Re: Storing SSN ... I know, I know

2009-05-12 Thread Judah McAuley

Encryption and hashing aren't the same thing, but if there is only one
end user for the data (the bank in question) then I'd say that PKI is
the way to go. You have the bank set up a public/private key store.
They give you the public key. You are able to encrypt the SSNs using
the bank's public key and store that in the db. Then when they get
transmitted to the bank, the bank is able to decrypt them using their
private key. The important part is that only the holder of the private
key is able to decrypt the SSNs that were encrypted with the matching
public key, so you couldn't give up the raw SSN info even if you
wanted to because you don't have the private key.

Judah

On Tue, May 12, 2009 at 7:20 AM, Andy Matthews wrote:
>
> If the user is connecting with ONLY one bank, then see if that bank will let
> you send them the encrypted SSN and they can decrypt it on their end using
> whatever they have.
>
> Then all you have to do is one way hash it, and they can do the comparison
> on their end.
>
> -----Original Message-----
> From: ColdFusion Developer [mailto:cfdev...@gmail.com]
> Sent: Monday, May 11, 2009 7:19 PM
> To: cf-talk
> Subject: Storing SSN ... I know, I know
>
>
> What's a best practice for securely storing a social security number? I've
> talked myself blue trying to talk my client out of doing this, but the bank
> he's working with for this project absolutely, positively cannot process his
> transactions without the SSNs of our users (most of the businesses they work
> with are payroll companies with secure internal data storage, not a
> public-facing site like his will be).
>
> What would you all recommend as a process/method for storing this info in
> the most secure way possible? Most of what I've read just says
> "encrypt/decrypt it in the database and you're fine" -- but I'm not so sure
> that's the best course.
>
> Thanks in advance!
>
>
>
> 

~|
Want to reach the ColdFusion community with something they want? Let them know 
on the House of Fusion mailing lists
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:322456
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4


RE: Storing SSN ... I know, I know

2009-05-12 Thread Andy Matthews

If the user is connecting with ONLY one bank, then see if that bank will let
you send them the encrypted SSN and they can decrypt it on their end using
whatever they have.

Then all you have to do is one way hash it, and they can do the comparison
on their end. 

-----Original Message-----
From: ColdFusion Developer [mailto:cfdev...@gmail.com] 
Sent: Monday, May 11, 2009 7:19 PM
To: cf-talk
Subject: Storing SSN ... I know, I know


What's a best practice for securely storing a social security number? I've
talked myself blue trying to talk my client out of doing this, but the bank
he's working with for this project absolutely, positively cannot process his
transactions without the SSNs of our users (most of the businesses they work
with are payroll companies with secure internal data storage, not a
public-facing site like his will be).

What would you all recommend as a process/method for storing this info in
the most secure way possible? Most of what I've read just says
"encrypt/decrypt it in the database and you're fine" -- but I'm not so sure
that's the best course.

Thanks in advance! 



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:322423


Re: Storing SSN ... I know, I know

2009-05-11 Thread Dave Watts

> What's a best practice for securely storing a social security number? I've
> talked myself blue trying to talk my client out of doing this, but the bank
> he's working with for this project absolutely, positively cannot process his
> transactions without the SSNs of our users (most of the businesses they work
> with are payroll companies with secure internal data storage, not a
> public-facing site like his will be).
>
> What would you all recommend as a process/method for storing this info in
> the most secure way possible? Most of what I've read just says
> "encrypt/decrypt it in the database and you're fine" -- but I'm not so sure
> that's the best course.

There's nothing inherently different from any other sensitive data
here. The best solution, of course, is not to store it at all. And, as
others have mentioned, you should attempt to meet due diligence
requirements by contacting the banks themselves, getting
indemnification from your client, etc. That said, that stuff will only
carry you so far - just because your client has "absolved you from
liability" doesn't mean that you can't be sued in civil court!
Fortunately for you in that case, your pockets probably aren't deep
enough for the plaintiff to bother.

Encrypting and decrypting, by itself, only adds a minor obstacle to
accessing your sensitive data - if your application on your server can
read and write this data, your compromised application on your
compromised server can do the same. Key management is the non-trivial
problem for using encryption. If your application can encrypt and
decrypt, it presumably contains the key or keys needed to perform this
task, and those keys are only as secure as your application itself. If
you use the same key to encrypt and decrypt - a symmetric encryption
key - that key can be discovered within your application. If you use
separate keys for encryption and decryption - public and private keys
(PKI) - the discovery of the key used to encrypt won't let the
attacker also decrypt, but if you store both keys within the same
application or on the same server, both keys can be discovered.

So, the obvious solution is, not to allow your application to perform
both of these tasks. You could safely allow your public-facing site to
accept, encrypt and store sensitive data, but you can't also allow
that same site to decrypt and retrieve that data. You could, on the
other hand, have another internal site that can safely decrypt and
retrieve the data, but not accept, encrypt or store data. The
public-facing site could use one key, while the private site could use
another. Alternatively, if this sounds like too much infrastructure,
one key could be stored by the client and manually entered when
needed, or used to decrypt content after it's been fetched from your
server.

And, of course, you have to determine what, exactly, is the potential
threat. Threat profiling lets you focus on the security problems that
you most expect to have. So, are you concerned with unauthorized
access to sensitive data through the web site itself? Or are you
concerned with rogue administrators directly accessing the database?
I'm guessing you're more concerned about the former, but building a
threat profile is still a useful exercise - the measures you take to
address the first problem might be significantly different than those
for the second problem, or you might have to take measures to address
them both.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:322406
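
The split Dave Watts describes in the message above, with the bank-held key pair from Judah McAuley's reply earlier on this page, as an added example that is not part of any post in the thread. It is written for Node.js rather than ColdFusion; the function names and the sample SSN are assumptions made for the illustration.

```javascript
const crypto = require('crypto');

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Demo only: in the design above the pair is generated by the bank or on the
// internal host, and only the public half is copied to the public-facing site.
function makeDemoKeyPair() {
  return crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  });
}

// Public-facing site: accept, encrypt, store. It holds the public key only.
function encryptForStorage(publicKeyPem, ssn) {
  if (!/^\d{3}-?\d{2}-?\d{4}$/.test(ssn)) throw new Error('not in SSN format');
  const digits = Buffer.from(ssn.replace(/-/g, ''), 'utf8');
  // OAEP padding is randomized, so equal SSNs do not yield equal stored values.
  return crypto.publicEncrypt({ key: publicKeyPem, ...OAEP }, digits).toString('base64');
}

// Internal site or bank: the only place the private key exists.
function decryptOnInternalHost(privateKeyPem, stored) {
  const ciphertext = Buffer.from(stored, 'base64');
  return crypto.privateDecrypt({ key: privateKeyPem, ...OAEP }, ciphertext).toString('utf8');
}

// What the public-facing site (or whoever compromises it) can do with the
// key material it actually holds: attempt decryption with the public key.
function canDecryptWithPublicKeyOnly(publicKeyPem, stored) {
  try {
    crypto.privateDecrypt({ key: publicKeyPem, ...OAEP }, Buffer.from(stored, 'base64'));
    return true;
  } catch (err) {
    return false; // a public key cannot be used for private-key decryption
  }
}

// Constructed sample value (area number 000 is never issued).
const SAMPLE_SSN = '000-12-3456';
const demoKeys = makeDemoKeyPair();
const row1 = encryptForStorage(demoKeys.publicKey, SAMPLE_SSN);
const row2 = encryptForStorage(demoKeys.publicKey, SAMPLE_SSN);
console.log('stored values differ:', row1 !== row2);
console.log('public site can decrypt:', canDecryptWithPublicKeyOnly(demoKeys.publicKey, row1));
console.log('internal host recovers:', decryptOnInternalHost(demoKeys.privateKey, row1));
```

A nine-digit SSN fits in a single RSA-OAEP block with a 2048-bit key, so no hybrid scheme is needed for this field.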


RE: Storing SSN ... I know, I know

2009-05-11 Thread Justin Scott

> What's a best practice for securely storing a social
> security number?

See the PCI-DSS standards for storing credit card numbers and use that as a
starting point.  Essentially, encrypt what you have to keep, and mask or
remove what you don't.  Don't allow your database server to be directly
accessible to the Internet.  Put it behind a NAT router and use a secure VPN
to get at it remotely if needed.  Make sure the application is protected
against SQL injection attacks (ala CFQUERYPARAM), use a custom error
handler, and disable robust error reporting to keep from exposing
information through error messages.  Make sure you have a firewall in front
of your public-facing servers with a deny-by-default and "allow only these
ports through" configuration.  Make sure the application has a secure
connection to the transaction server via TLS or SSL.  In short, do
everything you would normally do for a credit card, and then some.


-Justin Scott


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:322402


Re: Storing SSN ... I know, I know

2009-05-11 Thread Phillip Vector

Watch out.. While you may be honorable and not do something like this,
there are plenty of people who would for the money. So make sure not
to piss off the clients too much.

On Mon, May 11, 2009 at 7:03 PM, C S wrote:
>
>> At first they were talking about doing a CSV download and upload, to
>> which I replied hell no.
>
> O.M.G.  You may as well display names and SSNs randomly on the home page as
> an ad banner.  But it sounds like you will need some social security numbers
> for testing.  I am sure the clients would be happy to provide theirs.
>
>
> 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:322399


Re: Storing SSN ... I know, I know

2009-05-11 Thread C S

> At first they were talking about doing a CSV download and upload, to 
> which I replied hell no.

O.M.G.  You may as well display names and SSNs randomly on the home page as an
ad banner.  But it sounds like you will need some social security numbers for
testing.  I am sure the clients would be happy to provide theirs.


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:322398


Re: Storing SSN ... I know, I know

2009-05-11 Thread Scott Slone

Use a command line encryption tool to encrypt via key before the
transfer. PGP has one called Command Line made for that very purpose.
http://www.pgp.com/products/commandline/servers/index.html


/scott


On May 11, 2009, at 6:16 PM, ColdFusion Developer wrote:

As for an admin area that lets them print the page --

They need to download and transmit the SSNs to their bank somehow. At  
first they were talking about doing a CSV download and upload, to  
which I replied hell no.

Any suggestions for this?


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:322397


Re: Storing SSN ... I know, I know

2009-05-11 Thread ColdFusion Developer

Thanks, Alan. This kind of info is exactly what I was looking for.

I've contacted my lawyer already; thank god I have a good one.

As for an admin area that lets them print the page --

They need to download and transmit the SSNs to their bank somehow. At first 
they were talking about doing a CSV download and upload, to which I replied 
hell no.

Any suggestions for this? 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:322396


Re: Storing SSN ... I know, I know

2009-05-11 Thread Alan Rother

Well... First off, DON'T DO IT!
That having been said, I would follow this plan:

   1. If you know an attorney or have one you trust, have them write up a
   contract that absolves you of any liability in this matter. Make the client
   sign it and have it notarized that they are aware of your concerns with
   storing highly sensitive personal information and that they bear the
   responsibility AND liability if any of this data is compromised.
   2. Make sure where this is going to be hosted is secure. Don't assume
   that even the best hosting providers are actually secure. I love
   Crystaltech, but I wouldn't assume their shared hosting plan is secure.
   3. In your database design, store the SSNs in a separate table from the
   rest of the personally identifiable data and make another table that cross
   references the two. Thus making it somewhat harder to tie the two tables
   together.
   4. IF you have enough control over the database, make the SSN table only
   accessible to a specific SQL User. Only use that user on queries that will
   need to hit that table. For that matter, don't have any actual queries hit
   that table, only Stored Procs.
   5. Don't name your tables or columns anything too obvious, like
   "tbl_SSN_lookup"
   6. ColdFusion has some good encryption options, the ones in 8 are better
   than the ones in 7. Don't use the default settings.
   7. I like blowfish or triple des. Don't ever tell anyone which one you
   used for this app.
      1. Heck, use both; encrypt the encrypted string...
   8. Don't use the same encryption key for each entry. Use a fixed set
   based on something clever like the day of the week the entry was created or
   the like.
   9. SSL, don't even think of not letting them have one.
   10. If there HAS to be a page on the admin site where you can SEE the
   SSN... cover your butt by putting a warning on the page that users should
   not print the page...
      1. If you have some JS skills, put some keystroke protection on the
      page that tries to block ctrl P. It won't really stop them, but it
      could be used as evidence in your favor that you tried to stop them
      from doing it.
   11. Don't agree to build an extract tool or API into the system that
   would allow access to the SSN table


That's all I can come up with right now, most of my ideas are pretty
paranoid, but there is some risk to you, legally speaking, if anything
happens to this data. So, be paranoid.

=]

-- 
Alan Rother
Adobe Certified Advanced ColdFusion MX 7 Developer
Manager, Phoenix Cold Fusion User Group, AZCFUG.org


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:322392


RE: Storing SSN ... I know, I know

2009-05-11 Thread William Seiter

I would suggest you contact the banks/financial companies that your client
is working with.  Ask them what their encryption requirements are for SSNs.
If they don't have one, then you can use any system that you like, I prefer
ones that have variable seeds to them, but that is just me.
If they do have a specific requirement, post back here so we can help you
figure out a good method that adheres to their requirements.

William

-----Original Message-----
From: ColdFusion Developer [mailto:cfdev...@gmail.com] 
Sent: Monday, May 11, 2009 5:19 PM
To: cf-talk
Subject: Storing SSN ... I know, I know


What's a best practice for securely storing a social security number? I've
talked myself blue trying to talk my client out of doing this, but the bank
he's working with for this project absolutely, positively cannot process his
transactions without the SSNs of our users (most of the businesses they work
with are payroll companies with secure internal data storage, not a
public-facing site like his will be).

What would you all recommend as a process/method for storing this info in
the most secure way possible? Most of what I've read just says
"encrypt/decrypt it in the database and you're fine" -- but I'm not so sure
that's the best course.

Thanks in advance! 



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:322391


Storing SSN ... I know, I know

2009-05-11 Thread ColdFusion Developer

What's a best practice for securely storing a social security number? I've 
talked myself blue trying to talk my client out of doing this, but the bank 
he's working with for this project absolutely, positively cannot process his 
transactions without the SSNs of our users (most of the businesses they work 
with are payroll companies with secure internal data storage, not a 
public-facing site like his will be).

What would you all recommend as a process/method for storing this info in the 
most secure way possible? Most of what I've read just says "encrypt/decrypt it 
in the database and you're fine" -- but I'm not so sure that's the best course.

Thanks in advance! 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:322390