Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Re: choice-point screw-up and secure hashes

From: Atom Smasher <atom () smasher org>
Date: Sat, 19 Mar 2005 13:41:40 -0500 (EST)
On Sat, 19 Mar 2005, Kurt Seifried wrote:
Hashing SSN numbers and CC numbers doesn't matter unless you use a really huge salt that is stored seperately. Why? Not enough variation. A credit card number for example: 

4520 1234 1234 1234
except the first 4 digits (4520) are the bank code, so for example in canada if you guess 4520 as the first 4 digits that's a safe guess since it's a Visa from TD Canadatrust (one of the big 3 banks here). You're now down to 10^12 which isn't a very huge search space. The same goes for SSN's, they simply aren't long enough to be meaningful, in cannada our SIN number (same idea as your SSN) is only 9 digits long. That's a trivially shot search space. 
====================
that's certainly a valid critique, that had occurred to me. and i'm sure somewhere out there is a good way to do it.
To put it bluntly you basically can't store SSN/SIN/CC's in a "Secure" manner that obscures them significantly enough to prevent an attacker from brute forcing them unless you go to some extreme method, which companies won't do.
The sad part is there is NO (Zero, Nada, Zilch) incentive for companies to treat this data securely. Information for a hundred thousand people is stolen. So what? The company is not criminally liable in any way (I haven't heard of any laws yet). Civilly they're barely liable either. It'll be more of the same until we have laws with penalties for allowing theft of customer data. To bad insurance won't work, when a physical item is stolen it costs money to get a new one, and insurance companies won't pay out unless you took due care/diligence, OTOH if you steal all the electronic data (and even erase it) a company just restores from a backup and goes on with life. 
=================
agreed. it's beyond just being a technical problem, so just a technical solution is naive. there needs to be consequences when this type of data is compromised... having some executives make an appearance in DC and plead "please don't regulate us" isn't making the world more secure. 


--
        ...atom

 _________________________________________
 PGP key - http://atom.smasher.org/pgp.txt
 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
 -------------------------------------------------

        "America may be the best country in the world, but that's
         kind of like being the valedictorian of summer school."
                -- Dennis Miller


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: