Obfuscation vs encryption

Reading a recent case study of a "respected" IT security company they proudly mentioned how they set up
an obfuscation system for storing client credit cards? I'm like WTF? should that not be encryption they should be using?

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

TheFORCE

They can do both, obfuscation is actually used very much when it comes to database. In that case you dont want to encrypt the data but obfuscated so they can be read by other systems or people without actually providing the real numbers.

canadio

TheFORCE wrote: »

They can do both, obfuscation is actually used very much when it comes to database. In that case you dont want to encrypt the data but obfuscated so they can be read by other systems or people without actually providing the real numbers.

Thanks TF. I'm sure it's probably in widespread use.

But, I bet you that in the context of an exam like Security+ , you were given the choice between obfuscation and encryption and you stated obfuscation as an answer, it would be "wrong"!

canadio

Does anyone else notice this. There seems to be a huge chasm between the world of Security + , CISSP exams and the way
IT security is really practiced?

paul78

Huh? What kind of credit card data? Under PCI Requirement 3 - you cannot store the PAN unless it's done with a one-way hash of the entire PAN. The specific requirement is that the PAN must be unreadable and cannot be recovered. And if the data is SAD (sensitive authentication data) - well - you aren't suppose to store that at all.

So they came up with a new-fangled secure way to store the expiration date and service code?

Sounds like marketing baloney to me.

jcundiff

@paul78 obfuscation actually take the 16 digit pans and scrambles them which can allow the data to then be used in test environments... once you obfuscate the data, it is technically (yeah right) unrestorable back to original ... live card data should always be encrypted. PINs and CVVs should never be stored... in reality, we should be encrypt at swipe and tokenize before sending to the processor

paul78

jcundiff wrote: »

@paul78 obfuscation actually take the 16 digit pans and scrambles them which can allow the data to then be used in test environments...

Excellent point! But given that a PAN must be unrestorable - using an obfuscation technique must be crypto-tested. Also from a software engineering point of view - the term obfuscation has a very specific meaning - it implies an algo that is used to make data difficult to understand. ROT13 for example is an obfuscation technique but hardly qualifies as strong crypto.

jcundiff

agree

obfuscation has its uses but it should never be used to replace encrypting PCI data