Multiple Protocol Attacks
In 1997, I wrote about something called a chosen-protocol attack, where an attacker can use one protocol to break another. Here’s an example of the same thing in the real world: two different parking garages that mask different digits of credit cards on their receipts. Find two from the same car, and you can reconstruct the entire number.
I have to admit this puzzles me, because I thought there was a standard for masking credit card numbers. I only ever see all digits except the final four masked.
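The failure the post describes is not in either receipt on its own but in the union of what the two receipts reveal. The following Python is an added example (not code from the post or from any standard body) that models exactly that: it masks a PAN the conventional way, computes which digit positions each receipt leaves readable, and flags a set of receipts whose combined exposure exceeds a policy limit. The constant `MAX_VISIBLE_DIGITS = 4`, the `X` mask character, the helper names and the sample PAN (a public Visa test number) are all assumptions made for the example.

```python
import re
from typing import Iterable, Set

# Assumed policy value for this example: across every receipt printed for one
# card, at most four PAN digits may remain readable (the "last four" convention).
MAX_VISIBLE_DIGITS = 4


def normalize(masked_pan: str) -> str:
    """Drop spaces and dashes so that string index == PAN digit position."""
    return re.sub(r"[\s-]", "", masked_pan)


def mask_pan(pan: str, keep_last: int = 4, mask_char: str = "X") -> str:
    """Conventional masking: replace every digit except the last `keep_last`."""
    digits = normalize(pan)
    if not digits.isdigit():
        raise ValueError("PAN must be digits only once separators are removed")
    return mask_char * (len(digits) - keep_last) + digits[-keep_last:]


def visible_positions(masked_pan: str) -> Set[int]:
    """Positions whose digit is still readable; any non-digit counts as masked."""
    return {i for i, ch in enumerate(normalize(masked_pan)) if ch.isdigit()}


def combined_exposure(receipts: Iterable[str]) -> Set[int]:
    """Union of readable positions over all receipts for the same card.

    This is what someone holding every receipt can see, which is the quantity
    a masking policy has to bound, not the exposure of any single receipt.
    """
    exposure: Set[int] = set()
    for receipt in receipts:
        exposure |= visible_positions(receipt)
    return exposure


def masking_is_safe(receipts: Iterable[str],
                    max_visible: int = MAX_VISIBLE_DIGITS) -> bool:
    """True iff the receipts, taken together, reveal at most `max_visible` digits."""
    return len(combined_exposure(list(receipts))) <= max_visible


# Constructed sample: one card printed by two garages with complementary
# masking policies, the situation described in the post.
TEST_PAN = "4012 8888 8888 1881"                # public Visa test number
GARAGE_A = mask_pan(TEST_PAN)                   # XXXXXXXXXXXX1881: keeps last four
GARAGE_B = "4012 8888 8888 XXXX"                # masks only the last four

if __name__ == "__main__":
    for label, receipt in (("A", GARAGE_A), ("B", GARAGE_B)):
        print(label, normalize(receipt), sorted(visible_positions(receipt)))
    print("digits exposed together:", len(combined_exposure([GARAGE_A, GARAGE_B])))
    print("policy safe:", masking_is_safe([GARAGE_A, GARAGE_B]))
```

Run stand-alone, the script shows the two receipts exposing positions 0 through 11 and 12 through 15 respectively, so together all 16 digits are readable and the check fails; two receipts that both keep only the last four digits expose the same four positions and pass. The point of the design is that the check takes the whole collection of receipts as input: evaluating each receipt separately is precisely the mistake that lets the chosen-protocol attack through.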
wombat94 • December 20, 2011 7:03 AM
I believe according to the PCI spec, the garage masking ONLY the last 4 digits is in violation – there should not be that much of the PAN visible.
But PCI does allow for retailer-implemented variations. Also, PCI really aims at large-retailer, high-volume environments. There are many exceptions for “low value” (my quotes) targets like mom-and-pop shops because the PCI requirements would be prohibitively expensive and the risk of loss is relatively low.
In the US, however, there IS a standard. Several financial regulation bills in the last 10 years have mandated that ONLY the last 4 digits of the PAN be visible (the rest need to be truncated or masked) AND the expiration date must be masked.