
Steam Hacked, Credit Card Numbers Taken

An anonymous reader writes "DailyTech reports that Valve's Steam content distribution system has been compromised. According to the article a hacker claims to have 'bypassed Valve's security system and accessed a significant chunk of data, including: screenshots of internal Valve web pages, a portion of Valve's Cafe directory, error logs, credit card information of customers, and financial information on Valve.'"
  • Another, eh? (Score:4, Insightful)

    by EveryNickIsTaken ( 1054794 ) on Thursday April 19, 2007 @05:37PM (#18804665)
    At what point are sites that take credit cards going to realize they need to keep the CC/customer database offline?
  • Re:Another, eh? (Score:3, Insightful)

    by ichigo 2.0 ( 900288 ) on Thursday April 19, 2007 @05:45PM (#18804773)
    I'm wondering when they will realize (zap) that they shouldn't be storing CC data at all.
  • Re:Another, eh? (Score:2, Insightful)

    by I'll Provide The War ( 1045190 ) on Thursday April 19, 2007 @05:54PM (#18804891)
    Isn't this the same company that got their game code stolen because they placed it on a machine connected to the Internet?

  • by statusbar ( 314703 ) <jeffk@statusbar.com> on Thursday April 19, 2007 @06:10PM (#18805147) Homepage Journal
    And how do we know that he is the one and only who did hack it? Or is it just someone who said he did?

    --jeffk++
  • by shaitand ( 626655 ) on Thursday April 19, 2007 @06:14PM (#18805211) Journal
    You aren't canceling your card? Let's see, is that the same user id you use for valve? *searches for that id in his printout*
  • Re:Another, eh? (Score:4, Insightful)

    by Anonymous Coward on Thursday April 19, 2007 @06:22PM (#18805287)
    I wonder at what point the Credit Card industry will switch to one-time use authorization codes, instead of giving retailers your account number? There's no good reason any online retailer *ever* needs my credit card number. It would be possible, if VISA/MasterCard/Discover actually gave a crap about this, to have the retailer redirect the user to the credit card processor's website along with some kind of identifier code to identify the retailer (and, behind the scenes, the CC processor would send back a transaction identifier - probably a guid of some sort, which the retailer could store in their records for later reference), and the requested dollar amount of the transaction. Once on the Credit Card processor's site, the user could either enter their CC account info, or maybe use some sort of login or smart-card authentication, to authorize the transaction.

    The CC processor could then send back to the retailer the transaction id along with either an authorized or unauthorized code indicator (maybe even a code to indicate why authorization failed - insufficient funds, user declined, stolen card, etc).

    This could even extend to subscription purchases. Currently, one of the reasons retailers might store CC info is for recurring subscription charges. When requesting the transaction, the retailer could indicate they would like to do a recurring charge, and in that case, the transaction id they receive could be repeatedly billed (but *only* by them, not by other merchants) until the user canceled that subscription. Currently, every retailer individually manages subscriptions, so if you want to cancel a subscription with, say, an online game (or magazine or anything else), you have to go to their website (or use some interface built into the game's client) to cancel the subscription. Wouldn't it be great to just log into your credit card's website and go cancel a subscription from a list of your current subscriptions? The next time the game, magazine, whatever goes to bill you, they simply receive back an authorization failed code indicating that the user cancelled the subscription, and they cancel the account in their system automatically.

    Well, I can hope anyhow. Currently, the CC industry seems to be simply content with the status quo, even if it is pretty stupid. I see no reason why anyone I do business with needs a re-usable account number.

    There is, of course, with this proposal still the possibility of someone setting up a phishing attack. Go to their site, get "re-directed to the CC processor's site", which really isn't, and then you end up putting your info in the phisher's database. That could probably be defeated by something similar in concept to Bank of America's SiteKey system, where the site proves to you that *it* is real by showing you something secret, that a phishing site would never know what to show you.
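
The merchant-bound transaction id scheme proposed in the comment above, as an added sketch that is not part of the original thread or any real processor's API. Class, method and status-code names are hypothetical, and signing rebill requests with a per-merchant HMAC key is an assumption about how "only by them" could be enforced.

```python
import hashlib
import hmac
import secrets


def sign_rebill(key, merchant_id, txn_id):
    """Merchant side: MAC over its own id and the stored transaction id."""
    msg = f"{merchant_id}|{txn_id}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Processor:
    """Toy card processor (hypothetical); merchants only hold opaque ids."""

    def __init__(self):
        self._merchant_keys = {}  # merchant_id -> shared request-signing key
        self._txns = {}           # txn_id -> record kept on the processor only

    def enroll_merchant(self, merchant_id):
        key = secrets.token_bytes(32)
        self._merchant_keys[merchant_id] = key
        return key

    def authorize(self, merchant_id, amount_cents, card_number, recurring=False):
        """Runs after the user enters the card on the processor's own site."""
        if merchant_id not in self._merchant_keys:
            return None, "DECLINED_UNKNOWN"
        txn_id = secrets.token_hex(16)  # random, so it reveals nothing about the card
        self._txns[txn_id] = {"merchant": merchant_id, "card": card_number,
                              "amount": amount_cents, "recurring": recurring,
                              "cancelled": False}
        return txn_id, "AUTHORIZED"     # the card number is never sent back

    def cancel(self, txn_id):
        """User cancels the subscription from the processor's site."""
        self._txns[txn_id]["cancelled"] = True

    def rebill(self, merchant_id, txn_id, mac):
        """Recurring charge request; succeeds only for the issuing merchant."""
        key = self._merchant_keys.get(merchant_id)
        rec = self._txns.get(txn_id)
        if key is None or rec is None:
            return "DECLINED_UNKNOWN"
        expected = sign_rebill(key, merchant_id, txn_id)
        if not hmac.compare_digest(expected, mac) or rec["merchant"] != merchant_id:
            return "DECLINED_WRONG_MERCHANT"
        if not rec["recurring"]:
            return "DECLINED_NOT_RECURRING"
        if rec["cancelled"]:
            return "DECLINED_USER_CANCELLED"
        return "AUTHORIZED"
```

A transaction id copied out of one merchant's database is useless to anyone else: another merchant cannot produce a valid MAC for the issuing merchant's id, and a correctly signed request under its own id fails the binding check.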
  • by RealityThreek ( 534082 ) on Thursday April 19, 2007 @09:29PM (#18807225)
    ... don't you think everyone else is too? Is it really all that surprising that they are backlogged?
  • by Dachannien ( 617929 ) on Thursday April 19, 2007 @09:35PM (#18807297)
    Three cheers for virtual credit card numbers.
  • by RiscIt ( 95258 ) on Friday April 20, 2007 @10:17AM (#18811281) Homepage Journal
    Reason to store Card Info: The customer WANTS them to. I'm sure by now you've come across an online store that ASKED if you wanted them to save it for next time. I use this with Dell and New Egg. If they don't ask then it's a problem, but for everyone else it's the CUSTOMER'S responsibility to make the decisions as to whether or not they trust the company.

    Reason to be connected to the intarweb: They PROCESS the cards online (via authorize.net, for example).
    I write e-commerce apps for a living. My usual policy (unless the client demands something else) is to take the card numbers, save them encrypted in a database, wait until a store employee reviews their order to make sure it is okay to ship, charge the card (via authorize.net), ship it, close the order and delete the security code, expiration date, and all but the last 4 digits of the card number.

    Thus if (god forbid) someone were to break in, the only card numbers they would have access to are orders which have been placed but not shipped yet, and even those would be encrypted unless they also got the encryption key. It's quite likely that an order will be shipped within an hour of it being placed, so the risk involved is almost nothing.

    There will always be risk involved, no matter how secure you build a system (or ignorantly THINK you have). Deciding whether or not to allow a company to save your card info is simply saying how much risk you are willing to take.
