Report: Major PlayStation Security Exploit Lets Hackers Use Customer Credit Card Info Without Needing the Security Code

PS4 8.00 Update Error

We’ll file this one under the “major screw up” category, as it seems Sony has been left vulnerable for years now there has been an exploit that has potentially been costing consumers and allowing thieves to profit. Due to the nature of this PlayStation Security exploit, we won’t disclose how to actually do it since, y’know, it’s illegal. However we do hope this stirs up awareness for Sony, which according to a user who’s filed a claim, that the exploit is still not being acknowledged.

For gaming experience in the future, we’d recommend to check secure brands that issue safe games and care about the security of their customers.

[Update 2] We have decided to include the actually video and user who had decided to make this public finally since this isn’t something anyone can go out and do themselves as it requires a stolen PSN account. The video, which is about 15 minutes long shows the process of how hackers are able to commit fraud on stolen users account despite there being a security check for the users main account via CVV confirmation. We originally didn’t not want to include it for respect that it could do greater harm and per the request of some of the active scene members not wanting the video to garner attention as it’s harmful. Though Since it is public and the user does say they wish see this fixed we decided to include it.

What you are seeing here is a bypass of the accounts CVV code. Again, there are measures in place to prevent this if the user hasn’t set-up 2-steps or security answers, but due to the nature of the bug it allows hackers to exploit it by providing a false form of payment that makes the account default to the first provided payment upon adding funds that become available on family accounts.

[Update] We have included some examples near the bottom of the article that are highly supportive that the exploit published today is very real and has been going on for some time now for accounts that have been breached from scams or other means for people to get access to accounts. This does not affect the majority of users out there, especially if they have 2-step verification enabled. Though this is not to say this isn’t an issue that shouldn’t go unnoticed as in the examples supplied its clear it can be harmful to folks who aren’t informed as many of us on the internet.

Original Story

Basically, how the exploit operates is that typically, PSN requires all credit cards to supply them with their CVV security number. When you normally operate PSN this isn’t something the system usually requests, but when you log in from a different console it will ask you for the CVV number of the credit card on file (if you have one) before you can proceed to log-in.  However due to a very easy exploit, if a thief was to get their hands on someones PlayStation user’s account, they could potentially rack up victim’s credit cards without even knowing their CVV number as the process bypasses the requirement.

A screenshot from the released video showing how the exploit is done and what the end results in

“It isn’t an exploit with the consoles, it’s an exploit with the network” one modder told us in a private message. When we asked the original poster of the method as to why this exploit is only coming out today in the form of a YouTube video, their response was rather shocking in stating that Sony simply did not care unless it was made public. This exploit has allegedly been around roughly for five full years. The user had claimed that they had sent Sony the exploit in the past, via their own hacking disclosure program, hackerone. The user eventually ended up getting a response that informed them that the exploit served no security risk and was simply fraud. This email was from just today as you can read below.

An email response from an employee at Sony's HackerOne program

We strongly disagree with this reply from one of the employees at Sony’s HackerOne as this opens up breached users to a larger threat. It more of an oversight, but should have been something sent up to the correct department rather than brushed off as just a “fraud issue.”

And the problem only gets worse as this typically ends up leading to illegal account selling and consoles pre-loaded with the latest games and on the latest firmware, a piece of information confirmed to us by the modder we spoke to earlier. There are countless black markets out there (mostly out of the USA due to high gaming cost in other countries) that sell PSN accounts loaded with PS3, PS Vita, PSP, and PS4 games using this exploit, and if you search hard enough you can even find consoles being sold like this. Shops in Brazil, up to the point until Sony changed their account authentication and gamesharing process would sell modded PS4 pre-loaded with titles via modchips.  One other user familiar with the exploit informed us that the way sellers are doing this is that they are racking up credit card balances from one user, and applying it to three other PlayStation accounts that get placed on separate consoles to be sold; although they’ll eventually be banned if they ever go online.

For all intents and purposes, this is complete fraud, and one could argue borderline piracy since it involves the reselling of illegally obtained software and account selling which is definitely against PlayStation’s own Terms of Service (TOS).  This certainly has been something that the major players in the PlayStation 4 hacking scene have been pretty much against for the longest time. In fact, while the latest PS4 firmware is no doubt exploited behind closed doors, many hackers have vowed to never release an exploit that is achievable on the latest hardware due to mass piracy and online cheating.

We have reached out to Sony for a reply and will let you know if anything comes of this. For safety purposes, keep an eye out on all your finances as you never know when someone may steal your information. We highly suggest you activate the two-step verification on your PlayStation Account, whether you want to store credit info is entirely up to you. This certainly isn’t as big as a blunder as Sony’s infamous PSN hack that happened eight years ago where millions of potential credit cards were possibly stolen, though it is a pretty big exploit in the wrong hands.

If you need help setting up Two-Step verification you can do so from either a PlayStation console or from the official PlayStation Two-Step Guide webpage, along with additional security questions to help protect your account.

Minor Update:

We have searched for some potential cases and have actually found a very recent one that shows effects from someone most likely using this exploit, along with a good amount of other posts.


And this reddit post from 10 months back with a similar situation: Reddit

A Reddit Post from 7 month ago: Reddit 

Another one dating as far back as three years: Reddit

A couple of people on the official PlayStation Forums also, one here ,here, and here.

Source of image below: PlayStation Forums From Last April

A Gamefaqs post detailing the same situation here.

There are several others out there with the exact same scenario, which all pertain to the use of the Family management sub-account, something we didn’t want to originally state in the article due to it being a part of the exploit.

 

10 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
thwip71
thwip71
4 years ago

This is just Sony being Sony….they’ve been guilty of sh*t like this since the BMG days.

J.j. Barrington
J.j. Barrington
Reply to  thwip71
4 years ago

Try harder.

chavomorris
chavomorris
4 years ago

Again, use those Playstation network cards/wallet for purchases, never use your credit card on PSN.

chavomorris
chavomorris
4 years ago

Setting up Two-Step verification is important, and use those Playstation network cards/wallet or PayPal for purchases, never save your credit card info on PSN.

Danny DeMent
Danny DeMent
4 years ago

So this turned out to be a big nothingburger that’s easily stopped by both learning to recognize a phishing link and setting up two-step authentication.

It does suck for the people that fell victim to it, absolutely, but this is not the kind of widespread or crucial security issue y’all rushed out to make it appear to be.

J.j. Barrington
J.j. Barrington
4 years ago

Kinda hard to call this “major,” don’t you think? If anyone’s affected, the number is miniscule,

Ste B
Ste B
4 years ago

This article is poorly presented. Firstly, for this story to be meaningful, your account must already have been compromised. If you have common sense and exercise good personal security this won’t happen. Secondly, what the author describes as a “major exploit” is simply a convenience feature that allows purchases to be made without requiring the customer to input the Card Verification Value number from the back of the payment card. Many online stores offer the same option, including Amazon. Today the PlayStation Network provides a range of security measures that are optional, including two-factor verification and a PIN at checkout. Naturally, none of these measures will be effective if you chose not to enable them. The author then tries to bolster his case by pasting a bunch of random unauthorized account charges that demonstrate precisely nothing.

Top Games and Upcoming Releases