If I can access your server somehow (i.e. some sort of security compromise) and find that key I don't need to guess.
First place I'd look would be your CF templates. You probably have to read that key sometime from one of them.

---------------------------------------
Matt Robertson [EMAIL PROTECTED]
MSB Designs, Inc., www.mysecretbase.com
---------------------------------------

---------- Original Message ----------------------------------
from: "Koo Pai Lao" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
date: Thu, 04 Oct 2001 17:20:01 -0500

ok, what if the CC numbers were stored in the database as this...

"hga67IAHSIO7283hI:OH:LHSAIYo*(^*23600*A_UAIOUSDOI[pa][p}OQU*(^@#&*%(@#IUDASGUIGASGKLGAGSDAIUGTDYIUSA"

and the algorithm to crack it lies safely and securely on the server (not in the root). is it possible to guess the CC now?

>From: Jochem van Dieten <[EMAIL PROTECTED]>
>Reply-To: [EMAIL PROTECTED]
>To: CF-Talk <[EMAIL PROTECTED]>
>Subject: Re: Storing Credit Cards
>Date: Thu, 04 Oct 2001 18:31:55 +0200
>
>Dave Hannum wrote:
>
> > Just FYI - it's a fact. Munging the credit card numbers is harder to crack
> > than encryption.
> > For example. You have a key. You add a documented value to the first set
> > of four numbers and add another number to the second set of four numbers.
> > (dummy cc number here)
> >
> > Visa 4563 2784 9001 2483
> >
> > Add Key 1 = 4321
> > Add Key 2 = 9876
> >
> > Store number as 8884 12660 9001 2483
> >
> > Without the keys, this number is impossible to crack.
> >
> > You store your key. Then, when you want to process again, you subtract the
> > numbers you added in and you have a valid credit card number. As long as
> > that key is not web accessible, you're secure. VERY secure. And much
> > cheaper than PGP.
>
>Except when I know a cc somewhere in the database. Just trying them all
>with a MOD 10 algorithm can probably be done at a rate greater than 1000
>keys per second. For a 100000 cc database this is a guaranteed crack in
>100 seconds.
>
>Munged CCs in hacked database:
>8884 12660 9001 2483
>4568 13131 5465 5466
>7897 8798 4823 9312
>
>Hacker's CC he knows is somewhere in database:
>4563 2784 9001 2483
>
>How long would it take to get the Key 1 and Key 2?
>
>NEVER do this, it is stupid because anyone can crack it. You don't even
>need to do all the math because you know that CCs start with special
>numbers (like 4 for Visa, 37 for AmEx etc. (these numbers are fictional,
>but actual numbers are well known)).
>
>Jochem
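The "munging" scheme Dave describes and the known-plaintext weakness Jochem points out, written out as an added Python example (constructed for this page; it is not code from any of the list participants). It uses the thread's own dummy card and keys. Because that dummy number does not pass the mod 10 (Luhn) check, the Luhn function is exercised on a separately constructed sample number instead. The point the code makes is the one in the thread: the same two keys are added to every row, so a single known card/stored-value pair yields both keys by subtraction, and with them every other row decodes.

```python
# Added example (not from the CF-Talk thread): the additive "munging" scheme
# from the quoted message, and why one known plaintext defeats it.


def luhn_valid(number):
    """Mod 10 (Luhn) check used for card numbers; Jochem's 'MOD 10 algorithm'.
    Ignores spaces; doubles every second digit from the right."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def munge(card, key1, key2):
    """Dave's scheme: add key1 to the first 4-digit group and key2 to the
    second; groups three and four are stored unchanged. Sums are stored as
    plain decimals, so a carry makes the group 5 digits (2784 + 9876 = 12660)."""
    g = card.split()
    return f"{int(g[0]) + key1} {int(g[1]) + key2} {g[2]} {g[3]}"


def unmunge(stored, key1, key2):
    """Inverse of munge(): subtract the keys and zero-pad back to 4 digits."""
    g = stored.split()
    return f"{int(g[0]) - key1:04d} {int(g[1]) - key2:04d} {g[2]} {g[3]}"


def recover_keys(stored, known_card):
    """The attack Jochem describes: whoever knows one card that is in the
    table recovers both keys from its stored form with two subtractions."""
    s, k = stored.split(), known_card.split()
    return int(s[0]) - int(k[0]), int(s[1]) - int(k[1])


if __name__ == "__main__":
    # Dummy card and keys as quoted in the thread.
    card, key1, key2 = "4563 2784 9001 2483", 4321, 9876
    stored = munge(card, key1, key2)
    print("stored:   ", stored)                       # 8884 12660 9001 2483

    # Attacker knows `card` is somewhere in the dumped table.
    k1, k2 = recover_keys(stored, card)
    print("recovered:", k1, k2)                       # 4321 9876

    # The same keys protect every row, so the rest of the dump decodes too.
    other_row = "4568 13131 5465 5466"                 # from Jochem's fictional dump
    print("other row:", unmunge(other_row, k1, k2))   # 0247 3255 5465 5466

    # Luhn check on a constructed sample number (the dummy card above is not
    # Luhn-valid, which is why it is not used here).
    print("luhn:", luhn_valid("4111 1111 1111 1111"))  # True
```

The structural problem is visible in `recover_keys`: the transformation is a fixed offset shared by every record, and half of each number is stored in the clear, so there is nothing to brute-force once one pair is known. This is why the thread's advice is not to do it at all rather than to pick larger keys.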

