Keeping Private Customer Data...Private?

Suffering Sekret Keys asks: "When I first started working for the company I'm with now, back in 1996, I was charged with finding a way to keep our customer credit card info secure in our database. Now that I'm smart enough to realize the flaws in this system, I am wondering how you avoid the catch-22 of needing to be able to encrypt/decrypt the data on the same machine that houses it, without exposing a secret key that could make that data more vulnerable in the event of an intrusion?" This question has been submitted a few times, recently, but this was the best one out of the lot. It seems many of you are wisely concerned about private data stored on your company's net, and the risks involved if it gets stolen. Well, now is your chance to discuss various solutions. How would you securely store your customer's private information, especially when it comes to critical pieces like credit card numbers?

"I chose 1024-bit PGP encryption with a long passphrase. I use the Cryptix java package to handle the encryption from a Perl script (the reasons for this are legacy related, but I'm in the position where I can start clean if need be -- a Perl-only solution would be great).

The thing that makes me nervous is the secret key being stored on the machine that houses the database. The reason for this is so that our billing staff can handle the recurring billing. (They have a web interface where they must enter the passphrase to gain access to the credit card information.)

I have realized for a long time now that if someone gained full access to this machine, they could fairly easily run a brute-force attack on the encrypted data, if they found our secret key on that machine. But when we recently worked on our privacy policy, this potential problem became more important.

What changes could we make to our setup so that we can encrypt/decrypt the credit card information on the same machine that houses the data, while making it as hard as possible to decrypt the credit card data assuming the entire machine was stolen (or cracked)?

We are a very small company. How do "the big boys" handle these things? What is the best book on this particular subject?"

While this setup may work well for credit card numbers, what about setups that will protect other personal information like a customer's address and phone number? Would such information be practical to obfuscate in such a manner?

Why store cc# at all?

[EricBoyd]

I think the first question these people should ask themselves is why they are storing their customers cc # at all? If you can avoid doing that, it's by far the most "secure" solution!

Websurfing done right! - StumbleUpon

Re:Why store cc# at all?

[corebreech]

So when I ask for my money back you guys can figure out which account to credit.

Re:Why store cc# at all?

[Sharkyfour]

The reason for this is so that our billing staff can handle the recurring billing.

It's right there in the article.

Re:Why store cc# at all?

And even more importantly - if you must store them, shuffle them off to a machine that is not on the Internet.

At my old company, there was a system which handled new CC number entries. As part of a nightly process, they were moved into a database on a separate machine which was only connected for that window of time. All of this was on top of standard security measures. So the biggest risk was having the "temporary" entries compromised.

Re:Why store cc# at all?

[realdpk]

It's not unusual for a merchant to ask for your credit card to process the refund. So, they ask for that again, and it's compared against a hash generated from the original order. Tada, easy as pie.

Re:Why store cc# at all?

[gmack]

There are many reasons that it may be needed such as fraud control, credit backs etc.

One scenario is if you discover a card was false after you charged it. It's a lot cheaper to credit the card before the real owner generates a charge back since there is a signifigant fee (for the reseller) attatched. You can't do this if you don't have the number stored somewhere.

2 basic things can help keep the customers secure though.

1: not storing more info than you have to. On this point there is NO excuse for keeping the CVV2 info yet I see people doing this a LOT.

If they don't have the CVV2 codes the card will be harder to use as more credit card companies demand it's use. Use the code to verify the card then forget what it was. (yes I've seen buisnesses store it in the db)

2: properly secured servers with up to date patches/daemons. If the server isn't secure it won't matter how much you use encryption they can simply grab the data as you process it.

Re:Why store cc# at all?

[ncc74656]

So when I ask for my money back you guys can figure out which account to credit.

You store the last four digits and ask for the full number at refund time. It's what the big chain stores do...look at a receipt; it'll typically have on it the last four digits of whatever card you used. You have enough information to know which card to accept for the refund, but not enough that a disgruntled/dishonest employee (or the 1337 h4X0r who just 0wn3d j00) can do something bad with it.

Re:Why store cc# at all?

[jackb_guppy]

Your database server should not be the machine processing the credit cards. That is billing. You encrypt your card number with the billing machine's public key (better yet the banks). When the billing machine access the data it can decode the credit card to readable form.

If you need to search database by credit card number... just encrypt with public key and use that agianst the database encrypted card number. Same as checking your password in Unix -- a one way transformation. If you do not want to use that -- use 2 16 bit CRC (with different primes) makes a nice one way "finger print" -- very few matches.

Re:Why store cc# at all?

[corebreech]

Or if the merchant doesn't bill your credit card until they ship?

Or if they bill your credit card in installments?

Or if they require your credit card on file in order to prove your creditworthiness?

Refunds are but a single example. There are many reasons for having a CC# on file.

big companies

If work for a big bank in Canada (about 3 million clients), and you would be surprised to know that out databases are NOT encrypted in any way...

In fact the sole security rests on the passwords and the physical access to the machine.

But our servers are in a secured building, administered by IBM (you should see what it takes just to be able to enter the computer room, let alone trying to stay 1 minute in front of a console without someone asking you what you are doing there...)

Re:big companies

> If work for a big bank in Canada (about 3 million clients), !
I don't think that the National Bank of Canada whom have 3 million client can be considered like a Big Bank !
Anyway who can trust a Bank who need IE to access it's "Secure" Internet banking

Re:your first problem

[baudbarf]

I suggest you change your solution to run on Win2k.

Ah, yes, if you want to increase your security, run a Microsoft OS. And if you want to increase your protection against STD's, use condoms manufactured by Firestone.

I wonder...

[kill-hup]

I wonder if this question (and the others mentioned) have anything to do with this recent IDG story.

A little obfuscation?

[Hard_Code]

create a new column called, say, PASSWORD, in the database, and throw some random junk in there, and hope the cracker wastes all their time trying to crack *that* ;)

Re:A little obfuscation?

[lrichardson]

One place I worked at had a couple of interesting little tricks, in the same vein. First, numbers (SSN, cc) were simply encrypted (e.g. SSN + 123456789). Next, there were bogus entries. And a good number (i.e. the first 100 odd records) were not just bogus, they are traps ... if someone in the RW tries to use the account, all sorts of alarms go off ... the cc co. phones the company that has the trap account on their file, and then all hell breaks loose.

I had to laugh at the one incident that occured while I was there ... turned out to be an employee of the cc co. who lifted the file, which caused the headless chicken dance at work.

But, as others have pointed out, keeping the data on another non-internet connected system is probably the simplest and best method

Don't decrypt

[Osty]

Why do you need to decrypt the credit card number? Once you've encrypted it and stored it in your database, that should be it. It should never need decrypting (by you, anyway -- your financial partner will have a key for decrypting, and if you can't trust them then you have other problems). No actual person should ever see the unencrypted number, nor have access to that number (too much temptation there).

Of course, the very best thing to do is simply never store the credit card. Granted, your business model may not allow that, but it's still the safest option (crackers can't get what you don't have).

Re:Don't decrypt

[jackb_guppy]

Agreed.

I just did a transfer function, GnuPG at 2048.

Each end knows the other's public key and that is it. One way transmission.

And just for that warm fuzzy feeling, we compress and use a secondary cypher just to make it a little harder.

Why store secret key?

[demi]

I've done something similar before (though it was passwords, not credit card data) and the trick is to not store the secret key anywhere, especially on the server that stores the data.

I coded a server component that could decide whether a requester could view an encrypted datum (for example, if the requester authenticated correctly) and decrypt it using a key stored only in memory, that had to be entered by a human being to start the server. The humans who could administer the server memorized the key. A small enough amount of data was stored that changing the key was feasible.

This server was in perl, but the encryption/decryption code was in C; I used blowfish (libblowfish) and also stored the key in a C buffer pointed to by a perl scalar, and used the mlock() system call to prevent the key from being swapped--an alternative might be to use OpenBSD where it is possible to encrypt the swap area.

Anyway, I hope that gives you some ideas. Any form of storing or recording the decryption key reduces to storing the credit card numbers in plaintext, so you should avoid that.

Re:Why store secret key?

[Hard_Code]

"Any form of storing or recording the decryption key reduces to storing the credit card numbers in plaintext, so you should avoid that."

Well, if you want to get technical, if they rooted the box, they could still presumably walk through memory (ok, encrypted swap would add another level here).

Re:Why store secret key?

[pogle]

My usual method of key storage is to have all my keys on a mini-cdr. There exist two copies, one in a safe box of some sore (safe deposit, fire safe, etc) and one under lock and key or on my person at all times. Insert the disk, access the key, remove the disk. I know that one could still parse thru memory, but thats a royal PITA in any case that I don't worry about too much, as my data isnt *that* critical to worry about encrypted swap. When it comes time to change the key, change it, burn the new one to a new pair of mini-cdrs, and destroy the old two (fire works well). Then even if someone downloads your encrypted data and you change the key, they can never recover the old key from a garbage bin or something.

Re:Why store secret key?

[H310iSe]

While I'm sure this is a great solution, I'm a poor network adm who was literally thrown into the job (I have other specialties, server admin just isn't one of them), I can barely program javascript no less C, and I have been tasked w/ securing a server w/ CC #s on it (as w/ the poster, they're used for recurring billing).

When I firewalled the server I found a backdoor was already on it.

Anyway, are there any far-less-than-perfect-but-even-a-networking-newbie -can-implement-them solutions? I'd like to do SOMETHING but realistically my employer is not going to pay for a 'real' net admin to do the work and I can only learn so much so fast...

Oh, to make matters more interesting the server is NT 4 running SQL 6.5 w/ a blank SA password (which must be blank due to ... oh, I don't want to get into it...)

I'll be happy to R any FMs y'all suggest.

Re:Why store secret key?

[dubl-u]

Or better yet, no swap at all. For all of the real-time (as opposed to batch) server stuff I write, I make sure the hardware should never need to swap. Once you allow swapping, response time goes into the toilet, usually causing queuing and spiralling delays. Yuck.

Of course, root can still walk through RAM, but there are ways to fix that. I've lately been trying LIDS, which adds a more complex permission model. You can make it so that root is normally pretty limited, requiring a separate maintenance password to do anything dangerous.

Re:Why store secret key?

[Oestergaard]

So when you crack the server and get root, you need to go *all* the long way to a gdb which you attach to the running process, in order to get the key out.

Wow. Good thing it doesn't get swapped out, then the "print" from gdb might have taken an extra millisecond ;)

Re:Why store secret key?

[ChadN]

It has been shown that encryption keys can easily be found in dumps of memory, because their entropy patterns do not match surrounding memory. It helps to produce hashed chunks of memory as decoys, and then embed the key in one of these chunks (obviously, the chunks should have a similar entropy profile as the surrounding decoy memory).

If these are session keys, this obfuscation can help delay the time it would take to discover the key (by following pointers, etc.). But just storing keys in memory, without obfuscation of some sort, is a no-no.

Credit cards should, ideally, NEVER be stored online. They should be combined with other necessary information (name, address, etc.), then stored as a hash (just like UNIX does with the secret password file). Any intruder who gets the hashed data won't directly be able to use a credit card.

BTW, it is also the way Slashdot should have been storing user passwords (except that they want to be able to mail your password to you). For that, they need an offline database, and the encrypted passwords could be loaded into memory with a session key, as above.

Re:Why store secret key?

[dubl-u]

And what happens when they compromise the second password? [/obvious] Great idea.

This is one of the things about talking about security that makes me froth. The implication is that perfect security is unachievable, ergo all imperfect security attempts are somehow dumb.

This yutz probably has a lock on his house. A smart guy could pick it in under a minute. A beefy guy could just kick down the door. A sneaky guy could probably get in through a window. A smooth guy could pose as a postman and get him to open the door. A brutal guy could kidnap his girlfriend and demand to be let in. Does this mean that locks are useless? That we should forget about them, leaving our houses open?

In this particular case, I said, "here is a way to make it so that somebody who has rooted your box can't do anything harmful." The scoffing answer of "what happens when they compromise the second password" is so clue-deficient that it is probably a troll, but in case somebody has been fooled by it, reasonable answers are:

• They're unlikely to get the first password; 99% of breakins involve getting root through insecurities, not through password compromise.
• And how would that happen? The password is only used during OS maintenance, which should happen rarely on a production server. LIDS itself protects the LIDS binaries from being trapdoored. Use it only from the console to remove a number of network risks.
• Then do something more! This is all open-source software; if you need SecureID cards, thumbprint scanning, and blood sampling, you can put that in, too.

Nothing is perfectly secure; the interesting question is how much you can get for a given level of money and inconvenience. LIDS adds quite a bit of security for relatively little inconvenience.

avoid the problem

[dan_bethe]

One way for small businesses to deal with the problem would be to avoid it by using Paypal. They're a reputable financial institution which can broker the exchange for you. You would never know the other party's confidential information. Some small businesses distribute their payroll to independant contractors that way.

On a related tangent, here's another question. Do you guys have any recommendations for a low end credit card purchase system requiring low or zero startup fee, but rather charging a per-transaction fee?

Re:avoid the problem

[reschly]

I've never used it myself, so I don't actually have an opinion, but here's what some other people think about paypal. Just incase you haven't heard other people's horror stories already.

Re:avoid the problem

[morcego]

Paypal ? Reputable ?
Surely, you must be kidding.

Re:avoid the problem

[mosch]

do not use paypal. they're not a "real" bank, they're accountable to nobody but themselves. They declare accounts as being potentially used in fraud with no evidence (this happened to me) and lock all the funds in the account unless I was willing to provide them a full, uncensored copy of a credit card statement, which no real bank would ever ask for.

They don't have a customer service phone number.

They don't have a customer service email address.

They don't have any customer service at all, except a web form which gets answered in about 3 days, with an unhelpful answer.

Use c2it or some other service where your money is FDIC insured, treated according to standard federal banking regulations, you can talk to people if you have a problem, and they don't randomly freeze accounts. Additionally, c2it doesn't seem to have any fees for most transactions, so you don't even have to pay the 1% paypal tax.

Re:avoid the problem

[gmack]

Reputable??? PAYPAL?

I think not.. they just froze our business' account and the money contained in it because my boss' last name is Cuban... Never mind that he lives in Canada with resident status.

Many of the buisnesses we deal with have similar horror stories of paypal freezing money for months with no explanation. The worst case being $750 000 frozen for 8 months of a large processing company.

Re:avoid the problem

[Tadghe]

> One way for small businesses to deal with the problem would be to avoid it by using Paypal. They're a reputable financial institution

Tell me, what color is sky in your world?
Or Let me ask it like This...
What Color Is The Sky In Your World?

Re:avoid the problem

[ahde]

I thought the funniest part was "institution."

Re:avoid the problem

[DreamerFi]

Do you guys have any recommendations for a low end credit card purchase system requiring low or zero startup fee, but rather charging a per-transaction fee

I use kagi.com.

-John

Re:avoid the problem

[mOdQuArK!]

Do you guys have any recommendations for a low end credit card purchase system requiring low or zero startup fee, but rather charging a per-transaction fee?

Costco provides credit-card processing services on a per-transaction fee basis, but I don't know how cost-effective they are relative to other credit-card processing merchants.

key storage

Ive ran across this problem myself several times.
According to VISA rules, the merchant is NOT allowed to store the cardnumber - its the property of VISA.

To get around this, I dont store the card. I store its SHA1 hash signature. This is great because you're guaranteed to get a match on the card's record - but you dont have to store the cardnumber itself. This also enables great negative database checking without liability to the merchant. You've got the sig - thats all you need.

The key storage you're referring to is an old problem. The key is never secure as long as it's in software (software can be cracked, reversed,
analyzed...I dont need to explain this). The only secure way is to store it in hardware somewhere.

Re:key storage

[Hard_Code]

"I store its SHA1 hash signature."

So how do you regenerate the card number from the hash for billing?

Re:key storage

[bcrowell]

This technique means that the user has to type in the card number for every transaction. Why not just encrypt the card number using the user's password as the key? The user's password doesn't have to be stored anywhere except in the user's brain cells.

Re:key storage

[PunchMonkey]

According to VISA rules, the merchant is NOT allowed to store the cardnumber - its the property of VISA.

Can you point out the source of this? I'm not trying to argue it, I'd just like to know as this strikes me as somewhat odd.

The convenience/computer stores I've worked at in the past have all had credit card numbers printed right on the receipt, which in turn are stored away in secure filing cabinets, etc.

Re:key storage

[RelliK]

But you need to decrypt the key to bill someone. You need the number 1234-1234-1234-1234 to bill, not abracadabra. One-way hashing works great for password precisely because you never need to decrypt them so you don't need to store the key. However, one-way encryption is not appropriate for stuff that you actually want to decrypt.

Re:key storage

[BlueWonder]

There are 10^16 = 10000000000000000 possible credit card numbers, and there are 2^160 = 1461501637330902918203684832716283019655932542976 possible SHA1 hash values. Therefore, the probability for a collision is so exceedingly small that it can be totally ignored.

Re:key storage

[tzanger]

Isn't the user needing to reenter details to reauthorise transactions more of a feature than a bug?

Not with the general public. "XYZ Co. doesn't make me have to reenter all this credit number stuff like you do and I've never had my number stolen with them!" Convenience is the game.

ISTR that if you have proven that you took reasonable measures (co-host) to protect the credit card data and you were still 0wned and had it stolen that that would be enough to deflect loss of merchant status / lawsuits, although IANAL and I've never been in that position.

Re:key storage

[G-funk]

Why not just encrypt the card number using the user's password as the key? The user's password doesn't have to be stored anywhere except in the user's brain cells

Because:
a) users are dumb, making brute-force attacks easy
b) it's very easy to discard a lot of incorrect cc details

Is there real safety?

[colmore]

I find it disturbing how companies seem to be rushing into Passport like systems that keep a large number of credit card #s and other sensitive data in a central repository, when no such system has ever shown to be reliable enough to justify the risk.

Frankly, I'd prefer to just keep typing in my credit card number, or have the info stored on my computer for my convenience. I don't like the idea of my personal data being permanently stored in a potentially insecure remote location.

Re:Is there real safety?

[ahde]

Internet Explorer is not Windows

So, don't store the key

[Breakerofthings]

Require the key on startup (of some daemon, probably the Web Server ... add a command line option to apachectl, for example). The key is held in process memory for the processes that need it, not on disk (except maybe in swap). OK, so it's not perfect, but it's better than keeping the key on disk ... you have to admit it would be *hard* to get the key this way. As a bonus, no process started by an intruder would know the key either, even a web server instance ...

Re:So, don't store the key

[Yottabyte84]

Wanna encrypt you swap in linux? It's really easy....

dd if=/dev/urandom bs=1 count=64|losetup -e AES128 -p 0 /dev/loop4 /.swap &&
mkswap /.swap &&
swapon /.swap

Stick this in your boot script after creating an empty /.swap of the size you need. It'll create an encrypted swapfile with a random password.

Protect the machine

[photon317]

The bottom line is, if you're in the scenario where the data is stored on a single box and is both encrypted and decrypted on that box, and a key is stored there in some (secure) fashion - no matter what, if the box is rooted, the data will be taken.

The solution is to adequately protect the machine from being rooted in the first place, rather than jump through hoops trying to keep root from being able to get the data.

Start by firewalling the machine well. I would recommend OpenBSD if your traffic volume is slow enough for it to handle (no SMP, so it is kinda limited in that respect if you've got big demands).

Lock down the applications - know every port that's open, what protocol is spoken, what daemon is listening, etc... Do some testing of your own - if you can crash any of the box's services by sending random and/or long string of junk to any of the listening ports, you have a security problem.

Secure co-host.

[vkg]

You answered your own question: you don't put the decryption key on the same box.

You put it on another box, close all of the ports, and have a simple protocol running over something low-level which you trust like SCP or a PERL socket reader.

Your "co-host" stores the secret key, and does all decryption: the main host passes it a datum to decrypt, the co-host decrypts it, and passes back the cleartext.

The key never leaves the box, and the co-host should erase it's copy of the key and shutdown on any unexpected network activity (like an attempt to log-in). If you're really paranoid, have it also look for patterns in the access and die if anything unexpected show up - or return bogus, flagged test data (i.e. a list of bogus credit card numbers in stead of real ones).

Does that answer your question?

Re:Secure co-host.

[vkg]

I forgot to mention: the co-host is *not* internet routable: put a second NIC in the web host, and hide the co-host behind that. Anything touching the co-host other than a decrypt request should trigger a shut-down: John Q. Hacker roots your web server & database, sees requests going to the co-host, pokes it a bit to see what it is and in the process shuts the box down cold.

Not perfect security, but done right unlikely to be the weakest link: a determined hacker will root your web server and simply copy all of the credit card numbers as they are used, by backdooring your e-commerce application.

But at least that's a trickle: you lose numbers to him as they are used, rather than your whole database at once. Read Bruce Schnier's stuff about all security being target hardening.....

Re:Secure co-host.

[GigsVT]

The key never leaves the box, and the co-host should erase it's copy of the key and shutdown on any unexpected network activity (like an attempt to log-in).

Worker 1: Holy shit Bob, the web site is down again!

Worker 2: Yeah, every time someone enters a bad card number or tries to log into our security box, we lose thousands of dollars, but at least our customer's data is secure!

Re:Secure co-host.

[GrenDel+Fuego]

The key never leaves the box, and the co-host should erase it's copy of the key and shutdown on any unexpected network activity (like an attempt to log-in).

You'll obviously want to keep a copy of the encryption key stored somewhere secure besides the machine. Otherwise an attempted hack will quickly make all of your data useless.

Re:Secure co-host.

[Time_Ngler]

But if you can simply ask the "protected box" to decode the data over your "trusted low level protocol", why not just ask it to decode everything?

Re:Secure co-host.

[Oestergaard]

So let me get this straight: You set up an "oracle" (a machine which you can ask to decrypt data and which will do so when asked). Your "security" lies in your "low-level" protocol (for which you obviously have communications code on the front-end machine).

Where's the security in that ?

Let's say I r00ted your front-end machine. Why don't I just look at your script or your binary and see that it sends the request over SCP. Or over a PERL socket reader.

You have added a very tiny amount of obscurity, but nothing that resembles security. Your "oracle" has no way of knowing who's asking, if you built the assumption into the system that "anyone who can ask must be in their good right to know".

Even if it's on a private network on another NIC, this doesn't help one bit. I r00ted your front end machine, remember - if the front end machine can talk to the oracle, so can I, when I'm root on the front end.

You may be able to add a little security resemblence with your "anomaly detection". However, it is quite likely that I am smart enough to just see how valid requests are built, before I try my own requests at the oracle.

Re:Secure co-host.

[tzanger]

Where's the security in that ?

I hope you're trolling, because your question is unbelievably dense. You don't put the security on the live machine, you do it on the protected box. You're not out to eliminate credit card theft, but rather to limit it greatly. Who cares if you can get 1 or 10 or 100 card numbers? It's the "hax0r steals 10k card numbers from insecure site!" headlines you're trying to avoid, and that's exactly what this system will help prevent. It slows down the rate of card numbers you can get and anything excessive is easily alarmed.

Thieves don't often go for difficult targets, they want the fast big payoff. This system prevents that, although I think they're being excessive with the serial ports with snipped leads. Two NICs in the live host and one in the protected system going through a VLAN-capable switch or a router with the bandwidth on the connection set to 8kbps or something is just as good, IMO.

Re:Secure co-host.

[buffy]

The key never leaves the box, and the co-host should erase it's copy of the key and shutdown on any unexpected network activity (like an attempt to log-in). If you're really paranoid, have it also look for patterns in the access and die if anything unexpected show up - or return bogus, flagged test data (i.e. a list of bogus credit card numbers in stead of real ones).

That's an OK idea in a theoretical sense, but not from a practical commerical view point. Most applications have a requirement to fail gracefully, and just having your data handler die kind-of sucks from an administrative point of view.

Instead, perhaps a better solution would be to provide a selective lockout mechanism which would block accesses to certain bits of information (those that were trying to be cracked) or access to/from certain clients (a specific web session in the PHP sense of the word.)

Having your entire app die would be the same as if someone (you, in this case) DOS'ed your site. If I was your client, and that was your solution, I'd be hard pressed not to move my business elsewhere.

-buffy

Re:The Best Policy

[nam37]

You ARE kidding right??? Data collection is a needed component to all business (e- or otherwise). Welcome to the 19th century. Neil

Re:Testes, testes, 1,2...3?

[colmore]

oooh, nice troll.

you should put that in tags to preserve the width though.

I'm not sure I understand the question...

[edashofy]

The poster said:

The thing that makes me nervous is the secret key being stored on the machine that houses the database. The reason for this is so that our billing staff can handle the recurring billing. (They have a web interface where they must enter the passphrase to gain access to the credit card information.)

I'm not sure I understand the question. Why is the secret key stored on the machine? Is it stored in cleartext? If it is, that's a problem. The trick here would be to encrypt the secret key on the machine using the billing staff's password (or a hash thereof), and only decrypt the key when the password is entered. If you change the billing folks' password, you can re-encrypt the secret key with the new password. That way, you'd at least have to run a brute-force on the password (which may not be that hard, depending on how you pick passwords). An alternative is to use a more secure mechanism than passwords for authentication--something like a keyring dongle or somesuch, but that makes things more complicated.

Old problem.

[AftanGustur]

A commonly used solution in high-security environment is to isolate the database machine from the network. I.e no network card. You then connect the database machine to the data processing machine via either a serial cable, parallel cable or similer that doesn't have a network stack on top of the driver.

You then have to create a client/server/queue manager on both ends.
Your security problem is now reduced to the functionality of the client/server that talks over the cable and performs requests on the database.
(Assuming of course that you can control access to the console)

A bit of effort, but it works.

Re:Old problem.

[stilwebm]

The problem with this is speed. A serial or parallel interface (unless USB or FireWire) will be much slower than a 10Mbps and slower still than 100Mbps ethernet connection. But you can easily and securely set up a nonroutable network between your database and application server(s). A simple crossover between a single db and single application server, each with a separate NIC for this network, works well. The hardware is just as secure as a serial link, but fast enough for realtime processing or high speed batch processing. The same applies to kernel level security. Use an isolated switch (or VLANs if budget is a concern) to connect multiple computers on this "off net" backend connection. It is just as easy [hard] to sniff this ethernet connection as a parallel or serial connection - you have to have physical access to the hardware or kernel level access to the system's memory. Still, you can encrypt all connections across this network to add additional security.

Re:Old problem.

[RelliK]

Yeah, let's transfer megabytes of data over a searial cable. Sure, that'll work!

Re:Old problem.

[Oestergaard]

So you don't use a standard network stack. Instead, you create a communications library and use that in your applications.

How is that different from just using the network stack ?

Granted, it adds a tiny amount of obscurity. But your apps on the front-end will still be using your comms. library, and if I r00t your front-end, I will still be able to talk to the "secure" machine (using your neatly written comms library).

Fundamentally, you change nothing. You add a tiny layer of obscurity, but that's it.

Re:Old problem.

[tzanger]

Yeah, let's transfer megabytes of data over a searial cable. Sure, that'll work!

Where are you transfering that amount of data? I would see maybe 100 bytes to 500 bytes for a single request or answer.

So let's use easy numbers: 1k per transaction. at 115200 baud that is 11 transactions per second, assuming 10 bits per character (8 data + 1 start and stop bit). The database shouldn't be a bottleneck there but serial cards these days can do 512kbaud easily (51 transactions/sec). Remember this is at 1k per transaction. A more realistic number would be around 200 bytes per transaction -- including packet framing and checksumming -- at which point 115kbaud gets you 57 transactions/sec and 512kbaud hits ~260 transactions/sec. If you've got requests for numbers exceeding that I think you can probably afford bigger and badder security hardware.

Hell, sync serial ports can do T1 speeds and faster without breaking a sweat. With a pair of v.35 cards your systems can now handle 1280 1k transactions/sec, or ~6550 transactions/sec for 200 byte transactions. (Remember that v.35 can do 10MBps at 90m cable lengths.)

Christ the ideas people write off without a shred of thought...

I have the answer!

[Ribo99]

How would you securely store your customer's private information, especially when it comes to critical pieces like credit card numbers?

On my Palm Pilot.

Learn from the past

[L.+VeGas]

I would consider storing the numbers in Navajo. It worked in WWII.

What the Big Boys do...

[Frobnicator]

Many big groups don't emply the level of security you already have. Most bank 'security' is password protection and physical access protection. When break-ins happen they are not published; banks and credit unions are broken into quite often, and they pay to keep it out of the news. The unfortunate truth is that for big companies, it is cheaper to pay for damage from break-ins than it is to get good security to begin with. With the level of security you already have, look into business insurance. Tell them the precautions you have already taken and ask what would get you a better rate. (You would probably be a good risk for Insurance.) Implement those things, and have the insurer audit you in advance to make sure everything is up to snuff.

Re:What the Big Boys do...

[swb]

The unfortunate truth is that for big companies, it is cheaper to pay for damage from break-ins than it is to get good security to begin with.

This is the lesson lost on the Slashdot crowd.

Perfect security is impossible, good enough security is possible. Aim for good enough -- if you aim for perfect you will never achieve it and waste a lot of money trying.

Re:What the Big Boys do...

[ahde]

That's what insurance companies (like Counterpane) tell you. Maybe you should ask someone else what insurance does, in their opinion.

Data Integrity and Security

[buffy]

As with most security related topics, depth layered solutions are best. Of course, design your network and connectivity with least access in mind--i.e. the database server itself is never directly accessible via the Internet, or even your first layer of permimeter defense. Typically, only http and https are externally acessible, with perhaps a few others like DNS, and FTP.

Usually your database will either be accessed by your web servers directly, or through an application server. Limit access to your database explicity to these addresses, through both the database configuration, and, if possible, IP-level configuration (like iptables in Linux). For each client connecting to the database (be them web servers or application servers) have then use unique password keys (and users, too, for that matter.)

Finally down at the application layer (we've done network, and server layers so far) you need to be more careful than ever. First, do the obvious, don't store sensitive material (read: credit cards) in plain text ANYWHERE. At list build in some kind of cipher key (crypt, if nothing else) that will encode the data in the database. If possible, you may want to look at more elaborate schemes for storing data in such a fashion. Beware, this is the piece of the puzzle that many will spend a lot of time focusing on, which is good, but not the whole shebang. Also note, any fields that you store encrypted, you will not be able to use easily as an index field.

Another oft forgotten place to focus on, is in the tools that you use for manipulating and storing the data. Everything above is worthless, if you have a careless programmer who writes a utilitiy that doesn't sanatize user input prior to executing an SQL query. A tremendous amount of the hacks you see out there are due to tools like these that are very vulnerable to misuse--since they were designed to have the ability to access your data, your security measures are for naught.

Make sure your programmers understand how the data is being stored both in the database, and the computer (ie. buffers, sanatized user input fields, etc...)

These are by no way complete, just thoughts of things I've had to deal with in the past while facing similar issues. Hope they help.

-buffy

one-way

[jabbo]

PGP-encrypted SMTP relayed on an internal VLAN to a machine with the 'recipient' key, decrypt ONLY on the destination machine, encrypt ONLY on the Internet-facing machine. Perl classes for this exist and implementing it is therefore a question of writing the appropriate 'glue' for your site.

Internal access and usage is a policy issue. There is no way to engineer a usable solution whereby a user cannot write down a credit card number and expiry date and begin using it to buy stuff short of policy, enforcement, and legal action. You'll come up with some real Rube Goldberg schemes if you try, but fundamentally, if you must have human contact with the billing authorizations, you have a policy issue, not something you can ironclad by technology.

You will simply have to ensure that only trusted staff (eg. have a vested interest in the company's success) have enough access to do any damage. Technological solutions to social problems are a very poor fit and a very large time sink.

Sorry. We segregate authorization and billing where I work so that I don't have to jump through these hoops anymore. Small-order authentication is farmed out (and with it, the liability) so that our major customers are charge accounts with whom we deal personally in case of a problem.

Don't store it on the same machine

[spotter]

Don't store the data on a machine that can get cracked.

store it on a totally seperate machine.

Basically, you'd write to the seperate machine over a defined interface such as update_customer(customer id, credit card number) pairs), and read from the machine over a defined interface such as verify_credit(customer id, amount).

this way, "important" information is never leaked, operations and data that you want to be secure are placed on a box that doesn't have to run any extra services that can possibly be cracked.

seperate the worlds.

[Zapman]

Anything put out on the internet should have no important data on it. Period. No connections from the internet (aka untrusted aka hostle) should be allowed to the box with the real data, other than those which are PROVEN to be needed, and secure. So:

internet -> firewall(1) -> web server -> firewall(2) -> database

So, you have 2 firewalls. One internet facing, and one (idealy a different vendor) from the DMZ to the internal world.

Also, you can set up 2 houses for the data. One (the one that the internet can get access too by proxy) should only cache the recent data. Hourly, or nightly, it should then be put into another server, from which the accounting department can run bills. Then this box (for accounting) should have no allowed connection to the rest of the world, save from the accounting department.

Oh, and the important data should be then purged from the internet proxy accessable database.

Why the requirement to decrypt on the web server?

[ryanr]

Why does the web server need to decrypt? It should be storing the sensitive info in the DB encrypted with the public key. If your personnel need to decrypt it for something, do that on a seperate machine.

Your own response states the problem ...

[TheViffer]

administered by IBM

In otherwords, people outside of the bank have access to that information.

And all it takes is 30 seconds to dump an SQL output of 10,000 CC#/account info records to a flat file on a 1.4M "service patch disk" and out the door they go.

Re:Your own response states the problem ...

[Hard_Code]

"And all it takes is 30 seconds to dump an SQL output of 10,000 CC#/account info records to a flat file on a 1.4M "service patch disk" and out the door they go."

With a BIG FAT log of who logged into the console and database and performed the dump, not to mention paper logs of entry if they do that. To tell the truth, there are many things which we could just "walk away" from...but there would be sufficient trail that would lead right back to us, so it would be suicidal (nothing is really physically preventing me from mugging old ladies on the street, but it's still not the perfect crime).

Re:The Best Policy

[Vecna!]

If you bill a customer's credit card, you are required to keep that credit card information on file so that you can reverse the charges and/or provide information on charge traces that may be requested by the customer.

There's an implict social contract between the parties when a credit card is used - the contract is that in exchange for providing a good or service to you with nothing in the way of security other than reliance on a banking infrastructure, I will be allowed/required to keep certain private information about you so that I can validate my accounting records of our transaction on demand.

Keeping this kind of info is not being "up to No Good", it's fulfiling my obligations under the social contract.

Security needs to be in place in all levels

[puppetman]

Our credit card info is stored encrypted in our Oracle database.

No one accesses the credit card info directly - we generate reports for billing staff. When credit card info is sent across the net (to process charges), we use secure sockets (as does everyone I'm sure).

The only machine that knows how to decrypt is a weblogic app server with the key, running on Solaris.

The database is on one virtual LAN, the webservers on another, and the app servers on a third.

We have PIX firewalls to keep out intruders, and our boxes are physically locked down in a cage.

In addition, our hardware topology is based on Windows 2000, Linux and Solaris. You would need to take advantage of security flaws in all three OSs in order to be able to traverse our site.

We make sure the passwords are not words or phrases. Numbers, funny characters, and letters.

The holes in our system are:

1) On weblogic, the connection info to the database is out in the open in the connection pools.

2) Billing staff need to be careful with how they handle paper reports. Perhaps we should only show the last 4 digits of the CC number when generating.

3) We refresh our QA environment once in a while. I have to be sure that I wipe credit card info, passwords, and email addresses from the QA database. While it's fairly secure as well, no point in leaving it around.

No system is perfect. So long as they are encrypted, on a machine that has the latest security patches, the machine is in a secure environment, and the passwords are "strong", you can sleep at night. Most of the large credit card thefts have been against systems that violated one or more of those rules.

The above is the best solution

[jabbo]

and I've implemented reasonably correct versions of almost all the others, so I am not just 'guessing' but offering observations from someone who's built several systems like yours.

You want accounts and you want them managed separately from billing. Physical security is what should realistically protect the private payment and identification information that relates to those accounts (eg. the substance to their metadata) so that day-to-day manipulations of orders are separate from month-to-month billing updates.

You simply must keep private info private and enforce it via legal and policy measures. No amount of technology will easily prevent misuse of your data. You could, however, experiment with CryptFS or StegFS to make it much more difficult for a physical security breach (eg. stealing the machine) to result in information leakage.

When I went back and reviewed the submitter's question I decided that I had focused on the wrong aspect of his question. One-way encryption (outside-to-inside) is important, and it can be keyed to the same database as customer account identifiers, without divulging useful information on a public interface. However, the primary measures for his company to take are still going to be policy (dissociating private customer data from public/unimportant customer identification data) and legal (physical security, pressing charges when anyone tries to circumvent).

Again, every measure I'm discussing above is something I've had to deal with in my job, and I am merely offering opinions as to what has worked best for us. I design my systems (at least at this point in my career) so that, for the most part, someone could steal them outright without greatly affecting our day-to-day operations.

nCipher and alike

[friday2k]

You might want to consider hardware based crypto like nCipher. This way you do the key storage and en/decrypt functionality in (supposedly) tamper resistant hardware. HOWEVER, if someone hacks your system and is able to access/copy your code and get the right privileges to talk to the nCipher box you are screwed anyway. But it would certainly raise the bar ...

Microsoft is going to be pissed ...

[TheViffer]

you have reveiled thier new security strategy after the month long security audit they did.

Re:Securing the co-host.

[Ashurbanipal]

Make sure the co-host is not networked at all; have the connection be a pair of RS-232 serial lines instead. On the line that sends the data to be validated, clip the wire that would allow signal to be transmitted back - (break RD, leave TD intact) to create a one-way signalling method.

Go/no-go decisions are signalled on the other link, either with simple sense carrier signalling (wire CD to DTR or whatever) or a very restriced set of allowed responses.

Programming the system is a pain in the ass since you have to use the console, but once set up it should be so simple it'll need no other maintenance than backup tape loading.

Any cracker who can figure out how to break your system when you have no net link is so much smarter than you, you're probably doomed anyway!

Summerizing

[SirSlud]

Just a summy post to collect most of the points above that are good ideas:

- Use 'per record' encryption, where the records are encrypted each with a per-record unique key that is hidden from the outside (user-supplied is good, like a password, or if you need to decrypt without customer interaction, on a seperate box inaccessible from 'outside')

- You should have a method of 're-encrypting' records should a key(s) be compromised, to get the data safe as soon as possible after detecting comprimisation of your key(s).

- Dont ever decrypt - if you can get away with it, dont ever decrypt .. if you need the # for display on pages (like receipts), you only need to display the frist/last 4 digits for confirmation purposes, so only store those (encrypted). This is along the lines of minimizing the 'pot of gold' in a worst case scenario.

- Isolation .. depending on the data's sensitivity (and CC#s are supermega sensitive), you can opt for various levels of hardware isolation of the box that stores the key, via a serial cable or something.

- DONT ENCRYPT USING A KEY ON THE BOX ON WHICH THE DATA WILL BE STORED, or you might as well call your box a honeypot.

- make sure you use 'proofs' to verify the data, post encryption. Store the proofs on a box other than the data hosting box, so you can detect data comprimisation as soon as possible! (You could run a local data intergrity job nightly to detect mofified or currupted records.)

Everyone knows the worst can happen with computers - but if you did your best (and kept interested parties informed as to your efforts), then you wont/shouldn't be blamed if the worst happens. This is analagous to drunk driving ... everyone knows car crashes can happen, but being drunk during one is going to void any possible blame that could have been placed on people other than you.

I can help!

[teamhasnoi]

I'll need a copy of the database and the passwords, then I'll get back to you. Oh, It'll cost you $19.95, too.

Let someone else worry about it

[stuce]

TrustCommerce has a great system called BillingID's where you can submit all your credit card info for storage on our secure Linux servers. You are given a handle that you can use bill the customer at any time through our cool GPL'ed client API. Retrieval of the CC info is impossible so even if your server is compromised the hacker can't get your credit card information. This lets you bill customers at your leisure but lets you offload all the extra security responsibility onto us. Security is, after all, what we do. </shameless plug>

From my archives, a pretty good solution

[jukal]

You can find this also here:
Following Text authored by Albert Langer not me, posted to ZCommerce mailing list on Fri 09, Jun 2000 . Still very valid:

<clip>
Warning: Following ideas are "off the top of my head". Not verified.

Q. "Where do I store the decryption key so that the cracker who snarfs the database file can't get it (just in memory somewhere?), and yet have the system be able to boot itself, including having the key, without human intervention?"

A. "Using a 'one time' fast key in a client cookie".

Details:

1. Generate single Public/Private key pair off site. (Slow but only done once).
2. Store only the Public key on web server.
3A. Store Private key very securely on internal site with controlled and audited access etc.
3B. Or better still, immediately destroy it. Losing only the functionality marked * below.
(Above are common to several previous responses. Following are new.)
4. Compress each CC card as received to shorter equivalent bit string (eg convert the parts that are card type to enum, remove checksum, convert remaining ascii digits to large binary integer and concatenate with the enum. This makes the cookie below smaller, also removes some redundancy.
5. Use public key to generate and store encrypted copy of compressed CC number on web server. (Fast). Do NOT store or transmit to internal site, except on specific secure request with audit records maintained at web server as well as internal site. Use same precautions as would be used for storing plaintext CC numbers or private keys.
6. Generate XOR of encrypted copy and plaintext on server. (Very Fast).
7. Store the XOR in long term client cookie (expiry no later than CC expiry date, or add expiry).
8. Destroy plaintext of CC AND the XOR on webserver.
9. Steps 4, 5 and 6 MUST be carefully designed to leave no trace of plaintext or XOR on web server, eg in virtual memory paged to disk etc etc.
10. Step 7 MUST be designed so web server cannot store cookie in client unless transmission protected by secure transport (https).
11. Step 7 SHOULD be designed so client cannot transmit cookie to anybody other than the same server and with the same secure transport (possibly impossible and a key flaw).
<clip>

See the link provided above for benefits of this approach, this post is already too long :)

Virtual Machines

[kevinank]

One option used by many companies is to compartmentalize the data that needs to be secured. HP sells VirtualVault, or you could brew your own by running a chroot jail, or more completely by running a seperate virtual machine like User Mode Linux.

Simple solution ...

[bigjocker]

The best solution is to use a second machine to host the secret key. This one machine must be phisically disconected from the world, just a connection with the database machine.

The database machine receives the CC# and sends it to the black-box. How to do it? When you connect to the black box it automatically sends a public key for communication, the DB machine generates another pair of keys and sends the CC# using the black box public key. The DB machine will receive the encrypted key using the secret key, encrypted with it's own public key (double encryption). Store the key in the DB.

When you need to decrypt a CC# the DB machine sends the encrypted CC# to the black box (again, using public/private keys for secure communications) and receives the plain CC# encrypted in it's public key. The session public/private keys should be generated at runtime.

Setup the black box so it deletes the key on ligin and on ethernet communications with the wrong MAC Address (it should only receive connections from the DB machine).

The black box should be in a safe place, under a different security staff than the DB machine, so you will not loose both, and if someone plugs itself between both of them, they are communicating in a secure way.

Required to keep records for 7 years

[Codex+The+Sloth]

Merchants are required to keep accounting records of this sort of thing for 7 years.

However, does this information need to be stored online? No!

Whenever people talk about credit card security I always snort derisively ... check out the "secure storage" of credit card information at the local gas station or the restaurant. It's secured with a shoebox for the most part.

Re:Required to keep records for 7 years

[lamp77]

Sure, but when was the last time a Gas Station had 30,000 credit card receipts in that shoe box.

It's economies of scale here, the threat is higher because the exposure is higher.

lamp.

better idea

[RelliK]

Well, just to expand on that thought: you could store the key on a floppy (or CD, or that funky USB keychain, or whatever...) and require the disk to be inserted and mounted while starting the server. Then take the disk out, carry it with you, and guard it with your life :-)

Re:better idea

[thelaw]

one problem with this approach is reboot convenience. for example, if you need your webserver to be able to do automated reboots or unattended startup cycles, then this won't work (unless you're willing to plug in the token every time the machine crashes or reboots). if you have older or failing hardware this is more of an issue than you'd think.

jon

Re:better idea

[RelliK]

And what kind of a fuced up server you are running that needs to be rebooted all the time?

Re:better idea

[iCEBaLM]

And what kind of a fuced up server you are running that needs to be rebooted all the time?

My guess is Win2k...

-- iCEBaLM

Re:better idea

[thelaw]

solaris. if you need high-availability, but have close-to-failing hardware, the machine will crash with increasing frequency until you fix the hardware. unfortunately, not all of us can run apache on an old 486 with debian, have a load average of 0.01 and still pay the bills. so if the hardware is failing, you have to schedule a proper time to replace it, but you can't do this during business hours. or the business hours of anyone else in your company, if it's a worldwide joint.

jon

credit card number goes in, doesn't come out

[The+Pim]

The obvious part, which others have said, is don't store credit card numbers. But that can't be the whole answer, because you at least need the credit card number for as long as the order is "active". (I haven't run a store, so tell me if I'm missing something.)

Assuming you need to store a credit card number for at least some period of time, the best way to keep it safe is to store it on a machine that will never give it out--except to local users on a separate network. The web server can send the number to this machine, but cannot ask for it back. Your employees and your order-processing code can access the number via the local network.

If you must store the numbers long-term (to enable that "novel and non-obvious" wonder called "one-click shopping"), they still cannot be accessed from the web server. When the user enters his credit card number, the web server tells the credit card database, "Bob's VISA card is 12345". When the user places an order, he selects "VISA card" from a drop-down, and the web server records in the order that Bob wants to pay with his VISA card. But the web server still doesn't have access to the number itself.

You can take this further by placing additional limitations on what someone who cracks the web server can do. For example, the web server doesn't need access to Bob's password, or even a hash of Bob's password. It just needs to verify it. So store the password on another system that will only verify passwords (and has some rate-limit to guard against guessing). Nor is there any reason to blindly trust the web server when it says "Bob wants to pay with his VISA". Have the password verifier return a random token when the password is correct, and only allow the order if the web server supplies a valid token.

You get the idea--put the important data on a system that trusts the web server as little as possible.

Additionally, I've heard people suggest connecting the web server to the credit card database with something less "featureful" (and thus, hard to secure) than a network connection. A serial cable, for example.

USB 'Keys'

[gouldtj]

I don't remember where I saw them (I think it was on Slashdot), but there are these little key sized devices that hold flash in them. I would recommend buying one of these. Then on that device store one, really big ass key.

When the machine boots up it 'mounts' this key. Decrypts your 'usable' keys. Then it unmounts the key. This key is then used to decrypt the keys that you actually use to get to your information. So if the machine is stole it is useless (difficult to crack). Remember not store the 'usable' keys dycrypted on the hard drive :)

This way you can store the USB key in another location (fire safe sounds like a good idea to me). And it is only needed when you boot up the machine (read: not really inconvienent). I might recommend getting two and storing one off site :)

As far as hackers - well, there has been alot of good comments about that above...

Simple solution

[Oestergaard]

It's easy; don't store the information. If it's not there, noone can steal it.

Store the address, name, phone number, visit history, mother's maiden name, shoe size, whatever you want - but don't store the credit card number.

I'm quite happy with entering my credit card information whenever I purchase something. Knowing that this information will not be leaked to the next script kiddie who drops by - you simply cannot trust security at sites with dropping revenues, budget cuts, etc.

Clearly, the number one priority for many business sites today is to keep things running. Security is only a problem if it's broken. And that only happens if you're unlucky... Yearh right...

Am I pessimistic, or are you naiive ? ;)

Re:Simple solution

[rtaylor]

Subscriptions simply don't have much choice in the matter. Some people don't mind paying tens of bills each month, but I'd much rather deal with Amex or Visa when problems occur.

Generally they only need a record of the bill, and paper showing what the business was allowed to take out -- receipt. I've yet to have any problem not straightened out within a month.

I do almost everything through the CC for that reason. Don't trust banks, they've already sent the money (and don't care) but Visa hasn't received my payment yet and Amex is cruel to small business. I know this for a fact -- I've been on both ends. They pick on businesses like you wouldn't believe, so I'm an Amex client :)

Re:Simple solution

[Oestergaard]

Then whatever you do, make sure you build your systems on a B1 (or better) certified system, and that it's properly configured.

Take a look at Trusted Solaris. It is by no means a solution in itself, but it is a prerequisite for a moderately secure system.

The idea is, that even if your system is rooted, the intruder will not have access to change system parameters (root is not allmighty), he cannot run standard utilities if he entered via. the network (compartments, mandatory security and trusted paths), and his activities can be logged (auditing).

Offline CC# Store

[Mr.Sharpy]

If you are worried about storing the credit card numbers, why not just put them in a db on some form of offline storage that is only connected on the day billing occurs. The only way you can really keep something secure for sure is to have it physically inaccessible.

Combinations should include "staff training"

[texchanchan]

No matter how secure the file is, if your staff members take down the credit card number on scratch paper, possibly in a legal pad which they keep in their desk, or yellow stickies which they throw away in the regular wastebasket, you've got a problem. I tried and tried to get us some secure waste disposal at one place I worked, never succeeded. Fortunately we did not have any grifters among us (that I ever found out about).

There are a lot of opinions on here...

[tgd]

Very few make much sense, and very few are (hopefully) from people who have done it before. For what its worth, I have.

People talking about system security, shutting off services, firewalls and the like are just plain wrong. I hope, very strongly, that no place I've ever entered my credit card information online was designed by these hacks. Unfortunately, as those of us who had our info stolen from egghead two years ago learned, morons are the rule not the exception when it comes to security.

There is only one way to make this secure -- absolutely no network access to that box whatsoever. Not to the database, and not to anything that can talk to the database. Complete electronic and physical isolation. As someone else said, you need a client/server application that communicates over serial, with a very carefully scrutinized protocol that allows credit cards to enter, and not leave.

Thats the *only* way to be secure. None of the other things people are talking about works. If the data is accessable, no security can totally protect it.

example

[cr@ckwhore]

For example in dealing with encrypted passwords in a database... lets say I have a user database with encrypted passwords in it. (Could also be credit card info, etc.) For security purposes, I'd like to NOT decrypt any passwords for authentication, because that will place the password in plain text somewhere in memory, which is undesireable. Instead, for authentication, when the user supplies a password, I encrypt it and compare against the encrypted string in the database.

Same can be applied to credit card info. Once encrypted, you should rarely have to decrypt. Think of dealing with it from the standpoint of encrypting user input for comparison and validation against encrypted info in the database. This will save you from having to decrypt at all.

The other argument is "its not secure if its attached to the net". Basically, you should have the info stored on a separate database server with a direct cable link to the application server via a private NIC.

Re:example

[cr@ckwhore]

I agree.

There are a number of applications by which the methodology can not be applied entirely, but it serves as a good example to get the mind thinking about secure engineering practices.

I Know How...

[Servo5678]

How would you securely store your customer's private information, especially when it comes to critical pieces like credit card numbers?

In order to best answer this I'll need to see all your private data. Send it over and I'll look it over and let you know what I think is best.

[Note: the preceeding is a joke and not to be taken seriously. In this day and age of lawsuits, one can't be too careful about gags such as this.]

Re:The Best Policy

[geirt]

Vecna! wrote:
> If you bill a customer's credit card, you are required to keep that credit card information on file so
> that you can reverse the charges and/or provide information on charge traces that may be requested
> by the customer.

In that case, send the credit card information to an old fashion line printer, in a closed room.

Re:Doesn't really answer your question, but...

[gmack]

We have this it's called CVV2(the number should be on the back of your card) unfortunatly not everyone uses it yet.

This problem is the size of a HIPPA

[SkyLeach]

I am faced with a similar problem: storing PET scan overreads for peer/specialist review along with patient medical information and allowing access to those overreads by only the referring physician and his peer.

The approach I am considering most is to use an applet to compress and then encrypt the overread file on the client machine before sending it over SSL to be storred in the database. Of course, I don't have to access the actual overread here, just the authentication information and general contact information for the involved parties. We are using AMA certificates as the key system. This takes it completely out of our hands and prevents us from suffering the headaches. Other personal information which is not encrypted is kept in an Oracle database behind two firewalls, both of which only allow SSL/SSH traffic. Threre are two certificates being used: the site certificate for the public side and an OpenSSL certificate for the private side. I use a streaming program which I wrote to make the SSL connection from the frontside server to the backside servlet. Oracle handles the encryption on the Database side.

This provides the following security levels:
A registered physician must access the site an log in via SSL to the external server. Once he has the overread file, he must have a valid AMA certificate to decrypt the overread. Obviously, his certificate must have been one of those used to encrypt the file.

Security protecting the data is pretty straight forward. You must get through both firewalls, which I check daily for security updates. Both firewalls have different passwords.

Well .. we could take this further ...

[TheViffer]

Who knows if the log files are even examined? What is to say that they would not get lost in a massive amount of logging, if logging is even turned out (performance issue at hand)

How about planting a program to run in the middle of the night under user X to dump the file in place Y which you would later get. Every situation would be different. How about places which are ran solely by IBM and where the company is lucky enough to do an ls, let alone trying to administrate a DB2 server? Maybe we tell the company were going to do a backup dump of the DB just to be sure we don't loose anything and swipe from thier.

It could be as simple as taking a used backup tape just laying on top of the machine that some operator carelessly layed there.

The point was not if "you" would get caught, but the point that "others" beside a select few bank personal are granted access to the machine. And just because the "room" is secure, does not mean that what is inside of it is.

Again, the attack was not directed at IBM. IBM could have just been as easily replaces with "Ma and Pa's used Blendor and Computer Repair Shop."

Another approach

[isa-kuruption]

I work for another industry... health care... while with credit cards you can deal with various situation with hashes and the such, in the health care industry, and within our website, patients need access to their PRIVATE information 24/7. This leads to a very interesting dilemna.

First, all private and highly sensitive information needs to be available 24/7, so moving it off to another secure server is not an option since it may be needed within the next 5 minutes. This includes patient records, prescription history, etc (and even credit card information).

This is basically that 'chicken and the egg' problem. You have encrypted data, but how do you encrypt and keep it secure while the data remains on the server with the passphrase for the private key.

While there is really no way for us to solve the problem, the hope is to make it EXTREMELY difficult for a hacker to break into the boxes and if they DO break into the boxes, to find out before they actually reach confidential data.

Method: A 3 tier architecture. This includes 2-3firewalls depending on how you implement it. Basically, your network will look like this:

{INTERNET}---[FW]---[WWW]---[FW]---[APP]---[FW]- -- [DATABASE]

Due to ACLs on the firewalls, Internet users can only access the WWW servers in the Front DMZ. Those WWW servers can only access the APP servers in the second DMZ. Then, those app servers (which use an authentication and authorization technique like netegrity) access the DATABASE servers. However, since the DATABASE servers actually do the authentication, anyone not already authorized can access the data without breaking into the DATABASE servers (which probably sit on the Internal network of your business).

How you protect data: Since in order for an attacker to actually get your data, they would have to crack 3 different servers. First, your web servers, then your application servers and finally your database servers. This makes it EXTREMELY difficult to get data. With firewall restrictions, you can specify only certain protocols and ports are allowed through. This way, the cracker would need to be good enough to break through 3 different communications protocols (this would require hours and hours of studying the protocols). Not only that, but since the protocols are typically encrypted with SSL, they'd have a VERY hard time doing this.

Hopefully, with the right Network IDS system (e.g. snort) and right host IDS (e.g. tripwire) you can find a hacker once they get onto your web server... and most likely by the time they reach your application servers.

Re:The Best Policy

[hexx]

The Only Best Policy is: Don't store private information, ever.

It's easy, meaningless, hackneyed non-answers like this that are eroding slashdot.

I ask "What the best way to do X", and the highest modded answer is "You silly boy, don't do X". Well, if "not doing X" were an option, the question would not have been asked.

People need to understand that virtually any question can be inappropriately (and quickly) answered with "do something else", but then that's not a real answer. It's an excuse to vent an opinion (just like this rant).

And really, it's the moderators who are to blame.

The parent (and this post) should be modded as -1 offtopic.

NEITHER ONE ANSWERS THE QUESTION OR OFFERS A REASONABLE ALTERNATIVE. They both preach. Blah.

I've had enough.

Limited performance

[Pac]

If the data you are protecting is valuable enough to make the company bother with a setup like this, one can add a whole host of features.

You can limit the amount of data decripted (per day and per user). You can limit each user to certain periods of the day. You can enforce frequent password changes everywhere. You can even enforce a certain unrelated routine to be performed (say, daily or at turn shifts) in the exposed box console by a human operator.

Every one of these features by itself is breakable, and each one represents added costs and worse usability. But depending on what you are protecting you will want these and many more.

Use a two-phase query system.

[Futurepower(R)]

I agree. Mod the parent up.

Use a two-phase query system. The main network generates a request for CC #s, and that request is passed on to the CC number storing machine, using a serial cable with the two receive lines cut. The CC number machine answers the query and writes encrypted results to a re-writeable CD. Twice a day someone puts the CD in a computer connected to the main network and runs a program that checks that the results are reasonable. If they are, that computer puts the results in a shared directory. Then someone runs the program that uses the CC #s.

Maybe this is not the best system that can be designed, but something can be designed so that there is no networking connection between the CC number storing computer and the CC number using computer.

If someone breaks in to the main system, they get a maximum of only the CCs being processed that day.

An important feature of any security system is also to make the system difficult to hack from inside.

Re:Use a two-phase query system.

[ahde]

I think this is a job for the old floppy disk.

typedef struct
{
char CCType[16];
double CCNumber;
unsigned short CCExpDate;
char MD5HashID[128];
} CCData;

1.44 MB / sizeof (CCData) is a lot of records

Re:Use a two-phase query system.

[tzanger]

I think this is a job for the old floppy disk.

Yeah, until the fuxing disk drops data. I don't trust floppies for anything these days. Hell you could use a Zip (new ones, not the old click 'o death ones) or even cheap-ass 8MB CF which'll work for a year or so without flaking out.

I like the idea of having the data stored to disk but NOT floppies. Even the best quality floppies are shit these days.

Re:Use a two-phase query system.

[zeno_2]

And I thought it may have just been me. I just built a new system, and ive built a few for some friends, and everytime it comes to finding a blank floppy to make a boot disk, I have to go thru 5 of them before I find a new one. My new system doesn't have a floppy drive anymore (partly so I can stand up against the evil force of floppy disks, other part is that they are useless these days). Why use a floppy anymore when you have blank cds that cost about 50 cents a piece, and you can make boot cds from them if need be..

Air Firewalls.

[Mike1024]

Why not have the billing sstem physically disconnected from the network?

If you have a web interface, it could locally store the last four digits of the person's credit card number to display.

Accounts-related data (Changes to credit card number, orders, etc.) are saved to a file, which is public-key encrypted in memory (PGP?).

At midnight every day, you copy the file to a floppy, then carry it to the accounts server. Put the disk in, decrypt, and integrate with the current data.

The accounts server (Which isn't network connected) can then be used to print packing manifests, bills etc. while the web server has 'cut down' data on order status, etc.

Granted, this wouldn't be the most high-tech solution possible, but it would make remote access (at least over the internet) impossible.

Just my $0.02

Michael

Re:Why the requirement to decrypt on the web serve

[cicadia]

Thanks; that's the insightful comment I've been looking for. I was despairing of ever finding it, reading through this thread.

You're right; there should be no reason for the web server to have access to the credit card information once it has been accepted. The web server should absolutely not be the machine in charge of the recurring billing.

The point which has not been stressed enough here is that if the web server has any method of retrieving the credit card information, then it doesn't matter how many layers of encryption, how many layers of firewalls and semi-isolated machines connected through obscure cabling techniques you use, all of the information an intruder needs to access it is sitting right there on the web server.

If an intruder has root access to the web server, (a not-uncommon occurrance these days,) then it won't matter how complicated you've made the protocol for accessing the information; all he has to do is trick the server into getting it for him.

The only 'solution' to this problem is not to give the web server any access. Use write-only media, like public key encryption with no private key, a network connection to a machine which will not give the data back, or use a physical line printer and have someone re-key the data later.

Re:The Best Policy

[Telastyn]

So let's see here.

You the business provide a service with nothing in the way of security, and you are allowed/required to keep private information about me?

Sounds like I the customer have a raw deal.

Scale == 1

[Codex+The+Sloth]

It's true that a gas station has a much more limited # of cards so the overall fraud is smaller. But that's the credit card companies problem (who, for there own crap security, get whatever they deserve). So if you get my number then it matters to me. And since you probably give your card to many more insecure physical merchants than insecure electronic merchants, your net risk from the former is higher than the net risk of the latter. It's like air safety. Airplane crashes kill many fewer people than car crashes but when they do, it makes a big explosion (and kills a bunch of people).

All I'm saying is people tend to respond to specific threats while ignoring other threats which have become common.

Passwords are "security through obscurity"

[drew_kime]

Fundamentally, you change nothing. You add a tiny layer of obscurity, but that's it.


Would your "ideal" system include passwords for users to log in remotely? Probably. If you have a password, the security is based on the assumption that only you know it. Once it is publicized -- no longer "obscure" -- it is no longer effective. As long as the obscurity you're relying on is sufficiently difficult to guess, it's effective.

This is not to say that security through obscurity by itself is effective, but it is frequently an essential component.

Protecting at the system level

[eyeball]

I don't know if anyone posted this yet (or if it might've not been moderated above my threshold), but....

One method would be to prompt for the passphrase upon starting the process. That way only a trusted admin (if there is such a thing) would have the passphrase. Then the passphrase would be stored in memory and never on disk.

Of course there's the possibility that someone could cause the process to dump core and sift through it looking for the passphrase. Or someone could read from a memory psuedo device. Either way would likely require root access. You could try and prevent this by obfuscating the passphrase in memory, but that is a cat and mouse game. I think if you went with the premise that if someone gained access to the machine with enough priveledges to read a process's memory space, there's nothing you could do.

Not that difficult: break the problem down

[Jobe_br]

This problem (while common) is really not that difficult to solve, in your situation. Here's what you have:

1. e-comm server with 'Net access
2. need to store sensitive info
3. need to encrypt sensitive info

Break the problem down, especially the flow of information, sensitive and otherwise, because this is key:

• sensitive information flows from customers to your e-comm server via the 'Net
• sensitive information does NOT need to be seen by customers (e.g. CC#s, last 4 digits suffice)
• employees need access to sensitive information
• employees accessing data are 'trusted' (both in a personal sense and an access method sense, either an internal network or an encrypted VPN connection)

So, after sketching this down, here's what I've come up with:

1. You'll want three servers:
   • 'Net accessible web server, contained in a firewall's DMZ (demilitarized zone)
   • sensitive data DB server (restricted access from DMZ, unrestricted access from 'trusted' source)
   • 'trusted' web server (for employees)
2. sensitive information flows to DB server via well-defined interface, but not back (see above posts regarding serial cables, restricted ports, etc.)
3. auth info (success/failure) and de-sensitized information (last 4 digits, etc.) flows back to the 'Net accessible web server (to support e-comm apps)
4. Open communication to trusted server (secure to your hearts content, see posts on policy & social problems above, key point: trusted server should mean trusted server)
5. Employees access sensitive information via trusted server either from private internal net or VPN connections.
6. Make it impossible for anyone to access your sensitive DB server from the DMZ (this should be easy to). Once you've accomplished this, your information is secure, regardless of what you do on the actual DB server ... sure, you can still encrypt the data in your database (you should) and all that, a few different methods are described above, but in essence, by restricting the flow of information and then segregating the information repositories based on that flow, you've taken care of your problem.

This type of system allows for updating of information in the DB as well, if you want to allow this, you'll want to design some kind of authentication mechanism between the requestor of the update (the user's password would work) and the sensitive DB server. Otherwise, a cracker could, potentially, corrupt your sensitive data (not really a big deal since backups are being kept). If this is the worst that can happen, you're sittin' pretty.

Note: while this 'scheme' requires three servers, they don't necessarily need to be distinct (the one in the DMZ needs to be distinct, of course). The others, though - that's up to you, depends on your resources. Check out user-mode-linux if you want to logically distinguish servers on the same hardware. Encrypting the data files used for each user-mode-linux session should suffice to secure each session from the other, should the host become compromised (again, shouldn't be a consideration, this would only be done on a 'trusted' machine).

If anyone's more interested in what I've written down here, feel free to contact me via the contact info associated w/ my Slashdot acct.

Brice
--
WebProjkt
VP, Director of Internet Technology

S/N Ratio

[Kagato]

This is where S/N really comes out. It's obvious that many people on here haven't actually done e-com, or if so, not seriously. To clarify for others talking out the ass. The person needs to do recurring billing. You can't just get on VisaNet and say "bill that guy again". The card number needs to be stored. They also need all the billing address and phone number. This needs to be done for AVS. If you don't know what AVS is and you posted in the thread you're part of the noise. Not having all the info costs merchants real money. There's more to writing a good CC Number system than being able to patch a web form into Signio/Verisign.

Good ideas, seperate Database on a seperate machine. One way encryption systems. Big keys to limit brute force. You can do it in house all with Perl, or you can use several off the shelf packages that allow recurring billing via a reference number. However, few shrink wrap packages are Unix friendly. Most tend to be Windows (ugh) based.

If you were to do it yourself combine several forms of security. Place the DB on a seperate physical network. Dual nics in machines that need to talk to the DB. Give the machine an non-routed IP range. An extra firewall isn't a bad idea either.

Don't forget DB User Level security. Seperate logins for everyone. Limit what they can SELECT, UPDATE, INSERT, and DELETE. Most DB's have column level security. For instance you can give an employee rights to INSERT or UPDATE the cc number field, but not select it. If you can use SSL on the DB transport use it. Billing persons shouldn't need to see anything more than the last four digits of the CC num. That can be stored in a seperate field.

You might also want to consider seperating the CC Number DB from billing DB. Using a ref idea. Again, you can never be too secure.

You should also be looking at application security. A couple posts have talked about putting a serial link between the billing app and the credit clearing DB. It's not a bad idea, but it only takes a couple lines inserted into your perl code to start trouble. You should be looking at tripwire systems as well.

Just because you're paranoid doesn't mean they aren't out to get you.

Re:S/N Ratio

[jbf]

0wn the DB server and you're doomed. If you're billing once a month, why not bill everyone on the same day, encrypt all the necessary information with RSA, and have the DB server burn the information onto a CD. Physically take the burnt CD to a net isolated machine that knows the key, have that machine decrypt everything and send it to Visa?

Re:S/N Ratio

[Kagato]

AVS is a method to verify billing information. When initially submit an order in a batch you also include the numeric portion of the address string, as well as the phone number. The credit processor will then return an AVS value. This value determines how much of the information matched what is on file. A merchant can then decide if they will process the transaction when they batch out. This costs the merchant real money, as the less secure the transaction, the more the more the merchant bank takes in fees. So when someone who does recurring billing gets on your ass when you move, it's because you're costing them real money until your address is updated.

Re:Why the requirement to decrypt on the web serve

[ryanr]

Yes, nicely worded.

That's one of the things I tell people when I'm speaking on the topic of credit card theft:

How do you know how well a site is protecting your card number? Go to your user profile. Can you see your full credit card number and expiration date there? Well, guess what...

Comment removed

[account_deleted]

Comment removed based on user account deletion

Comment removed

[account_deleted]

Comment removed based on user account deletion

Comment removed

[account_deleted]

Comment removed based on user account deletion

here you go

[geekoid]

Set it up so part of your security is only alowing people with the correct MAC id to even gain access to your machine.
Also, use rolling passwords. That way they have to have the device that tells them what the password is at a given moment.
Then, store the decrypt key on your partners machine.
If you want to prevent insider, ultimally you will need physical security. I recommend talking to IBM about there server room security.

Comment removed

[account_deleted]

Comment removed based on user account deletion

administered by IBM...

[dpilot]

But since the system is administered and controlled by IBM (or any other company), they become liable for problems. Therefore they're going to be on the ball about controlling access, etc, and limiting their liklihood of getting sued.

Re:The Best Policy

[ahde]

Q. What's the shortest path to build a bridge from Alaska to Australia.

A. Don't build a bridge. Build a boat (or plane)

Use secure key management hardware

[mzito]

There are a number of companies that make equipment to handle this type of situation - NCipher is the only one I'm familiar with specifically (I've never used it - just evaluated it).

Basically its a PCI card, or a little box with a SCSI connector on it (don't ask), that you plug in/hook up to your server. The card/server can then store keys internally and perform operations on data passed in & out of it. So, generate a key, store it on the card/box, write your app to pass CC info to the card library, statically link the library into the application and then erase the library.

To protect the information from physical tampering, the card and the box implement FIPS-grade protection. The card is level 2 (iirc) - the chips that store the data have a big thick black cover on them. Should you tear that off, it creates a chemical reaction that destroys the chips and their data. The box can be FIPS level 3, which means if you pick it up or otherwise shake it, the keys are destroyed.

Key escrow is handled by built-in smartcard readers, and you can do secret sharing (i.e. requiring two-of-five people to insert their smartcards to load the key).

It's not cheap - the lowest-end model is 11k, as I recall, but it gives you what you need. It's a secure mechanism for maintaining secret data.

For an extra level of paranoia, use LIDS or Argus Trusted Solaris, and use ACLs to only grant your application permission to access the device files for the key storage. That way, even if someone wrote an app and linked it against the key management lib, they can't get at the device instance to do anything.

Just depends on how much you're willing to pay and go through (hassle-wise) to get real security.

Thanks,
Matt

Data Oriented Encryption

[seaan]

The way I'd approach this problem is to use data oriented encryption, with dedicated encryption hardware. Although I've seen traces of this suggested in other posts, I have not seen someone put it all together.

First, instead of faking up a general purpose computer as a crypto box, you are much better off getting a FIPS 140 rated hardware crypto device. They may cost a bit more up-front (although they are becoming cheaper), but dedicated devices have a lot of advantages. They are designed for security from the ground-up, and you don't have to worry about the "weekly" patch. They usually perform cryptography much faster (think SSL accelerators), and have better protection against insider attacks too.

Second, you need to break down the data access requirements. Carefully look the functions that need to be performed. Many times when you think you might need access to the data, you really can get by with something else (for example as mentioned in another thread, you can create a cryptographic hash of CC info, and compare it with a stored hash).

Most importantly, the design should not require the crypto box to decrypt the data. It does not matter how safe the crypto box keeps your keys, if the hacker can decrypt the data by hijacking an existing decryption script. So long as the crypto box can't decrypt data, the hacker could have complete control of the machine and still have no way to get the protected information. You can see this also protects against insider attacks too.

A logical questions is how do you actually use the credit card info, if the crypto box encrypts it right away, and has no way to decrypt it? The basic technique is to allow the box to make limited "translations". For example, incoming data is translated from SSL to a database key. Another transaction translates the data from encryption under a database key into a switch key. If someone absolutely has to see the data in the clear, make them use a smartcard; and have the crypto box translate the data into a format that only that specific smart card can decrypt.

You can see why you have to be so careful about knowing what functions need data access. Actually, I'm leaving a lot of things out, but here are a couple more considerations. Be very careful with the allowed translations, since you don't want to allow the attacker to translate the protection into a usable or weak format. Also don't forget about auditing all of these transactions (a Visa requirement).

I'd recommend starting by looking at crypto box vendors. A traditional way is to get a crypto box that either already supports this type of application (protecting CC info is a common problem), or to arrange for custom commands (also see Atalla, Thales, and Eracom). There is a relatively new concept of running ordinary programs on a secure box (such as nCipher). I'm kind of skeptical of this approach, since designing a logical secure interface can be fairly difficult. I recommend using PKCS#11 based boxes only with great care, since the protocol has some significant logical security problems, and is probably not the right type of tool for this issue.

A problem with using a diskette...

[Futurepower(R)]

A problem with using a diskette for both transfers is that it would delay transferring the CC data off the main computer.

Re:The Best Policy

[zeno_2]

Makes buying stuff with cash sound much better =) I think it would be nice if I could go to my bank website, enter my name and password, and issue a one time credit card that I could use on a website to buy something with. I would make it for the exact amount of the sale, and it would only be used that one time. If someone gets that number later, it wont matter.

My only thought to all that is this:

I buy something with a one time credit card issued from my bank or whatever.

I get a refund on said 'something'

The company I got a refund thru would send that info back to the bank, but could they securely trace that 'one-time' credit card back to my account?

I guess what im thinking is an FDIC insured paypal =).

Re:The Best Policy

[zeno_2]

I dont store your CC, Address, any of that. You buy something, give me some information, I verify, and bill you. I take the hash of your information and store it in my DB.

Up front, I dont know what im talking about. I had heard of other people in this thread mention that you had to keep records of a credit card sale for later use (to cross reference with credit card companies, or whatever it might end up being). Does yer system accomidate for this in any way, or is it untrue (about having to keep records), or do you not live in the us and its different there or what? I apologize in advance if its a dumb question im really sick today :-o.

Re:Doesn't really answer your question, but...

[zeno_2]

A few banks are issuing single-use card numbers, which is a neat idea, and works better...

What banks are these? I had mentioned it on an earlier post that it would be a cool idea, id say its a more secure way of doing things then how they are done now. Id think of it similar to an electronic money order.

It might even been kinda cool to setup something like this:

I decide to buy something from website x.

I go to my bank website, shift some funds from my checking account into a one-time credit card. This generates me a number (im thinking we may have problems with numbers running out, not sure how credit card numbers work).

I take that number, go to website x, and buy whatever. When the order is finished, the website will spit out some sort of hash'd info.

I then go back to my bank website and enter that into their system, and when it is billed, if the hash's do not match up then they might know something is up. At this point you could be contacted, or the sale just doesn't go thru or something to that nature.

After typing all of that it seems that just having one time credit cards would just work fine, just as long as they worked similar to how they do now with normal credit cards to the store owner.

Well its an interesting problem nonetheless, i know i don't feel 100% safe and secure when I buy stuff online.. And ive only been asked once for that 4 digit code on my credit card.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Why ? Easy

[Betcour]

Because the charge on the CC can be done at shipping time and not ordering time (customers like it better this way), because you need to cancel a charge sometimes, or because a customer ask you to "charge the same card as the last time". All perfectly good reasons to keep the numbers.

What should be done : encrypt the CC number on the server, and decrypt it only on the employee personnal system using a custom-made software. This avoid leaving the private key on the server.

Beside CC have a "built in" security feature : they all expire sometime :)

Get trustworthy AND competent people.

[TheLink]

[I'm posting this because I think there'll be enough answers on how to build good systems]

Critical data and systems should be handled by trustworthy and competent people.

You should place more importance over the integrity of your people than the integrity of your systems. Similarly for reliability of your people. Machines just multiply the abilities of people. Good tool x bad person = bad results.

Structure things so as to limit exposure to the less trustworthy/competent - you'll have these around, they are still useful, and they may actually prove to be trustworthy/competent later. Note that people are competent at different things (and competency can change) and thus should be placed accordingly.

Once you have done a decent job of that, then your job is mostly done - even if the data is accessible to internals, it will be to just a few competent individuals of integrity - they won't screw up or sell out. So you (or a trusted and more security competent employee) design the systems so as to keep the exposure accordingly - physical security, network security. No matter what you do you are going to have to trust somebody. If you have a small business you can do everything, but if your business grows you need other people.

If you can't find any trustworthy and competent people, try to build the competency of a trustworthy person. It's easier to build and test competency than trustworthiness.

The reason why some bad systems don't fail is because there are good people around.

Fix the bad systems but don't forget the people.

Cheerio,
Link.

What is "the same machine" anyways?

[ahfoo]

I think looking more carefully at this question could be one possible answer to your problem. I built a system where an exchange of key data coming in over the net took place in a directory that was shared by a second machine on a local ethernet. The second machine was monitoring that directory a few thousand times a second for updates. When there was an update, it took the key and checked it for validity on the second machine. This seemed to simplify everything because then I just used a very restrictive firewall on the machine that did the confirmation.
I'm sure this is not the best solution and perhaps for a bank or something with mega transactions it might be too slow, but for our needs it was mucho security and it was easy and cheap. In the end security was the least of our problems, but building the system was a lot of fun.

Re:The Best Policy

[seaan]

Your bank may issue credit and debit cards, but I doubt they are stored and accessed from the web like a normal e-merchant.

The closest that normal banks come to web access, is "internet banking". Account access is normally carefully controlled and monitored, but I've found some weak implementations too.

Separate Server

[SEWilco]

Yes, the user details database should be on a separate machine. And between the Internet server and details server should be a dedicated wire, whether it is a serial link or an Ethernet cable with only those two machines on it.

That way only the data link is exposed if the Internet server is compromised. You can restrict that data link, such as by having the details server never feed certain info back. To check a password you send the password (or hashed password) over, and get a reply back with the status (OK, not OK). To display a user's data to them a query has to be sent, and some info is not provided -- such as only the last 4 digits of the credit card number are given.

You can be even more obtuse. When the user logs in, use part of the plaintext password to create a hash. Require that this second hash be provided during any queries or the details server won't reply with valid info. Store that hash in a cookie, so it is available when needed but it is not kept in the server. Your Internet server now no longer can request any user data except when the user's machine is making a request. And the details server will complain through a different link if bad requests are made.

It also is not mandatory that this link be TCP/IP. Put your own protocol on it and there won't be accidents with servers accidentally talking to too many Ethernet interfaces.

Of course, the user details server has a separate connection for Billing and other systems which need info such as credit card numbers. And if this is a situation where CC numbers are only needed for billing during a few hours each month, write the CC info on a CD-R and lock it up until it is needed. Updates during the month can be added to another CD-R, then merge them into a single set (yes, "set" in case one CD is not enough). Only the updates would be on disk, until they are written out.

Re:Yes and No

[AndroidCat]

Those Uzis won't get you very far. Guards, cameras, "smart" cards, and man-trap doors. And that was just the visible security in 1990. I'm sure it's tougher now.

Security is a process not a product.

[AftanGustur]

Fundamentally, you change nothing. You add a tiny layer of obscurity, but that's it.

There is no obscurity involved, you can even take out a full page ad in 2600 Magazine and tell everyone how you did it. It doesn't change the level of security you get.

But your apps on the front-end will still be using your comms. library, and if I r00t your front-end, I will still be able to talk to the "secure" machine (using your neatly written comms library)

Sure you can root the data processing machine but so what ? You realy don't think that a security aware programmer would allow "SELECT * FROM Customers" query to run ?? (If you do, can I please have some of the stuff you are smoking ?)
Most likely the client would only send some details like name/address over the serial line and the server would reply with the rest of the personal information.

Re:The Best Policy

[hexx]

IF the question was "how do I make a Windows box secure?" their would be thousands of (right) answers saying "you don't, you make it Linux".

But that's simply not true. That is akin to saying Q: "What's 2+2?" A: "2+3=5".

You're not answering the question.

For the question "how do I make a Windows box secure", the answer is: "go through a long and convoluted process of turning off a large number of services, possibly disconnect it from the net, remove the floppy/CD or lock the BIOS with a password to stop booting from anything but the hard drive, etc... but the fact of the matter is it's a long and difficult process and might not be possible..."

Your "answer" of "you don't, you make it Linux" is in fact not an answer at all, but merely a suggestion.

Re:The Best Policy

[hexx]

Q. What's the shortest path to build a bridge from Alaska to Australia.

A. Don't build a bridge. Build a boat (or plane)

That is not an answer. It is a suggestion of an alternative means to accomplish what you believe the problem behind the question is.

If the person wanted to build a bridge from Alaska to Australia to allow bicyclists to bicycle straight from Gnome to Sydney, your "answer" doesn't help.

That's why one can't "answer" a question with a simple remark akin to "don't do what you want to do, do this instead".

A policy designed for trouble on the first error

[Spamalamadingdong]

Hashing the address and other information sounds really good, at first blush. However, what happens when someone makes a typo in a house number or mis-spells the street name? Will you ever get the hashes to match again, and how do you verify that the customer is who she says she is once you've got an error like that in your system?

All in all it sounds great, but you'd have to be really specific about what you use to generate hash keys and other crucial data in such a scheme.

Re:The Best Policy

[hexx]

Hrmm.. I thought begging the question was this:
http://skepdic.com/begging.html

Applied Cryptography

[Gleef]

Read Applied Cryptography, by Bruce Schneier (ISBN 0471117099). It covers all the basics of cryptographic systems, in depth, including when to use which kind of setup.

After you've read that, if you want more information about Alice and Bob, read here.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:My point was...

[AndroidCat]

I haven't been into any large hosting facilities since the September 11 deal, but before then I NEVER saw an armed guard in any of the facilities I went to. Not to say they aren't at some, but never were at Verio, level3, etc. Or I didn't see them...

I'm talking about a bank data centre. They take their physical security very seriously. I'd lay odds those man-traps are buttet-proof and explosive resistant. I'm not sure where the servers were, but I doubt they'd be on the ground floor, and security could probably switch off the elevators. By the time you got up the stairs, stole the data, and back down again, you'd find a lot of new friends waiting.

Okay, maybe if you were The One and had a kick-ass girlfriend with guns, lots of guns... :^)