Hashing Credit Card Numbers: Unsafe Application Practices

Cryptographic hash functions seem to be an ideal method for protecting and securely storing credit card numbers in ecommerce and payment applications. A hash function generates a secure, one-way digital fingerprint that is irreversible and meets frequent business requirements for searching and matching of card numbers. However, due to the predictability of credit card numbers and common business requirements in processing credit cards, ecommerce and payment applications may implement such hashing of card numbers in an unsafe manner that allows an attacker to obtain a large percentage of card numbers by brute forcing compromised hashes in a matter of hours.

To provide more information on this issue, Integrigy has released a whitepaper that is an analysis of actual application practices for storing of credit card number hashes and a review of brute force attack methods against such hashes.  The impetus for this paper was identification of this issue during multiple application security assessments.

The bottom-line is that storing of credit card numbers by simply hashing only the card number is unacceptable and can be easily compromised by brute force methods. An attacker who is able to compromise the application or database can obtain many card numbers in a trivial amount of time –

• If only the hashed card number is available, it is actually practical to obtain all 14 and 15 digital card number hashes in less than thirteen days.
• If only the hashed card number is stored, an attacker can potentially obtain 30-70% of all card numbers within a matter of hours by intelligently focusing on the most popular card brands and issuing banks.

• If the Prefix 6 + Last 4 digits are known, all card numbers can be obtained in less than 2 hours.

Application developers can not rely on simple hashing methods and must build-in protections against such brute force attacks on compromised card numbers.

Whitepaper: Hashing Credit Card Numbers: Unsafe Application Practices