Cryptographic hash functions seem to be an ideal method for protecting and securely storing credit card numbers in e-commerce and payment applications. A hash function generates a secure, one-way digital fingerprint that is irreversible and meets frequent business requirements for searching and matching of card numbers. However, due to the predictability of credit card numbers and common business requirements in processing credit cards, e-commerce and payment applications may implement such hashing of card numbers in an unsafe manner that allows an attacker to obtain a large percentage of card numbers by brute forcing compromised hashes in a matter of hours. This paper is an analysis of actual application practices for storing of credit card number hashes and a review of brute force attack methods against such hashes. The impetus for this paper was identification of this issue during multiple application security assessments. The objective is to highlight the weakness of common credit card hashing techniques and to educate application architects and programmers on the issues of storing credit card numbers as hashes.

Encryption, PCI, IT Security, Whitepaper