  1. #1
    Join Date
    Apr 2004
    Posts
    181

    How safe is ModernBill for credit card storage?

    Hi there,

    I am considering using PsiGate as my credit card processor, but I'm REALLY paranoid about storing the credit cards myself.

    There are many exploits out there for older versions of ModernBill, and to be honest it's not a product I trust in terms of security. Now, correct me if I'm wrong, but a decent hacker who gets database access will eventually be able to decrypt all the clients' credit card info.

    Why? Because they are protected by a 4-digit pin, and credit card numbers can be verified using a simple algorithm. Once the encrypted hash is downloaded, the hacker can run a brute-force crack attack on the hash until it reveals a valid credit card number. Since the PIN is only 4 digits, it won't take long. Am I wrong? And what precautions do you take? Is it worth it to store the credit cards yourself or should I go with a system that stores it for me like WorldPay?

  2. #2
    Just for the record, ModernBill has the ability to store an LEKHash & LEKPin (the 4-digit pin cyman is referring to). If you enable LEK, you are able to run ModernBill in a 100% automated mode.

    However, by default, LEK is disabled. When disabled, you (the ModernBill Admin) have to enter your encryption key each and every time you want to process a batch of credit cards or do anything credit card related. By far, this is the most secure way to run your ModernBill and the way it was designed to run from the very beginning.

    With both options available, it is really up to the ModernBill Admin which method they choose to use. While LEK may be good if you want 100% automation, not using LEK may offer you a better night's sleep (but you have to log in and enter your encryption key to run the daily batch).

    Hope this helps.
    ModernBill
    Web Host Billing Software
    www.ModernBill.com

  3. #3
    Join Date
    Apr 2004
    Posts
    181
    Uh, I don't think you understood what I was saying...

    ModernBill still doesn't provide protection, so far as I can tell.
    A 4-digit code isn't going to stop someone from decrypting your credit cards, whether the code is stored in ModernBill or not. Read my first post for details.

    So I am mistaken with ModernBill? Is it safe? Or is it worth the risk?

  4. #4
    >> A 4-digit code isn't going to stop someone from decrypting your credit cards, whether the code is stored in ModernBill or not. Read my first post for details.

    Yes, I reread your post. Let me clear that up for you...

    1) The LEK Pin itself does not have anything to do with the actual credit card encryption. I cannot explain more without giving away the formula, but in short, the LEK Pin is only one piece of the master key and each customer has a unique master key.

    2) When LEK is disabled, the encryption key you use manually can be up to 4000 characters long. Even with that long manual key, it is still just a portion of the master key and each customer has a unique master key.

    I am sorry I can not go into details about the actual formula to create a unique key for every client.

    >> So I am mistaken with ModernBill? Is it safe? Or is it worth the risk?

    We will let others answer this question for you as our answer would be biased of course.

    Again, hope this helps ... I will now step aside and let others respond. If you wish to know more, create a ticket and I (we) would be happy to assist.

    Thank you.
    ModernBill
    Web Host Billing Software
    www.ModernBill.com

  5. #5
    Join Date
    Apr 2004
    Posts
    181
    hmmm... that actually does sound a little more secure, since each customer has his/her own master key. Therefore, it stops someone from downloading the hashes, registering modernbill (or the demo) and using the algorithm....

    Where is the master key located tho? Is it data that is downloaded securely (and then deleted) from a ModernBill server, or is it stored on the same computer?

  6. #6
    Join Date
    Jul 2001
    Location
    Melbourne, AU
    Posts
    1,392
    Originally posted by cyman

    Where is the master key located tho? Is it data that is downloaded securely (and then deleted) from a ModernBill server, or is it stored on the same computer?
    I think it might be best if you ask MB this directly in private.
    SERVSTRA | THE ENTERPRISE CLOUD SERVER & DEDICATED SERVER SPECIALISTS
    China Priority Network - the fastest route to mainland China
    14 world wide locations to choose from!

  7. #7
    Join Date
    Feb 2004
    Location
    Southern California
    Posts
    751
    Well, even if someone somehow was able to get your database of credit cards, and you were smart enough to encrypt it with TripleDES (MB supports this), then the hackers would still have quite a little journey before they found any information.

    From some security site I cannot remember the name of:
    At a rate of one million keys per second, an exhaustive search of 2^112 keys would require about 1.65*10^20 years to complete. Since the universe is estimated to be only about 10^10 years old, that is probably long enough for most purposes.
    So your data is safe.
    SkyLineHost.com
    ▓ ▓ Shared hosting that soars above the competition
    ▓ ▓ ▓ Based in Los Angeles. sales@skylinehost.com

  8. #8
    Join Date
    Apr 2004
    Posts
    181
    Umm... but we are not talking a direct brute force attack. We are talking about ways of obtaining the master key, then trying 9999 different combinations, which is nothing.
    I'll ask ModernBill privately, tho to be honest, the whole idea behind encryption systems is that it shouldn't be a secret. In previous decades, this is what got people into trouble. Some company would have a defeatable encryption method and then all it took was a good hacker or defect employee to spill the beans of how it was done and the encryption became vulnerable. If a company keeps its encryption methods secret, it means there is likely a way to defeat that encryption. That is why all standard encryption protocols are open architecture.

    We know, for example, how strong SSL encryption is because it's an open standard, and the way that it is used is well documented. No one is afraid for it to be open architecture because we know it's a secure method. The only time we don't want people to know how the encryption system works is when we aren't sure exactly how secure the encryption system is.

    I mean, if ModernBill's encryption method can't be defeated within 2 UL's (Universe Lifetimes) then what's the big deal in releasing how the encryption works? It can't be decrypted anyhow so there should be no risk.
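
    The arithmetic behind posts #1, #7 and #8, as an added example (not code from the thread or from ModernBill): the 2^112 figure quoted in #7 at one million keys per second does come out at about 1.65*10^20 years, but a key whose only secret part is a 4-digit PIN has 10^4 candidates and is exhausted in a hundredth of a second at the same rate. The Luhn check is the "simple algorithm" #1 refers to: it lets a correct decryption be recognised without any other oracle, which is why a small secret cannot be rescued by keeping the formula private. The one-million-keys-per-second rate and the 100,000-iteration KDF are assumptions taken from the thread and for illustration respectively.

    ```python
    import math

    SECONDS_PER_YEAR = 365.25 * 24 * 3600


    def luhn_valid(number: str) -> bool:
        """Luhn check-digit test for a card number given as a digit string.

        Public card numbers carry this checksum, so roughly 1 in 10 random
        digit strings passes; a decryption that yields a Luhn-valid string of
        plausible length is almost certainly the right one.
        """
        digits = [int(c) for c in number if c.isdigit()]
        if not 13 <= len(digits) <= 19:
            return False
        total = 0
        for i, d in enumerate(reversed(digits)):
            if i % 2 == 1:            # double every second digit from the right
                d *= 2
                if d > 9:
                    d -= 9
            total += d
        return total % 10 == 0


    def exhaust_years(keyspace: float, keys_per_second: float,
                      kdf_iterations: int = 1) -> float:
        """Years to try every key in `keyspace` at `keys_per_second`, when each
        trial first costs `kdf_iterations` hash operations (key stretching only
        multiplies the cost; it does not enlarge the keyspace)."""
        return keyspace * kdf_iterations / keys_per_second / SECONDS_PER_YEAR


    def pin_keyspace(digits: int) -> int:
        """A secret that is only a numeric PIN has 10**digits candidates."""
        return 10 ** digits


    def triple_des_effective_keyspace() -> int:
        """Effective 3DES strength (2^112) used in the figure quoted in post #7."""
        return 2 ** 112


    def compare(keys_per_second: float = 1e6) -> dict:
        """Exhaustive-search time, in years, for the secrets discussed in the thread.
        Assumed rate: the one million keys per second from post #7."""
        return {
            "4-digit PIN": exhaust_years(pin_keyspace(4), keys_per_second),
            "4-digit PIN behind a 100k-iteration KDF (assumed)":
                exhaust_years(pin_keyspace(4), keys_per_second, 100_000),
            "3DES, 2^112 keys": exhaust_years(triple_des_effective_keyspace(),
                                              keys_per_second),
        }


    def universe_lifetimes(years: float, universe_age_years: float = 1e10) -> float:
        """The 'UL' unit from post #8, using the 10^10-year age quoted in post #7."""
        return years / universe_age_years


    if __name__ == "__main__":
        for label, years in compare().items():
            print(f"{label:50s} {years:.3e} years "
                  f"({universe_lifetimes(years):.2e} UL)")
        print("4111111111111111 Luhn-valid:", luhn_valid("4111111111111111"))
    ```

    The point the table makes is the one #8 makes in words: stretching a PIN with a KDF turns a hundredth of a second into minutes, not universe lifetimes, so the security of the stored data rests entirely on where the rest of the key material lives.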

  9. #9
    >> I am sorry I can not go into details about the actual formula to create a unique key for every client.
    I am sorry, haven't we all learned by now in 2005 that security by obscurity is not only stupid and ridiculous, but simply DOESN'T WORK?

    I agree with the previous poster. If you think that your 'uber-secret' algorithm is so wonderful it cannot be published, chances are that in reality it is probably either a re-implementation of an open-source solution, or a poor attempt at a proprietary one.
    "The only difference between a poor person and a rich person is what they do in their spare time."
    "If youth is wasted on the young, then retirement is wasted on the old"

  10. #10
    Join Date
    Jul 2004
    Posts
    329
    modernbill is very secure!

  11. #11
    Join Date
    Aug 2003
    Location
    USA
    Posts
    1,036
    Yes, as mentioned, if you have mcrypt enabled you can make use of TripleDES encryption, a great, secure standard.
    CybexHost.com - Shared and Reseller Hosting Solutions on cPanel/WHM Linux Servers
    ModernTweak.com - Discount ModernBill Licenses, Hosted Installations, and Professional Services
    :: Pay for your discount ModernBill license with PayPal
    :: admin[at]cybexhost.com :: AIM: CybexH

  12. #12
    Think for a moment about the big picture. It doesn't matter in the slightest how secure T-DES is (BTW, the new standard is AES, not triple DES) if the decryption key is stored on the server.

    So the question again returns to, using 'LEK' what becomes of the decryption key? Bottom line, if it's stored on the server, your credit card numbers might as well be stored in plaintext.
    "The only difference between a poor person and a rich person is what they do in their spare time."
    "If youth is wasted on the young, then retirement is wasted on the old"
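
    The two deployment patterns #2 and #12 are arguing about, as an added example that is not ModernBill's code and does not reproduce its key formula: in the automated ("LEK on disk") pattern the key file sits beside the ciphertext, so a copy of the server's files decrypts every card; in the manual pattern only a salt and ciphertext are on disk, and the key is derived from the operator's passphrase for the duration of a batch run. The stream cipher is a constructed HMAC-SHA256 counter-mode stand-in for the TripleDES/AES a real install would use (standard library only, no integrity protection, not for production); the class names, file names and the PBKDF2 iteration count are illustrative assumptions.

    ```python
    import hashlib
    import hmac
    import secrets
    from typing import Dict, Optional


    def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
        """Constructed stand-in cipher: HMAC-SHA256(key, nonce || counter) blocks."""
        out = b""
        counter = 0
        while len(out) < length:
            out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
            counter += 1
        return out[:length]


    def encrypt(key: bytes, plaintext: bytes) -> bytes:
        nonce = secrets.token_bytes(16)
        ks = _keystream(key, nonce, len(plaintext))
        return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


    def decrypt(key: bytes, blob: bytes) -> bytes:
        nonce, ciphertext = blob[:16], blob[16:]
        ks = _keystream(key, nonce, len(ciphertext))
        return bytes(c ^ k for c, k in zip(ciphertext, ks))


    def derive_key(passphrase: str, salt: bytes, iterations: int = 100_000) -> bytes:
        """Stretch the operator's passphrase into a 256-bit key (PBKDF2-HMAC-SHA256).
        Iteration count is an assumption for illustration."""
        return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                                   iterations, dklen=32)


    class ServerStoredKeyStore:
        """Automated pattern: the decryption key is a file on the same box as the data.
        `files` stands in for the server's filesystem."""

        def __init__(self) -> None:
            self.files: Dict[str, object] = {"lek.key": secrets.token_bytes(32),
                                             "cards.db": {}}

        def store_card(self, customer: str, pan: str) -> None:
            self.files["cards.db"][customer] = encrypt(self.files["lek.key"], pan.encode())

        def run_batch(self) -> Dict[str, str]:
            # Fully automated: nobody has to type anything, because the key is on disk.
            key = self.files["lek.key"]
            return {c: decrypt(key, ct).decode() for c, ct in self.files["cards.db"].items()}


    class OperatorKeyStore:
        """Manual pattern: only a KDF salt and ciphertext are on disk; the key exists
        in memory only while the operator's passphrase is supplied for a batch."""

        def __init__(self) -> None:
            self.files: Dict[str, object] = {"kdf.salt": secrets.token_bytes(16),
                                             "cards.db": {}}

        def store_card(self, passphrase: str, customer: str, pan: str) -> None:
            key = derive_key(passphrase, self.files["kdf.salt"])
            self.files["cards.db"][customer] = encrypt(key, pan.encode())

        def run_batch(self, passphrase: str) -> Dict[str, str]:
            key = derive_key(passphrase, self.files["kdf.salt"])
            return {c: decrypt(key, ct).decode() for c, ct in self.files["cards.db"].items()}


    def recoverable_from_disk_copy(files: Dict[str, object]) -> Optional[Dict[str, str]]:
        """What a copy of the server's files alone yields, which is #12's test:
        with the key on disk, every card; without it, nothing but ciphertext."""
        if "lek.key" not in files:
            return None
        key = files["lek.key"]
        return {c: decrypt(key, ct).decode() for c, ct in files["cards.db"].items()}


    if __name__ == "__main__":
        automated = ServerStoredKeyStore()
        automated.store_card("cust-1", "4111111111111111")      # constructed test PAN
        print("automated store, disk copy yields:", recoverable_from_disk_copy(automated.files))

        manual = OperatorKeyStore()
        manual.store_card("operator passphrase", "cust-1", "4111111111111111")
        print("manual store, disk copy yields:", recoverable_from_disk_copy(manual.files))
        print("manual store, batch with passphrase:", manual.run_batch("operator passphrase"))
    ```

    Run it and the first pattern prints the card number from the file copy alone while the second prints `None`; that difference is the whole of #12's point, and it holds regardless of whether the cipher is this toy, TripleDES or AES. The manual pattern moves the question to how much entropy the passphrase has and how it is handled during the batch, which is what the rest of the thread is about.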

  13. #13
    MBAdmin, good to see you participating in these fora. Perhaps you could address another ModernBill security issue that was posted a while ago?
    http://www.webhostingtalk.com/showth...hreadid=394749
