Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Hardcoded Keys
From: Bruce Ediger <eballen1 () qwest net>
Date: Thu, 4 Sep 2008 11:21:13 -0600 (MDT)

On Wed, 3 Sep 2008 16:31:25 +0700
"Samuel Beckett" <beckett.samuel () gmail com> wrote:
After the successful credit card transaction, certain credit card details
are then encrypted and stored within the database.

And then, on Thu, 4 Sep 2008, Shaun wrote:
There is your worst case. Game over.

Agreed.  Keeping card number/CVV2 (or CID, or CVC, whatever you call it)/
expiration date constitutes a real problem.

You process my transaction, you are done with my certain credit card
details the moment you get an auth or nack from your gateway. You as a
vendor should never see my credit card number to start with. You should
be passing my transaction to an originating bank. Alas, we know this
rarely happens.

I believe it almost never happens.  As I understand the card association
rules, the merchant has to hang on to the data for refund purposes.

I will grant you that Chase/Paymentech will do arbitrary refunds, but I
don't think that's the case for other payment processors (the "gateway"
you mention above).  In fact, I believe BillMatrix will only refund
a previously authorized and settled payment.  The merchant has to have
all the right data, otherwise BillMatrix will reject the refund.

A few years ago I worked on a corporate credit-card processing system, and
I pushed for keeping a cryptographic hash of the credit card number, but
not the number itself.  That would have eliminated the need to encrypt
card numbers, and any basis for accusing a programer of stealing card numbers.

Alas, between card association rules, and the anti-fraud group wanting the
exact card number, my idea got discarded.

Since we're on the topic of credit cards, why don't we hear more about
refund fraud?  As near as I can tell, that's the part of the system
that an insider could abuse the hell out of.  Most corporations have some
kind of internal accounting, so that making fake or fraudulent payments
really can only happen for a few dollars, and then only for a month, or
whatever the accounting period happens to be.  But refunds, that's another
story.  As of 2 years ago, Paymentech would do arbitrary refunds: they
didn't care if a corresponding payment had ever gotten authorized and
settled.  And corporations leave the decision about refunds up to
customer service reps in a lot of cases.  At the very least, there's little
to no accounting for the refunds.  A place ripe for a huge fraud to take
place, if you ask me.

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]