- Feature Articles
- CodeSOD
- Error'd
- Forums
-
Other Articles
- Random Article
- Other Series
- Alex's Soapbox
- Announcements
- Best of…
- Best of Email
- Best of the Sidebar
- Bring Your Own Code
- Coded Smorgasbord
- Mandatory Fun Day
- Off Topic
- Representative Line
- News Roundup
- Editor's Soapbox
- Software on the Rocks
- Souvenir Potpourri
- Sponsor Post
- Tales from the Interview
- The Daily WTF: Live
- Virtudyne
Admin
And you're not necessarily increasing inconvenience for the customer - you're just trading an unknown for a known. Once the exploit is known and published, the customer will have a much easier time getting remedied, since there's no where for the company to hide. While it's hidden, the customer can still get screwed, but now the company can play dumb.
(Which is why I think the credit card companies are so friendly when it comes to fraud - it happens so much it's part of the routine customer service.)
Admin
Admin
Encryption functions are NOT something you should write yourself. There are many reasons why; many encryption functions break down not in the theory, but due to subtle holes in the implementation. See Bruce Schneier for the reasons why. Fascinating reading.
Admin
Wait... Most of what you said makes sense, but "Just because they don't ask for it isn't a guarantee that they store it" made my head explode. If they don't EVER ask for it, they can't store it. I don't remember if they ask for it on the first submission or not; maybe that's what you mean.
Still, there are very few sites that I allow to keep a CC of mine on file. Paypal and Amazon are two of them, and there is one more.
I think I was lucky that the debit card/ATM card of mine that was compromised, which resulted in money getting taken out of my checking account, did not have too many consequences such as (for example) my mortgage bouncing.
To digress, I had a friend who worked for a VERY large company (Fortune 500) where the interest on the float per day was huge. The company always put money in the account that employee paychecks were drawn on, over a period of several days after each pay period. In other words, there was not enough money to pay all employee paychecks on the first day after the paychecks were given out. (There was enough money there by about the fifth day, when almost all employees would have cashed their checks, or their deposited checks would have reached the issuing bank.)
This was in the mid 80s when actual checks were more common than they are now (direct deposits and such).
One of his paychecks that he deposited actually bounced, and then his check to his mortgage company bounced. Boy, was he pissed. He was compensated somehow; I forget the details.
Admin
Admin
Granted, my hypothetical function wouldn't perform any encryption itself, but I may still candidly refer to it as the "encryption function," since technically it is the function where I'm encrypting the passwords.
But if you assumed correctly, and if the GP did actually write the encryption logic, well, you're right, he SHOULDN'T do that.
Admin
Right, that is true. On the other hand, if you are REALLY trying to implement an encryption algorithm yourself, don't do it unless you completely understand papers that are as complex as http://www.iacr.org/archive/eurocrypt2002/23320530/cbc02_e02d.pdf.
Admin
If you are not a mathematician or crypto researcher type and you are writing an encryption function... you are probably doing it wrong. Use a prebuilt, verified library.
Admin
Sounds like she was working for ACS:Law! http://www.bbc.co.uk/news/technology-11425789
Admin
Yeah, and to think my company went through all that trouble to be PA-DSS and now PCI-DSS compliance certified.
If only we knew you could just store nearly-plaintext card data indefinitely!
All that PABP stuff was plainly just a waste of our time...
Admin
Some points exemplified by this paper are a bit more subtle than just "don't touch cryptography yourself":
First, the attack described in the paper is completely independent of the actual cryptographic primitive (block cipher) being used. It's all in how this primitive is used in a larger context. So even if you refrain from coding any encryption primitives (and get them from a platform library instead) you can still be burned.
The major opportunities to shoot oneself in the foot are not in the cipher (assuming you stay away from completely idiotic things like trying to design your own), but in mistakes about modes, key management, protocols, and various other high-level brainfarts that using even a state-of-the-art crypto library will not help against unless you understand the basics of what is going on, which safety properties you get and how the components of the system work together to provide those properties. Arguably, to the extent that using an external library lulls you into thinking that you don't need to know about these things to work at the application level, you can be worse off using it.
In fact, it is easy and not particularly error-prone to implement an existing cipher primitive such as AES or Twofish. If the source is free of blatant backdoors and tests OK against test vectors from a standard or a reference implementation, it's unlikely to be a safety problem (unless you need it to work in untrusted execution environments like a smartcard that can fall into the hands of adversaries). About the only risk is circumstantial, namely that if you're coding the cipher yourself, who knows what else you're also doing yourself, including the stuff that does present footshot opportunities.
Last but not least: the fact that Vaudenay's attack works against quite a lot of respected and widely trusted frameworks. This demonstrates that using somebody else's crypto code is not a panacea. It just means that when you're shot in the foot it won't be you who pulled the trigger. On the other hand, someone who had decided to program CBC from scratch might well be immune from the Vaudenay attack, because they'd be "too stupid" to check redundant padding bytes while decrypting.
Admin
I guess the reasoning is that use of MS Access more or less guarantees that the data will become lost or corrupted sooner or later, so it's perfectly safe.
Admin
Admin
Assuming that you're at home, have plenty of supplies, and have nothing to do but sit there for the next week or so waiting for your card...and don't have any bills due, then that might be trivial.
For someone who's traveling a long way from home and relying on the card to pay for their hotel, car rental, etc., or someone with rent, medical, or other bills which need that money for payment, or even just someone who expects to be able to buy groceries and fill up their gas tank to commute to work for the week, maybe not so trivial.
One of many reasons why I no longer rely on debit cards or bank accounts. They have a habit of losing your money when you need it most and then requiring you to wait through weeks or months of bureaucracy while they try to find it again. And you're lucky if they don't try to charge you extra overdraft fees for losing your money and additional overdraft fees because they lost your money so you couldn't pay the overdraft fees for them losing your money...
Admin
Depends on the position being applied for ...
Admin
The real WTF is that credit cards do not use Secure ID tokens to verify them. Those contain a 6-digit number that changes every minute.
You can verify your card by giving the number for the current transaction because within a minute that number will be invalid.
Of course someone with a huge database of credit card numbers could pick a random 6 digit number and try to verify a transaction on all of them with it hoping to strike lucky, so it probably needs a bit more security too, but it would certainly be a start.
Admin
Admin
Admin
Admin
Admin
Admin
Now if my answer was different (as it was in the scenario posted earlier) then they would have canceled the card, initiated the replacement, and told me it was canceled and the new one was on its way.
Admin
Admin
Admin
Now that is the real WTF! Priceless.
Admin
Ah, and perhaps that'll teach me not to assume every dialogue I read on a web forum is an exact transcription of what really happened... Bloody hell, it brings out the pedant in some of us, doesn't it?
Admin
TRWTF is that it took me until now to get "ROT26."
Admin
To solve this problem for people at companies that "standarize" on encrypting with ROT13 twice, I started anonimatron: [image]
Please help me save the world. ;-)
Admin
Admin
No, they may quite simpy charge repeat purchases without the ccv. The bank will allow it - simply the merchant takes the risk on himself. And the merchant may easily judge that the customer convenience of not requiring to enter anything outweighs the risk there.
Admin
if it were me, i'd have run a process to turn the entire file into text comments, or encrypted it... not from a local terminal though, and added the decrypt key to the end of the file or something. if there was cooler blab 'well, i don't know what happened, maybe the security layer i added when i was doing intern work failed' go away 'nope, someone removed the security layer. the cracker was nice enough to put the decrypt key at the end of the file though, so i was able to fix it in a few seconds. emergency over, but, you should track down the person that decided to remove that security layer and cut their toes off or something'.
Admin
Companies don't have to get the CVVC. Charges will go through just fine without it. I'm told there's a discount on the merchant charges if it is supplied, but it's not mandatory. Amazon (or whoever) isn't necessarily storing the CVVC, they might just be eating the extra $0.25 or so per transaction.
Admin
Fortune 500 company, Unsecured and unencrypted database,
I'm guessing the company is Sony.
Pretty much like them as much as we know...
Admin
Seriously, this is the bloody problem with interns and others who think they know everything - they have no real-world experience, and they're not willing to listen. There are always politics involved in these decisions - I'm sure the implementer knew the security was missing and wanted to add it. Did the project have budget? Probably not. Did he recommend they don't go live till it was implemented? Probably. Did management listen? Guess.
I've seen this happen so many times at so many organisations that you could call it a pattern. Then some snarky intern who thinks they know best goes to management with it, and the political games and blamestorming start. Welcome to the corporate world.
Admin
Which the letter of the alphabet did you drop in order to add the period and the digits two and six?
If you allow those, you are going to need ROT29 :-)