Gigs Taggart
The Invisible Hand
Join date: 12 Feb 2006
Posts: 406
|
09-09-2006 12:10
I'm a programmer. I know that stuff like this happens. But I don't like being lied to.
MD5 is a non-reversible hash. It is not encryption. It also has the potential for collisions.
Are you asserting that our credit card numbers are sent to your clearinghouse in MD5 format?
What merchant account clearinghouse accepts this? I've never heard of it.
And you store the last 5 numbers in plaintext to show us on our account history page... separately?
I fully believe you hash our passwords to MD5. That makes sense.
Asserting our credit card numbers were also stored MD5 hashed seems very fishy. If you do indeed do this, I'd like to know what merchant account service accepts this for my own future reference.
I don't know if any would be willing to do it because of the potential for an MD5 collision after running millions of numbers, but prove me wrong.
Please don't give me the cookie cutter response. Get someone who knows the real answer if you aren't sure.
-Gigs
PS- Assuming your earlier assertion was correct, given the last 5 digits in plaintext, one could brute force the MD5 in 10^11 tries. A modern computer can hash that many strings in 27 hours, by my estimation. The average time to crack it would be half that.
|
Robin Linden
Linden Lifer
Join date: 25 Nov 2002
Posts: 1,224
|
09-10-2006 18:37
I'm double-checking on how the back-end data transfer works, and will let you know what I find out.
|
Ian Linden
Linden Lab Employee
Join date: 19 Nov 2002
Posts: 183
|
09-12-2006 11:33
We simplified our explanation a bit to make it intelligible to the lay audience. The complete answer is that we have two records for your credit card - a hashed version in the customer database and a plaintext version on a separate billing server. The hashed version is used only for uniqueness checking - collisions are possible but if that affects someone we can resolve that through customer service.
The billing server where the plaintext card number lives has a one-way interface: card numbers go in, but they don't come out. Actual billing events go through it. This system wasn't attacked. We'll post more about this later, but our goal is to move more customer data into this sort of restricted data store to avoid this sort of thing in the future.
You're right about the cracking - it's certainly possible. However, customer data doesn't appear to be this hacker's actual target, and given how easy it is to get lists of credit card numbers complete with security codes (which we don't store) and even social security numbers, I'm not sure why anyone would bother. That said, it's a weakness and we plan to remove the hashed versions from the customer database.
|
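Added example, not part of any post in this thread and not Linden Lab's code: it sizes the search space discussed above for an unsalted hash of a 16-digit card number when the last 5 digits are stored beside it, and contrasts that with a keyed fingerprint that still supports uniqueness checking. The function names, the use of HMAC-SHA-256, and keeping the key on the separate billing server are assumptions made for illustration; the card number is the widely published test value.

```python
import hashlib
import hmac


def luhn_valid(number: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def remaining_candidates(total_digits: int, known_digits: int,
                         luhn: bool = True) -> int:
    """Card numbers still consistent with the plaintext digits kept next to the hash.

    Without Luhn this is 10**unknown (10**11 for 16 digits, 5 known).
    The Luhn checksum fixes one more digit, leaving a tenth of that.
    """
    unknown = total_digits - known_digits
    space = 10 ** unknown
    return space // 10 if luhn and unknown > 0 else space


def md5_fingerprint(pan: str) -> str:
    """Unsalted fingerprint as described in the thread: anyone holding the
    customer database can test guesses against it offline."""
    return hashlib.md5(pan.encode()).hexdigest()


def keyed_fingerprint(pan: str, key: bytes) -> str:
    """Assumed alternative: HMAC-SHA-256 under a key that never leaves the
    billing server. Equal cards still give equal tokens, so uniqueness
    checking works, but a guess cannot be tested without the key."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    pan = "4111111111111111"                # published test number, not a real card
    key = b"constructed-demo-key"           # placeholder; real keys come from a KMS/HSM
    print("Luhn valid:", luhn_valid(pan))
    print("candidates, 5 digits known:", remaining_candidates(16, 5, luhn=False))
    print("candidates after Luhn:     ", remaining_candidates(16, 5))
    print("md5 token:  ", md5_fingerprint(pan))
    print("keyed token:", keyed_fingerprint(pan, key))
```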