MIDRANGE dot COM Mailing List Archive



Home » MIDRANGE-L » February 2014

Re: Security and SSD



fixed

If all you're using to "encrypt" the cc# is a basic hash then all you've done is replace the number with a token. A simple dictionary attack will reveal the cc#'s pretty quickly. If you've salted your hash then the lookup you propose becomes much more difficult. There are many real world reasons to maintain cc#s (or their tokens)...fraud detection (e.g spotting unusual card activity) being just one.

On 2/19/2014 2:18 PM, Briggs, Trevor (TBriggs2) wrote:
You tell me the credit card number you want to use for a transaction, I
encrypt it and compare it with the encrypted number on file. If it's the
same, then your card is valid. Unless you're the actual financial
institution that issued the credit card number there's no reason for you
to want to know what the (unencrypted) number actually is.

Trevor Briggs
Analyst/Programmer
Lincare, Inc.
(727) 431-1246
TBriggs2@xxxxxxxxxxx

-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of rob@xxxxxxxxx
Sent: Wednesday, February 19, 2014 8:16 AM
To: Midrange Systems Technical Discussion
Subject: RE: Security and SSD

Then what's the point of recording it? If it can never be retrieved or
utilized?


Rob Berendt






Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2014 by MIDRANGE dot COM and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available here. If you have questions about this, please contact