In message <[EMAIL PROTECTED]>, Steve
Holden wrote:

> Lawrence D'Oliveiro wrote:
>> In message <[EMAIL PROTECTED]>, Steve
>> Holden wrote:
>> 
>> 
>>>Credit card numbers should be encrypted in the database, of course, but
>>>they rarely are (even by companies whose reputations imply they ought to
>>>know better).
>> 
>> How would encryption help? They'd still have to be decrypted to be used.
> 
> Indeed they would, but with proper key management the probability that
> they can be stolen from a database in their plaintext form is rather
> lower. Just last week a police employee in my class told us of an
> exploit where a major credit card company's web site had been hacked
> using a SQL injection vulnerability. This is usually done with the
> intent of gaining access to credit card data.

If they can do that, it doesn't seem much of a step to compromise the code
that decrypts the credit card data, as well. Keeping it encrypted, when the
key needs to be kept at the same (in)security level, is just
security-through-obscurity.
-- 
http://mail.python.org/mailman/listinfo/python-list
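The disagreement above (does encrypting card numbers help when the key sits next to the data?) is easiest to see with a small model of the two tiers. The following is an added example, not code from the thread: a hypothetical `KeyService` stands in for an HSM or key-management service that holds the data-encryption key outside the database tier, an in-memory SQLite table plays the database an attacker might read in full, and `store_key_in_db=True` models the anti-pattern Lawrence describes (key kept at the same security level as the data). The card numbers are the well-known industry test PANs, constructed for the example. To keep it runnable on the standard library alone, encryption is HMAC-SHA256 used as a PRF for a keystream plus an HMAC tag (encrypt-then-MAC); a real deployment would use AES-GCM from a vetted library.

```python
"""Constructed example: encrypting card numbers with the key held outside the database tier."""
import hashlib
import hmac
import os
import sqlite3

# Constructed sample data: industry test PANs, not real card numbers.
SAMPLE_CARDS = ["4111111111111111", "5500000000000004", "340000000000009"]


class KeyService:
    """Hypothetical stand-in for an HSM/KMS: the data-encryption key never reaches the DB tier.

    HMAC-SHA256 is used as a PRF to build a keystream, with a separate HMAC tag
    (encrypt-then-MAC), so the example needs only the standard library; use AES-GCM
    from a vetted library in production.
    """

    def __init__(self, key=None):
        self.key = key if key is not None else os.urandom(32)

    def _keystream(self, nonce, length):
        out = b""
        counter = 0
        while len(out) < length:
            out += hmac.new(self.key, b"enc" + nonce + counter.to_bytes(4, "big"),
                            hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def encrypt(self, plaintext):
        nonce = os.urandom(16)  # fresh per record; never reused under the same key
        ct = bytes(p ^ k for p, k in zip(plaintext, self._keystream(nonce, len(plaintext))))
        tag = hmac.new(self.key, b"mac" + nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def decrypt(self, blob):
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(self.key, b"mac" + nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("authentication failed: wrong key or tampered record")
        return bytes(c ^ k for c, k in zip(ct, self._keystream(nonce, len(ct))))


def build_db(kms, cards, store_key_in_db=False):
    """Application tier: keep only last4 in clear and the full PAN as ciphertext.

    store_key_in_db=True models the anti-pattern discussed in the thread: the key
    stored at the same security level as the data (here, in a config table).
    """
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE cards (id INTEGER PRIMARY KEY, last4 TEXT, pan_enc BLOB)")
    db.execute("CREATE TABLE app_config (name TEXT PRIMARY KEY, value BLOB)")
    for pan in cards:
        db.execute("INSERT INTO cards (last4, pan_enc) VALUES (?, ?)",
                   (pan[-4:], kms.encrypt(pan.encode())))
    if store_key_in_db:
        db.execute("INSERT INTO app_config VALUES ('dek', ?)", (kms.key,))
    db.commit()
    return db


def dump_rows(db):
    """What someone who can read the whole table (e.g. via SQL injection) obtains."""
    return db.execute("SELECT last4, pan_enc FROM cards ORDER BY id").fetchall()


def plaintext_pan_in_dump(db, cards):
    """True if any full PAN appears verbatim in the dumped rows."""
    rows = dump_rows(db)
    return any(pan.encode() in pan_enc for pan in cards for _, pan_enc in rows)


def recover_with_dumped_key(db):
    """Attacker view: if the key was dumped alongside the data, decryption is trivial.

    Returns None when the dump holds no key (ciphertext only), else the decrypted PANs.
    """
    row = db.execute("SELECT value FROM app_config WHERE name = 'dek'").fetchone()
    if row is None:
        return None
    leaked_kms = KeyService(row[0])
    return [leaked_kms.decrypt(pan_enc) for _, pan_enc in dump_rows(db)]


if __name__ == "__main__":
    kms = KeyService()
    good = build_db(kms, SAMPLE_CARDS)
    print("full PAN visible in dump (key outside DB):", plaintext_pan_in_dump(good, SAMPLE_CARDS))
    print("recovered via dumped key:", recover_with_dumped_key(good))
    bad = build_db(kms, SAMPLE_CARDS, store_key_in_db=True)
    print("recovered via dumped key:", recover_with_dumped_key(bad))
```

Run stand-alone, the first database yields ciphertext only and nothing to decrypt it with, while the second (key co-located with the data) gives the full card numbers straight back. That is the whole argument in one place: the at-rest encryption is worth exactly as much as the separation between the key holder and the database tier, and a read of the database alone must not be able to reach the key.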
