CGI Tutorial

Steve Holden steve at
Mon Oct 9 10:36:40 CEST 2006

Lawrence D'Oliveiro wrote:
> In message <mailman.98.1160379324.11739.python-list at>, Steve
> Holden wrote:
>>Lawrence D'Oliveiro wrote:
>>>In message <mailman.1374.1160073684.10491.python-list at>, Steve
>>>Holden wrote:
>>>>Credit card numbers should be encrypted in the database, of course, but
>>>>they rarely are (even by companies whose reputations imply they ought to
>>>>know better).
>>>How would encryption help? They'd still have to be decrypted to be used.
>>Indeed they would, but with proper key management the probability that
>>they can be stolen from a database in their plaintext form is rather
>>lower. Just last week a police employee in my class told us of an
>>exploit where a major credit card copmany's web site had been hacked
>>using a SQL injection vulnerability. This is usually done with the
>>intent of gaining access to credit card data.
> If they can do that, it doesn't seem much of a step to compromise the code
> that decrypts the credit card data, as well. Keeping it encrypted, when the
> key needs to be kept at the same (in)security level, is just
> security-through-obscurity.

It depends on what level of compromise they obtain through SQL 
injection. It does represent a significant additional burden on 
attackers before sensitive data becomes known. Clearly if someone mounts 
a successful privilege escalation attack then potentially everything on 
the system is compromised.

Note further, by the way, that credit card numbers need not necessarily 
be decrypted to be used: if you are the credit card processor (rather 
than a merchant requiring payment) then you can instead encrypt the card 
number provided by the user and use that as your database key.

Steve Holden       +44 150 684 7255  +1 800 494 3119
Holden Web LLC/Ltd
Skype: holdenweb
Recent Ramblings

More information about the Python-list mailing list