Magento – How does magento encrypt credit card numbers

Tags: magento-1.9, security

I have been playing around with the Credit cards (saved) payment option and noticed it encrypts the credit card numbers. What algorithm is it using? What are the specifics? I'm quite interested to see what method they are using.

Note: I am not going to use the Credit card (saved) payment option on my live site. I understand it is a huge security issue. I am just curious about how strong of encryption it uses!

Best Answer

According to Magento:

Strong Data Encryption, Hashing and Key Management: Strong data encryption based on AES-256 and strong hashing based on SHA-256. Database keys are easily managed and updated.

From my understanding and some quick glances at code:

Community is mainly Mcrypt and Blowfish (ECB Mode) based, as Don pointed out in the comments.

Enterprise uses a custom class for PCI compliance which uses both Mcrypt and Blowfish, with different ciphers and stronger encryption.

MCRYPT_RIJNDAEL_128, MCRYPT_RIJNDAEL_256, HASH_VERSION_SHA256, etc.

Both use a combination of MD5, salting and hashes.

You can override the encryption models if you wished to use your own:

/**
 * Returns the encryption model, honouring a class-name override from config.
 *
 * @return Mage_Core_Model_Encryption
 */
public function getEncryptor()
{
    if ($this->_encryptor === null) {
        // Read an optional override class name from the config node
        // named by XML_PATH_ENCRYPTION_MODEL
        $encryptionModel = (string)Mage::getConfig()->getNode(self::XML_PATH_ENCRYPTION_MODEL);
        if ($encryptionModel) {
            // Custom encryptor supplied by a module
            $this->_encryptor = new $encryptionModel;
        } else {
            // Stock encryptor (Mage_Core_Model_Encryption)
            $this->_encryptor = Mage::getModel('core/encryption');
        }

        // The encryptor gets a reference back to this helper
        $this->_encryptor->setHelper($this);
    }
    return $this->_encryptor;
}

With that said, storing Credit Card data makes you a target and possibly creates future legal issues.

However, I have seen scraping hacks that capture data input before it is encrypted and log it. So simply not storing them doesn't make you immune either. This is proof that other exploits in the stack, outside of Magento itself, should always be considered.

As far as encryption strength, that would be a better question for:

Other related documents to read:
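As an added example (not code from the original answer or from Magento), here is what a hardened replacement for the stock encryptor could look like, plugged in through the override hook the answer's getEncryptor() snippet shows. It assumes Magento 1.9's Mage_Core_Model_Encryption exposes encrypt() and decrypt(), that the override node is global/helpers/core/encryption_model (the value of XML_PATH_ENCRYPTION_MODEL), that the site key lives at global/crypt/key in app/etc/local.xml, and that PHP 7+ with the openssl extension is available. The class name Example_Crypt_Model_Encryption and the "v2:" prefix are hypothetical.

```php
<?php
/**
 * Hypothetical custom encryption model (added example, not Magento code).
 *
 * Registered from a custom module's config.xml (assumed node path):
 *
 *   <config>
 *     <global>
 *       <helpers>
 *         <core>
 *           <encryption_model>Example_Crypt_Model_Encryption</encryption_model>
 *         </core>
 *       </helpers>
 *     </global>
 *   </config>
 *
 * Replaces Blowfish in ECB mode with AES-256-CBC under a fresh random IV
 * per value, plus an HMAC-SHA256 tag (encrypt-then-MAC) so tampered or
 * foreign ciphertext is rejected instead of being decrypted to garbage.
 */
class Example_Crypt_Model_Encryption extends Mage_Core_Model_Encryption
{
    // Textual prefix: legacy values are bare base64, so they can never
    // carry a colon and the two formats cannot be confused.
    const PREFIX  = 'v2:';
    const IV_LEN  = 16;   // AES block size
    const TAG_LEN = 32;   // SHA-256 output size

    /** Derive separate encryption and MAC keys from the Magento crypt key. */
    protected function _keys()
    {
        $key = (string)Mage::getConfig()->getNode('global/crypt/key'); // assumed path
        if ($key === '') {
            throw new Exception('Encryption key is not configured');
        }
        return array(
            hash('sha256', 'enc|' . $key, true),
            hash('sha256', 'mac|' . $key, true),
        );
    }

    public function encrypt($data)
    {
        list($encKey, $macKey) = $this->_keys();
        $iv = random_bytes(self::IV_LEN);           // unique per value
        $ct = openssl_encrypt((string)$data, 'aes-256-cbc', $encKey, OPENSSL_RAW_DATA, $iv);
        if ($ct === false) {
            throw new Exception('Encryption failed');
        }
        $body = $iv . $ct;
        $tag  = hash_hmac('sha256', $body, $macKey, true);
        return self::PREFIX . base64_encode($body . $tag);
    }

    public function decrypt($data)
    {
        $data = (string)$data;
        if (strncmp($data, self::PREFIX, strlen(self::PREFIX)) !== 0) {
            // Not produced by this model: value predates the switch, so let the
            // stock Blowfish path read it (supports a gradual re-encryption).
            return parent::decrypt($data);
        }
        $raw = base64_decode(substr($data, strlen(self::PREFIX)), true);
        if ($raw === false || strlen($raw) < self::IV_LEN + self::TAG_LEN) {
            return '';
        }
        list($encKey, $macKey) = $this->_keys();
        $body = substr($raw, 0, -self::TAG_LEN);
        $tag  = substr($raw, -self::TAG_LEN);
        // Constant-time comparison; reject before touching the cipher
        if (!hash_equals(hash_hmac('sha256', $body, $macKey, true), $tag)) {
            return '';
        }
        $iv = substr($body, 0, self::IV_LEN);
        $ct = substr($body, self::IV_LEN);
        $pt = openssl_decrypt($ct, 'aes-256-cbc', $encKey, OPENSSL_RAW_DATA, $iv);
        return $pt === false ? '' : $pt;
    }
}
```

The two properties worth checking after installing something like this: encrypting the same card number twice must yield two different stored strings (the random IV removes the identical-block leak that ECB mode has), and flipping any byte of a stored value must make decrypt() return an empty string rather than a near-miss plaintext (the HMAC check). The key derivation and prefix scheme are the example's own choices, not part of Magento.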
