Monthly Archives: March 2007

Hash or Crypt…Hash or Crypt?

I read this story over on the BBC news this morning and sadly it’s not an uncommon one, except perhaps this one is on a *far* bigger scale than we usually hear about.

In a nutshell, a big US retailer has had data ‘stolen’ which contains customer credit card details, over 45 million customer credit and debit cards in fact. That number is simply mind-blowing, 45 million card details have been stolen, so if you owned that Company what would your response be? Here is a quote from the BBC site –

However, she said that for most people, the card details stolen would no longer be relevant.

That’s right, because some of the details date back to transactions from December 2002, many of the card details that have been stolen will now be invalid because the cards will have expired and new ones will have been issued.
Well, call me cynical, but is that *really* a good answer? Are they actually saying ‘we’ (I say we, but it’s unlikely that my details are amongst those particular ones) shouldn’t be too worried, because much of the data they stole was almost 5 years old? Do they have two servers there, one for really recent data which is ultra secure and one for old data that they’re not really too bothered if it gets stolen, because ‘hey the customer will have a new credit card by now’.

Now, the reason for this post, and the reason for the title for this post, is due to another comment I found on the story, which is:

the intruder had access to the decryption tool for the encryption software utilized by TJX

Now, obviously I don’t know the specifics of how their systems work, but I have worked on many financial systems so I can take a pretty good guess. The word that leaps out at me there is ‘encryption’. So, they either encrypted the entire customer record and the hackers have been able to decrypt it, or they encrypted the specific credit card details (such as the number) and the hackers decrypted that.

This is where I have a problem with it…..

Why do they need to retain that credit card number once I have completed a transaction? In other words, I go up to a counter at one of their stores to buy something, I hand over my credit card and either the transaction is accepted (if I have enough money in my account) or declined (if I don’t). Remember that the store is using a third party payment network, they are not processing the payments themselves, so they are passing on the card details to their payment handler who essentially says ‘yes’ or ‘no’.

So once that transaction has taken place, either successfully or not, why does the store need to retain my card details? They have no further need for them really, since I have not authorised them to retain the details to make my next transaction faster (in the way that some websites offer to….I *always* decline that offer!).

The only possible reason for maintaining those card details is for accounting and auditing purposes, i.e. so that they can say “Ahhh yes, he used his card on such and such a date at such and such a store to try and buy such and such an item”. But again, do they really need to store the full card details to do that?

That word in the quote ‘crypt’ suggests at least they weren’t storing the details in plain text (which would be even worse) and were at least attempting to encrypt the data, although if someone has access to the decryption routines then exactly how useful is encrypting it really?

I would suggest that it would have made far more sense to ‘hash’ the card details rather than ‘crypt’ them. Hashing is a one way function (currently in theory at least), once you hash something you cannot get back the original content by ‘unhashing’. So, they could have stored a hashed version of the card number details (combining the card details with some other criteria to stop someone using a list of all possible hashed card details). Then if someone steals the data, all they have is a hashed code representing my card details, rather than having my *actual* card details.

If I ever wanted to query a transaction with the store, I would simply need to tell them the credit card number I used, they could hash that card number and compare it with their stored hash value to confirm it was the same card.

I always use hashes if I need to store passwords in applications that I write, there is simply no reason to use encryption for that. You use encryption when you want to be able to get back the original text. For things like passwords you do not need to get back the original text, all you need to do is hash the text that the user enters and compare it with your stored hash value and see if they are identical.
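As an added illustration of the store-a-hash-and-compare approach described above for both card numbers and passwords (this is example code, not anything from the post or from the retailer’s systems), the snippet below keeps only a random per-record salt and a slow salted hash, and verifies a presented value by re-hashing it; the card number is a constructed test value.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2. A slow hash matters here because a card number has
# far fewer possible values than a good password, so guessing must be costly.
ITERATIONS = 100_000
SALT_BYTES = 16


def make_record(secret: str, salt: bytes = None) -> dict:
    """Return what the store would keep: a random per-record salt plus the
    salted hash of the card number (or password). The secret is not stored."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify(secret: str, record: dict) -> bool:
    """Re-hash the value the customer (or user) presents with the stored salt
    and compare it with the stored hash in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)
    return hmac.compare_digest(digest.hex(), record["hash"])


def demo() -> bool:
    # Constructed sample card number, not real data.
    pan = "4111111111111111"
    record = make_record(pan)
    stored_matches = verify(pan, record)
    other_rejected = not verify("4111111111111112", record)
    # The same card hashed twice gives different records, so a precomputed
    # list of hashed card numbers is useless against this table.
    different = make_record(pan)["hash"] != record["hash"]
    pan_absent = pan not in record["hash"] and pan not in record["salt"]
    return stored_matches and other_rejected and different and pan_absent


if __name__ == "__main__":
    print("ok" if demo() else "FAILED")
```

Note that the per-record salt and the slow hash are what stop someone with a copy of the table from simply hashing every possible card number and looking up matches.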

I have worked in lots of ‘secure’ environments and on lots of ‘secure’ systems and sadly it is all too common for security issues like this to not be thought out properly, but when you’re in charge of 45 million card details I think you have an obligation to do things ‘properly’. I can’t believe that nobody ever stood up at one of their meetings and said “But what if someone gets access to the decryption routine?” because then the answer should have been clear, that using encryption was not appropriate in this case.

Perhaps someone will manage to convince me of a reason why it was necessary for them to maintain the card details themselves, but until then I’m going to continue to Hash rather than Crypt.

First 3.0 Upgrade

Well, only minutes after blogging about 3.0 being made public, I’ve downloaded and successfully upgraded one of my laptop installations (upgraded 2.2 to 3.0).

All went extremely smoothly, without any major issues.

Once again, well done and thanks to the Oracle team, they’ve made it an extremely smooth process!

Apex Evangelists goes live!

Today Dimitri Gielis and myself are launching Apex Evangelists, we formed the idea for an Application Express services company during one of our many discussions at Oracle Openworld and over the last few months have honed our idea of what we are going to provide.


The idea behind Apex Evangelists is that we will use our knowledge and experience of Application Express to provide a range of services, some of which are listed here –

  • Application & Website Development (plus of course hosting)
  • Training & Coaching (onsite and in our European Training Days)
  • Application and Database Migrations
  • Support Services

Our primary goal is to be able to provide these services to the European market and to generally evangelise (hence the name!) about how beneficial using APEX can be to European companies. We also decided that in order to take on bigger projects than just the two of us could handle, and to cover more of the European market, we would need to involve other great enthusiastic APEX developers, so we’re pleased to announce that Dietmar Aust, Patrick Wolf and Denes Kubicek will be helping us in our quest.

These are very exciting times and I’m sure that there are busy times ahead!

An hour well spent…

I’ve just finished watching a presentation that Jonathan Lewis has recorded and made available which covers how the optimizer works and how you have to think when dealing with a difficult problem in SQL.

The presentation is (as you’d expect) extremely well done and Jonathan covers some extremely advanced subjects in a way that makes them (slightly!) easier to understand. I attended one of the presentations that Jonathan did at Open World and I can remember sitting there thinking “That makes sense, I must look into doing that” and then of course once you get back home other things crop up and you don’t get a chance to look at it again.

I’m very happy that Jonathan has chosen to share the presentation online, it makes fascinating watching and I have learned a huge number of useful things.

So, do yourself a favour, grab a coffee/tea/beverage of your choice, take the phone off the hook, put up a Do-Not-Disturb sign on the door and watch the presentation, your experience with the database will be all the better for it.