Re: Creativity and security
Anne & Lynn Wheeler wrote:

recent posts mentioning some skimming threats
http://www.garlic.com/~lynn/aadsm22.htm#27 Meccano Trojans coming to desktop near you

re:
http://www.garlic.com/~lynn/aadsm22.htm#30 Creativity and security

Trial starts on swipe-and-go card; A new smartcard could result in shorter queues in the shops
http://www.theage.com.au/news/business/trial-starts-on-swipeandgo-card/2006/04/12/1144521400790.html

the above has the quote:

"The card never leaves your hand," ... "In fact, it need not even be taken out of the wallet, and there is no chance information from the card can be skimmed, the most common form of card fraud."

... snip ...

while the earlier reference is to a situation where the crook is using their own device for extra swipes, a significant portion of skimming involves compromised devices that harvest information
http://www.garlic.com/~lynn/subpubkey.html#harvest
as part of a normal transaction.

The real issue is whether "static data" is used for authentication and therefore the infrastructure is vulnerable to any kind of skimming/harvesting/eavesdropping and replay attacks.

a few recent comments about static data exploits for replay attacks
http://www.garlic.com/~lynn/aadsm22.htm#20 FraudWatch - Chip&Pin, a new tenner (USD10)
http://www.garlic.com/~lynn/aadsm22.htm#40 FraudWatch - Chip&Pin, a new tenner (USD10)
http://www.garlic.com/~lynn/2006e.html#10 Caller ID "spoofing"
http://www.garlic.com/~lynn/2006e.html#30 Debit Cards HACKED now
http://www.garlic.com/~lynn/2006f.html#39 X.509 and ssh

- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
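The static-versus-dynamic distinction in the post above is the whole point, so here is a small model of it, added as an illustration and not code from Lynn's posts or from any payment system: a magstripe-style card that emits the same bytes every time, a chip-style card that MACs an issuer-supplied challenge, and an issuer host that is shown a skimmed copy of each exchange. The issuer key, the PAN (the well-known 4111... test number) and the track bytes are constructed demo values; HMAC-SHA256 stands in for whatever MAC a real card would compute.

```python
import hashlib
import hmac
import secrets

# Constructed demo values: not a real issuer key and not a real account number.
ISSUER_KEY = b"constructed-demo-issuer-key-not-for-real-use"
TEST_PAN = "4111111111111111"  # well-known test PAN used by payment sandboxes


class StaticDataCard:
    """Magstripe-style card: emits the same track data every time, whatever it is asked."""

    def __init__(self, track_data: bytes):
        self.track_data = track_data

    def authenticate(self, challenge: bytes) -> bytes:
        return self.track_data  # the challenge is ignored, so the response never varies


class DynamicDataCard:
    """Chip-style card: proves possession of a secret key by MACing an unpredictable
    per-transaction challenge (HMAC-SHA256 stands in for the card's MAC here)."""

    def __init__(self, pan: str, key: bytes):
        self.pan = pan
        self.key = key

    def authenticate(self, challenge: bytes) -> bytes:
        return hmac.new(self.key, self.pan.encode() + challenge, hashlib.sha256).digest()


class Issuer:
    """Issuer host: keeps static track data on file for static cards, and verifies
    dynamic responses only against challenges it issued and has not yet consumed."""

    def __init__(self, key: bytes):
        self.key = key
        self.track_on_file = {}   # pan -> static track data
        self.outstanding = set()  # challenges issued but not yet answered

    def new_challenge(self) -> bytes:
        c = secrets.token_bytes(16)
        self.outstanding.add(c)
        return c

    def verify(self, pan: str, challenge: bytes, response: bytes, dynamic: bool) -> bool:
        if not dynamic:
            # Static data: anyone holding a copy of the bytes is accepted.
            return hmac.compare_digest(self.track_on_file.get(pan, b""), response)
        if challenge not in self.outstanding:
            return False  # unknown or already-used challenge: reject
        self.outstanding.discard(challenge)  # one answer per challenge
        expected = hmac.new(self.key, pan.encode() + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def replay_outcome(dynamic: bool) -> dict:
    """Run one genuine transaction through a compromised terminal that records the
    exchange, then replay the recording twice: against a fresh challenge and
    against the original one. Returns which of the three the issuer accepted."""
    issuer = Issuer(ISSUER_KEY)
    if dynamic:
        card = DynamicDataCard(TEST_PAN, ISSUER_KEY)
    else:
        track = b"constructed-track-data;" + TEST_PAN.encode()
        issuer.track_on_file[TEST_PAN] = track
        card = StaticDataCard(track)

    # Genuine transaction; the terminal keeps (challenge, response) as the skimmed copy.
    c1 = issuer.new_challenge()
    r1 = card.authenticate(c1)
    genuine = issuer.verify(TEST_PAN, c1, r1, dynamic)

    # Replay 1: the recorded response offered in a new transaction (new challenge).
    c2 = issuer.new_challenge()
    replay_fresh = issuer.verify(TEST_PAN, c2, r1, dynamic)

    # Replay 2: the whole recorded exchange, including the old challenge.
    replay_old = issuer.verify(TEST_PAN, c1, r1, dynamic)

    return {
        "genuine": genuine,
        "replay_fresh_challenge": replay_fresh,
        "replay_old_challenge": replay_old,
    }


if __name__ == "__main__":
    print("static :", replay_outcome(dynamic=False))
    print("dynamic:", replay_outcome(dynamic=True))
```

With static data the harvested copy is accepted every time, which is why it does not matter whether it was captured by a waiter's reader or by a compromised terminal during an otherwise normal transaction. With the dynamic card the same capture fails against a new challenge, and the issuer's one-answer-per-challenge rule also rejects the old exchange replayed whole.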
Re: Creativity and security
Anne & Lynn Wheeler wrote:

the trivial case from nearly 10 years ago was the waiter in nyc restaurant (something sticks in my mind it was the Brazilian restaurant just off times sq) that had pda and small magstripe reader pinned to the inside of their jacket. At some opportunity, they would casually pass the card down the inside of their lapel (doesn't even really have to disappear anyplace). This was before wireless and 802.11 ... so the magstripe images would accumulate in the pda until the waiter took a break ... and then they would be uploaded to a PC and then to the internet (hong kong was used as example) ... counterfeit cards would be on the street (opposite side of the world), still within a few hours at most.

supposedly new?

iPod used to store data in identity theft
http://news.com.com/2061-10789_3-6059128.html

from above ..

April 7, 2006 4:55 PM PDT
A 35-year-old identity theft suspect may have taken Apple Computer's mandate, "Think Different," a little too far.

... snip ...

above article references:

Beware the 'pod slurping' employee
http://news.com.com/Beware+the+pod+slurping+employee/2100-1029_3-6039926.html?tag=nl

... from above

Published: February 15, 2006, 10:29 AM PST
A U.S. security expert who devised an application that can fill an iPod with business-critical data in a matter of minutes is urging companies to address the very real threat of data theft.

... snip

and some conjecture about a possible MITM-attack ... using counterfeit card in conjunction with PDA wireless internet connection to a lost/stolen valid card at some remote location.
http://www.garlic.com/~lynn/aadsm22.htm#23 FraudWatch - Chip&Pin
http://www.garlic.com/~lynn/aadsm22.htm#29 Meccano Trojans coming to a desktop near you

This is a scenario where a card may be authenticated separately from its actual operation. The hypothetical MITM-attack is against a terminal's willingness to agree with the business rules in a valid card used for offline transactions.

Since the attack is against the offline transaction business rules in a valid card, it may not even be necessary to obtain a lost/stolen valid card ... it may just be necessary to obtain any valid card (say thru valid application using false information) ... the MITM counterfeit card uses any valid card for the authentication exchange ... and then proceeds with the rest of the transaction using its own business rules.
Re: Creativity and security
On Mar 26, 2006, at 22:07, Joseph Ashwood wrote:

> - Original Message -
> From: "J. Bruce Fields" <[EMAIL PROTECTED]>
> Subject: Re: Creativity and security
>
> > On Fri, Mar 24, 2006 at 06:47:07PM -, Dave Korn wrote:
> >> IOW, unless we're talking about a corrupt employee with a photographic
> >> memory and telescopic eyes,
> >
> > Tiny cameras are pretty cheap these days, aren't they? The employee
> > would be taking more of a risk at that point though, I guess.
>
> The one I find scarier is the US restaurant method of handling cards. For
> those of you unfamiliar with it, I hand my card to the waiter/waitress, the
> card disappears behind a wall for a couple of minutes, and my receipt comes
> back for me to sign along with my card. Just to see if anyone would notice I
> actually did this experiment with a (trusted) friend that works at a small
> upscale restaurant. I ate, she took my card in the back, without hiding
> anything or saying what she was doing she took out her cellphone, snapped a
> picture, then processed everything as usual. The transaction did not take
> noticeably longer than usual, the picture was very clear, in short, if I
> hadn't known she was doing this back there I would never have known. Even at
> a high end restaurant where there are more employees than clients no one
> paid enough attention in the back to notice this. If it wasn't a trusted
> friend doing this I would've been very worried.
> Joe

Heh, that's marvelous. I touched briefly on the awfulness of restaurant payment protocols in my 2004 paper from the Cambridge Protocols Workshop, which you may enjoy:

M. Blaze. "Toward a broader view of security protocols." 12th Cambridge International Workshop on Security Protocols. Cambridge, UK. April 2004.
http://www.crypto.com/papers/humancambridgepreproc.pdf

-matt
Re: Creativity and security
On Sun, 26 Mar 2006 19:07:07 -0800, "Joseph Ashwood" <[EMAIL PROTECTED]> wrote:

> - Original Message -
> From: "J. Bruce Fields" <[EMAIL PROTECTED]>
> Subject: Re: Creativity and security
>
> > On Fri, Mar 24, 2006 at 06:47:07PM -, Dave Korn wrote:
> >> IOW, unless we're talking about a corrupt employee with a photographic
> >> memory and telescopic eyes,
> >
> > Tiny cameras are pretty cheap these days, aren't they? The employee
> > would be taking more of a risk at that point though, I guess.
>
> The one I find scarier is the US restaurant method of handling cards. For
> those of you unfamiliar with it, I hand my card to the waiter/waitress, the
> card disappears behind a wall for a couple of minutes, and my receipt comes
> back for me to sign along with my card. Just to see if anyone would notice I
> actually did this experiment with a (trusted) friend that works at a small
> upscale restaurant. I ate, she took my card in the back, without hiding
> anything or saying what she was doing she took out her cellphone, snapped a
> picture, then processed everything as usual. The transaction did not take
> noticeably longer than usual, the picture was very clear, in short, if I
> hadn't known she was doing this back there I would never have known. Even at
> a high end restaurant where there are more employees than clients no one
> paid enough attention in the back to notice this. If it wasn't a trusted
> friend doing this I would've been very worried.
>

There was a Dilbert strip on that about 10 years ago. (Jan 11, 1996, according to my saved copy, but it doesn't seem to be available via their web archive.) It shows Dilbert saying that he'd never buy anything online because he doesn't want his credit card number floating around the net. He then hands his credit card to a waitress, who comes back wearing a fur coat.

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
Re: Creativity and security
regarding the XXXing on receipts it turns out that things aren't as grim as i thought. i analyzed the checksum algorithm and if you are missing n digits there are 10^(n-1) clashes. i verified this with a brute force program.

but in the "photograph the card" scenario ... if one digit is blurry then you still win because 10^(n-1) is 1. if two are unknown then mr nasty could try buying stuff from 10 different sites.

brucee
Re: Creativity and security
ref:
http://www.garlic.com/~lynn/aadsm22.htm#30 Creativity and security

and a more recent skimming news item from this month:

Cloned-card scams socking it to bank accounts
http://www.mysanantonio.com/news/metro/stories/MYSA030506.09B.atm_theft.27d5322.html

the above card mentions pins with debit cards ... which is typically required for atm machines for withdrawing cash ... but the new class of debit cards with logos can also be used w/o pins at pos terminals (aka at pos, it is option selection to decide whether the debit card is used with or w/o pin).

various recent postings mentioning skimming attacks:
http://www.garlic.com/~lynn/2006e.html#2 When *not* to sign an e-mail message?
http://www.garlic.com/~lynn/2006e.html#3 When *not* to sign an e-mail message?
http://www.garlic.com/~lynn/2006e.html#4 When *not* to sign an e-mail message?
http://www.garlic.com/~lynn/2006e.html#10 Caller ID "spoofing"
http://www.garlic.com/~lynn/2006e.html#21 Debit Cards HACKED now
http://www.garlic.com/~lynn/2006e.html#24 Debit Cards HACKED now
http://www.garlic.com/~lynn/2006e.html#26 Debit Cards HACKED now
http://www.garlic.com/~lynn/2006e.html#30 Debit Cards HACKED now
http://www.garlic.com/~lynn/2006e.html#44 Does the Data Protection Act of 2005 Make Sense
http://www.garlic.com/~lynn/aadsm22.htm#2 GP4.3 - Growth and Fraud - Case #3 - Phishing
http://www.garlic.com/~lynn/aadsm22.htm#5 long-term GPG signing key
http://www.garlic.com/~lynn/aadsm22.htm#10 thoughts on one time pads
http://www.garlic.com/~lynn/aadsm22.htm#11 thoughts on one time pads
http://www.garlic.com/~lynn/aadsm22.htm#12 thoughts on one time pads
http://www.garlic.com/~lynn/aadsm22.htm#13 Face and fingerprints swiped in Dutch biometric passport crack (another card skim vulnerability)
http://www.garlic.com/~lynn/aadsm22.htm#14 thoughts on one time pads
http://www.garlic.com/~lynn/aadsm22.htm#15 thoughts on one time pads
http://www.garlic.com/~lynn/aadsm22.htm#21 FraudWatch - Chip&Pin, a new tenner (USD10)
http://www.garlic.com/~lynn/aadsm22.htm#23 FraudWatch - Chip&Pin, a new tenner (USD10)
http://www.garlic.com/~lynn/aadsm22.htm#26 FraudWatch - Chip&Pin, a new tenner (USD10)
http://www.garlic.com/~lynn/aadsm22.htm#29 Meccano Trojans coming to a desktop near you
Re: Creativity and security
Joseph Ashwood wrote:
> The one I find scarier is the US restaurant method of handling cards.
> For those of you unfamiliar with it, I hand my card to the
> waiter/waitress, the card disappears behind a wall for a couple of
> minutes, and my receipt comes back for me to sign along with my card. Just
> to see if anyone would notice I actually did this experiment with a
> (trusted) friend that works at a small upscale restaurant. I ate, she
> took my card in the back, without hiding anything or saying what she was
> doing she took out her cellphone, snapped a picture, then processed
> everything as usual. The transaction did not take noticeably longer than
> usual, the picture was very clear, in short, if I hadn't known she was
> doing this back there I would never have known. Even at a high end
> restaurant where there are more employees than clients no one paid
> enough attention in the back to notice this. If it wasn't a trusted
> friend doing this I would've been very worried.
> Joe

the trivial case from nearly 10 years ago was the waiter in nyc restaurant (something sticks in my mind it was the Brazilian restaurant just off times sq) that had pda and small magstripe reader pinned to the inside of their jacket. At some opportunity, they would casually pass the card down the inside of their lapel (doesn't even really have to disappear anyplace). This was before wireless and 802.11 ... so the magstripe images would accumulate in the pda until the waiter took a break ... and then they would be uploaded to a PC and then to the internet (hong kong was used as example) ... counterfeit cards would be on the street (opposite side of the world), still within a few hours at most.

recent posts mentioning some skimming threats
http://www.garlic.com/~lynn/aadsm22.htm#27 Meccano Trojans coming to desktop near you
Re: Creativity and security
- Original Message -
From: "J. Bruce Fields" <[EMAIL PROTECTED]>
Subject: Re: Creativity and security

> On Fri, Mar 24, 2006 at 06:47:07PM -, Dave Korn wrote:
>> IOW, unless we're talking about a corrupt employee with a photographic
>> memory and telescopic eyes,
>
> Tiny cameras are pretty cheap these days, aren't they? The employee
> would be taking more of a risk at that point though, I guess.

The one I find scarier is the US restaurant method of handling cards. For those of you unfamiliar with it, I hand my card to the waiter/waitress, the card disappears behind a wall for a couple of minutes, and my receipt comes back for me to sign along with my card. Just to see if anyone would notice I actually did this experiment with a (trusted) friend that works at a small upscale restaurant. I ate, she took my card in the back, without hiding anything or saying what she was doing she took out her cellphone, snapped a picture, then processed everything as usual. The transaction did not take noticeably longer than usual, the picture was very clear, in short, if I hadn't known she was doing this back there I would never have known. Even at a high end restaurant where there are more employees than clients no one paid enough attention in the back to notice this. If it wasn't a trusted friend doing this I would've been very worried.

Joe
Re: Creativity and security
On Fri, Mar 24, 2006 at 06:47:07PM -, Dave Korn wrote:
> J. Bruce Fields wrote:
> > If all that information's printed on the outside of the card, then
> > isn't this battle kind of lost the moment you hand the card to them?
>
> 1- I don't hand it to them. I put it in the chip-and-pin card reader
> myself.

Oh, right, sorry, I missed that.

> In any case, even if I hand it to a cashier, it is within my sight
> at all times.
>
> 2- If it was really that easy to memorize a name and the equivalent of a
> 23-digit number at a glance without having to write anything down, surely
> the credit card companies wouldn't need to issue cards in the first place?

Well, obviously there's some gap between what you need to make use of the card convenient, and what you'd need if you were an attacker willing to spend some minimum of effort.

> IOW, unless we're talking about a corrupt employee with a photographic
> memory and telescopic eyes,

Tiny cameras are pretty cheap these days, aren't they? The employee would be taking more of a risk at that point though, I guess.

--b.
Re: Creativity and security
| > If all that information's printed on the outside of the card, then
| > isn't this battle kind of lost the moment you hand the card to them?
|
| 1- I don't hand it to them. I put it in the chip-and-pin card reader
| myself. In any case, even if I hand it to a cashier, it is within my sight
| at all times.
|
| 2- If it was really that easy to memorize a name and the equivalent of a
| 23-digit number at a glance without having to write anything down, surely
| the credit card companies wouldn't need to issue cards in the first place?
|
| IOW, unless we're talking about a corrupt employee with a photographic
| memory and telescopic eyes, the paper receipt I leave behind is the only
| place they could get any information about my card details

You're underestimating human abilities when there is a reward present. Back in the days when telephone calling cards were common, people used to "shoulder surf", watching someone enter the card number and memorizing it. A traditional hazing in the military is to give the new soldier a gun, then a few seconds later demand that he tell you the serial number from memory. Soldiers caught out on this ... only get caught out once.

Besides, there's a lot less to remember than you think. I don't know how your chip-and-pin card encoding is done, but a credit card number is 16 digits, with the first 4 (6?) specifying the bank (with a small number of banks covering most of the market - if you see a card from an uncommon bank, you can ignore it) and the last digit a check digit. So you need to remember one of a small number of banks, a name, and 11 digits - for the few seconds it takes for the customer to move on and give you the chance to scrawl it on a piece of paper. Hardly very challenging.

-- Jerry
Re: Creativity and security
J. Bruce Fields wrote:
> On Thu, Mar 23, 2006 at 08:15:50PM -, Dave Korn wrote:
>> So what they've been doing at my local branch of Marks & Spencer
>> for the past few weeks is, at the end of the transaction after the
>> (now always chip'n'pin-based) card reader finishes authorizing your
>> transaction, the cashier at the till asks you whether you actually
>> /want/ the receipt or not; if you say yes, they press a little
>> button and the till prints out the receipt same as ever and they
>> hand it to you, but if you say no they don't press the button, the
>> machine doesn't even bother to print a receipt, and you wander away
>> home, safe in the knowledge that there is no wasted paper and no
>> leak of security information ...
>>
>> ... Of course, three seconds after your back is turned, the
>> cashier can still go ahead and press the button anyway, and then
>> /they/ can have your receipt. With the expiry date on it. And the
>> last four digits of the card number. And the name of the card
>> issuer, which allows you to narrow the first four digits down to
>> maybe three or four possible combinations. OK, 10^8 still ain't
>> easy, but it's a lot easier than what we started with.
>
> If all that information's printed on the outside of the card, then
> isn't this battle kind of lost the moment you hand the card to them?

1- I don't hand it to them. I put it in the chip-and-pin card reader myself. In any case, even if I hand it to a cashier, it is within my sight at all times.

2- If it was really that easy to memorize a name and the equivalent of a 23-digit number at a glance without having to write anything down, surely the credit card companies wouldn't need to issue cards in the first place?

IOW, unless we're talking about a corrupt employee with a photographic memory and telescopic eyes, the paper receipt I leave behind is the only place they could get any information about my card details.

This was of course not the case in the old days when your card was rolled over a receipt with multiple carbons, one of which was the retailer's copy that they needed to deposit with their bank, but things are a lot more secure now: a debit card transaction, authorised and completed online, leaves a lot less exposure; so nowadays I reckon that it is worth worrying about the remaining risks, that /were/ relatively speaking lower risks back then when compared to the fact of the retailer's retaining a hard copy of your card details, but that (now /that/ particular risk has been eliminated) are relatively higher risks.

Of course, a corrupt employee could conceivably replace the card reader with a corrupt one of their own, but since it would take major carpentry to detach them from the cashtills and counters to which they are firmly fixed, I think that's a lot more likely to be noticed than an employee craftily pressing a little button and palming a receipt.

YMMV!

cheers,
DaveK
--
Can't think of a witty .sigline today
Re: Creativity and security
On Thu, Mar 23, 2006 at 08:15:50PM -, Dave Korn wrote:
>
> As we all know, when you pay with a credit or debit card at a store, it's
> important to take the receipt with you
> [..]
> So what they've been doing at my local branch of Marks & Spencer for the
> past few weeks is, at the end of the transaction after the (now always
> chip'n'pin-based) card reader finishes authorizing your transaction, the
> cashier at the till asks you whether you actually /want/ the receipt or not;
> [..]
> ... Of course, three seconds after your back is turned, the cashier can
> still go ahead and press the button anyway, and then /they/ can have your
> receipt.
> [..]
> I think the better solution would still be for the receipt
> to be printed out every single time and the staff trained in the importance
> of not letting customers leave without taking their receipts with them.

Two observations:

- your preferred solution to a problem of fraudulent cashier staff doing the wrong thing ... relies on the cashier staff doing the right thing. Training fraudulent and creative cashiers on the importance of this action probably encourages them to come up with other ways to do the same thing.

- even when they've handed you a receipt, on many systems there's a good chance they can get a reprint those same three seconds later. Paper jams or gets torn, ribbons run out, and sometimes you legitimately need a duplicate.

-- Dan.
Re: Creativity and security
Blanking out all but the last 4 digits is foolish. The last is a checksum and the first four are determined by the merchant. This greatly reduces the possibilities for the other 8 digits. I'd rather just Bank Name or even the first 4 digits. (I know that amex use only 15, even worse.)

brucee
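As an added illustration, not code from either of brucee's posts, the following Python checks the two claims made in this thread: the count above that n missing digits leave 10^(n-1) checksum-consistent completions, and the comparison here between X-ing out only the last four digits and X-ing out all but the last four, with an optional allowance for the issuer prefix being recoverable from the card name on the receipt. The checksum is the Luhn algorithm (double every second digit from the right, subtract 9 if that exceeds 9, sum must be a multiple of 10). The PAN is the well-known 4111... test number, not a real account; the enumeration returns a count only and is capped at four unknown digits, which is all that confirming the formula needs.

```python
from itertools import product

# Well-known test PAN used by payment sandboxes; constructed input, not a real account.
TEST_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Luhn check: from the right, double every second digit (subtract 9 if > 9),
    sum everything, and require the total to be a multiple of 10."""
    digits = [int(c) for c in pan if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_all_but_last4(pan: str) -> str:
    """The common receipt format: X out everything except the last four digits."""
    return "X" * (len(pan) - 4) + pan[-4:]


def mask_last4_only(pan: str) -> str:
    """The Build-A-Bear format criticised in the thread: X out only the last four."""
    return pan[:-4] + "XXXX"


def analytic_candidates(masked: str, issuer_known_prefix: int = 0) -> int:
    """Number of completions of a masked PAN that pass the Luhn check, assuming the
    first `issuer_known_prefix` digits are recoverable from the issuer name.
    Each digit position maps its ten values onto ten distinct residues mod 10,
    so once all but one unknown digit are fixed exactly one value of the last
    satisfies the checksum: n unknown digits give 10**(n-1) candidates."""
    unknown = sum(1 for i, c in enumerate(masked) if c == "X" and i >= issuer_known_prefix)
    return 10 ** (unknown - 1) if unknown > 0 else 1


def brute_force_candidates(masked: str) -> int:
    """Confirm the formula by enumeration (count only, capped at four unknown digits)."""
    positions = [i for i, c in enumerate(masked) if c == "X"]
    if len(positions) > 4:
        raise ValueError("enumeration capped at four masked digits")
    chars = list(masked)
    count = 0
    for combo in product("0123456789", repeat=len(positions)):
        for pos, ch in zip(positions, combo):
            chars[pos] = ch
        if luhn_valid("".join(chars)):
            count += 1
    return count


def exposure_report(pan: str, issuer_known_prefix: int = 4) -> dict:
    """Candidates an observer of the receipt is left with, for each masking style."""
    return {
        "last4_masked": analytic_candidates(mask_last4_only(pan), issuer_known_prefix),
        "all_but_last4_masked": analytic_candidates(mask_all_but_last4(pan), issuer_known_prefix),
    }


if __name__ == "__main__":
    print(mask_last4_only(TEST_PAN), "->", brute_force_candidates(mask_last4_only(TEST_PAN)))
    print(exposure_report(TEST_PAN, issuer_known_prefix=4))
```

With the issuer prefix treated as known, masking only the last four leaves 10^3 checksum-consistent numbers, while masking all but the last four leaves 10^7 even before the Luhn digit is taken into account for the attacker's benefit; the difference between the two receipt formats is four orders of magnitude, which is the whole of Jerry's original complaint.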
Re: Creativity and security
On Thu, Mar 23, 2006 at 08:15:50PM -, Dave Korn wrote:
> So what they've been doing at my local branch of Marks & Spencer for the
> past few weeks is, at the end of the transaction after the (now always
> chip'n'pin-based) card reader finishes authorizing your transaction, the
> cashier at the till asks you whether you actually /want/ the receipt or not;
> if you say yes, they press a little button and the till prints out the
> receipt same as ever and they hand it to you, but if you say no they don't
> press the button, the machine doesn't even bother to print a receipt, and
> you wander away home, safe in the knowledge that there is no wasted paper
> and no leak of security information ...
>
> ... Of course, three seconds after your back is turned, the cashier can
> still go ahead and press the button anyway, and then /they/ can have your
> receipt. With the expiry date on it. And the last four digits of the card
> number. And the name of the card issuer, which allows you to narrow the
> first four digits down to maybe three or four possible combinations. OK,
> 10^8 still ain't easy, but it's a lot easier than what we started with.

If all that information's printed on the outside of the card, then isn't this battle kind of lost the moment you hand the card to them?

--b.
Re: Creativity and security
Olle Mulmo wrote:
> On Mar 20, 2006, at 21:51, [EMAIL PROTECTED] wrote:
>
>> I was tearing up some old credit card receipts recently - after all
>> these years, enough vendors continue to print full CC numbers on
>> receipts that I'm hesitant to just toss them as is, though I doubt there
>> are many dumpster divers looking for this stuff any more - when I found
>> a great example of why you don't want people applying their "creativity"
>> to security problems, at least not without a great deal of review.
>>
>> You see, most vendors these days replace all but the last 4 digits of
>> the CC number on a receipt with X's. But it must be boring to do the
>> same as everyone else, so some bright person at one vendor(*) decided
>> they were going to do it differently: They X'd out *just the last four
>> digits*. After all, who could guess the number from the 10,000
>> possibilities?
>>
>> Ahem.
>> -- Jerry
>>
>> (*) It was Build-A-Bear. The receipt was at least a year old, so for
>> all I know they've long since fixed this.
>
> Unfortunately, they haven't. In Europe I get receipts with different
> crossing-out patterns almost every week.
>
> And, with "they" I mean the builders of point-of-sale terminals: I
> don't think individual store owners are given a choice.
>
> Though I believe I have noticed a good trend in that I get receipts
> where *all but four* digits are crossed out more and more often
> nowadays.

In the UK, that is now the almost universal practice. And it's equally almost universally the /last/ four digits across all retailers. Which is good.

What is not so good, however, is another example of a not-as-clever-as-it-thinks-it-is clever new idea for addressing the problem of receipts. As we all know, when you pay with a credit or debit card at a store, it's important to take the receipt with you, because it contains vital information - even when most of the card number is starred out, the expiry date is generally shown in full.

So we're all encouraged to take them with us, take them home, and shred or otherwise securely dispose of them under our own control. Of course, this is a) a nuisance and b) wasteful of paper. And obviously enough, someone's been trying to come up with a 'bright idea' to solve these issues.

So what they've been doing at my local branch of Marks & Spencer for the past few weeks is, at the end of the transaction after the (now always chip'n'pin-based) card reader finishes authorizing your transaction, the cashier at the till asks you whether you actually /want/ the receipt or not; if you say yes, they press a little button and the till prints out the receipt same as ever and they hand it to you, but if you say no they don't press the button, the machine doesn't even bother to print a receipt, and you wander away home, safe in the knowledge that there is no wasted paper and no leak of security information ...

... Of course, three seconds after your back is turned, the cashier can still go ahead and press the button anyway, and then /they/ can have your receipt. With the expiry date on it. And the last four digits of the card number. And the name of the card issuer, which allows you to narrow the first four digits down to maybe three or four possible combinations. OK, 10^8 still ain't easy, but it's a lot easier than what we started with.

The risk could perhaps be fixed with an interlock which makes it impossible to print the receipt out after the card has been withdrawn from the reader, but I think the better solution would still be for the receipt to be printed out every single time and the staff trained in the importance of not letting customers leave without taking their receipts with them.

cheers,
DaveK
--
Can't think of a witty .sigline today
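Dave Korn's interlock idea, with Dan's point above about legitimate reprints folded in, as an added example in Python that is not code from any of the posts or from any real point-of-sale product: the till prints an original receipt only while the card is still in the reader, keeps nothing but the masked PAN, masks the expiry on the printout (a design choice of this example, since the thread notes the expiry is normally printed in full), and allows a duplicate only with a second person's approval and an audit entry. The class and function names (Till, walkthrough), the cashier and supervisor identifiers and the expiry value are hypothetical; the PAN is the well-known 4111... test number.

```python
from enum import Enum
from typing import List, Optional, Tuple


class State(Enum):
    IDLE = "idle"                  # no card in the reader
    CARD_PRESENT = "card_present"  # card inserted, not yet authorised
    AUTHORISED = "authorised"      # approved, card still in the reader


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, the format the thread settles on."""
    return "X" * (len(pan) - 4) + pan[-4:]


class Till:
    """Receipt printing tied to card presence; reprints need two people and are logged."""

    def __init__(self) -> None:
        self.state = State.IDLE
        self.current: Optional[dict] = None
        self.completed: List[dict] = []        # only masked data is ever stored
        self.audit: List[Tuple] = []           # what a reviewer of the till logs would see

    def insert_card(self, pan: str, expiry: str) -> None:
        if self.state is not State.IDLE:
            raise RuntimeError("card already present")
        # Mask at the point of capture so nothing downstream can print the full PAN or expiry.
        self.current = {"pan": mask_pan(pan), "expiry": "**/**", "amount": None}
        self.state = State.CARD_PRESENT

    def authorise(self, amount_pence: int) -> None:
        if self.state is not State.CARD_PRESENT:
            raise RuntimeError("no card to authorise")
        self.current["amount"] = amount_pence
        self.state = State.AUTHORISED

    def print_receipt(self, cashier: str) -> Optional[str]:
        """The interlock: an original receipt prints only while the card is in the reader."""
        if self.state is not State.AUTHORISED:
            self.audit.append(("print_refused", cashier, self.state.value))
            return None
        self.audit.append(("print", cashier, self.current["pan"]))
        return self._render(self.current, duplicate=False)

    def remove_card(self) -> None:
        """Customer takes the card: the transaction closes and original printing is over."""
        if self.state is not State.AUTHORISED:
            raise RuntimeError("nothing to complete")
        self.completed.append(self.current)
        self.current = None
        self.state = State.IDLE

    def reprint(self, index: int, cashier: str, supervisor: Optional[str]) -> Optional[str]:
        """Duplicates stay possible (paper jams happen) but need a second person and leave a trail."""
        if not supervisor or supervisor == cashier:
            self.audit.append(("reprint_refused", cashier, "no independent supervisor"))
            return None
        self.audit.append(("reprint", cashier, supervisor, index))
        return self._render(self.completed[index], duplicate=True)

    @staticmethod
    def _render(txn: dict, duplicate: bool) -> str:
        header = "*** DUPLICATE ***\n" if duplicate else ""
        return f"{header}CARD {txn['pan']} EXP {txn['expiry']} AMOUNT {txn['amount'] / 100:.2f}"


def walkthrough() -> dict:
    """Dave Korn's scenario: the customer declines the receipt, leaves, the cashier presses the button."""
    till = Till()
    till.insert_card("4111111111111111", "01/08")   # test PAN, constructed expiry
    till.authorise(1250)
    till.remove_card()                              # customer said "no receipt" and walked off
    late_print = till.print_receipt("cashier-1")    # refused by the interlock
    solo_reprint = till.reprint(0, "cashier-1", None)
    approved = till.reprint(0, "cashier-1", "supervisor-7")
    return {"late_print": late_print, "solo_reprint": solo_reprint,
            "approved_reprint": approved, "audit": till.audit}


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(key, ":", value)
```

The three audit entries the walkthrough produces (a refused late print, a refused solo reprint, an approved two-person reprint) are the detection side of the design: a cashier who routinely triggers print attempts after the card has gone shows up in the log whether or not any paper ever came out.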
Re: Creativity and security
Unfortunately, they haven't. In Europe I get receipts with different crossing-out patterns almost every week.

And, with "they" I mean the builders of point-of-sale terminals: I don't think individual store owners are given a choice.

Though I believe I have noticed a good trend in that I get receipts where *all but four* digits are crossed out more and more often nowadays.

/Olle

On Mar 20, 2006, at 21:51, [EMAIL PROTECTED] wrote:

> I was tearing up some old credit card receipts recently - after all these years, enough vendors continue to print full CC numbers on receipts that I'm hesitant to just toss them as is, though I doubt there are many dumpster divers looking for this stuff any more - when I found a great example of why you don't want people applying their "creativity" to security problems, at least not without a great deal of review.
>
> You see, most vendors these days replace all but the last 4 digits of the CC number on a receipt with X's. But it must be boring to do the same as everyone else, so some bright person at one vendor(*) decided they were going to do it differently: They X'd out *just the last four digits*. After all, who could guess the number from the 10,000 possibilities?
>
> Ahem.
> -- Jerry
>
> (*) It was Build-A-Bear. The receipt was at least a year old, so for all I know they've long since fixed this.
Creativity and security
I was tearing up some old credit card receipts recently - after all these years, enough vendors continue to print full CC numbers on receipts that I'm hesitant to just toss them as is, though I doubt there are many dumpster divers looking for this stuff any more - when I found a great example of why you don't want people applying their "creativity" to security problems, at least not without a great deal of review.

You see, most vendors these days replace all but the last 4 digits of the CC number on a receipt with X's. But it must be boring to do the same as everyone else, so some bright person at one vendor(*) decided they were going to do it differently: They X'd out *just the last four digits*. After all, who could guess the number from the 10,000 possibilities?

Ahem.
-- Jerry

(*) It was Build-A-Bear. The receipt was at least a year old, so for all I know they've long since fixed this.