Steam Hacked, Credit Card Numbers Taken
An anonymous reader writes "DailyTech reports that Valve's Steam content distribution system has been compromised. According to the article a hacker claims to have 'bypassed Valve's security system and accessed a significant chunk of data, including: screenshots of internal Valve web pages, a portion of Valve's Cafe directory, error logs, credit card information of customers, and financial information on Valve.'"
Re:Another, eh? (Score:4, Insightful)
The CC processor could then send back to the retailer the transaction id along with either an authorized or unauthorized code indicator (maybe even a code to indicate why authorization failed - insufficient funds, user declined, stolen card, etc).
This could even extend to subscription purchases. Currently, one of the reasons retailers might store CC info is for recurring subscription charges. When requesting the transaction, the retailer could indicate they would like to do a recurring charge, and in that case, the transaction id they receive could be repeatedly billed (but *only* by them, not by other merchants) until the user canceled that subscription. Currently, every retailer individually manages subscriptions, so if you want to cancel a subscription with, say, an online game (or magazine or anything else), you have to go to their website (or use some interface built into the game's client) to cancel the subscription. Wouldn't it be great to just log into your credit card's website and go cancel a subscription from a list of your current subscriptions? The next time the game, magazine, whatever goes to bill you, they simply receive back an authorization failed code indicating that the user cancelled the subscription, and they cancel the account in their system automatically.
Well, I can hope anyhow. Currently, the CC industry seems to be simply content with the status quo, even if it is pretty stupid. I see no reason why anyone I do business with needs a re-usable account number.
There is, of course, with this proposal still the possibility of someone setting up a phishing attack. Go to their site, get "re-directed to the CC processor's site", which really isn't, and then you end up putting your info in the phisher's database. That could probably be defeated by something similar in concept to Bank of America's SiteKey system, where the site proves to you that *it* is real by showing you something secret, that a phishing site would never know what to show you.
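The merchant-scoped transaction id proposed in the comment above, sketched as an added example that is not part of the original thread. The `Processor` class, its method names, the result codes and the card number used with it are all constructed for illustration, and the merchant is assumed to be already authenticated to the processor.

```python
import secrets

# Constructed result codes; the comment names outcomes but no wire format.
AUTHORIZED, WRONG_MERCHANT, USER_CANCELLED, ALREADY_USED, UNKNOWN = (
    "authorized", "wrong_merchant", "user_cancelled", "already_used", "unknown_id")


class Processor:
    """Toy card processor (hypothetical): it keeps the card number, the retailer never sees it."""

    def __init__(self):
        self._records = {}  # transaction id -> processor-side record

    def authorize(self, merchant_id, card_number, recurring=False):
        """Cardholder approves on the processor's site; retailer receives only the id."""
        txn_id = secrets.token_urlsafe(16)  # random, carries no card data
        self._records[txn_id] = {"merchant": merchant_id, "card": card_number,
                                 "recurring": recurring, "cancelled": False,
                                 "charges": 0, "billed_cents": 0}
        return txn_id

    def charge(self, merchant_id, txn_id, amount_cents):
        """Bill against an id. merchant_id is assumed already authenticated."""
        rec = self._records.get(txn_id)
        if rec is None:
            return UNKNOWN
        if rec["merchant"] != merchant_id:
            return WRONG_MERCHANT  # a stolen id is useless to any other merchant
        if rec["cancelled"]:
            return USER_CANCELLED  # retailer can close the account automatically
        if not rec["recurring"] and rec["charges"] >= 1:
            return ALREADY_USED  # one-off ids cannot be replayed
        rec["charges"] += 1
        rec["billed_cents"] += amount_cents
        return AUTHORIZED

    def subscriptions(self, card_number):
        """What the cardholder sees on the processor's site: active recurring ids."""
        return [(r["merchant"], t) for t, r in self._records.items()
                if r["card"] == card_number and r["recurring"] and not r["cancelled"]]

    def cancel(self, card_number, txn_id):
        """Cardholder cancels from the processor's site, not the retailer's."""
        rec = self._records.get(txn_id)
        if rec is not None and rec["card"] == card_number:
            rec["cancelled"] = True
            return True
        return False
```

A breach of the retailer in this model exposes only ids bound to that retailer, which is the property the comment is asking for.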
Re:You need to store something for monthly billing (Score:2, Insightful)
Reason to be connected to the intarweb: They PROCESS the cards online (via authorize.net, for example).
I write e-commerce apps for a living. My usual policy (unless the client demands something else) is to take the card numbers, save them encrypted in a database, wait until a store employee reviews their order to make sure it is okay to ship, charge the card (via authorize.net), ship it, close the order and delete the security code, expiration date, and all but the last 4 digits of the card number.
Thus if (god forbid) someone were to break in, the only card numbers they would have access to are orders which have been placed but not shipped yet, and even those would be encrypted unless they also got the encryption key. It's quite likely that an order will be shipped within an hour of it being placed, so the risk involved is almost nothing.
There will always be risk involved, no matter how secure you build a system (or ignorantly THINK you have). Deciding whether or not to allow a company to save your card info is simply saying how much risk you are willing to take.