalled off on its own subnet and kept fully separate from servers hosting banking and personal information.

0
1
Unhappy

Why should we settle for only having our credit card data encrypted? Frankly, if someone stole my credit card details, with the law on my side, it's fairly painless to tell your credit card company "my card's been nicked, this stuff wasn't me, can I have a new card please?" ... It's then their problem to sort out the fraud, with the little bit of inconvenience of a phone call to you.

Why then do we not demand that our e-mail, physical addresses and other such information are also encrypted? Changing e-mail is an absolute pain in the butt, likewise phone number or house. I think that everything that a company ever holds on a customer should always be encrypted. My name is as personal and valuable as my credit card details and everything possible should be done to protect it.

0
1
Happy

Hi guys

Use the Paypal option.

0
2
Coat

Who cares, where the hell is HL2, Ep3 Gabe!!!!!! 6-8 months my ass

0
1
Mushroom

Can't believe no-one's said this yet...!

Good news. I figured what that thing you just incinerated did. It was a morality core they installed after I flooded the Internet with user credit card details, to make me stop flooding the Internet Center with user credit card numbers.

0
0
Devil

Where are you now xbox fanboys?

I love it how everyone's come on here justifying why the credit card data can't be used for anything, but when the exact same thing happened to Sony everyone was up in arms and going ballistic about why the data was stolen in the first place. I guess xbox fanboys don't care about Valve...

0
2
Bronze badge

People went ballistic about Sony because they stored the CC details in the clear, as plain text.

On the other hand, Valve salted and hashed the CC details. It's still ridiculous that they stored them apparently on the same server as their forum, though.

0
0

Oh S*&T

I hope the hackers don't find out I bought Duke Nukem Forever....

0
0

Oh S*&T

I hope the hackers don't find out I bought Duke Nukem Forever....

0
0
Silver badge
FAIL

ermmmmmmm

Why is this story run again?

You can see from G. Newell's posting on the Steam forums that Valve confessed to having the CC database hacked and stolen.

Still, with any luck, they'll track down said hacker and offer him a job......... and hope the German police don't stop him getting on the plane this time......

0
0
Silver badge

It's interesting how avoiding horrible DRM schemes has coincidentally done so well by me in terms of keeping my credit card details unhacked. I can only speculate that this might show something about the attitude toward their customers that sort of company has.

0
0
Anonymous Coward

Suspect my CC details may have been on the Steam servers as I've bought stuff from them. May not be due to this, but in the last few days I've had a couple of online transactions declined and just had a call from my CC company to say that my card number is one that has been notified to them as one that may have been "obtained by fraudsters" and thus they need to block my cards and reissue them (only takes 5 - 7 working days to process). At least this happened 2 days after our main day of Christmas shopping!

0
0