
 Last four digits of CC.


X-Factor
Constraint Violating Yak Guru

392 Posts

Posted - 2009-03-25 : 21:29:21
Hi there,

Does storing the last four digits of payments cards along with billing address details constitute a security risk?

Cheers, XF.

robvolk
Most Valuable Yak

15732 Posts

Posted - 2009-03-25 : 21:53:45
Short answer: yes.

Longer answer: your security is only as strong as your weakest link. For instance, you could encrypt the data in the database, but if it's sent unencrypted over the network at any time, it's insecure. Or if the keys are used in the app layer and someone hacks that, then they could decrypt it.

Does anyone have ad-hoc access to the database? Even your boss? Even you?

While it sounds reasonable to store just that data, you still need to evaluate how that data goes through your systems. Also find out if your company has to obey any auditing standards like SAS 70 or SOX, or some internal restrictions. Then you'll know if that's too much, too little, and whether you need to encrypt or hash it for storage.

Lumbago
Norsk Yak Master

3271 Posts

Posted - 2009-03-26 : 04:20:40
I'd say no. Those 4 numbers will not do anyone any good.

- Lumbago

X-Factor
Constraint Violating Yak Guru

392 Posts

Posted - 2009-03-26 : 10:26:43
The bank says it's secure information and that it's a risk.

Lumbago
Norsk Yak Master

3271 Posts

Posted - 2009-03-26 : 10:43:18
Then listen to your bank. No need to take advice from wiseacres like us.

- Lumbago

SwePeso
Patron Saint of Lost Yaks

30421 Posts

Posted - 2009-03-26 : 10:46:27
Mathematically, revealing the last 4 digits reduces the number of brute-force attempts to 1/10000th.
A criminal would only need 1/10000th of the attempts to crack the full number.



E 12°55'05.63"
N 56°04'39.26"

SwePeso
Patron Saint of Lost Yaks

30421 Posts

Posted - 2009-03-26 : 10:49:15
Also, revealing the last 4 digits shows a criminal the Luhn checksum digit, which gives the criminal a greater chance to build the other digits from the Luhn checksum.



E 12°55'05.63"
N 56°04'39.26"

Lumbago
Norsk Yak Master

3271 Posts

Posted - 2009-03-26 : 10:50:47
Still, you've got a trillion left... 1000 billion... I'd say you're in for some work.

- Lumbago

SwePeso
Patron Saint of Lost Yaks

30421 Posts

Posted - 2009-03-26 : 10:56:05
Nah. All issuers have the same first digits. Visa always starts with 4, and so on.
MasterCard always starts with either 51, 52, 53 or 54.
http://en.wikipedia.org/wiki/Credit_card_numbers

And then all participating banks have their fixed numbers after the issuer code.
http://en.wikipedia.org/wiki/List_of_Bank_Identification_Numbers

So essentially the first 4 characters are "known" (often more) and the last 4 are known by display.
So there are 8 characters left, which is 100 million combinations in a brute-force search, and by knowing the Luhn checksum this is really 10 million combinations, which is brute-forced in minutes.

For some VISA cards the first 6 characters are "known" and the last 4 by display.
Then there are only 1 million combinations left (6 digits), which are really 100 000 combinations left using the Luhn check digit.
100 000 combinations are brute-forced in seconds.


E 12°55'05.63"
N 56°04'39.26"
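SwePeso's Luhn argument above, quantified as an added example (Python; this is not code from the thread or from SQLTeam). It implements the standard Luhn mod-10 check and counts, for a constructed issuer prefix and a displayed last four, how many ways the hidden middle digits can be filled in so the whole number passes the check. The prefix and suffix strings are constructed placeholders, not real card data.

```python
"""Luhn check digit and the size of the remaining search space (added example)."""


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the standard Luhn mod-10 check."""
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    # Walk from the rightmost digit; every second digit from the right is doubled,
    # and a doubled value above 9 has 9 subtracted (equivalent to summing its digits).
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def count_luhn_valid_completions(known_prefix: str, known_suffix: str, unknown: int) -> int:
    """Count the fillings of `unknown` middle digits for which prefix+middle+suffix passes Luhn.

    Only the count is returned; this is a measurement of the search space, not a generator.
    """
    count = 0
    for n in range(10 ** unknown):
        candidate = known_prefix + str(n).zfill(unknown) + known_suffix
        if luhn_valid(candidate):
            count += 1
    return count


def luhn_valid_completions_closed_form(unknown: int) -> int:
    """Closed form for the same count: exactly one tenth of the space passes.

    Varying any single free digit changes the Luhn total by a term that takes every
    residue mod 10 exactly once (identity in a non-doubled position, the permutation
    0,2,4,6,8,1,3,5,7,9 in a doubled one), so for each choice of the other unknown
    digits exactly one value of that digit makes the total divisible by 10.
    """
    if unknown < 1:
        raise ValueError("need at least one unknown digit")
    return 10 ** (unknown - 1)


if __name__ == "__main__":
    # Well-known public Visa test number; passes Luhn. Flipping the last digit does not.
    print(luhn_valid("4111111111111111"), luhn_valid("4111111111111112"))

    # Constructed placeholders: a 6-digit "known" prefix and a displayed last four.
    prefix, last4 = "451234", "1234"
    for k in (2, 3, 4):
        print(k, "unknown digits:", count_luhn_valid_completions(prefix, last4, k),
              "by enumeration,", luhn_valid_completions_closed_form(k), "by closed form")

    # The post's scenarios: 8 unknown digits (4 known + 4 shown) and 6 unknown (6 known + 4 shown).
    print("8 unknown ->", luhn_valid_completions_closed_form(8))   # 10,000,000
    print("6 unknown ->", luhn_valid_completions_closed_form(6))   # 100,000
```

The enumeration and the closed form agree, so the check digit costs an attacker exactly one decimal digit of search, as the post says; the much larger reduction comes from the issuer prefix being public and the last four being displayed. For the storage question this means the displayed last four plus a predictable prefix already pin the number down to a small space, which is why the later advice in the thread to keep only the payment provider's token, rather than anything more of the number, is the safer design.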

TG
Master Smack Fu Yak Hacker

6065 Posts

Posted - 2009-03-26 : 10:59:42
Just knowing the address and last 4 digits may be enough info to convince other institutions that the hacker is someone else.

Be One with the Optimizer
TG

X-Factor
Constraint Violating Yak Guru

392 Posts

Posted - 2009-03-26 : 12:07:38
quote:
Then there are only 1 million combinations left (6 digits), which are really 100 000 combinations left using the Luhn check digit.
100 000 combinations are brute-forced in seconds.


OK, I'm convinced, but how would the expiry date and the security code on the back change this? Would it result in...

100000 x 30 x 12 x 1000 combos?

This would get us back to 36,000,000,000 combinations.

Or perhaps the long number is independent so the hacker just needs to work out another two numbers which would be 1 in 360 and 1 in 1000 respectively?

robvolk
Most Valuable Yak

15732 Posts

Posted - 2009-03-26 : 12:42:46
Well, the real point is if they get the number and billing address, they can call up the bank and say "I've lost the card, please send another to my new address". Or they can use other sources to get the expiration date and 3-digit code.

X-Factor
Constraint Violating Yak Guru

392 Posts

Posted - 2009-03-26 : 13:18:31
Yes, dodgy stuff.

Lumbago
Norsk Yak Master

3271 Posts

Posted - 2009-03-27 : 04:03:08
You always have to compromise between security and usability, and you've got to make sure that what you're making is adequately secure but still usable. None of these posts have convinced me that storing the last 4 digits of a credit card number is such a security risk that I wouldn't do it. That being said, most payment providers return the cc-number along with some extra stuff in an encrypted string as an identification of the credit card, and this is what you should be storing. And if your end users can register several cards, you can let them add "nicknames" to each card (e.g. "My private Mastercard").

- Lumbago