
Re: Encrypted bank account info



On Fri, Mar 5, 2010 at 2:12 PM, David A. Bandel <..hidden..> wrote:
> On Fri, Mar 5, 2010 at 16:54, Chris Travers <..hidden..> wrote:
>> Hi all;
>>
>> I was reviewing the requirements for 1.3 from a security perspective
>> and thinking we really should encrypt customer/vendor bank account
>> info.  If nothing else, I think this should be in a recommended add-on
>> if not in the main branch.
>
> Encrypt what?  Transmission to the web browser (done if using https)?
> Transmission from web server to psql database (PgSQL supports SSL, but
> I hardly worry in the case where PG is on the same server as the web
> server)? DB storage?

DB storage.
>
> If DB storage, what do you do about transaction logging?

Presumably the transaction would log the encrypted value.  I can see
a lot of possible ways to do this and none are pretty.

>
> I hear you, but this could get ugly.  Anyway, I'm more concerned if
> someone breaks into my server and the resultant damage than that of
> someone stealing some bank account numbers.  I hope the data in the
> database only allows deposits and not withdrawals.  Online CC payments
> should require use of the CVV and hopefully that is not stored.

If the CVV (card present) or CVV2 (card not present) values are
stored, you have major issues, which is why credit card merchants are
not allowed in their contracts to store these numbers.  Honestly, I
wouldn't store credit card numbers unless I absolutely needed them and
had a lot of money to absolutely ensure compliance with all necessary
regulations at all times.....

However, I am worried about the fact that we even allow bank account
numbers to be stored and I don't see how this info would be sufficient
to restrict to deposits only.  Certainly it would be sufficient to set
up ACH withdrawals, etc.

My current thinking was to either:

1)  Encrypt a system key with user's password.  Rotate as needed, or
2)  Encrypt a system key with a system password.

Interested on folks' thoughts on the matter.  At any point, I can't
imagine a way to do this such that an individual who obtains root
access on both db and web servers would not be able to attack the
storage without attacking the encryption itself.  But done correctly,
it might substantially raise the bar.

Best wishes,
Chris Travers
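Option 1 above, worked through as an added example that is not code from the project under discussion (Ruby with only the standard OpenSSL bindings; the class and method names are my own): a random system key seals each bank account number, and the only stored copy of that key is wrapped under a PBKDF2 key derived from the user's password, so a password change re-wraps the key without touching the encrypted rows.

```ruby
require 'openssl'

class AccountVault
  KDF_ITERS = 200_000
  def initialize(password)
    @salt = OpenSSL::Random.random_bytes(16)
    @wrapped_key = aead_seal(kek(password), OpenSSL::Random.random_bytes(32))
    @rows = {} # record id => sealed account number (all the DB and its logs ever see)
  end

  # Encrypt an account number under the system key; the caller presents the password each time.
  def store(password, id, account_number)
    @rows[id] = aead_seal(system_key(password), account_number)
  end
  def load(password, id)
    aead_open(system_key(password), @rows.fetch(id))
  end
  # Password rotation re-wraps only the system key; the encrypted rows are untouched.
  def rotate_password(old_password, new_password)
    sys = system_key(old_password)
    @salt = OpenSSL::Random.random_bytes(16)
    @wrapped_key = aead_seal(kek(new_password), sys)
  end

  private
  # Wrong password => wrong KEK => GCM tag check fails with OpenSSL::Cipher::CipherError.
  def system_key(password)
    aead_open(kek(password), @wrapped_key)
  end
  def kek(password)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: @salt, iterations: KDF_ITERS, length: 32, hash: 'sha256')
  end

  # AES-256-GCM with a fresh random nonce; blob layout is nonce(12) || tag(16) || ciphertext.
  def aead_seal(key, plaintext)
    c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    c.key = key
    nonce = c.random_iv
    ct = c.update(plaintext) + c.final
    nonce + c.auth_tag + ct
  end
  def aead_open(key, blob)
    c = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    c.key = key
    c.iv, c.auth_tag = blob[0, 12], blob[12, 16]
    c.update(blob[28..-1]) + c.final
  end
end
```

Rotating the system key itself ("rotate as needed") still means re-sealing every row under the new key, and a process holding root on both servers can wait for a user to present the password and read the unwrapped key from memory, which is the limit the post above describes.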