Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Hardcoded Keys
From: Shaun <shaun () shaunc com>
Date: Thu, 04 Sep 2008 00:47:03 -0500

On Wed, 3 Sep 2008 16:31:25 +0700
"Samuel Beckett" <beckett.samuel () gmail com> wrote:

What would be the the worst case if you implement the following scenario for
a credit card transaction:
After the successful credit card transaction, certain credit card details
are then encrypted and stored within the database.

There is your worst case. Game over.

You process my transaction, you are done with my certain credit card
details the moment you get an auth or nack from your gateway. You as a
vendor should never see my credit card number to start with. You should
be passing my transaction to an originating bank. Alas, we know this
rarely happens.

So I grant the fact that you, the vendor, see (even if only briefly) my
credit card number. If you're hanging onto that in an "encrypted" format,
either you're doing so because you can also decrypt it later - in which
case, anyone else who gets ahold of your database can also decrypt it
later - or you're doing it for no reason at all. Both of these are bogus

Yes, it's handy to be able to login to your site 6 months from now and
buy something else without re-entering my credit card. No, as far as I'm
concerned, it's not worth saving 16 keystrokes for you to keep my shit
on file and have it go walking off on someone's laptop 2 years after I
did a single transaction with your business.

If I give you my credit card number, it is for one single transaction in
the here and now. If you want to store my credit card number, you do it
at the risk of showing up in the media in a few months, ala TJX, as some
bunch of incompetent assholes who couldn't keep my shit safe. 

Come to think of it, that happens just about every week and there never
seem to be any consequences, at least not here in the USA. Maybe we
should go into business together.


/old school idiot

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]