Steam Hacked, Credit Card Numbers Taken

An anonymous reader writes "DailyTech reports that Valve's Steam content distribution system has been compromised. According to the article a hacker claims to have 'bypassed Valve's security system and accessed a significant chunk of data, including: screenshots of internal Valve web pages, a portion of Valve's Cafe directory, error logs, credit card information of customers, and financial information on Valve.'"

Online game services

[stratjakt]

WTG.. Next stop, gametap.

Re:

[Jarjarthejedi]

Times like these make me glad that I rarely pay using a credit card for online things. I bought CS:S from a physical store using physical money and so I'm not at risk at all. Sometimes convenience is less important than security...

Re:

[mctk]

Meh. They probably had security cameras watching you. I had an illegitimate which I put up for adoption, which I adopted myself under a false name, whom I raised to adolescence which is when I hired him to steal a copy of CS:S from his friend Mikey who also bought CS:S from a store using cash.

Re:

[CelticWhisper]

Now THAT's dedication. Did you manually crack the CD-Key algorithm in the garage behind your house a la "A Beautiful Mind?"

Re:Online game services

[Dachannien]

Three cheers for virtual credit card numbers.

Re:

[Anonymous Coward]

I dont know about you guys, but sounds to me like this Hacker found himself a Garbage file - Valve wouldnt have said anything but one of the main Valve admins was planning on sinking 12 virtual oiltankers in the Half-Life fleet using a virus they happened to be storing in that Garbage file - so now they need to catch the kid to find the source, and then silence the Hackers by framing them for the virus!

Jeez, this is like what, a 13 year old dupe? GG editors!

Re:

[stanmann]

Dude, the Gibson hacked you.

Figures

[HolyCrapSCOsux]

This is why I like my valves to be ball, gate, or ECC83 and EL34

Re:

[Anonymous Coward]

Being American, I prefer the good ol' 6L6-GC. And, like the interwebs, they are called "Tubes" not valves.

Re:

[Random Destruction]

They're also called valves. They're electricity valves. It's a pretty common term.

Those that pirated HL2 and other Steam games

[Travoltus]

and didn't go pay to play it online, are laughing their butts off right now.

Another, eh?

[EveryNickIsTaken]

At what point are sites that take credit cards going to release they need to keep the CC/customer database offline?

Re:Another, eh?

[EveryNickIsTaken]

Realize, even. Grammar police, set phasers to stun.

Re:Another, eh?

[Anonymous Coward]

You morons! HE WAS CORRECTING HIMSELF!

Go get some sleep and/or stimulant of your choice.

Re:

[slyborg]

AC, stand and be recognized. +1 Funny if I had it for ya.

Re:

[ichigo 2.0]

I'm wondering when they will realize (zap) that they shouldn't be storing CC data at all.

You need to store something for monthly billing.

[khasim]

The issue is that the machine doing the billing must NOT be connected to the Internet.

Yes, I know. Some of the notifications go out over email. So? Dump the necessary email info to a USB stick and WALK that over to a different computer.

Re:You need to store something for monthly billing

[Ford Prefect]

The issue is that the machine doing the billing must NOT be connected to the Internet.

Who says it was even Valve's machine that was compromised? 1UP.com [1up.com]:

Doug Lombardi, director of marketing at Valve, says, "There has been no security breach of Steam." However, he does confirm our expert's findings by adding, "The alleged hacker gained access to a third-party site that Valve uses to manage the commercial partners in its Cyber Café program. This Cyber Café billing system is not connected to Steam. We are working with law enforcement agencies on this matter, and encourage anyone with more information to e-mail us at Catch_A_Thief@valvesoftware.com."

Re:You need to store something for monthly billing

[Anonymous Coward]

That's not even needed, really. Put a nice, hardened firewall (ala IPCop) between the computers on a network and let the information be passed out but not in. If that makes sense.

Internet-->Firewall-->Processingserver-->Firewall- ->Firewall-->"Billing" Server

The only open INCOMING port on "Billing" is the port that records billing information; the only outgoing port is the one that tells the processing server to send mail to such and such.

Also, use end-to-end encryption!

Re:

[Falladir]

Under the present system, you need the CC numbers for billing, but wouldn't it be better if the consumer instructed the CC company to periodically make a payment to a certain account, rather than the consumer providing the vendor with the information needed to extract money?

There's no reason for vendors and service providers to deal so directly with the CC company.

Re:

[RiscIt]

Reason to store Card Info: The customer WANTS them too. I'm sure by now you've come across an online store that ASKED if you wanted them to save it for next time. I use this with Dell and New Egg. If they don't ask then it's a problem, but for everyone else it's the CUSTOMER'S responsibility to make the decisions as to whether or not they trust the company.

Reason to be connected to the intarweb: They PROCESS the cards online (via authorize.net, for example).
I write e-commerce apps for a living. My usua

Re:

[I'll Provide The War]

Isn't this the same company that got their game code stolen because they placed it on a machine connected to the Internet?

Re:Another, eh?

[Anonymous Coward]

I wonder at what point the Credit Card industry will switch to one-time use authorization codes, instead of giving retailers your account number? There's no good reason any online retailer *ever* needs my credit card number. It would be possible, if VISA/MasterCard/Discover actually gave a crap about this, to have the retailer redirect the user to the credit card processor's website along with some kind of identifier code to identify the retailer (and, behind the scenes, the CC processor would send back a transaction identifier - probably a guid of some sort, which the retailer could store in their records for later reference), and the requested dollar amount of the transaction. Once on the Credit Card processor's site, the user could either enter their CC account info, or maybe use some sort of login or smart-card authentication, to authorize the transaction.

The CC processor could then send back to the retailer the the transaction id along with either an authorized or unauthorized code indicator (maybe even a code to indicate why authorization failed - insufficient funds, user declined, stolen card, etc).

This could even extend to subscription purchases. Currently, one of the reason's retailers might store CC info is for recurring subscription charges. When requesting the transaction, the retailer could indicate they would like to do a recurring charge, and in that case, the transaction id they receive could be repeatedly billed (but *only* by them, not by other merchants) until the user canceled that subscription. Currently, every retailer individually manages subscriptions, so if you want to cancel a subscription with, say, an online game (or magazine or anything else), you have to go to their website (or use some interface built into the game's client) to cancel the subscription. Wouldn't it be great to just log into your credit card's website and go cancel a subscription from a list of your current subscriptions? The next time the game, magazine, whatever goes to bill you, they simply receive back an authorization failed code indicating that the user cancelled the subscription, and they cancel the account in their system automatically.

Well, I can hope anyhow. Currently, the CC industry seems to be simply content with the status quo, even if it is pretty stupid. I see no reason why anyone I do business with needs a re-usable account number.

There is, of course, with this proposal still the possibility of someone setting up a phishing attack. Go to their site, get "re-directed to the CC processor's site", which really isn't, and then you end up putting your info in the phisher's database. That could probably be defeated by something similar in concept to Bank of America's SiteKey system, where the site proves to you that *it* is real by showing you something secret, that a phishing site would never know what to show you.

Re:Another, eh?

[Sigma 7]

I wonder at what point the Credit Card industry will switch to one-time use authorization codes, instead of giving retailers your account number?

Placing an order online is a 3-step process. Select the items you want, enter your billing information, and place the order - and one of these can be skipped by "remembering" the billing information.

The proposed system will make it a 4-step process: Select the items, obtain your billing information, enter your billing information, and place the order - and none of these can really by skipped. It's a matter of personal taste on what you prefer, but most people go for convenience rather than security.

The implementation could easily handle this by having credit card numbers "linked" to a primary account, as there's at least 10 trillion possible combinations for credit cards from a single institution. No information on if it will work in practise, but given that most people aren't good with numbers, it would probably boost CS calls. ...

Re:

[vux984]

3 step? 4 step? No thank you. I want one-click! Why doesn't someone figure that out and patent it, he could make millions!

Re:

[MtlDty]

This process exists already. Its called Verified By Visa, or MasterCard SecureCode. In both cases the merchant site redirects you to the acquiring bank, gets you to enter a secure password, and returns a unique 'Cardholder Authentication Verification Value'.

Obviously this is currently an optional process, requiring you to sign up to the VBV or SecureCode service - but its becoming more mandatory.

No similar process exists for recurring transactions (or continuous authority as its sometimes known). This is o

Re:

[TheCRAIGGERS]

You missed the point. This whole process was a way to keep the actual credit card numbers out of the hands of the seller, not an added level of security.

Re:

[!coward]

While you're not entirely wrong, I think you've also misunderstood what he was trying to explain.

I've used Verified by VISA a number of times now (and have dealt with a number of on-line merchants which will only accept payment through it) and it's really quite simple. First of all, you need to tell your bank (I did it through its on-line banking interface) that you want to enable VFV on a given card.

Now, the way it's implemented in my country (don't know if it differs on other countries) is: you then stipu

Credit card information?

[Reason58]

It's interesting that they mention credit card information, as you have to enter your complete billing address and credit card information every single time you make a purchase through Steam. Is this hacker lying, or is Steam collecting and storing credit card information on users for shady reasons?

Re:

[BAILOPAN]

Who knows where the credit card numbers came from, really. There's no evidence that the ones they got were from Steam purchases (I think?). But I wouldn't be surprised anyway. Valve's security is notoriously bad, and they require the last four digits of your credit card number in order to recover lost Steam accounts, so they're at least storing a portion of it.

That said, this hack looked like it was done by a no-steam group, and I honestly have no respect for them. It's fine if you want to run old Valve

Re:

[megamerican]

How could they require the last four digits of a credit card number to recover lost steam accounts when you don't need a CC to use steam? You can activate a new steam account without purchasing something through steam. One only needs a valid CD-Key and e-mail address. I have always been under the impression that Steam wasn't keeping peoples CC numbers. I thought they received a receipt of the purchase from the CC company. On a related note, I had to have a steam accounts password reset because someone I le

Re:Credit card information?

[tlhIngan]

Who knows where the credit card numbers came from, really. There's no evidence that the ones they got were from Steam purchases (I think?). But I wouldn't be surprised anyway. Valve's security is notoriously bad, and they require the last four digits of your credit card number in order to recover lost Steam accounts, so they're at least storing a portion of it.

Reports are all over the map - Valve's official statement says it's only cybercafe owners who are affected (Valve has their credit card information for billing purposes - looks like Valve licenses their games by the hour). And they claim it's the third party host that's afflicted who manages the cybercafe program, and that steam itself wasn't hacked.

Where the whole story lies, is somewhere in-between.

What I don't get is this:

It seems that VALVe is being held for ransom. If this is true, VALVe may be in trouble, as California Senate Bill 1386 requires that credit card holders be informed of any breach of their information, and MaddoxX already knows exactly how much money they have available.

What does a California bill have to do with a company based in Washington? (Valve was formed out of some people from Microsoft). They may have to alert CA residents, I suppose?

I dont excuse them, but no-steam has a point...

[sethstorm]

That said, this hack looked like it was done by a no-steam group, and I honestly have no respect for them. It's fine if you want to run old Valve games without Steam (it's pretty horrible software)... These guys go a step further and brag about it. Our HL community has a very anti-"no steam" policy; you simply won't get support if you're running it.

By the looks of things, keeping these people in the cold isn't exactly going to help much either. Not every place has a regular connection that runs these games,

Re:

[BAILOPAN]

Supporting pirated game copies is a violation of the SDK license Valve gives us. At best, it's simply unprofessional to cater to people who haven't paid for the game and expect equal support on outdated/cracked versions.

Interview with the "HACKER"

[ToasterMonkey]

The way "hacker" is used in the media and on slashdot always makes me laugh. This "hacker" seems to be affiliated with the Free Nation Foundation group in some way. Maybe the interview is a hoax too, lets face it, you can believe everything or nothing you read on the internet. Either way, I feel there are some very troubled and delusional kids out there that need help getting away from their computers for a while to play baseball or do something constructive. Read the interview, then go to the forums at

Re:

[nbehary]

I was wondering about that.....was going to reply to an earlier post that Steam should do like Nintendo does with the VC, you enter everything every time. Then I remembered Steam does do that. It's easy to forget tho.....steam doesn't fail to connect in the middle of a transaction often. It's a good thing, but annoys the hell out of me with the VC sometimes.

(and Steam and the VC are the only online CC purchases i've made in years.....i usually avoid it.)

 

My CC details were "leaked" by Steam

[Contact]

Coincidentally, I'm currently fighting a running battle with Steam support to reclaim a hacked Steam account. After about five messages back and forth, it has finally emerged that the person actually stole my account by "reclaiming" it from Steam, after providing my steam account number, and my credit card details.

I don't have any spyware on this machine - I checked with SpyBot and Ad-Aware. I surf using Opera, I read mail using Eudora, and internet security is part of my job. I am at a loss as to how any

This is major news.

[imbaczek]

How is this not worthy of showing the whole summary is beyond me.

Oh and I sincerely hope that this kid gets his share of gulag.

Re:

[Opportunist]

If he sits there with the dimwit who thought it's a bright idea to store CC info on a publically accessable server, fine with me.

Re:

[account_deleted]

Comment removed based on user account deletion

Check your credit cards

[Cerberus7]

I got a call today from Discover that the card I used to purchase some Steam games was used in several stores in the last two days, racking up over $1500 in charges. I've been trying to figure out how they got my number, and this seems a possible candidate. If you're a Steam customer, beware!

Re:

[casings]

the hacker claims not to be doing this to gain access to credit card information, but rather to bring valve into bad light.

at least thats what he says here: http://emp.damage-web.net/viewtopic.php?p=62590 [damage-web.net]

Re:

[statusbar]

And how do we know that he is the one and only who did hack it? Or is it just someone who said he did?

--jeffk++

Re:

[casings]

he's the one taking responsibility for it, as well as providing the proof. Who can be certain? I was just referring to direct quotes from the guy.

Re:

[GeorgR.]

i am assuming this only applies to people who bought/download their stuff right off steam. Since i got my steam account with the purchase of a game in a 3rd party store...i dont even think/remember that steam has my CC information.

Wii points?

[lpangelrob]

So is it because of risks like this that people have to purchase "Wii Points" cards at other retailers? (Important note: I don't have a Wii yet, so I'm not sure of the technical details of how Wii Points work.)

Re:

[Ahnteis]

No. Wii points can be purchased online with the Wii itself. Wii points (and xbox live points, etc) are just a way of guaranteeing that you will spend a minimum of X dollars at a certain store, AND that you will want to buy MORE points to use up the "left over" points you likely have.

Re:

[grumbel]

### So is it because of risks like this that people have to purchase "Wii Points" cards at other retailers?

I think the main reasons for "Wii Points" and similar systems are that one can do micro payment that way easily and that in some countries credit cards aren't very widespread, especially when it comes to younger audiences, so using only credit cards would lock a lot of users out of the system. Then there is of course the evil reason: You can spend your "Wii Points"-money on XBoxLive, while you could do

Re:Wii points?

[VertigoAce]

I think there are two main motivations for the point systems. The first is that credit card companies have a per transaction fee that is around $0.25 - $0.35. This is really significant when you want to have multiple transactions around $1 - $2 each. By having you purchase points in increments of at least $5, they only pay the transaction fee once for a series of transactions. Apple does something similar with iTunes: they collect somewhere between one and three days worth of purchases and submit them together as a single transaction, hoping you buy more than just a single $0.99 track (I've never used iTunes, so this is a summary of what I've read about its behavior).

The other reason for the points system is to be able to set a single global price for content. I can post a piece of content for 800 points and tell people about that without having to convert it to a whole bunch of other currencies. Microsoft then sells points at some constant exchange rate for each country. This keeps content prices from fluctuating everywhere outside the US (compared to making the content $10 USD and having the exchange rate vary).

Steam support is vapid

[spyrochaete]

Steam is handling this situation extremely poorly in my books. I emailed Steam Support about 18 hours ago, again 6 hours ago, and have received no reply. I've spent about $200 over Steam and until now have received excellent service. Now I'm royally pissed off.

Here is my first email to Steam:

I read a distressing article today claiming that Steam's databases were broken into and credit card information was stolen:
http://emp.damage-web.net/viewtopic.php?p=62590 [damage-web.net]

Is this true? Do I need to cancel my credit card? Please advise ASAP!

And here is my second one, posted this morning:

Do I really need to tell you that this urgent question is time-sensitive?

http://digg.com/gaming_news/Valve_Hacked_Your_Info _may_be_at_risk [digg.com]

As you can see this issue, rumour or otherwise, is public knowledge and widespread. Valve's lack of a statement on this is very conspicuous. Please confirm or deny this story so that I can rest at ease.

I'm not panicking and I'm not about to cancel my credit card, but I'm furious that Valve will not at least advise me whether or not I should do so. If they don't contact me by midnight I'll never buy through their service again. Furthermore, I'll probably join in on any class action lawsuit.

Re:Steam support is vapid

[shaitand]

You aren't canceling your card? Lets see, is that the same user id you use for valve? *searches for that id in his printout*

Re:

[spyrochaete]

Different login name, and I've been checking my CC online invoice often since hearing of this incident. Plus my bank put my card on hold when I bought a CD and then made a charitable donation online in rapid succession, until they called me 30 minutes later to verify I had made those purchases. I have faith in my bank.

If you are emailing Steam support..

[RealityThreek]

... don't you think everyone else is too? Is it really all that surprising that they are backlogged?

Re:

[spyrochaete]

That's what public statements are for. Regardless, the least they could have done was reply saying "We are currently investigating and will get back to you."

Re:

[Omeger]

You should only worry if you're a person who has a Cyber Cafe, because those are the numbers that were lost and they were already informed of this.

Re:

[spyrochaete]

Thanks. I actually found this information shortly after commenting on /. on Steam's forums, but it was a reply by a regional Steam administrator to a poorly titled post by an ordinary user. Hardly a professional or exhaustive means of easing the minds of over a million subscribers.

Re:

[n3tcat]

they probably have one person responding to emails. another person is answering phones. everyone else is busy trying to figure out what information got stolen, how it got stolen, and how to keep it from being stolen again.

Re:

[ShadowsHawk]

If you have more than one available card, you may want to call the CC company and tell them that you'd like a new card issued. They will cancel the existing card and you'll have the new card in a couple of days. My card appears to be clean, but I had a new card issued as a precaution.

Re:

[spyrochaete]

Thanks for the advice. I'm keeping a close watch on my online invoice but I'll take further action if required.

overdrawn, lol.

[iPodUser]

My account that I used to buy the game is overdrawn, the joke's on him!

(That and I just switched banks so the account will be inactive in a matter of days)

Call me old-fashioned...

[313373_bot]

...but I never liked the concept behind "Steam", "X-Box Live", or any other "service" you have to subscribe (i.e., submit your credit card information and pay over and over) in order to enjoy the games (or any other software) you have already purchased.

Re:

[the linux geek]

You realize Steam is free, right?

Re:

[hansamurai]

Because Steam has relatively unobtrusive DRM, compared to WGA which regularly accuses you of pirating Windows. But DRM is DRM, so I understand your point.

Re:

[heinousjay]

Steam is free as in you don't pay for it. That's how so.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[313373_bot]

Thanks for the information, I wasn't aware that there isn't a monthly fee. Nevertheless they are keeping some information then, at least to (re-)activate the games, and perhaps to sell you additional stuff. Do you have to log on the service each time you want to play, or just to reinstall? In any case, as another poster said, it feels a lot like WGA.

Re:

[Ahnteis]

There's an offline mode I believe, but generally you just stay logged in to the service and play your games. I much prefer it to dealing with swapping CD/DVDs every time I want to play, and I don't have to deal with things like Starforce, or hacked .exe files from people I have no reason to trust.

Re:

[tlhIngan]

There's an offline mode I believe, but generally you just stay logged in to the service and play your games. I much prefer it to dealing with swapping CD/DVDs every time I want to play, and I don't have to deal with things like Starforce, or hacked .exe files from people I have no reason to trust.

Yes, there's an offline mode, I've used it. It's quite nice - though it does delay startup by about 30 seconds while it tries to log into your account. The only thing is that you have to be offline when you start u

Re:

[Ahnteis]

There are no subscriptions that I'm aware of on Steam currently. You pay once, download as many times as needed.
(Unless you want a new game, then you have to pay a whole new price!)

Here's the full *original* screenshot

[TubeSteak]

http://i17.tinypic.com/2e0irza.jpg [tinypic.com]

The pic in TFA only shows the left half of the picture.

Re:

[cgenman]

Valve has "a stunning" 9 million dollars in the bank? Stunning? That's suprisingly low for a company that has made two of the most successful (or at least hyped) games of all time. That's probably about 1 year of operating capital for them.

This hacker isn't earning himself much respect.

Remember, he's at:

Maddoxx@no-steam.org

All I can say is

[Lord Kano]

pwn3d

I have always had serious issues with giving my credit card number to any high profile service like Steam primarily because I don't like "virtual" purchases, I like to have physical tangible objects in return for my money but this is just another reason for me.

LK

Another day in CC paradise

[Opportunist]

Yes, I know, the CC companies will prolly cover it. But why is this necessary?

I see that the companies need the CC info for billing. That's ok. Why, though, does this info have to reside on a server that is accessable through the 'net? Of course, you have to register online. Ok. How about transfering that data once a day to a server which is usually NOT accessable from anything connected through the net save those 5 minutes the transfer takes, and only from the machine that has to dump the info? Banks use a

Re:

[Detritus]

You don't have to fall back to off-line batch processing. Another approach is to install an intermediate system that only allows the passage of messages in very limited and strictly defined formats. Anything else gets logged, discarded and triggers an alarm.

Yet another reason...

[anlprb]

You should not run your corporate networks over people's private computers. You are giving them the door and the location, it is a matter of time before they have the key. There is a reason that the telephone polls are on the public right of way. It makes it a crime to tamper with it. Once you put something on my land without a legal easement, it is mine to do with as I please. Even with a legal easement, I can still cause damage, I may just have to pay for it. You still lost service. Note to load "s

Re:

[LordSnooty]

I spent three minutes wondering why someone would want to hold an American Idol-style vote on public rights of way. "Poles" not "polls"

Domestic Terrorism?

[malevolentjelly]

I would be really worried if I were that kid. If he's in any country with an extradition treaty, I'm pretty sure he'll get nailed by the authorities. Our post 9/11-government is pretty sensitive to electronic criminals like this.

I know being a l33t h4x0r is all about bragging about your crap, but honestly-- even claiming to have done this is very dangerous if you're not in the third world.

Why do online sites need to store CC#s at all?

[illegalcortex]

Some people have said that this may inaccurate since Steam requires that you enter a CC# at every purchase. In any case, I have to wonder why we don't have better technology than just storing CC#s. For purchases that happen instantaneously online, this would seem to be avoidable.

1. You enter your CC# on a company's website
   
2. Company sends CC# to credit card validation service
   
3. On successful transaction, the CC company uses its private key to encrypt a small message containing the cardholders name, address and CC# along with the billing companies name and address or other account info. It then sends that encrypted result back to the billing company. The billing company throws away the credit card number (except maybe the last four digits for easy identification purposes) and stores only this encrypted form.
   
4. Later, when the billing company wants to charge the customer again, it sends that encrypted form to the CC company instead.
   
5. The CC company accepts it and decrypts it using the private key, thus allowing payment only to the billing company listed in the file
   

Any obvious glaring errors? Any idea if this has already been proposed and shot down in the past? The data is never going to be truly secure. Someone is always going to get hacked. So it seems this might be a good way to minimize the amount of valuables lying around.

Re:

[spyrochaete]

If the company providing the goods or service to the end user gets broken into, wouldn't it be possible for the malicious party to charge huge fees to the victims' authenticated credit cards using valid private keys?

Re:

[Dr_Barnowl]

Well, yes, but they can only make charges that get paid to the company they hacked, not to their own merchant account.

Because of the way that public key crypto works, you can be assured of the sender of a particular piece of information. If you have someone's private key, you can pretend to be that entity, sure. But the CC company would associate that key and content signed with it with that merchant account only, and would instantly detect requests to pay into another account. In fact, it would be unnecess

Re:

[illegalcortex]

Just to add to the other reply, I'd like to note I wasn't proposing each of the companies that sent charges to the CC# should have their own public/private keys. That would be nice, but quite a hassle to administer. I just mean that the message content will include the company name and address before it is encrypted and sent back by the CC#. That way (like the other poster said), if someone stole that encrypted message and tried to send it back in, only the original company will be credited, not the thie

Re:

[spyrochaete]

This pretty much nullifies the motivation for stealing and resending the encrypted message.

Indeed, and I think this is a great idea, but it still doesn't nullify the motivation for "proof-of-concept" mischief such as this Steam case.

Re:

[illegalcortex]

Well, the Steam thing turns out to be inaccurate (they put an update at the bottom of the linked story).

But if it had been true, the theft of credit card data would definitely have moved it out of the "mischief" category.

Re:

[Gunstick]

even better:
1) you click on checkout
2) the company directs you to the card processor
3) you enter your CC there
4) the card processor tells the company if it's valid
5) you get your goods

The internet shop NEVER sees the CC number
Instead of 1000 shops needing security you only need to secure a couple of processors, typically your bank or similar.
The shop even does not really need to have any SSL ...

Re:

[whizzter]

Because people would become confused and suspect foul play if you're directed to an unknown processor. (I personally do not know the names of any commercial processors on the net. but it's not my bank).

There's 2 other options.
1: Using links directly to your bank, where you could log in. This is actually used by my personal bank but i find it very scary. (Because by using devious tricks of javascript and co i could be entering login info to my bank account that somebody could steal. Not good.
2: Temporary int

Re:

[illegalcortex]

This breaks for recurring charges or automatic bill payments. That's kind of the whole point the system I proposed.

Re:

[c0d3h4x0r]

Any obvious glaring errors?

Yeah -- the credit-card system as-is is so entrenched that you'll never get all the disparate parties involved to agree to throw it out and adopt something new all at the same time.

Banks, the banking backbone network, credit reporting mechanisms, ATM machines, point-of-sale hardware, retails... they would all have to throw away their existing systems and software/hardware investments and move to the new system, and they would have to do it altogether in concert for it all to work

Re:

[illegalcortex]

I think you're assuming something that I didn't propose. I didn't say they should scrap the existing process and replace it with this. If you notice, the first bit of my process is the existing system of sending a regular CC# in. My system just adds functionality that companies can take advantage of. They could even have an extra little safety seal on their page for this system.

Right now, companies are having to pay a lot for security to try to avoid these attacks. Then when they get broken into, they

Re:

[illegalcortex]

Right, but I think you missed the point of my post. Some companies need to do recurring charges (WoW, for example). The other example is storing the card as a convenience, which really is very nice as long as you have some level of confidence in the site.

1337

[kbox]

The 'hacker' uses windows and IE... As if being a scummy theif wasn't bad enough.

Good

[Trogre]

Well, not good for the people who had their credit card numbers taken, but the sooner these web-based DRM schemes are exposed and discredited the better. Valve made a *big* mistake by making HL2 require an open connection to Steam before letting you play. Sure, they've tacked on a bit of content delivery but that's not its main purpose.

Re:

[Broken scope]

Actually you only need it on their once. Offline mode has been working rather well for a while now.

Re:

[Broken scope]

FUCK I used their wrong. That should be there.

Turns out...

[PixelScuba]

The password was gaben.

Hummm

[A_Non_Moose]

Is Gabe using Outlook, again? Shame, shame, shame, figured he'd learn the first time.

I guess HL3 will be delayed again because of hackers. Damn those hackers!

Makes you wonder if Valve has a S.T.A.L.K.E.R.

Looks like the "hacker" is full of crap

[Talgrath]

He hacked into a website, but it wasn't Steam itself but a third party site (the article linked itself has this correction at the bottom); at least that's the official line from Valve.

Re:

[Alphager]

"B-b-b-but the source is a pseudonymous hacker with an axe to grind! Why would he lie?"

*head explodes*

The source is a pseudonymous hacker with an axe to grind who released Account-data, certificates and several internal listings. Of course, he could have faked those listings, but they seem extremely accurate.

Re:It's an unconfirmed claim you Irish fools

[caramelcarrot]

http://forums.steampowered.com/forums/showthread.p hp?t=554840 [steampowered.com]

"There has been no security breach of Steam." However, he does confirm our expert's findings by adding, "The alleged hacker gained access to a third-party site that Valve uses to manage the commercial partners in its Cyber Café program. This Cyber Café billing system is not connected to Steam. We are working with law enforcement agencies on this matter, and encourage anyone with more information to e-mail us at Catch_A_Thief@valvesoftware.com."

Re:

[caramelcarrot]

Fully securing a game is very hard without DRM built in to the hardware or moving all the computation to the server side (expensive). It's unfair to compare client security (impossible) with server security (possible)

Re:

[skwang]

Citibank's credit cards allow users to create a similar "virtual credit card" number. I've used it for my online shopping/transactions. Unfortunately I didn't get the CC before I signed up for steam (sigh).