Hash or Crypt…Hash or Crypt?

I read this story over on the BBC news this morning and sadly it’s not an uncommon one, except perhaps this one is on a *far* bigger scale than we usually hear about.

In a nutshell, a big US retailer has had data ‘stolen’ which contains customer credit card details, over 45 million customer credit and debits cards in fact. That number is simply mind-blowing, 45 million card details have been stolen, so if you owned that Company what would your response be? Here is a quote from the BBC site –

However, she said that that for most people, the card details stolen would no longer be relevant.

That’s right, because some of the details date back to transactions from December 2002 many of the card details that have been stolen will now be invalid because the cards will have expired and new ones will have been issued.
Well, call me cynical, but is that *really* a good answer? Are they actually saying ‘we’ (I say we, but it’s unlikely that my details are amongst those particular ones) shouldn’t be too worried, because much of the data they stole was almost 5 years old? Do they have two servers there, one for really recent data which is ultra secure and one for old data that they’re not really too bothered if it gets stolen, because ‘hey the customer will have a new credit card by now’.

Now, the reason for this post, and the reason for the title for this post, is due to another comment I found on the story, which is:

the intruder had access to the decryption tool for the encryption software utilized by TJX

Now, obviously I don’t know the specifics of how their systems work, but I have worked on many financial systems so I can take a pretty good guess. The word that leaps out at me there is ‘encryption’. So, they either encrypted the entire customer record and the hackers have been able to decrypt it, or they encrypted the specific credit card details (such as the number) and the hackers decrypted that.

This is where I have a problem with it…..

Why do they need to retain that credit card number once I have completed a transaction? In other words, I go up to a counter at one of their stores to buy something, I hand over my credit card and either the transaction is accepted (if I have enough money in my account) or declined (if I don’t). Remember that the store is using a third party payment network, they are not processing the payments themselves, so they are passing on the card details to their payment handler who essentially says ‘yes’ or ‘no’.

So once that transaction has taken place, either successfully or not, why does the store need to retain my card details? They have no further need for them really, since I have not authorised them to retain the details to make my next transaction faster (in the way that some websites offer too….I *always* decline that offer!).

The only possible reason for maintaining those card details is for accounting and auditing purposes, i.e. so that can say “Ahhh yes, he used his card on such and such a date at such and such a store to try and buy such and such an item”. But again, do they really need to store the full card details to do that?

That word in the quote ‘crypt’ suggests at least they weren’t storing the details in plain text (which would be even worse) and were at least attempting to encrypt the data, although if someone has access to the decryption routines then exactly how useful is encrypting it really?

I would suggest that it would have made far more sense to ‘hash’ the card details rather than ‘crypt’ them. Hashing is a one way function (currently in theory at least), once you hash something you cannot get back the original content by ‘unhashing’. So, they could have stored a hashed version of the card number details (combining the card details with some other criteria to stop someone using a list of all possible hashed card details). Then if someone steals the data, all they have is a hashed code representing my card details, rather than having my *actual* card details.

If I ever wanted to query a transaction with the store, I would simply need to tell them my credit card number I used, they could hash that card number detail and compare it with their stored hash value to confirm it was the same card.

I always uses hashes if I need to store password in applications that I write, there is simply no reason to use encryption for that. You use encryption when you want to be able to get back the original text. For things like passwords you do not need to get back the original text, all you need to to is hash the text that they user enters and compare it with your stored hash value and see if they are identical.

I have worked in lots of ‘secure’ environments and on lots of ‘secure’ systems and sadly it is all too common for security issues like this to not be thought out properly, but when you’re in charge of 45 million card details I think you have an obligation to do things ‘properly’. I can’t believe that nobody ever stood up at one of their meetings and said “But what if someone gets access to the decryption routine?” because then the answer should have been clear, that using encryption was not appropriate in this case.

Perhaps someone will manage to convince me of a reason why it was necessary for them to maintain the card details themselves, but until then I’m going to continue to Hash rather than Crypt.

2 thoughts on “Hash or Crypt…Hash or Crypt?

  1. Mike Long

    The problem with them storing it is two fold. The third party network processess the payment but the third party is NOT responsable for disputes. If someone disputes a charge then it would go back to the retailer. Now this would not explain why they need it for more then 5 to 7 years but Tax issues would and audit issues would.

    The Dem’s in office here in the US have stated that they want to track every creidt card purchase ( in thinking that they can find more money people are earning ). If this goes through then you will find many institutions saving CC data for 7 years or more.

    And again, the third party would not be responsable for this, the retailer would… (and ofr audits is responsable…



Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s