CGI Tutorial

Lawrence D'Oliveiro ldo at geek-central.gen.new_zealand
Mon Oct 9 10:22:15 CEST 2006


In message <mailman.98.1160379324.11739.python-list at python.org>, Steve
Holden wrote:

> Lawrence D'Oliveiro wrote:
>> In message <mailman.1374.1160073684.10491.python-list at python.org>, Steve
>> Holden wrote:
>> 
>> 
>>>Credit card numbers should be encrypted in the database, of course, but
>>>they rarely are (even by companies whose reputations imply they ought to
>>>know better).
>> 
>> How would encryption help? They'd still have to be decrypted to be used.
> 
> Indeed they would, but with proper key management the probability that
> they can be stolen from a database in their plaintext form is rather
> lower. Just last week a police employee in my class told us of an
> exploit where a major credit card company's web site had been hacked
> using a SQL injection vulnerability. This is usually done with the
> intent of gaining access to credit card data.

If they can do that, it doesn't seem much of a step to compromise the code
that decrypts the credit card data, as well. Keeping it encrypted, when the
key needs to be kept at the same (in)security level, is just
security-through-obscurity.
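The SQL injection vector Steve mentions, shown as an added example that is not part of the original thread: a CGI-era lookup that splices the request parameter into the SQL text, beside the parameterized form. The table, the holder names and the PAN placeholder strings are constructed for the demo; the placeholders stand in for whatever the column actually holds, which is exactly what an injection that dumps the table hands to the attacker, plaintext or ciphertext.

```python
import sqlite3

# Constructed sample data. The "pan" values are labelled placeholders, not card
# numbers; they represent whatever the application chose to store in that column.
SAMPLE_ROWS = [
    ("alice", "PAN-PLACEHOLDER-1"),
    ("bob", "PAN-PLACEHOLDER-2"),
    ("carol", "PAN-PLACEHOLDER-3"),
]


def make_db():
    """Create an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (holder TEXT, pan TEXT)")
    conn.executemany("INSERT INTO cards VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, holder):
    """Spliced-string pattern: the request value becomes part of the SQL text,
    so a crafted value can change the query's structure and defeat the WHERE
    clause that was meant to restrict the result to one holder."""
    sql = "SELECT holder, pan FROM cards WHERE holder = '%s'" % holder
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, holder):
    """Hardened form: the value is bound as a parameter, never interpreted as
    SQL, so the database compares the whole input as one literal string."""
    sql = "SELECT holder, pan FROM cards WHERE holder = ?"
    return conn.execute(sql, (holder,)).fetchall()


def demo():
    """Run both lookups with a normal value and with the textbook tautology
    payload, returning row counts so the difference can be asserted on."""
    conn = make_db()
    normal = "alice"
    crafted = "' OR '1'='1"  # constructed test input, closes the quote and adds a tautology
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, normal)),
        "vulnerable_crafted": len(lookup_vulnerable(conn, crafted)),   # whole table
        "safe_normal": len(lookup_parameterized(conn, normal)),
        "safe_crafted": len(lookup_parameterized(conn, crafted)),      # no such holder
    }


if __name__ == "__main__":
    print(demo())
```

The crafted value turns the vulnerable query into `... WHERE holder = '' OR '1'='1'`, which returns every row; the parameterized query looks for a holder literally named `' OR '1'='1` and finds none.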
