Sony, credit cards, and full disclosure

Yesterday I felt pretty confident that the risks of identity/credit fraud following the Sony fiasco were fairly minimal. Today I’m eating a bit of crow. My credit card was definitely used for some nefarious purposes, and I mentioned it to my boss, who mentioned it on Twitter, which got me a bunch of new followers and a few snarky replies.

Some people claimed I was jumping to conclusions. Other people said I should be mad at the hackers, not Sony. And I can’t say their answers were unfair; Twitter can only communicate in short bursts, so you lose some nuance and detail when expressing opinions. So let me get right to it here.

Back to the beginning.

At Shacknews, we all join a collective chat room while we’re on the clock, and we pass around our stories publicly so they can be checked by other writers while we work on other things. It’s a nice communal feeling. I had just polished off my last story (about the class action suit) and put it in the chat for a check, and then I went to flip through my RSS reader while I waited. I stumbled upon this Ars Technica story. It’s all second-hand, but I want to point out one particular bit:

“About two or three days ago, my bank notified me that I had gotten my own [credit card information] stolen, the one I use for my PSN account, and with it a ticket was purchased through a German airline for nearly $600,” she told Ars. “They are still looking into the fraud charge meaning that right now I have a negative $500 in my account, with no good chance that I’ll be getting that back any time soon.”

This prompted me to check my bank account, which I had been doing pretty regularly since this story broke. I wasn’t especially worried, but I wanted to keep an eye on things. Immediately I noticed my account was about $1,500 lower than it should’ve been. It was thanks to three identical transactions. For a little over $500, at a Giant Food, in Germany.

(A helpful tweet informed me that there are no Giant Foods in Germany, but I doubt it was actually at the grocery store. If I had to venture an uneducated guess, this was a sly method to get the actual money, rather than actually getting $500 worth of German groceries. I don’t think the victim above really had her card used for an airline ticket either.)

Now I’m all for benefit of the doubt, and I don’t want to jump to conclusions. But seeing a reader report that her PSN-associated credit card was charged in Germany for somewhere in the $500 range, and then finding that the exact same thing happened to me? That would be one hell of a coincidence.

I put a freeze on my account and a new card is being sent. I also changed all my passwords, and went through the hassle of making sure that my automatic bill payments are going through a different card for the time being. Once the transaction goes through, I can get the fraud department involved at my bank, and get my money back. Everything should work out, and I’m fortunate enough to have a little money in reserve so this doesn’t make me broke and destitute in the meantime.

I’m not upset with Sony because they were hacked. It happens, I understand that. My sarcastic “thanks Sony!” was over their reluctance to tell anyone what happened. If you’re a multinational corporation, you don’t pull your service, costing yourself and business partners hundreds of thousands of dollars, unless you absolutely have to. That’s the nuclear option. The last resort. Sony would never have taken such a drastic step if it didn’t know that this level of consumer theft was at least a possibility. And since it was a possibility, even if it was only a possibility, they should’ve told us.

I believe them when they say they didn’t know that user data was stolen until Monday. I just think they’re choosing their words carefully. They may not have known until then, but they had to have feared the worst. So the delay in informing customers was crossing their fingers and hoping for the best, and wasting valuable time when their customers could have been canceling their credit cards and stopping the fraud.

Now the latest from Sony is that credit cards were encrypted. Frankly, I don’t know enough about encryption or credit fraud to say what this means, and I’m not going to pretend to. I can only speak from what I know. What I know is that the card associated with my PSN account was the subject of fraud, in the precise same way that an Ars Technica reader’s PSN-associated card was the subject of fraud. How could that happen to encrypted cards? Don’t know.

Hackers hack. That’s what they do. If a rabid dog bites my wife’s arm and she dies because the EMTs didn’t take care of the wound, I’m going to be pretty upset with the EMTs for screwing up their job. I put a certain level of trust in the EMTs. I have no faith or trust in the rabid dog, so there’s no faith to be broken.

Onto happier subjects. One of my 1UP features went up today: When Gamers Give Back. It was kind of inspired by the Japanese charities that popped up. I wanted to do something related to that spirit but that wasn’t directly tied to it. I’m pretty happy with how it turned out, though perhaps I should’ve waited for a little closer to the holiday season when more of those charities would be active.

  • What a boring couple of weeks for XBLM. Though I did try Outland today and it’s gorgeous, so I guess that buys them some goodwill.
  • My inkling is that this Xbox deal is the reason Telltale pushed back Jurassic Park. I have absolutely no proof, of course.
  • This story reads like a Senate hearing. What did you know and when?
  • And the class-action suit story, which I referenced above.
