Re: [Full-disclosure] Hardcoded Keys

---

• From: "Avraham Schneider" <avri.schneider@xxxxxxxxx>
• Date: Fri, 5 Sep 2008 01:16:29 +0300

---

I believe it almost never happens. As I understand the card association
rules, the merchant has to hang on to the data for refund purposes.

..
..
..

A few years ago I worked on a corporate credit-card processing system, and
I pushed for keeping a cryptographic hash of the credit card number, but
not the number itself. That would have eliminated the need to encrypt
card numbers, and any basis for accusing a programer of stealing card numbers.

Alas, between card association rules, and the anti-fraud group wanting the
exact card number, my idea got discarded.

Why didn't you suggest encrypting card numbers, without storing the
decryption keys?
If the user wants a refund - he will have to type his password (which
will be the key) to decrypt the card number and the decrypted card
number will be sent to the processing gateway.
Since the user's password is not stored in the database, just the hash
of it, you don't risk an attacker getting access to all credit card
numbers if/once he hacks into your server...



On Thu, Sep 4, 2008 at 8:21 PM, Bruce Ediger <eballen1@xxxxxxxxx> wrote:

On Wed, 3 Sep 2008 16:31:25 +0700
"Samuel Beckett" <beckett.samuel@xxxxxxxxx> wrote:

After the successful credit card transaction, certain credit card details
are then encrypted and stored within the database.

And then, on Thu, 4 Sep 2008, Shaun wrote:

There is your worst case. Game over.

Agreed. Keeping card number/CVV2 (or CID, or CVC, whatever you call it)/
expiration date constitutes a real problem.

You process my transaction, you are done with my certain credit card
details the moment you get an auth or nack from your gateway. You as a
vendor should never see my credit card number to start with. You should
be passing my transaction to an originating bank. Alas, we know this
rarely happens.

I believe it almost never happens. As I understand the card association
rules, the merchant has to hang on to the data for refund purposes.

I will grant you that Chase/Paymentech will do arbitrary refunds, but I
don't think that's the case for other payment processors (the "gateway"
you mention above). In fact, I believe BillMatrix will only refund
a previously authorized and settled payment. The merchant has to have
all the right data, otherwise BillMatrix will reject the refund.

A few years ago I worked on a corporate credit-card processing system, and
I pushed for keeping a cryptographic hash of the credit card number, but
not the number itself. That would have eliminated the need to encrypt
card numbers, and any basis for accusing a programer of stealing card numbers.

Alas, between card association rules, and the anti-fraud group wanting the
exact card number, my idea got discarded.

Since we're on the topic of credit cards, why don't we hear more about
refund fraud? As near as I can tell, that's the part of the system
that an insider could abuse the hell out of. Most corporations have some
kind of internal accounting, so that making fake or fraudulent payments
really can only happen for a few dollars, and then only for a month, or
whatever the accounting period happens to be. But refunds, that's another
story. As of 2 years ago, Paymentech would do arbitrary refunds: they
didn't care if a corresponding payment had ever gotten authorized and
settled. And corporations leave the decision about refunds up to
customer service reps in a lot of cases. At the very least, there's little
to no accounting for the refunds. A place ripe for a huge fraud to take
place, if you ask me.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

---

• Follow-Ups:
  • Re: [Full-disclosure] Hardcoded Keys
    • From: Gary E. Miller

• References:
  • [Full-disclosure] Hardcoded Keys
    • From: Samuel Beckett
  • Re: [Full-disclosure] Hardcoded Keys
    • From: Shaun
  • Re: [Full-disclosure] Hardcoded Keys
    • From: Bruce Ediger

• Prev by Date: [Full-disclosure] Xc0re Security Research Group GuestBook xss
• Next by Date: [Full-disclosure] [ MDVSA-2008:186 ] python
• Previous by thread: Re: [Full-disclosure] Hardcoded Keys
• Next by thread: Re: [Full-disclosure] Hardcoded Keys
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: Distance selling regs question ... If you paid by credit card the easiest way to proceed is to contact ... the card supplier and ask for a charge back. ... Yes of course he should ask for a refund first, ... (uk.legal) Re: Distance selling regs question ... If you paid by credit card the easiest way to proceed is to contact ... the card supplier and ask for a charge back. ... Yes of course he should ask for a refund first, ... (uk.legal) Re: paypal question ... make it impossible for buyers to complete payment within my 7 day ... I've no debit card registered - although I ... have a credit card on file - but I can do "instant" bank payments, ... Instant Bank Transfer will be the default method of payment. ... (uk.people.consumers.ebay) Re: A Tax refund ............. ... Do you actually deal with HMRC by eMail then? ... So how come they don't just pay the Refund into whatever Account ... Scammers & Phishers - the Legit firms mean it & the Scammers say it, ... HMRC don't pay Refunds into *Credit* card Accounts!!! ... (uk.people.silversurfers) Re: Some live without credit cards -- could you? ... I send at most one payment per monthand still don't pay any ... I haven't had a credit card for almost 10 years. ... (misc.consumers)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(10)