House of Hackers

J

The reason companies need 5 lines of code

It's been my experience that there are always new ways to get information from people. One of the more intrusive ways is to actively sniff account information off the network and copy it for your own needs. It is important to understand how this works so you know what risks you take in a store and just how simple it can be. These days plenty of rules are going into effect for retailers; however, due to budgets or workloads, it just isn't happening fast enough, as seen on WIRED here:


http://blog.wired.com/27bstroke6/2008/05/international-h.html


The truth is I have helped to work on these systems before, and it really doesn't take much for a program such as this to be rendered completely useless. In most cases it would take more than 5 lines, but not much more. Of course many different OSes are used for store servers, so the code is always a little different, but the idea is still the same. At its simplest, just keeping the card number unreadable (masked or encrypted wherever it is stored or logged) goes a long way and could have stopped this from happening. The larger retailers have already started to fold this in and work toward what is called PCI compliance, a series of steps to keep your card's information electronically secure. Such things do take time, but in this case they are quite important and need to be done before the next big hole is found.
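As an added illustration of "keeping the card number unreadable" (this is example code written for this post, not anything from the author's systems or from a PCI standard), the block below does the two things a store server can do in a handful of lines: truncate a PAN to the first six and last four digits before it is displayed or logged, and replace it with a keyed HMAC token when it only needs to be matched across transactions. The log lines, the card number (the standard 4111... test number) and the key are constructed for the example; a real key would come from a key-management system, never from source code.

```python
import hashlib
import hmac
import re

# Constructed example key: illustrative only, never ship a key in code.
TOKEN_KEY = b"example-key-not-for-production"

# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check: weeds out order numbers and timestamps that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits; the middle is unrecoverable."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("not a card number")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def tokenize_pan(pan: str, key: bytes = TOKEN_KEY) -> str:
    """Keyed HMAC of the PAN: lets you match a card across transactions without storing it."""
    digits = re.sub(r"\D", "", pan)
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def scrub_line(line: str) -> str:
    """Replace every Luhn-valid PAN-shaped run in a log line with its masked form."""
    def _repl(match: re.Match) -> str:
        raw = match.group(0)
        digits = re.sub(r"\D", "", raw)
        return mask_pan(digits) if luhn_valid(digits) else raw
    return _PAN_RE.sub(_repl, line)


def scrub_log(lines: list[str]) -> list[str]:
    """Scrub a batch of log lines before they are written to disk or shipped anywhere."""
    return [scrub_line(line) for line in lines]


if __name__ == "__main__":
    # Constructed sample POS log lines.
    sample = [
        "2008-05-20 14:02:11 pos01 sale approved card=4111111111111111 amt=42.17",
        "2008-05-20 14:02:12 pos01 receipt order=1234567890123 printed",
    ]
    for line in scrub_log(sample):
        print(line)
    print("token:", tokenize_pan("4111 1111 1111 1111"))
```

The Luhn check matters in practice: a bare "13 to 19 digits" pattern would also mangle order numbers and timestamps, and an over-eager scrubber is the first thing an operator disables.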


*picture borrowed from www.democraticunderground.com

Tags: pci, security, sniffing, wired


2 Comments

Comment by J on May 21, 2008 at 1:22pm
Yeah, PCI is really just the credit companies covering their ends since the transmission is going to them and they could get in some trouble if someone pulled it from them in transmission. Luckily there are some organizations willing to mask it all the way through, or at least most of the way. I do think that's a minority.
Comment by cryptik on May 21, 2008 at 12:27pm
Unfortunately PCI does not state that the data has to be encrypted within your organization. It just states that it has to be encrypted when it goes out to an open network. This definitely needs to be changed. The data should have to be encrypted at all times. All in all I definitely agree with you.
