Wednesday 11 January 2012

Choice of Credit Card Hashing Algorithm

In December 2011, I tried a Groupon code that allowed me access to four boxes of nibbles to be delivered to my door.

Let's call the company that delivered the nibbles to your door Company A. We all know who this company is!!!

Although all I wanted was the four box trial, I had to enter my credit card details.

I tried my first box and was unhappy with their delivery and the fact that they put all the onus onto Royal Mail rather than accepting that legally it is the responsibility of Company A to deliver the item to my door; whoever they choose, if they are let down, legally they are still held accountable.

So I requested that my account be closed and that all 4 boxes be delivered as per my trial, and made it clear on the 11th of December that they should not charge my credit card.

On the 15th of December a charge appeared and hence this set off a series of issues.

Now to the part of the Blog.... I asked Company A how they protected my credit card details while held on their servers and their response was simply amazing:

Reply from Krista@Company A on 16th December 2011 was - The one-way hash that we use is MD5 encryption algorithm.

  • For a start, MD5 is a hashing algorithm and NOT encryption.
  • Secondly, the PCI (Payment Card Industry) Code themselves ask you not to use a weak hashing algorithm.
  • Finally, MD5 is probably the weakest algorithm you can choose.

So I asked Company A why they used such a weak algorithm and why they did not understand the difference between hashing and encryption.

The reply from Krista@Company A on 16th December was - We will give no further details on this or on our use of the MD5 algorithm as that in itself would compromise security.

So Company A confirm they use MD5 to hash the credit card number. With so many public hacks regarding MD5, why on earth does Company A use it? And why would it make this public to me in an email? If I was their security chap I would never state this to start with.

Even if this hash is further encrypted, at some point within their system it will have to be stored as an MD5 hash to be processed (charge a card, refuse, etc). So at some point the MD5 hash value of my credit card would be available.
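As an added illustration of the concern above (not part of the original post and not anything supplied by Company A): a card number comes from a small, structured input space, so an unkeyed digest of it is deterministic and recomputable by anyone, whatever the algorithm, while a keyed HMAC depends on a secret held outside the database. The test card number, the keys and the function names are assumptions made for this example.

```python
import hashlib
import hmac

# Constructed sample: a publicly documented test card number, not a real account.
TEST_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def candidate_count(pan_len: int, known_prefix: int, known_suffix: int) -> int:
    """Count Luhn-valid numbers consistent with the digits already known.

    The Luhn constraint fixes one free digit, so the space shrinks tenfold.
    """
    free = pan_len - known_prefix - known_suffix
    return 10 ** max(free - 1, 0)


def bare_digest(pan: str, algo: str) -> str:
    """Unkeyed digest: the same card number always yields the same value."""
    return hashlib.new(algo, pan.encode()).hexdigest()


def keyed_token(pan: str, key: bytes) -> str:
    """HMAC-SHA-256 token: not recomputable without the secret key."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    print("Luhn valid:", luhn_valid(TEST_PAN))
    # Issuer prefix (6 digits) and last four are often stored next to the hash.
    print("candidates, prefix + last four known:", candidate_count(16, 6, 4))
    print("candidates, prefix only known:", candidate_count(16, 6, 0))
    for algo in ("md5", "sha256"):
        print(algo, bare_digest(TEST_PAN, algo))
    # Constructed keys; in practice the key lives in an HSM or key service.
    print("hmac key A:", keyed_token(TEST_PAN, b"example-key-A"))
    print("hmac key B:", keyed_token(TEST_PAN, b"example-key-B"))
```
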

Please Company A can you kindly stop the use of MD5 and move to either SHA-1 or SHA-256?

And if you have made the change since you provided the information of the 16th of December, can you let me know so I can update the Blog?