-
06-29-2005, 03:23 PM #1 Junior Guru
- Join Date
- Apr 2004
- Posts
- 181
How safe is ModernBill for credit card storage?
Hi there,
I am considering using PsiGate as my credit card processor, but I'm REALLY paranoid about storing the credit cards myself.
There are many exploits out there for older versions of ModernBill, and to be honest it's not a product I trust in terms of security. Now, correct me if I'm wrong, but a decent hacker who gets database access will eventually be able to decrypt all the clients' credit card info.
Why? Because they are protected by a 4-digit PIN, and credit card numbers can be verified using a simple algorithm. Once the encrypted hash is downloaded, the hacker can run a brute-force crack attack on the hash until it reveals a valid credit card number. Since the PIN is only 4 digits, it won't take long. Am I wrong? And what precautions do you take? Is it worth it to store the credit cards yourself or should I go with a system that stores it for me like WorldPay?
-
06-29-2005, 03:51 PM #2 Junior Guru Wannabe
- Join Date
- Mar 2002
- Posts
- 91
Just for the record, ModernBill has the ability to store an LEKHash & LEKPin (the 4-digit PIN cyman is referring to). If you enable LEK, you are able to run ModernBill in a 100% automated mode.
However, by default, LEK is disabled. When disabled, you (the ModernBill Admin) have to enter your encryption key each and every time you want to process a batch of credit cards or do anything credit card related. By far, this is the most secure way to run your ModernBill and the way it was designed to run from the very beginning.
With both options available, it is really up to the ModernBill Admin which method they choose to use. While LEK may be good if you want 100% automation, not using LEK may offer you a better night's sleep (but you have to log in and enter your encryption key to run the daily batch).
Hope this helps.
ModernBill
Web Host Billing Software
www.ModernBill.com
-
06-29-2005, 03:57 PM #3 Junior Guru
- Join Date
- Apr 2004
- Posts
- 181
Uh, I don't think you understood what I was saying...
ModernBill still doesn't provide protection, so far as I can tell.
A 4-digit code isn't going to stop someone from decrypting your credit cards, whether the code is stored in ModernBill or not. Read my first post for details.
So I am mistaken with ModernBill? Is it safe? Or is it worth the risk?
-
06-29-2005, 04:10 PM #4 Junior Guru Wannabe
- Join Date
- Mar 2002
- Posts
- 91
>> A 4-digit code isn't going to stop someone from decrypting your credit cards, whether the code is stored in ModernBill or not. Read my first post for details.
Yes, I reread your post. Let me clear that up for you...
1) The LEK PIN itself does not have anything to do with the actual credit card encryption. I cannot explain more without giving away the formula, but in short, the LEK PIN is only one piece of the master key and each customer has a unique master key.
2) When LEK is disabled, the encryption key you use manually can be up to 4000 characters long. Even with that long manual key, it is still just a portion of the master key and each customer has a unique master key.
I am sorry I cannot go into details about the actual formula to create a unique key for every client.
>> So I am mistaken with ModernBill? Is it safe? Or is it worth the risk?
We will let others answer this question for you as our answer would be biased of course.
Again, hope this helps ... I will now step aside and let others respond. If you wish to know more, create a ticket and I (we) would be happy to assist.
Thank you.
ModernBill
Web Host Billing Software
www.ModernBill.com
-
06-29-2005, 06:29 PM #5 Junior Guru
- Join Date
- Apr 2004
- Posts
- 181
hmmm... that actually does sound a little more secure, since each customer has his/her own master key. Therefore, it stops someone from downloading the hashes, registering ModernBill (or the demo) and using the algorithm....
Where is the master key located though? Is it data that is downloaded securely (and then deleted) from a ModernBill server, or is it stored on the same computer?
-
06-29-2005, 11:51 PM #6 Mr Unmetered
- Join Date
- Jul 2001
- Location
- Melbourne, AU
- Posts
- 1,392
Originally posted by cyman
>> Where is the master key located though? Is it data that is downloaded securely (and then deleted) from a ModernBill server, or is it stored on the same computer?
SERVSTRA | THE ENTERPRISE CLOUD SERVER & DEDICATED SERVER SPECIALISTS
China-priority network - fastest route to mainland China
14 world wide locations to choose from!
-
06-30-2005, 12:40 AM #7 Web Hosting Master
- Join Date
- Feb 2004
- Location
- Southern California
- Posts
- 751
Well even if someone somehow was able to get your database of credit cards, and you were smart enough to encrypt it with TripleDES(MB supports this), then the hackers would still have quite a little journey before they found any information.
From some security site I cannot remember the name of:
At a rate of one million keys per second, an exhaustive search of 2^112 keys would require about 1.65*10^20 years to complete. Since the universe is estimated to be only about 10^10 years old, that is probably long enough for most purposes.
SkyLineHost.com
Shared hosting that soars above the competition
Based in Los Angeles. sales@skylinehost.com
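The two key-space figures this thread compares (the 4-digit PIN from post #1 and the 2^112 exhaustive search quoted in post #7) put side by side in an added worked example. This is not code from any poster or from ModernBill; it assumes the one-million-guesses-per-second rate quoted above, uses the public Luhn check-digit algorithm as the "simple algorithm" post #1 alludes to, and the key-stretching factor is a hypothetical illustration of why stretching alone does not rescue a PIN-sized secret.

```python
import math

# Assumed attacker guess rate: the figure quoted in post #7 (constructed assumption).
GUESSES_PER_SECOND = 1_000_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def luhn_valid(number: str) -> bool:
    """Luhn check-digit test (ISO/IEC 7812), the public 'simple algorithm'
    post #1 mentions. A string that fails it cannot be a real card number,
    which is why a short secret protecting card data is easy to recognise
    as wrong or right without any further information."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    # Walk right to left; double every second digit and fold >9 back to one digit.
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def years_to_exhaust(keyspace: int, rate: float = GUESSES_PER_SECOND,
                     stretch: int = 1) -> float:
    """Years needed to try every key at `rate` guesses per second.
    `stretch` is a hypothetical key-stretching factor (e.g. KDF iterations)
    that multiplies the cost of each guess."""
    return keyspace * stretch / rate / SECONDS_PER_YEAR


def effective_bits(keyspace: int) -> float:
    """Key space expressed as bits of entropy."""
    return math.log2(keyspace)


def compare() -> dict:
    """The thread's numbers side by side, in years at the quoted rate."""
    return {
        "pin_4_digits": years_to_exhaust(10 ** 4),
        # 100k iterations of stretching: constructed illustrative figure
        "pin_4_digits_stretched_100k": years_to_exhaust(10 ** 4, stretch=100_000),
        "tdes_2_112": years_to_exhaust(2 ** 112),
    }


if __name__ == "__main__":
    for name, years in compare().items():
        print(f"{name:28s} {years:.3e} years")
    print(f"4-digit PIN: {effective_bits(10 ** 4):.1f} bits of entropy vs 112 bits for 3DES")
    print("Luhn check on the well-known test number 4111111111111111:",
          luhn_valid("4111111111111111"))
```

The point the numbers make is the one post #12 later states in words: the cipher's key length is irrelevant when the only secret an attacker has to guess is 10^4 possibilities, and even a 100,000-fold stretching factor turns a fraction of a second into minutes, not universe lifetimes.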
-
06-30-2005, 01:02 PM #8 Junior Guru
- Join Date
- Apr 2004
- Posts
- 181
Umm... but we are not talking a direct brute force attack. We are talking about ways of obtaining the master key, then trying 9999 different combinations, which is nothing.
I'll ask ModernBill privately, though to be honest, the whole idea behind encryption systems is that it shouldn't be a secret. In previous decades, this is what got people into trouble. Some company would have a defeatable encryption method and then all it took was a good hacker or defecting employee to spill the beans on how it was done and the encryption became vulnerable. If a company keeps its encryption methods secret, it means there is likely a way to defeat that encryption. That is why all standard encryption protocols are open architecture.
We know, for example, how strong SSL encryption is because it's an open standard, and the way that it is used is well documented. No one is afraid for it to be open architecture because we know it's a secure method. The only time we don't want people to know how the encryption system works is when we aren't sure exactly how secure the encryption system is.
I mean, if ModernBill's encryption method can't be defeated within 2 UL's (Universe Lifetimes) then what's the big deal in releasing how the encryption works? It can't be decrypted anyhow so there should be no risk.
-
07-01-2005, 12:27 PM #9 Web Hosting Master
- Join Date
- Dec 2002
- Posts
- 1,304
>> I am sorry I cannot go into details about the actual formula to create a unique key for every client.
I agree with the previous poster. If you think that your 'uber-secret' algorithm is so wonderful it cannot be published, chances are that in reality it is probably either a re-implementation of an open-source solution, or a poor attempt at a proprietary one.
"The only difference between a poor person and a rich person is what they do in their spare time."
"If youth is wasted on the young, then retirement is wasted on the old"
-
07-01-2005, 10:05 PM #10 Web Hosting Guru
- Join Date
- Jul 2004
- Posts
- 329
ModernBill is very secure!
-
07-02-2005, 11:35 AM #11 Web Hosting Master
- Join Date
- Aug 2003
- Location
- USA
- Posts
- 1,036
Yes, as mentioned, if you have mcrypt enabled you can make use of TripleDES encryption, a great, secure standard.
CybexHost.com - Shared and Reseller Hosting Solutions on cPanel/WHM Linux Servers
ModernTweak.com - Discount ModernBill Licenses, Hosted Installations, and Professional Services
:: Pay for your discount ModernBill license with PayPal
:: admin[at]cybexhost.com :: AIM: CybexH
-
07-02-2005, 11:49 AM #12 Web Hosting Master
- Join Date
- Dec 2002
- Posts
- 1,304
Think for a moment about the big picture. It doesn't matter in the slightest how secure T-DES is (BTW, the new standard is AES, not Triple DES) if the decryption key is stored on the server.
So the question again returns to: using 'LEK', what becomes of the decryption key? Bottom line, if it's stored on the server, your credit card numbers might as well be stored in plaintext.
"The only difference between a poor person and a rich person is what they do in their spare time."
"If youth is wasted on the young, then retirement is wasted on the old"
-
07-07-2005, 07:54 PM #13 Newbie
- Join Date
- Jul 2004
- Posts
- 17
MBAdmin, good to see you participating in these fora. Perhaps you could address another ModernBill security issue that was posted a while ago?
http://www.webhostingtalk.com/showth...hreadid=394749