[FYI] Did Encryption Empower These Terrorists?
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Wed Sep 26 00:39:04 EDT 2001
Enzo Michelangeli <em at who.net> writes:
>Many merchants need a unique identifier for the buyer, and their traditional
>processes often use the PAN (card number, for credit transactions). According
>to what I heard, at one point the original specs of SET were altered in order
>to accommodate, as an option, the visibility of the PAN to the merchant,
>thereby giving up the other advantage of SET besides cardholder's
>authentication (i.e., protection of the card number from eyes different from
>cardholder's or banking system's).
I've run into the same issue with various companies (including some big ones)
who eventually run into the following situation:
"We need to encrypt our customer database because of security concerns over
credit card numbers being stolen. Oh yes, we use the CC# as the primary key
for all our accounts".
This practice seems to be fairly widespread. Workarounds are very difficult
(*everything* is keyed off the CC# as a unique customer ID, something like that
is very hard to fix in practice).
(And before someone jumps in with the obvious "It's easy, just replace the CC#
with <some cryptographic transform of the CC#>", consider the following
scenario: You have a company with gear distributed over 300 sites worldwide,
using software from 120 vendors running on 18 different platforms, of which 3
provide source code. 8 have gone out of business (the software is still being
used because it does the job), and all but the 3 which have source code
available use an undocumented, proprietary format for their data. Your job is
to provide a time-and-materials estimate on what it'd take to fix this. You're
allowed a maximum of 90 days and $50K (+ 3 programmers) to get the problem
solved).
Peter.
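As an added illustration (not part of Peter's post, nor code from any product he mentions), here is what the "just replace the CC# with some cryptographic transform" retort amounts to in Python. It derives a surrogate customer ID as an HMAC over the normalized PAN, and shows why the transform must be keyed: with the first eight and last four digits known (roughly what a masked display still reveals, an assumption of this example), a bare SHA-256 of a 16-digit PAN is inverted by enumerating a few thousand Luhn-valid candidates. The PAN 4111 1111 1111 1111 is a constructed, Luhn-valid test number, not a real account; the function names, the fixed known-prefix length and the key handling are this example's own choices.

```python
import hashlib
import hmac
import itertools
import secrets


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - 48
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_pan(pan: str) -> str:
    """Strip the usual separators and reject anything that is not a plausible PAN,
    so that '4111 1111 1111 1111' and '4111111111111111' map to the same key."""
    digits = pan.replace(" ", "").replace("-", "")
    if not digits.isdigit() or not 12 <= len(digits) <= 19:
        raise ValueError("not a PAN-shaped digit string")
    if not luhn_ok(digits):
        raise ValueError("PAN fails Luhn check")
    return digits


def surrogate_id(pan: str, key: bytes) -> str:
    """Keyed surrogate customer ID: HMAC-SHA256 over the normalized PAN, hex-encoded.
    Without `key` nobody can recompute or verify the mapping from PAN to ID."""
    return hmac.new(key, normalize_pan(pan).encode(), hashlib.sha256).hexdigest()


def unkeyed_token(pan: str) -> str:
    """The naive transform: a bare SHA-256 of the PAN. Looks random, but is not secret."""
    return hashlib.sha256(normalize_pan(pan).encode()).hexdigest()


def recover_pan_unkeyed(token: str, known_prefix: str, known_suffix: str,
                        pan_len: int = 16):
    """Invert a bare-hash token given the visible parts of the PAN: enumerate the
    unknown middle digits, keep only Luhn-valid candidates, hash each and compare.
    Returns the PAN on success, None if no candidate matches (e.g. a keyed token)."""
    unknown = pan_len - len(known_prefix) - len(known_suffix)
    for middle in itertools.product("0123456789", repeat=unknown):
        candidate = known_prefix + "".join(middle) + known_suffix
        if not luhn_ok(candidate):
            continue
        if hashlib.sha256(candidate.encode()).hexdigest() == token:
            return candidate
    return None


def demo() -> dict:
    """Run both transforms on the constructed test PAN and attack each one."""
    pan = "4111 1111 1111 1111"          # constructed Luhn-valid test number
    key = secrets.token_bytes(32)         # in practice: HSM / key-management, never the DB
    bare = unkeyed_token(pan)
    keyed = surrogate_id(pan, key)
    # The attacker sees the tokens plus the first 8 and last 4 digits (assumption).
    return {
        "bare_token": bare,
        "keyed_token": keyed,
        "recovered_from_bare_hash": recover_pan_unkeyed(bare, "41111111", "1111"),
        "recovered_from_hmac": recover_pan_unkeyed(keyed, "41111111", "1111"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two practical points follow from the code. First, the only secret in the keyed version is the HMAC key: if it sits in the same database as the tokens, you are back to the bare-hash case, and rotating it renumbers every customer, so key management has to be designed in from the start. Second, the output is a 64-character hex string, not a 16-digit number, so every column, index, report and vendor data format that currently holds the CC# as a numeric key has to change; the cryptography is the easy part of the exercise.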
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com