WebApp Sec mailing list archives
Re: storing SSNs, CCNs, password in the DB
From: "Andrew van der Stock" <vanderaj () greebo net>
Date: Mon, 28 Feb 2005 15:25:57 +1100 (EST)
Francesco said:
It's for a web-based financial application (users accessing credit-card transaction information, signing in with their card number, PIN and last 4 of SSN) so we pretty much *have* to have that information in the DB to compare at logon.
Unless you're the employer of these people, proving welfare services, or require the SSN for mandated government reporting you must NOT collect or use the SSN for authentication purposes as you can't repurpose the collection from its primary purpose. The SSN is also available in many semi-public ways, so it's not a good authenticator and is officially frowned upon. http://www.ssa.gov/pubs/10064.html The card number is a poor account identifier as attackers can loop through your institution's BIN numbers and DoS lockout your application trivially. The CCV (the three digit validator) is ephemeral data only. You must not use this in a persistent way unless you are the issuing institution, and even then you should take appropriate steps to protect the confidentiality of this data. Try again. :) Andrew
Current thread:
- RE: ISA Server and SQL Injection, (continued)
- RE: ISA Server and SQL Injection Sebastien Deleersnyder (Feb 19)
- Re: ISA Server and SQL Injection Matthieu Estrade (Feb 19)
- RE: ISA Server and SQL Injection Ofer Shezaf (Feb 21)
- RE: ISA Server and SQL Injection Mark Curphey (Feb 21)
- Solutions, Results, and Comments - Was [ISA Server and SQL Injection] Jeremiah Grossman (Feb 23)
- Re: Solutions, Results, and Comments - Was [ISA Server and SQL Injection] David (Feb 23)
- Re: Solutions, Results, and Comments - Was [ISA Server and SQL Injection] Jeremiah Grossman (Feb 28)
- storing SSNs, CCNs, password in the DB Francesco (Feb 28)
- Re: storing SSNs, CCNs, password in the DB Adam Shostack (Feb 28)
- Re: storing SSNs, CCNs, password in the DB Francesco (Feb 28)
- Re: storing SSNs, CCNs, password in the DB Andrew van der Stock (Mar 01)
- Re: storing SSNs, CCNs, password in the DB Paul Johnston (Mar 01)
- Re: storing SSNs, CCNs, password in the DB Joseph Miller (Mar 01)
- Re: ISA Server and SQL Injection Matthieu Estrade (Feb 19)
- Re: storing SSNs, CCNs, password in the DB Alvin Oga (Mar 01)
- RE: ISA Server and SQL Injection Sebastien Deleersnyder (Feb 19)
- Re: Solutions, Results, and Comments - Was [ISA Server and SQL Injection] Jeff Williams (Feb 28)
- Re: Solutions, Results, and Comments - Was [ISA Server and SQL Injection] Jeremiah Grossman (Mar 01)
- Re: Solutions, Results, and Comments - Was [ISA Server and SQL Injection] Jeff Williams (Mar 01)
- Re: Solutions, Results, and Comments - Was [ISA Server and SQL Injection] Jeremiah Grossman (Mar 01)
- Re: Solutions, Results, and Comments - Was [ISA Server and SQL Injection] Jeff Williams (Mar 01)
- Re: ISA Server and SQL Injection Paul Johnston (Feb 23)
- RE: ISA Server and SQL Injection Mark Curphey (Feb 23)