[conspire] Security cautionary tale: Involves 'Steam' but could have been any of many others

Rick Moen rick at linuxmafia.com
Fri Jan 8 00:21:39 PST 2016


Quoting Paul Zander (paulz at ieee.org):

> I don't know about the Steam hack, but one part is plausible.  
> 
> AT&T (and other land-line phones) have a means to set up forwarding to
> another number.  That is how NoMoRobo.com works to block calls.

Yes indeed.  And _obviously_ someone who's found a way to grab your
credit card number is going to want to ensure that you are not
successfully telephoned by the lender to verify large or suspicious
charges.

However....

I eventually got bored enough to want to find something other than
Palmer's tall tale.  Here's what I found:



Date: Thu, 7 Jan 2016 23:56:56 -0800
From: Rick Moen <rick at linuxmafia.com>
To: skeptic at lists.johnshopkins.edu
Subject: Re: Hacked!

Quoting Dave Palmer [snipped]:

> During the recent Steam winter sale (an online computer game distro
> company), they had a major security breach, and the web pages
> belonging to some people showed up on the computers of others,
> showing email address and credit card info. I think they got me.

Statement from Valve Corporation here: 
http://store.steampowered.com/news/19852/

  The content of these requests varied by page, but some pages included
  a Steam user's billing address, the last four digits of their Steam
  Guard phone number, their purchase history, the last two digits of 
  their credit card number, and/or their email address. 

If this is accurate, then that is not at all the same as giving out
entire credit card numbers.

They claim it was a caching glitch solely during the 90-minute period
between 11:50 PST and 13:20 PST on December 25th.

This also is _not_ a 'major security breach', and most definitely not a
compromise of the Steam Store Web site -- as described.

Of course, both this and any other company might also have undisclosed
security problems of other kinds.  Or it could be swamp gas, weather
balloons, or cosmic rays.

Someone might want to get around to telling them about code-signing and
other 20th Century marvels.
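The failure mode Valve's statement describes, a shared cache handing one user's account page to another, as an added toy model (not Valve's code; the cache logic, header handling and the two sample accounts are assumptions). It shows that when the cache ignores the origin's `Cache-Control: private, no-store` and keys only on the URL path, the first user's billing page is served to the next visitor, while a cache that honours the header never stores it:

```python
"""Toy model of a reverse-proxy cache serving per-user pages.
Added example; the origin, headers and accounts are constructed."""
from dataclasses import dataclass, field


@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)


# Constructed sample accounts; the origin renders a billing page per session.
ACCOUNTS = {"alice": "alice@example.com / card ending 42",
            "bob": "bob@example.com / card ending 17"}


def origin(session_user: str) -> Response:
    """Origin server: renders the caller's page and marks it uncacheable."""
    body = f"Billing for {session_user}: {ACCOUNTS[session_user]}"
    return Response(body, {"Cache-Control": "private, no-store"})


class SharedCache:
    """Cache shared by all users. honour_cache_control=False is the weak
    configuration: it stores every response keyed only on the path."""

    def __init__(self, honour_cache_control: bool):
        self.honour_cache_control = honour_cache_control
        self.store: dict = {}

    def fetch(self, path: str, session_user: str) -> str:
        if path in self.store:          # a hit ignores who is asking
            return self.store[path]
        resp = origin(session_user)
        cc = resp.headers.get("Cache-Control", "")
        uncacheable = "private" in cc or "no-store" in cc
        if not (self.honour_cache_control and uncacheable):
            self.store[path] = resp.body
        return resp.body


def leaks_between_users(honour_cache_control: bool) -> bool:
    """True if bob ends up receiving alice's billing page."""
    cache = SharedCache(honour_cache_control)
    cache.fetch("/account/billing", "alice")
    return "alice" in cache.fetch("/account/billing", "bob")
```

The same check applies to a real deployment: confirm that authenticated pages carry `Cache-Control: private, no-store` and that the CDN or proxy is configured to respect it rather than override it.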
