Windows & Credit Debt card security 16829

Larry Qualig

Some sort of public key encryption stuff going on there between Dell (the merchant) and the cc companies (the transactors) which means that the client doesn't actually see the connection between the two, but Dell actually forwards the transaction data over however secured line to the transactor, gets a reply back from the transactor that says yes or no, telling Dell's system whether or not the transaction was successful. Dell themselves don't actually have any access to the cc database beyond submitting transactions on their merchant accounts. I'm buttuming that this system which was compromised was a transactor's system, such as an online Bank (ie Mastercard), so the cc info will likely be in the backend or otherwise accessible via the frontend code. The public keys used by the database on the front end to send-fetch form data to the backend will be immediately accessible by the frontend code, so once that's compromised, game over. The public key's about as useful as a screen door on a submarine.

In all, if you hack Dell's site, you'll not likely get much beyond product descriptions and throwaway hashes. Hack Mastercard, and you've got the pot o' gold.

--

Unix love: { look; find; talk; grep; touch; finger; find; flex; unzip; mount; workbone; fsck; yes; gasp; fsck; yes; eject; umount; makeclean; zip; split; done; exit }