Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Hardcoded Keys
From: "Avraham Schneider" <avri.schneider () gmail com>
Date: Fri, 5 Sep 2008 01:16:29 +0300

I believe it almost never happens.  As I understand the card association
rules, the merchant has to hang on to the data for refund purposes.
.
.
.
A few years ago I worked on a corporate credit-card processing system, and
I pushed for keeping a cryptographic hash of the credit card number, but
not the number itself.  That would have eliminated the need to encrypt
card numbers, and any basis for accusing a programer of stealing card numbers.

Alas, between card association rules, and the anti-fraud group wanting the
exact card number, my idea got discarded.
Why didn't you suggest encrypting card numbers, without storing the
decryption keys?
If the user wants a refund - he will have to type his password (which
will be the key) to decrypt the card number and the decrypted card
number will be sent to the processing gateway.
Since the user's password is not stored in the database, just the hash
of it, you don't risk an attacker getting access to all credit card
numbers if/once he hacks into your server...



On Thu, Sep 4, 2008 at 8:21 PM, Bruce Ediger <eballen1 () qwest net> wrote:

On Wed, 3 Sep 2008 16:31:25 +0700
"Samuel Beckett" <beckett.samuel () gmail com> wrote:
After the successful credit card transaction, certain credit card details
are then encrypted and stored within the database.

And then, on Thu, 4 Sep 2008, Shaun wrote:
There is your worst case. Game over.

Agreed.  Keeping card number/CVV2 (or CID, or CVC, whatever you call it)/
expiration date constitutes a real problem.

You process my transaction, you are done with my certain credit card
details the moment you get an auth or nack from your gateway. You as a
vendor should never see my credit card number to start with. You should
be passing my transaction to an originating bank. Alas, we know this
rarely happens.

I believe it almost never happens.  As I understand the card association
rules, the merchant has to hang on to the data for refund purposes.

I will grant you that Chase/Paymentech will do arbitrary refunds, but I
don't think that's the case for other payment processors (the "gateway"
you mention above).  In fact, I believe BillMatrix will only refund
a previously authorized and settled payment.  The merchant has to have
all the right data, otherwise BillMatrix will reject the refund.

A few years ago I worked on a corporate credit-card processing system, and
I pushed for keeping a cryptographic hash of the credit card number, but
not the number itself.  That would have eliminated the need to encrypt
card numbers, and any basis for accusing a programer of stealing card numbers.

Alas, between card association rules, and the anti-fraud group wanting the
exact card number, my idea got discarded.

Since we're on the topic of credit cards, why don't we hear more about
refund fraud?  As near as I can tell, that's the part of the system
that an insider could abuse the hell out of.  Most corporations have some
kind of internal accounting, so that making fake or fraudulent payments
really can only happen for a few dollars, and then only for a month, or
whatever the accounting period happens to be.  But refunds, that's another
story.  As of 2 years ago, Paymentech would do arbitrary refunds: they
didn't care if a corresponding payment had ever gotten authorized and
settled.  And corporations leave the decision about refunds up to
customer service reps in a lot of cases.  At the very least, there's little
to no accounting for the refunds.  A place ripe for a huge fraud to take
place, if you ask me.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]