Valve has now confirmed that the hack of its Steam forums reported last week may have included the theft of credit card numbers. The company has emailed users saying that the intruders that defaced its forums also accessed a database which included “information including user names, hashed and salted passwords, game purchases, …
So, is this just "saved" credit card information? I always enter my CC details manually every time and untick the option to "save" the details for next time. Does this mean they don't have any of my credit card information, or do they also have historic credit card information?
The chances are that the CC transactions are batched up in some way, therefore there would be need to store the data on the customer's systems.
This is one of the big advantages of systems like verified by visa, the transaction is carried out by the payment processor, so the merchant's web site doesn't need to bother with all that sort of thing.
Verified by Visa has feck all to do with it; the system works thus:
1: Website/whatever displays "enter your card information"
2: When submitted the website verifies the basic form data (does it pass Luhn validation etc) and if so passes that information off to the card processor
3: The card processor contacts the bank and verifies the transaction
4: The card processor then sends a response back to the originating website to say whether the transaction was successful or not.
The only difference with VbV (well, 3D Secure) is that there's an additional step between 3 and 4 where the customer has to enter their 3D Secure username and password to verify that it's actually them making the transaction and it's not a stolen/cloned card.
The originating website should never HAVE to store the card information ... ever. Doing so requires a higher level of PCI compliance and occasional audits.
Valve _could_ hold the card data as they have a "remember my card number" type bit but odds are they probably just hold the last 4 digits - the card processing company will hold the full number in that case ... or at least one would hope that's how it's set up.
Bad but could be worse
Salted hashed passwords are useless to the attacker unless they know the salting algorithm, and even then only for replay attacks.
Likewise, if the credit card details are properly encrypted then they are again useless to the attacker.
Having said that, I agree that changing your password and keeping an eye on your credit card statement is fair & responsible advise rather than going "la la la nothing to worry about" or denying everything, so fair play to Valve there.
The salting algorithm, has to be in client service or a stored proc of the . e.g. If the salt was "steam2011%" + email address + password before hashing then the code to do this would have to be somewhere.
If thieves had access to the db and salting was done there (bad idea) then they know how it works. Even if it were done in the client service, who's to say that the jar and config files of that weren't also lifted when the database was?
Still haven't seen it clarified yet whether this applies to all Steam accounts, or just those linked to the forums. Any news, El Reg? My details have already been swiped once this year, twice if I count you lot. ;-)
Heh....love the last bit.
Since they haven't specifically said it's limited to those who have a forum account it's best to assume they got everyone's details and change your password and possibly get a new card issued if you let them keep your CC details.
While their communication has been decent the fact that they gave no indication on HOW the passwords were encrypted (beyond "hashed and salted") is annoying.
After-all, hashed and salted MD5 passwords are still basically useless in this GPGPU era.
but to reveal the exact method used would *greatly* help the people who now have that data, and would be really stupid.
they can throw all the horsepower they like computing MD5 collisions, but that would be pointless if valve used SHA-2. Giving hints would be a *bad idea*
>While their communication has been decent the fact that they gave no indication on HOW the
>passwords were encrypted (beyond "hashed and salted") is annoying.
Yes. Especially annoying to the hackers I would think.
But if they were using a decent encryption mechanism it shouldn't matter if the hackers know what it is or not.
What worries me is that they used crappy encryption and are now crossing their fingers that a weak bit of ambiguity is all that is between the hackers and discovering that they used ROT13 will hold.
Meanwhile the rest of us are also left in the dark as to how secure the encryption was which does not inspire confidence.
Valve already said that the credit card data was AES256 encrypted.
Why they didn't simply encrypt other sensible data (i.e. address, list of registered games) as well is beyond me. After all, not only credit card data can be used for identity theft.
You can't encrypt every field in the database because it renders it virtually useless for queries. e.g. user "fredblogs" wants to log in so the login service attempts to query "fredblogs". But how does the service do it unless it either has the key itself, or the db has a stored proc that enciphers "fredblogs" and does the search?
Either way you're not in a secure place. Handing the key out to all clients of the db is no more secure than the user id / password they already need to connect. Embedding the key in the database in a stored proc is not much use if someone is capable of lifting the db.
One can understand the cc info being encrypted since it is unlikely the database has any reason to ever see it, aside perhaps from the last 3 digits when giving users a hint during a purchase. I expect the encrypted data gets passed onto a separate transaction service which decrypts the key when making a purchase. But it's still possible to see how that wouldn't be a protection either. If someone got into the database of user ids, who's to say they didn't also get onto the transaction server? Saying AES is not an assurance without giving more info.
Fortunately they have a Paypal option, so you could buy without having to give over your credit card details. Not impressed with the other info that got snatched though.
For those who did opt to trust Steam with their credit cards details, I hope the encryption holds.
I did, and I'm not bothered
Trusting a company to hold your CC info is always a risk, but at least Steam have stored it encrypted.
Normally this type of attack is followed by a "whoops, we store your info unencrypted", despite (in the UK) this being a massive DPA no-no.
The CC I used to use with Steam expired just one week ago coincidently, but even if it hadn't any fraudulent use would be completely covered by the fact it is a CC.
Minor hassle, yes, but not the end of the world.
I'm glad we've moved on from ~10 years ago when it was basically just finger-crossing time.
There are an awful lot of Steam users who won't look at the forums - I usually only go there when I have a problem with a game. I shudder to think how many users have forum usernames and passwords the same as their Steam logins. Valve has at least put this alert in the auto-popup Update News within the Steam client, so everybody will see it on next login, but I can't help think that forcing a password reset for Steam itself would be a minor inconvenience compared to the hassle involved in reclaiming a hacked account - how many people actually use Steam Guard, I wonder.
At least they're acknowledging a problem; although the banner at the top of every forum didn't really give them many options, I suppose, as it was quite a visible hack.
"Still haven't seen it clarified yet whether this applies to all Steam accounts, or just those linked to the forums."
Seriously? This is your major worry here?
It's akin to saying, someone broke into my house, but only ransacked the kitchen, so since the kitchen doesn't apply to me, I'm not going to worry about it.
The fact that *anyone* got in *at all* should be a concern to you.
No it isn't. If you never use the forums, it's more akin to saying, someone broke into the house next door, but I'm not terribly worried as they have nothing to do with me.
You miss the point of that users comment! I have the same concern too. The reason he asks if those who have not used the forums have been compromised is obvious, he wants to know if his credit card details are at risk. Does not necessarily equate to the user having no concern that the server was hacked.
It is a natural question to want to know if you were personally affected.
My bank has a nice feature, if somebody uses your credit card, you immediately get an SMS telling you where and how much. Last year somebody used my card to buy AT&T telephone credit from Pennsylvania. Luckily it was a small amount, I immediately cancelled the card.
I still haven't received the email from them, so does that mean that only the accounts linked to the forum are affected?
What hope "the cloud"?
Not sure I care greatly
Visa et al require sites encrypt their CC info precisely so if the database is compromised the data is useless. I would also hope that the password + salt would make it very difficult to make use of the login credentials.
The best way to protect and clean up after these sorts of compromises is to:
1) Arrange your accounts into tiers
a) Forums and other accounts that expose little personal info, no financial data
b) Online merchants, game services, forums that may be of a more personal nature
c) Payment processing services like PayPal, Entropay etc.
d) Tax / social security / banks
2) For each tier pick user ids and passwords that are appropriate to the level of threat and the amount of damage if they are stolen. e.g. for forums register under an alias with a secondary email address and a fairly strong password. You can share passwords for throwaway stuff, but as you go higher up the tiers, where you are exposing your real email and id, make the password stronger and unique to each site, or at least only shared by a couple which are orthogonal.
A nonsense phrase that only you know is perfectly secure. For tier d) chances are that every site will implement its own 2nd level security so they're inherently unique.
3) Store your passwords in something like Password Safe. If an account is compromised review which other accounts share the same user id / email / password credentials and change them.
4) Don't worry too much. Worst case is probably a few phone calls to the bank. If your card got stolen then chances are that lots of other people's did as well.
Hold on a second you have a grammatical error here
...“information including user names, hashed and salted passwords, game..."
Should read “information including user names, hashed and powder sugared passwords, game..."
While I have respect for Valve informing us as soon as they could my respect for Gabe has been on a continual decline for the last few years.
Anyway as far as I am concerned, in my case I dont give a damn if they find my card info. The reason is because when it comes to online purchases I will go buy a prepaid card and use that unless what I am ordering is not feasible using one of those. In that case I watch my account like a hawk for a while.
Hope they dont break this though for all those who might stand to lose.
I'd also question the wisdom of storing billing information on the same server(s) as a public forum
Pretty sure I used Paypal
Need to check however, but I do not remember setting a card up
I'm a Valve/Steam customer and tbh I don't know if I have a card registered or not. Someone mentioned PayPal - I probably pay with that.
My problem is that I've been googling for a few minutes without turning up any Valve or Steam sites for me to login to. I'd be embarrassed if I wasn't fine blaming Google's ranking engine.
their website is http://store.steampowered.com/ or alternatively you could google steam+website
You could also click on the "your account" link in the top right hand of the Steam client. If the page it takes you to it doesn't show any associated credit cards on the right in the little box with the blue header, you don't have any.
It may be encrypted
But it depends how it was encrpyed and how the key was stored.
For example if the key is stored in configuration file for an app server then it is bad news. The best place would be in an HSM or similar.
You'd be suprised how many payment systems encrypt the data but keep the key in the clear.
I might be jumping the gun a bit, but if the hackers got in via the forums then I think it's a bit weak of Valve to have kept their forum server so close to the rest of their infrastructure. Their forums run vBulletin, which isn't open source but it's very common, so I would imagine getting hold of the source code to look for flaws would be no problem. Or worse still, it could turn out that Valve were running an old version of the forum with known security flaws.
Either way, for such an obvious vector, it's disappointing that it was possible for the hackers to use the forum as a springboard to get at the rest of their infrastructure, when really it should have been firewalled off on its own subnet and kept fully separate from servers hosting banking and personal information.
Why should we settle for only having our credit card data encrypted? Frankly, if someone stole my credit card details, with the law on my side, it's fairly painless to tell your credit card company "my card's been nicked, this stuff wasn't me, can I have a new card please?" ... It's then their problem to sort out the fraud with then little bit of inconvenience of a phone call to you.
Why then do we not demand that our e-mail, physical addresses and other such information is not also encrypted? Changing e-mail is an absolute pain the butt, likewise phone number or house. I think that everything that a company ever holds on a customer should always be encrypted. My name is as personal and valuable as my credit card details and everything possible should be done to protect it.
Use the Paypal option.
Who cares, where the hell is HL2, Ep3 Gabe!!!!!! 6-8 months my ass
Can't believe no-one's said this yet...!
Good news. I figured what that thing you just incinerated did. It was a morality core they installed after I flooded the Internet with user credit card details, to make me stop flooding the Internet Center with user credit card numbers.
Where are you now xbox fanboys?
I love it how everyone's come on here justifying why the credit card data can't be used for anything, but when the exact same thing happened to Sony everyone was up in arms and going ballistic about why the data was stolen in the first place. I guess xbox fanboys dont care about Valve...
People went ballistic about Sony because they stored the CC details in the clear, as plain text.
On the other hand, Valve salted and hashed the CC details. It's still ridiculous that they stored them apparently on the same server as their forum, though.
I hope the hackers don't find out I bought Duke Nukem forver....
I hope the HAckers dont find out I bought Duke Nukem forever....
why is this story run again?
You can see from G.Newalls posting on the steam forums that Valve confessed to having the CC database hacked and stolen
Still, with any luck, they'll track down said hacker and offer him a job......... and hope the German police dont stop him getting on the plane this time......
It's interesting how avoiding horrible DRM schemes has coincidentally done so well by me in terms of keeping my credit card details unhacked. I can only speculate that this might show something about the attitude toward their customers that sort of company has.
Suspect my CC details may have been on the Steam servers as I've bought stuff from them. May not be due to this but in last few days had a couple of on-line transactions declined and just had a call from my CC company to say that my card number is one that has been notified to them as one that may have been "obtained by fraudsters" and thus they need to block my cards and reissue them (only takes 5 - 7 working days to process). At least this happened 2 days after our main day Christmas shopping!