On Mon, 2 Feb 2015, Derek J. Balling wrote:
> On 2/2/2015 7:48 PM, David Lang wrote:
>> I also wonder if they started getting worried about number
>> exhaustion. I'm sure that when they started that they thought that
>> 10 or so digits was enough to last forever, but unless they re-use
>> numbers (at which point they now have much more interesting
>> recordkeeping about who had what card number when), a different
>> number for each purchase by a large number of people will run
>> through numbers rather quickly.
>
> Keep in mind that the card-issuers already add an additional 3-4
> digits of entropy into that equation via the CVV. And while the
> merchant isn't keeping track of that you can bet your sweet bippy the
> card-issuer is.
>
> And they know that they can reissue 4123-4567-8901-2345/CVV444 to a
> new cardholder, years from now, as 4123-4567-8901-2345/CVV555.

from a pure computer science point of view, you are correct.
but how many systems are there that assume that the same 16 digit CC number
refers to the same card, and don't have any other criteria, let alone timeframe
of the transaction?
I'll bet it's a much larger percentage of systems storing CC numbers than the
y2k was in systems storing dates :-)
David Lang
_______________________________________________
Discuss mailing list
Discuss@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/