Host to Host payment systems code generation

  • Host to Host payment systems code generation

    Am currently working on an internal host to host payment system using triple encryption. Am using a combination of static data such as account number or card number which will be triple encrypted using special card verification key pair. Selected digits from the result will be used to create the CVV and will be written onto the magnetic stripe. My problem is how to generate the CVV using the assigned card number and expiry date. Should I assign any numbers or is there any formula or algorithm to do this? If I have to assign any number when the users are many how will I handle this? Who knows how I can automatically generate the CVV, hence it will provide an added level of confidence that the card will not be easily duplicated. Also I will further generate CVV2 to be used for telephone authorisation. Any HELP!!!!!
    Last edited by oby; November 11, 2004, 15:47.

  • #2
    Originally posted by oby
    Am currently working on an internal host to host payment system using triple encryption. Am using a combination of static data such as account number or card number which will be triple encrypted using special card verification key pair. Selected digits from the result will be used to create the CVV and will be written onto the magnetic stripe. My problem is how to generate the CVV using the assigned card number and expiry date. Should I assign any numbers or is there any formula or algorithm to do this? If I have to assign any number when the users are many how will I handle this? Who knows how I can automatically generate the CVV, hence it will provide an added level of confidence that the card will not be easily duplicated. Also I will further generate CVV2 to be used for telephone authorisation. Any HELP!!!!!
    There are generally accepted 'standard' ways to deal with this- I would hope if you are the one responsible for the production of such a system that you would have the know-how to accomplish the task that you've been given...

    ...and this really isn't the forum for this.

    LosT



    • #3
      Originally posted by LosT

      ...and this really isn't the forum for this.

      LosT
      I'd say this is the proper forum, he just may not have much luck finding the expertise he needs.

      I return whatever i wish . Its called FREEDOWM OF RANDOMNESS IN A HECK . CLUSTERED DEFEATED CORn FORUM . Welcome to me



      • #4
        Originally posted by noid
        I'd say this is the proper forum, he just may not have much luck finding the expertise he needs.

        I didn't clarify...that is exactly what I meant...there are forums specifically for the discussion of this type of topic...

        LosT



        • #5
          Originally posted by LosT
          I didn't clarify...that is exactly what I meant...there are forums specifically for the discussion of this type of topic...

          LosT
          ???which forums are specifically for this kind of discussion??
          More info for who may wish to add.
          What am looking for now is the mathematical relationship between the following:
          Primary account number (PAN)
          2 or 4 digit expiry date
          3-digit service code (sometimes non zero)
          A pair of Des keys (CVKs)
          who have come across the relationship either in algorithm or simple formula
          You may direct me where to read up or kind of encryption to play with???



          • #6
            I've designed and implemented a similar system.

            triple encryption
            is useless. Use a known trusted standard and encrypt it once. AES should work just fine. If you're looking to store the information in a database, store the SHA-1 digest of it and just hash and compare to make sure they match.

            A pair of Des keys (CVKs)
            DES keys don't run in pairs. You have a 56 bit DES key, or a 168 bit 3DES key (3-56 bit DES keys). You're probably thinking RSA.


            Use known standards for everything, don't complicate things or think you can write something more secure. RSA has been around since the 70s and the only viable attack against it is brute force.

            More specific questions will get more specific answers. :)


            I think I'm going to try and present at Defcon in 05 regarding the credit card networks. We'll see if time allows.

            --Medic



            • #7
              Originally posted by Medic
              I've designed and implemented a similar system.

              is useless. Use a known trusted standard and encrypt it once. AES should work just fine. If you're looking to store the information in a database, store the SHA-1 digest of it and just hash and compare to make sure they match.

              DES keys don't run in pairs. You have a 56 bit DES key, or a 168 bit 3DES key (3-56 bit DES keys). You're probably thinking RSA.


              Use known standards for everything, don't complicate things or think you can write something more secure. RSA has been around since the 70s and the only viable attack against it is brute force.

              More specific questions will get more specific answers. :)


              I think I'm going to try and present at Defcon in 05 regarding the credit card networks. We'll see if time allows.

              --Medic

              Is there where I can download and run any program to generate CVV. That will definitely be great or stuff like cvvGen. Will be grateful on more info regarding credit card networks, dumbs etc

              Thanks
              Last edited by oby; November 12, 2004, 12:01.



              • #8
                Originally posted by oby
                Is there where I can download and run any program to generate CVV. That will definitely be great or stuff like cvvGen. Will be grateful on more info regarding credit card networks, dumbs etc
                Hi. I'm calling bullshit on you. If you really were developing the host-to-host payment system you claim to be, you'd be able to speak directly with the credit card companies to obtain this info.

                So, am I wrong? Or are you trying to slide a 'please tell me how 2 get CC numbarz kthx' post under the radar?



                • #9
                  Thanx for the Bull... call.
                  What I say is an internal host to host currency payment. If you do not know what to say stop making nasty statements. I ask a question in a forum. If I want to know how to get CCV what for??
                  Can't we look inwards ??? This is an internal thing that will run like a credit card network, Helloo



                  • #10
                    Originally posted by oby
                    Thanx for the Bull... call.
                    No problem.

                    What I say is an internal host to host currency payment. If you do not know what to say stop making nasty statements.
                    I'm not making nasty statements, I'm asking you to prove that you haven't started this thread solely for the purposes of trying to ask a question clearly forbidden in the rules by making it appear to be somehow legitimate. It wouldn't be the first time someone's tried doing it, and quite frankly the way this thread has been going it's not inspiring any confidence that you're on the level here.

                    I ask a question in a forum. If I want to know how to get CCV what for??
                    Fucked if I know, since I can't read your mind - hence my earlier comment re: calling bullshit on you. Incidentally, I notice that you haven't answered any of the points I raised in that post, rather going immediately on the defensive. Quite frankly, this isn't doing you any favours either.

                    Can't we look inwards ??? This is an internal thing that will run like a credit card network, Helloo
                    Nope. Not buying that. Here's the text of your original post:

                    Am currently working on an internal host to host payment system using triple encryption. Am using a combination of static data such as account number or card number which will be triple encrypted using special card verification key pair. Selected digits from the result will be used to create the CVV and will be written onto the magnetic stripe. My problem is how to generate the CVV using the assigned card number and expiry date. Should I assign any numbers or is there any formula or algorithm to do this? If I have to assign any number when the users are many how will I handle this? Who knows how I can automatically generate the CVV, hence it will provide an added level of confidence that the card will not be easily duplicated. Also I will further generate CVV2 to be used for telephone authorisation. Any HELP!!!!!
                    Here's where I'm having problems with all of this: the CVV is used as a *physical* means of security only. It is *NOT* transmitted as part of the card number or other verification info. There is no reason for this to be included with other information passed on in a card-not-present transaction - its sole purpose is to verify that the person possessing the physical card has it in their hands. In fact, transmitting this along with the card number, etc. would defeat the entire purpose of the CVV number, with the added possibility of enabling someone to create a forged physical card.

                    This plus your comments about writing out magstripes as well as the generally poor explanation of why you're doing this in the first place makes me highly suspicious of your motives. Too many things here don't add up so, again, I'm calling bullshit on you.



                    • #11
                      I have to explain here to see if you can get where am coming from!!!
                      The project is targeting African electricity trading industries in markets related to Power Exchanges, Financial Trading, Clearing and Settlement systems etc. There is a need therefore to further develop relevant capacity in order to establish and strategically position the group in this new business environment.
                      An important area is in the financial transaction processing (automated electronic transfer of funds and payments etc). In order to achieve this, we require capacity and skills in e/m commerce technologies such as SMS, WAP, WIG, J2ME (java 2 micro edition) GPRS and Low Earth Orbit Satellite Comms.
                      This we can't afford, so a group of people are called to give kind of open ended peer to peer service.
                      Now we are doing something close to AES but without any knwlg... of the technology. Now we are doing it on own. We can't afford BCSS software. etc.
                      This is the much I can explain, I can't tell you exactly what it is, this is close as ever.
                      This is a big forum, am not stupid.
                      So PLEASE your self.



                      • #12
                        Originally posted by oby
                        I have to explain here to see if you can get where am coming from!!!
                        The project is targeting African electricity trading industries in markets related to Power Exchanges, Financial Trading, Clearing and Settlement systems etc. There is a need therefore to further develop relevant capacity in order to establish and strategically position the group in this new business environment.
                        An important area is in the financial transaction processing (automated electronic transfer of funds and payments etc). In order to achieve this, we require capacity and skills in e/m commerce technologies such as SMS, WAP, WIG, J2ME (java 2 micro edition) GPRS and Low Earth Orbit Satellite Comms.
                        This we can't afford, so a group of people are called to give kind of open ended peer to peer service.
                        Now we are doing something close to AES but without any knwlg... of the technology. Now we are doing it on own. We can't afford BCSS software. etc.
                        This is the much I can explain, I can't tell you exactly what it is, this is close as ever.
                        This is a big forum, am not stupid.
                        So PLEASE your self.

                        Are you sure you're not Bob Knuth?

                        LosT



                        • #13
                          I find it highly unlikely that there is a mathematical relationship between the CVV number and the CCN. Given the relatively small space of CVV numbers, any relationship would allow the CVV to be brute forced trivially. I would certainly hope that CVV numbers are generated randomly by the credit card company, and function much more like a PIN.
                          45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B0
                          45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B1
                          [ redacted ]



                          • #14
                            Originally posted by oby
                            So PLEASE your self.
                            s/please/pleasure.



                            • #15
                              Originally posted by oby
                              The project is targeting African electricity trading industries in markets related to Power Exchanges, Financial Trading, Clearing and Settlement systems etc.
                              If you're working with such powerhouses and large bank accounts, why post on a hacker forum for information? Call the credit card companies. They'll answer all your questions.

                              Originally posted by skroo
                              Hi. I'm calling bullshit on you.
                              ++

                              --Medic
