Re: Hardcoded Keys

["Avraham Schneider" <avri.schneider () gmail com>]

> I believe it almost never happens.  As I understand the card association
> rules, the merchant has to hang on to the data for refund purposes.
.
.
.
> A few years ago I worked on a corporate credit-card processing system, and
> I pushed for keeping a cryptographic hash of the credit card number, but
> not the number itself.  That would have eliminated the need to encrypt
> card numbers, and any basis for accusing a programer of stealing card numbers.
>
> Alas, between card association rules, and the anti-fraud group wanting the
> exact card number, my idea got discarded.
Why didn't you suggest encrypting card numbers, without storing the
decryption keys?
If the user wants a refund - he will have to type his password (which
will be the key) to decrypt the card number and the decrypted card
number will be sent to the processing gateway.
Since the user's password is not stored in the database, just the hash
of it, you don't risk an attacker getting access to all credit card
numbers if/once he hacks into your server...



On Thu, Sep 4, 2008 at 8:21 PM, Bruce Ediger <eballen1 () qwest net> wrote:
> > On Wed, 3 Sep 2008 16:31:25 +0700
> > "Samuel Beckett" <beckett.samuel () gmail com> wrote:
> > > After the successful credit card transaction, certain credit card details
> > > are then encrypted and stored within the database.
>
> And then, on Thu, 4 Sep 2008, Shaun wrote:
> > There is your worst case. Game over.
>
> Agreed.  Keeping card number/CVV2 (or CID, or CVC, whatever you call it)/
> expiration date constitutes a real problem.
>
> > You process my transaction, you are done with my certain credit card
> > details the moment you get an auth or nack from your gateway. You as a
> > vendor should never see my credit card number to start with. You should
> > be passing my transaction to an originating bank. Alas, we know this
> > rarely happens.
>
> I believe it almost never happens.  As I understand the card association
> rules, the merchant has to hang on to the data for refund purposes.
>
> I will grant you that Chase/Paymentech will do arbitrary refunds, but I
> don't think that's the case for other payment processors (the "gateway"
> you mention above).  In fact, I believe BillMatrix will only refund
> a previously authorized and settled payment.  The merchant has to have
> all the right data, otherwise BillMatrix will reject the refund.
>
> A few years ago I worked on a corporate credit-card processing system, and
> I pushed for keeping a cryptographic hash of the credit card number, but
> not the number itself.  That would have eliminated the need to encrypt
> card numbers, and any basis for accusing a programer of stealing card numbers.
>
> Alas, between card association rules, and the anti-fraud group wanting the
> exact card number, my idea got discarded.
>
> Since we're on the topic of credit cards, why don't we hear more about
> refund fraud?  As near as I can tell, that's the part of the system
> that an insider could abuse the hell out of.  Most corporations have some
> kind of internal accounting, so that making fake or fraudulent payments
> really can only happen for a few dollars, and then only for a month, or
> whatever the accounting period happens to be.  But refunds, that's another
> story.  As of 2 years ago, Paymentech would do arbitrary refunds: they
> didn't care if a corresponding payment had ever gotten authorized and
> settled.  And corporations leave the decision about refunds up to
> customer service reps in a lot of cases.  At the very least, there's little
> to no accounting for the refunds.  A place ripe for a huge fraud to take
> place, if you ask me.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/