PlayStation Network & the Credit Card Theft Storm


Topic started: Mon, 21 Feb 2011 11:57
deleted
Joined 4 Jul 2007
2320 comments
Mon, 21 Feb 2011 11:57
Did you know that with any Visa debit based card you can replace the last 3 digits with 000 and it works! Not very secure, is it...
config
Joined 3 Sep 1999
2088 comments
Mon, 21 Feb 2011 18:20
The 000 ending may well mean the card number passes the checksum test, but every online payment goes to the bank to check the account has funds (known as "auth" or "preauth") and passes a plethora of fraud checks.

At that point your "000" shenanigans will be righteously called out, to the tune of "invalid card number".
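As an added illustration of the checksum point made above (example code, not from the thread or any payment library): the card-number "checksum test" is the Luhn mod-10 check, which only catches transcription errors. The sample number is the publicly known Visa test value 4111111111111111; the variants are constructed.

```python
"""Luhn (mod 10) check as applied to card numbers.

It flags single-digit typos and most adjacent transpositions; it says nothing
about whether an account exists or has funds, which is what the issuer's
auth/preauth step decides. Sample values below are constructed or public test
numbers, not real cards.
"""


def luhn_valid(number: str) -> bool:
    """Return True if the digit string satisfies the Luhn mod-10 check."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 2:
        return False
    total = 0
    # Walk from the rightmost digit; double every second digit, and
    # subtract 9 from any doubled value above 9 (same as summing its digits).
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def suffixes_passing(prefix: str) -> int:
    """Count the three-digit endings that make prefix+ending Luhn-valid.

    For any fixed prefix exactly one check digit works per choice of the
    other two digits, so 100 of the 1000 endings pass: the check is a
    format filter, not a security control.
    """
    return sum(luhn_valid(prefix + f"{n:03d}") for n in range(1000))


if __name__ == "__main__":
    print(luhn_valid("4111111111111111"))   # public Visa test number -> True
    print(luhn_valid("4111111111111000"))   # constructed "000" variant -> False
    print(luhn_valid("4111111111111171"))   # constructed typo variant -> False
    print(suffixes_passing("4111111111111"))  # -> 100
```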
Guest
Anonymous
Wed, 23 Feb 2011 15:32
Interesting comment by the author - just because you weren't asked to take extra security measures by any banks, doesn't mean it shouldn't have been done.
I program as well and quite a few companies either don't know, don't care, or are too cheap to go the extra mile. That's why standards like HTTPS are changed eventually, once someone cares enough to hack it to pieces.
tyrion
Joined 14 Oct 1999
1786 comments
Wed, 23 Feb 2011 20:27
Guest wrote:
Interesting comment by the author - just because you weren't asked to take extra security measures by any banks, doesn't mean it shouldn't have been done.

Sorry, that wasn't exactly well worded. The APIs don't support encrypting the card number or security code. It's impossible to do.

It's not like there is a variety of security levels that the banks and card clearing agencies are happy with, they demand the same level of security from everybody. It's just that there is no point in encrypting those details, for the reasons I mentioned in the article.

In order to encrypt the card details, you'd need to receive data from the server or pass data to the server so that both sides know how the encryption is happening. This already happens as part of the HTTPS protocol. However, if you can't trust an SSL certificate, then you can't trust any information passed over an HTTPS connection that is protected by it.

I think the hackers are thinking about storing the data at the server side, just like you should encrypt passwords in a database for example and not store the plaintext password.

Double encryption "over the wire" makes no sense. Let's face it, if they can fake a CA certificate, then they can fake the rest of it and still get to the plaintext version of the card details. After all, the card clearing agencies need to do this to authenticate the card.
