Don't store the truncated card number with a non-salted hash of the card number

If an attacker acquires the database or database records AND you store a truncated card number alongside a non-salted hash of the account number (which is a PCI compliant approach, BTW), it takes about 3 minutes per card to recover the plaintext value and generates a ~9MB file.

Hashed account numbers are typically stored to assist in looking up cards in the database: the querying application calculates a hash of the account number and queries on that hash to find the related transactions without using the account number itself.

Let's use the following test card as an example: 4111111111111111

This would be stored or displayed as: 411111______1111

I wrote a small program that iterates through the missing digits, checks the checksum (Luhn), calculates the MD5, SHA1 and SHA-256 hashes of each candidate and stores them in a file. This program took approx 3 minutes to run per truncated card.

You would typically see a data record that looks like this:

    Masked Account Number      411111______1111
    Hashed Account Number (*)  68BFB396F35AF3876FC509665B3DC23A0930AAB1
    Encrypted Card Number (**) 4888e25d9d01532e343dd261cbcebc91ccb17d029496b8c5

(*) SHA1 hash of 4111111111111111
(**) 3DES of 4111111111111111 with "forum.aegenis.com" as the key

With my program:

    dbergert@debian:~$ bin/bruteforce.bsh 411111______1111    .. takes ~ 3 minutes to run
    dbergert@debian:~$ grep "68BFB396F35AF3876FC509665B3DC23A0930AAB1" bruteforce.txt
    4111111111111111,5910F4EA0062A0E29AFD3DCCC741E3CE,68BFB396F35AF3876FC509665B3DC23A0930AAB1,9BBEF19476623CA56C17DA75FD57734DBF82530686043A6E491C6D71BEFE8F6E

I guess the key lesson is to use salted hashes, and just because you can show the first six and last four, if you don't have a business need, only show the first digit (for card type) and the last four (which would only add to the time this process requires...).

*** Please don't email me for the code, you are not getting it.
Update: Just for fun I calculated how long it would take to brute-force if you only stored the first digit and last four, i.e. 4____________1111. You are looking at a single processor taking 347 days, with a file that is 1.47 terabytes in size, but remember that this only needs to be calculated once, and that the time can be further reduced by using well known BINs. Reducing the displayed digits from 10 to 5 changes the timing from 3 minutes to 347 days. I wonder when we will see longer account numbers.
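As an added illustration of the two points above (it is not the author's bruteforce.bsh, which the post withholds), this Python quantifies how many Luhn-valid PANs fit a given mask and shows the keyed-hash lookup value a defender should store instead of a bare hash. The 10**(k-1) observation, the mask strings and the demo key are my own assumptions; a real key belongs in an HSM or KMS, not in source.

```python
import hashlib
import hmac


def luhn_valid(pan: str) -> bool:
    """Standard Luhn checksum over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def candidate_space(mask: str) -> int:
    """Number of Luhn-valid PANs that fit a mask such as 411111______1111.

    Doubling-and-subtracting-9 maps the ten digits onto ten distinct residues
    mod 10, so once all but one unknown digit are fixed exactly one value for
    the last one passes Luhn. With k unknown digits the space is 10**(k-1),
    which is why the post's six-digit gap is a 100,000-line file, not a
    million-line one.
    """
    k = mask.count("_")
    if k == 0:
        return 1 if luhn_valid(mask) else 0
    return 10 ** (k - 1)


def bare_sha1(pan: str) -> str:
    """What the post warns against: reproducible by anyone who sees the mask."""
    return hashlib.sha1(pan.encode("ascii")).hexdigest().upper()


def lookup_token(pan: str, key: bytes) -> str:
    """Keyed lookup value (HMAC-SHA256). Without the key the candidate list
    above cannot be turned into matching tokens, so the mask no longer helps."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    demo_key = b"constructed-demo-key-never-hardcode-a-real-one"  # assumption
    for m in ("411111______1111", "4" + "_" * 11 + "1111"):
        print(m, candidate_space(m))
    print(bare_sha1("4111111111111111"))
    print(lookup_token("4111111111111111", demo_key))
```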
