
Because they can't harvest your information if you don't sign up for stuff.


Couldn't a card number be tokenized in some way so as to allow for tracking?


I don't think so, this would probably go against PCI DSS.


Most payment gateways offer a card fingerprinting feature. Here’s Stripe’s: https://stripe.com/docs/api/cards/object#card_object-fingerp....

It’s fine with PCI DSS as long as it is not reversible.


Stripe and Square both identify consumers by their unique CC numbers. If I swipe my card on a square reader, it recognizes me and asks if I want a receipt sent to my phone or email, even if I’ve never purchased from that vendor before.


The whole point of tokenizing is to get rid of PCI problems on CC analysis and testing, as I understand it.


Are there credit card tokenization services from which you can get a token permanently identifying a card without the possibility of making a payment?


Yes, most PSPs do this. E.g. Stripe calls it a fingerprint. It's only valid for your merchant ID (i.e. if we both signed up for Stripe and swiped the same card, we'd get different fingerprints).

https://stripe.com/docs/api/tokens/create_card (notice the request has no charge, but the response contains a fingerprint).

To state the obvious: it's not deterministic outside of Stripe, and there's no way to revert it, or even iterate over all CC numbers and brute force the space. You'd need Stripe's secret, e.g. assuming they use HMAC.


Not really. I work with payment processing, I've got the partially obscured credit card number, usually the name and the location. Plus a bunch of other info.


I've seen several deterministic tokenizers for payment cards.


Were they done by the payment processor like Artemis2 or in house?

I'm asking because I saw a lot of in-house tokenizers with hashes or deterministic encryption that could get reversed in a few seconds by brute force since the space to cover is so small.


Tokenized? One-way digest: SHA-512 the card number, iterate SHA-512 on the results 100 times, store that as your tracking code.


No. With 10^12 possible account numbers and a hash rate of ~10^10 H/s using off the shelf hardware [1] it would only take 100*(10^12/10^10) = 10000 seconds to deanonymise the token.

[1] https://gist.github.com/epixoip/a83d38f412b4737e99bbef804a27...
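An added example, not part of any comment in this thread and not any processor's real implementation: it contrasts the unkeyed iterated SHA-512 token proposed above with the keyed fingerprint that the earlier comment assumes (HMAC with a per-merchant secret), and checks which one survives enumeration of the hidden digits. The card number, the visible prefix and suffix, the key values and all function names are constructed or hypothetical, and the gap is cut to three digits so the check runs instantly.

```python
import hashlib
import hmac
from itertools import product

def iterated_sha512_token(pan, rounds=100):
    # Unkeyed scheme proposed in the thread: SHA-512, then re-hash 100 times.
    digest = hashlib.sha512(pan.encode()).digest()
    for _ in range(rounds):
        digest = hashlib.sha512(digest).digest()
    return digest.hex()

def hmac_fingerprint(pan, merchant_key):
    # Keyed scheme (assumption): HMAC-SHA-512 under a per-merchant secret.
    return hmac.new(merchant_key, pan.encode(), hashlib.sha512).hexdigest()

def luhn_valid(pan):
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def search_hidden_digits(token, token_fn, prefix, suffix, length=16):
    # Walk every Luhn-valid value of the hidden digits; return the match, if any.
    gap = length - len(prefix) - len(suffix)
    for digits in product("0123456789", repeat=gap):
        candidate = prefix + "".join(digits) + suffix
        if luhn_valid(candidate) and token_fn(candidate) == token:
            return candidate
    return None

def keyed(key):
    # Bind a key so the HMAC scheme has the same one-argument shape.
    return lambda pan: hmac_fingerprint(pan, key)

PAN = "4242424242424242"             # constructed sample value
PREFIX, SUFFIX = PAN[:9], PAN[-4:]   # constructed: only 3 hidden digits
KEY_A = b"merchant-A-secret"         # hypothetical per-merchant secrets
KEY_B = b"merchant-B-secret"

if __name__ == "__main__":
    unkeyed = iterated_sha512_token(PAN)
    # Knowing the algorithm is enough to match the unkeyed token.
    print(search_hidden_digits(unkeyed, iterated_sha512_token, PREFIX, SUFFIX))
    # Without merchant A's key, the same walk finds nothing.
    print(search_hidden_digits(hmac_fingerprint(PAN, KEY_A), keyed(KEY_B), PREFIX, SUFFIX))
    # The same card yields different fingerprints for different merchants.
    print(hmac_fingerprint(PAN, KEY_A) == hmac_fingerprint(PAN, KEY_B))
```

The iteration count only multiplies the cost of each guess by a constant; the secret key is what removes the ability to test guesses at all, so the key has to live outside the database that holds the tokens.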


With 10^12 possible account numbers, it should be relatively easy to build a rainbow table for tokens of any practical complexity.


Never attribute to malice that which is adequately explained by stupidity.

I would be completely unsurprised to find that other than having the data in some poorly secured database it isn't used for anything useful.


Never forget the corollary!

“...But don’t dismiss malice.” Dismissing reasonable concerns about a nearly universal practice is best done through reasoned argument, not aphorism.


To be pedantic, that's still harvesting your data, it's just not selling it.

Does that make it malicious and stupid?


I'm really surprised this was down voted so much. I really don't think it's all that controversial. Like so many websites require registration when you are almost guaranteed never to return.


I feel really bad for bobsmith@aol.com. He probably had to abandon that address years ago.


You should be aware that many malicious people feign incompetence when caught.


Never attribute to stupidity that which is adequately explained by profit motive.



