In message <[email protected]>, Tony Gravagno <[email protected]> writes
> Final note: I recommend breaking up any secure data you have and
> storing it in different files.  A compromised credit card number
> is no good without other data including name, address, zipcode,
> phone number, etc.  If you store the card ID in pieces, and
> encrypted, and separate from this other data, then even if the
> environment is compromised, the only person who could make use of
> the data would be someone who is intimate with your code and file
> structures.

That was something I was thinking of. I saw on Risks where somebody discussed this "print only the last four digits of the card number". I *think* actually, that's NOT what you should do for credit cards. The reason is strange, but makes sense ...

Certainly with Barclaycard/Visa, the *first* four digits are pretty much constant per the issuer. It's the last digits that vary most. So if you only display the *first* four digits, you will give enough info to the card owner for him to identify his card, but any attacker will only be able to identify the bank that issued the card. All Barclaycards, for example, begin with 4929 iirc (or they did, I think there are a couple of other variants around now).

Other cards are, I gather, the other way round. That article on Risks was how people who didn't understand WHY a particular 4-digit group had been chosen, arbitrarily changed it and thereby actually undermined the entire security behind the idea.

The danger is if different people print different bits of the number. An attacker can then put the whole number together from different printouts.

Either way, if you're going to print 4 digits, DON'T pick which four at random or because someone else says "this is the four". Ask yourself WHY pick that four, and there's a damn good argument which tells you which set to pick, and it isn't just because they're the first, or the last.

Cheers,
Wol
--
Anthony W. Youngman <[email protected]>
'Yings, yow graley yin! Suz ae rikt dheu,' said the blue man, taking the
thimble. 'What *is* he?' said Magrat. 'They're gnomes,' said Nanny. The man
lowered the thimble. 'Pictsies!' Carpe Jugulum, Terry Pratchett 1998
Visit the MaVerick web-site - <http://www.maverick-dbms.org> Open Source Pick
_______________________________________________
U2-Users mailing list
[email protected]
http://listserver.u2ug.org/mailman/listinfo/u2-users
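
The risk raised in the message above (different systems each printing a different group of digits), as an added example that is not part of the original post: it unions the masks used by several systems and reports how much of the card number the combined printouts expose. The system names, mask templates and the `max_revealed` limit are assumptions constructed for illustration.

```python
# Added example: the masks and system names below are constructed.
# Mask template: 'X' = digit printed in clear, '*' = digit hidden.

def revealed_positions(mask, pan_length=16):
    """Return the 0-based digit positions that a mask prints in clear."""
    template = mask.replace(" ", "")
    if len(template) != pan_length or set(template) - {"X", "*"}:
        raise ValueError(f"bad mask template: {mask!r}")
    return {i for i, ch in enumerate(template) if ch == "X"}


def audit(policies, pan_length=16, max_revealed=4):
    """Union the masks of every system and report the combined exposure.

    max_revealed is a hypothetical policy limit, not a value from the post.
    """
    union = set()
    for mask in policies.values():
        union |= revealed_positions(mask, pan_length)
    hidden = pan_length - len(union)
    # The Luhn check digit fixes one unknown digit once the rest are chosen,
    # so h hidden digits leave 10**(h-1) valid numbers, not 10**h.
    candidates = 10 ** (hidden - 1) if hidden else 1
    return {
        "revealed": sorted(union),
        "hidden": hidden,
        "candidates": candidates,
        "ok": len(union) <= max_revealed,
    }


# Constructed sample: four systems, each printing "only four digits".
INCONSISTENT = {
    "till_receipt": "**** **** **** XXXX",
    "web_statement": "XXXX **** **** ****",
    "support_screen": "**** XXXX **** ****",
    "mail_invoice": "**** **** XXXX ****",
}
# Constructed sample: every system agrees on the same group.
CONSISTENT = {name: "XXXX **** **** ****" for name in INCONSISTENT}

if __name__ == "__main__":
    for label, policies in (("inconsistent", INCONSISTENT),
                            ("consistent", CONSISTENT)):
        print(label, audit(policies))
```

Each system in the inconsistent set looks safe when reviewed alone; only the union shows that nothing stays hidden.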
