"The complete answer is that we have two records for your credit card - a hashed version in the customer database and a plaintext version on a separate billing server. The hashed version is used only for uniqueness checking - collisions are possible but if that affects someone we can resolve that through customer service.
The billing server where the plaintext card number lives has a one-way interface: card numbers go in, but they don't come out. Actual billing events go through it. This system wasn't attacked. We'll post more about this later, but our goal is to move more customer data into this sort of restricted data store to avoid this sort of thing in the future.
You're right about the cracking - it's certainly possible. However, customer data doesn't appear to be this hacker's actual target, and given how easy it is to get lists of credit card numbers complete with security codes (which we don't store) and even social security numbers, I'm not sure why anyone would bother. That said, it's a weakness and we plan to remove the hashed versions from the customer database."
Community Manager, Nonprofit Commons in Second Life
Susan Tenby, Partnerships, Online Community and Social Media Director, Caravan Studios, a division of TechSoup.org.
NonProfit Technology Consulting
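The quoted statement concedes that an unkeyed hash of a card number "is certainly possible" to crack. The example below, added here and not code from the quoted company or the commenter, shows why: a 16-digit PAN has almost no entropy once the attacker knows the issuer prefix (BIN, first six digits) and the last four digits that appear on every receipt. Five middle digits are free, and the sixth is fixed by the Luhn check, so an unsalted SHA-256 of the PAN falls to at most 100,000 hash computations. The second half shows the alternative that keeps uniqueness checking working: a keyed fingerprint (HMAC) whose key lives only on the restricted billing side, so a copied customer table cannot be enumerated. The sample PAN is a constructed test number, and the key and function names are the example's own assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample: a well-known Visa-format test number, not a real card.
SAMPLE_PAN = "4532015112830366"
SAMPLE_BIN = SAMPLE_PAN[:6]     # issuer prefix, public knowledge
SAMPLE_LAST4 = SAMPLE_PAN[-4:]  # printed on receipts and in account UIs


def luhn_sum(digits: str) -> int:
    """Luhn weighted digit sum; a valid PAN has luhn_sum(pan) % 10 == 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total


def luhn_ok(pan: str) -> bool:
    return pan.isdigit() and luhn_sum(pan) % 10 == 0


def hash_pan(pan: str) -> str:
    """The weak scheme under discussion: an unsalted, unkeyed hash of the PAN."""
    return hashlib.sha256(pan.encode()).hexdigest()


def luhn_valid_candidates(bin6: str, last4: str):
    """Yield every 16-digit PAN with this BIN and last four that passes Luhn.

    Five middle digits (indices 6-10) are enumerated freely. Index 11 is an
    undoubled position in a 16-digit PAN, so its contribution to the Luhn sum
    is the digit itself and it can be solved directly instead of brute-forced.
    That leaves 10**5 candidates, not 10**6.
    """
    for free in range(10 ** 5):
        mid5 = f"{free:05d}"
        partial = bin6 + mid5 + "0" + last4          # placeholder at index 11
        fix = (-luhn_sum(partial)) % 10              # digit that makes Luhn pass
        yield bin6 + mid5 + str(fix) + last4


def crack_unsalted(target_hex: str, bin6: str, last4: str):
    """Offline attack on a leaked hash: try every Luhn-valid PAN in the space."""
    for pan in luhn_valid_candidates(bin6, last4):
        if hash_pan(pan) == target_hex:
            return pan
    return None


def pan_token(pan: str, key: bytes) -> str:
    """Keyed fingerprint for uniqueness checks (HMAC-SHA256).

    Equal PANs still map to equal tokens, so duplicate detection works, but
    without `key` the enumeration above cannot be run against a stolen table.
    Assumption for this example: the key is held only by the billing side.
    """
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def demo() -> dict:
    leaked = hash_pan(SAMPLE_PAN)                     # what a dumped table holds
    recovered = crack_unsalted(leaked, SAMPLE_BIN, SAMPLE_LAST4)

    key = secrets.token_bytes(32)                     # example key, generated here
    token = pan_token(SAMPLE_PAN, key)
    # The same enumeration against the keyed token finds nothing.
    not_recovered = crack_unsalted(token, SAMPLE_BIN, SAMPLE_LAST4)

    return {
        "candidates_searched": 10 ** 5,
        "recovered": recovered,
        "keyed_recovered": not_recovered,
        "tokens_match_for_same_pan": pan_token(SAMPLE_PAN, key) == token,
    }


if __name__ == "__main__":
    print(demo())
```

The keyed version only helps if the key is kept with the billing server (or an HSM) rather than next to the customer table; a key stored in the same database turns the HMAC back into the unsalted case. Removing the hashed column entirely, as the statement proposes, and asking the billing side to answer "is this a duplicate?" through its one-way interface is the stronger fix.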