[FYI] Did Encryption Empower These Terrorists?

Peter Gutmann pgut001 at cs.auckland.ac.nz
Wed Sep 26 00:39:04 EDT 2001


Enzo Michelangeli <em at who.net> writes:

>Many merchants need a unique identifier for the buyer, and their traditional
>processes often use the PAN (card number, for credit transactions). According
>to what I heard, at one point the original specs of SET were altered in order
>to accommodate, as an option, the visibility of the PAN to the merchant,
>thereby giving up the other advantage of SET besides cardholder's
>authentication (i.e., protection of the card number from eyes different from
>cardholder's or banking system's).

I've run into the same issue with various companies (including some big ones)
who eventually run into the following situation:

  "We need to encrypt our customer database because of security concerns over
  credit card numbers being stolen.  Oh yes, we use the CC# as the primary key
  for all our accounts".

This practice seems to be fairly widespread.  Workarounds are very difficult
(*everything* is keyed off the CC# as a unique customer ID, something like that
is very hard to fix in practice).

(And before someone jumps in with the obvious "It's easy, just replace the CC#
 with <some cryptographic transform of the CC#>", consider the following
 scenario: You have a company with gear distributed over 300 sites worldwide,
 using software from 120 vendors running on 18 different platforms, of which 3
 provide source code.  8 have gone out of business (the software is still being
 used because it does the job), and all but the 3 which have source code
 available use an undocumented, proprietary format for their data.  Your job is
 to provide a time-and-materials estimate on what it'd take to fix this.  You're
 allowed a maximum of 90 days and $50K (+ 3 programmers) to get the problem 
 solved).

Peter.
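The "obvious" fix the post refers to, a keyed surrogate key in place of the raw CC#, as an added example that is not part of Peter's post: it derives the customer ID with an HMAC under a secret key, so the value is stable across systems that share the key (the records still join) but, unlike a plain hash, cannot be rebuilt by enumerating the small, Luhn-constrained PAN space. The key, key id and the test PAN are constructed placeholders.

```python
import hmac
import hashlib

# Constructed placeholder key; a real deployment keeps this in an HSM or KMS
# and never alongside the tokens it protects.
DEMO_KEY = bytes.fromhex("0f" * 32)
DEMO_KEY_ID = "k1"


def normalize_pan(pan: str) -> str:
    """Strip spaces and dashes so the same card always yields the same token."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 12 <= len(digits) <= 19:
        raise ValueError("PAN length out of range")
    return digits


def luhn_ok(digits: str) -> bool:
    """Luhn check digit, so typos are rejected before they become a 'new customer'."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def pan_token(pan: str, key: bytes = DEMO_KEY, key_id: str = DEMO_KEY_ID) -> str:
    """Keyed surrogate key for a PAN.

    HMAC-SHA256 under a secret key: deterministic (usable as a primary key and
    as a join key between systems that share the key), one-way, and not
    enumerable without the key. A bare SHA-256 would fail the last property,
    because a 16-digit PAN with a known issuer prefix leaves far too few
    candidates. The key id prefix lets a later key rotation coexist with old
    tokens, but re-issuing tokens still needs the PAN, not just the old token.
    """
    digits = normalize_pan(pan)
    if not luhn_ok(digits):
        raise ValueError("Luhn check failed")
    mac = hmac.new(key, digits.encode("ascii"), hashlib.sha256).hexdigest()
    return f"{key_id}:{mac}"


def same_customer(token_a: str, token_b: str) -> bool:
    """Constant-time comparison, so the token store never leaks partial matches."""
    return hmac.compare_digest(token_a, token_b)
```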



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com