{"id":221,"date":"2008-03-16T23:01:34","date_gmt":"2008-03-17T07:01:34","guid":{"rendered":"http:\/\/cubist.cs.washington.edu\/Security\/2008\/03\/16\/security-review-credit-cards-stored-in-company-databases\/"},"modified":"2008-03-16T23:03:22","modified_gmt":"2008-03-17T07:03:22","slug":"security-review-credit-cards-stored-in-company-databases","status":"publish","type":"post","link":"https:\/\/secblog.cs.washington.edu\/Security\/2008\/03\/16\/security-review-credit-cards-stored-in-company-databases\/","title":{"rendered":"Security Review: credit cards stored in company databases"},"content":{"rendered":"<p>Summary:<\/p>\n<p>It is now very common to do business with companies that will by default (or even as a requirement to patronize) permanently store credit card and associated personal information in a database to help speed up future transactions or insure them against liability.  While this practice can sometimes be a convenience to consumers, it is worth exploring how it is a general security risk.<\/p>\n<p>Assets:<\/p>\n<ul>\n<li>The confidentiality of credit card and personal information within the database. Only authorized individuals should be able to access it, and it should be stored in a secure manner on disk.<\/li>\n<li>The availability of the credit card number if it is needed or depended on by a patron (say for something like Amazon\u2019s One Click service).<\/li>\n<\/ul>\n<p>Adversaries:<\/p>\n<ul>\n<li>Employees of a company who may use your personal information for their own gain. At a video store, they may do something like shift their own late fees onto your credit card.<\/li>\n<li>Outsiders who would try to retrieve your credit card or personal information.  
This might include people who would physically steal machines or people who would use social engineering techniques to retrieve your credit card from an unsuspecting employee.<\/li>\n<\/ul>\n<p>Weaknesses:<\/p>\n<ul>\n<li>The employee who is the gatekeeper of the personal information is most likely not trained with security in mind and might therefore be likely to give up your personal information without proper verification.<\/li>\n<li>The information will most likely be viewable by more than just the person who has to access it.<\/li>\n<\/ul>\n<p>Defenses:<\/p>\n<ul>\n<li>The ultimate defense to protect oneself would be to stay \u201coff the grid\u201d so that there wouldn\u2019t be any concern about private data getting into the wrong hands.  Doing this, however, is becoming increasingly difficult and impractical for most people.<\/li>\n<li>Being vigilant about credit card information.  This involves auditing one\u2019s credit card bill each month to make sure that no unauthorized charges were made.<\/li>\n<li>Being mindful of anything that may suggest someone is trying to use your personal information or impersonate you.  It\u2019s possible that what looks like a phishing attack (mail from the bank) is actually an indication that someone has acquired personal information and is trying to use it.<\/li>\n<\/ul>\n<p>Risk Analysis:<\/p>\n<p>There is a very real risk that personal information will be compromised when stored in companies\u2019 databases.  Perhaps the most interesting threats are those waged by adversaries who pursue a social engineering route.  There is an interesting incident recounted in Kevin Mitnick\u2019s book \u201cThe Art of Deception\u201d (google \u201cart deception filetype:pdf\u201d p. 
47) where a son is able to get his father\u2019s credit card number from a video store in a matter of minutes without leveraging his relationship or anything personal about his father.<\/p>\n<p>Conclusion:<\/p>\n<p>The only practical approach consumers can take to limiting the risks that go with having credit card information in company databases (other than opting out altogether) is to be vigilant in recognizing when information might have been compromised.  As consumers we have a broad range of choices to make when patronizing businesses, and ultimately the most important thing to do is to recognize one\u2019s own habits and assess the threats accordingly.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Summary: It is now very common to do business with companies that will by default (or even as a requirement to patronize) permanently store credit card and associated personal information in a database to help speed up future transactions or &hellip; <a href=\"https:\/\/secblog.cs.washington.edu\/Security\/2008\/03\/16\/security-review-credit-cards-stored-in-company-databases\/\">Continue reading <span 
class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":41,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"class_list":["post-221","post","type-post","status-publish","format-standard","hentry","category-security-reviews"],"_links":{"self":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/221","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/users\/41"}],"replies":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/comments?post=221"}],"version-history":[{"count":0,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/221\/revisions"}],"wp:attachment":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/media?parent=221"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/categories?post=221"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/tags?post=221"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}