lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <cd51a8c60809041516g34df2b92r9df87456a278231@mail.gmail.com>
Date: Fri, 5 Sep 2008 01:16:29 +0300
From: "Avraham Schneider" <avri.schneider@...il.com>
To: "Bruce Ediger" <eballen1@...st.net>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Hardcoded Keys

> I believe it almost never happens.  As I understand the card association
> rules, the merchant has to hang on to the data for refund purposes.
.
.
.
> A few years ago I worked on a corporate credit-card processing system, and
> I pushed for keeping a cryptographic hash of the credit card number, but
> not the number itself.  That would have eliminated the need to encrypt
> card numbers, and any basis for accusing a programer of stealing card numbers.
>
> Alas, between card association rules, and the anti-fraud group wanting the
> exact card number, my idea got discarded.
Why didn't you suggest encrypting card numbers, without storing the
decryption keys?
If the user wants a refund - he will have to type his password (which
will be the key) to decrypt the card number and the decrypted card
number will be sent to the processing gateway.
Since the user's password is not stored in the database, just the hash
of it, you don't risk an attacker getting access to all credit card
numbers if/once he hacks into your server...



On Thu, Sep 4, 2008 at 8:21 PM, Bruce Ediger <eballen1@...st.net> wrote:
>
>> On Wed, 3 Sep 2008 16:31:25 +0700
>> "Samuel Beckett" <beckett.samuel@...il.com> wrote:
>>> After the successful credit card transaction, certain credit card details
>>> are then encrypted and stored within the database.
>
> And then, on Thu, 4 Sep 2008, Shaun wrote:
>> There is your worst case. Game over.
>
> Agreed.  Keeping card number/CVV2 (or CID, or CVC, whatever you call it)/
> expiration date constitutes a real problem.
>
>> You process my transaction, you are done with my certain credit card
>> details the moment you get an auth or nack from your gateway. You as a
>> vendor should never see my credit card number to start with. You should
>> be passing my transaction to an originating bank. Alas, we know this
>> rarely happens.
>
> I believe it almost never happens.  As I understand the card association
> rules, the merchant has to hang on to the data for refund purposes.
>
> I will grant you that Chase/Paymentech will do arbitrary refunds, but I
> don't think that's the case for other payment processors (the "gateway"
> you mention above).  In fact, I believe BillMatrix will only refund
> a previously authorized and settled payment.  The merchant has to have
> all the right data, otherwise BillMatrix will reject the refund.
>
> A few years ago I worked on a corporate credit-card processing system, and
> I pushed for keeping a cryptographic hash of the credit card number, but
> not the number itself.  That would have eliminated the need to encrypt
> card numbers, and any basis for accusing a programer of stealing card numbers.
>
> Alas, between card association rules, and the anti-fraud group wanting the
> exact card number, my idea got discarded.
>
> Since we're on the topic of credit cards, why don't we hear more about
> refund fraud?  As near as I can tell, that's the part of the system
> that an insider could abuse the hell out of.  Most corporations have some
> kind of internal accounting, so that making fake or fraudulent payments
> really can only happen for a few dollars, and then only for a month, or
> whatever the accounting period happens to be.  But refunds, that's another
> story.  As of 2 years ago, Paymentech would do arbitrary refunds: they
> didn't care if a corresponding payment had ever gotten authorized and
> settled.  And corporations leave the decision about refunds up to
> customer service reps in a lot of cases.  At the very least, there's little
> to no accounting for the refunds.  A place ripe for a huge fraud to take
> place, if you ask me.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ