
Re: credit card conventional wisdom



On Tue, 14 Nov 1995, Greg Broiles wrote:

> Detweiler writes:
> 
> > the argument goes like this: secure credit card number uploading
> > schemes (such as in Netscape) are not important on the internet because 
> > credit card numbers are already insecure. you give them to low-wage
> > workers all the time who might steal the number from you anyway.
> 
> > there are a lot of fallacies with this. I find this to be a key
> > cypherpunk issue, and I hope others will agree to the point of
> > trying to attack this fallacy through letters to the editor,
> > debates, etc., because it seems to rationalize weak security.
> 
> You're only reproducing half of the debate, which goes like this:

Actually, this is not quite correct.  There is a difference if I give a
credit card to *one* person, or if I give the message containing that
number to a chain of twenty or thirty strangers to get my information to
the one person I want to have that information. 

We're back to handing your card to the neighbour, who gives it to the 
doorman, who flags the cab and gives it to a cabbie, who then drives 
cross town and gives it to another doorman, who then etc, etc.

Something completely different than the long bomb from the quarterback.

Our potential interception points have increased substantially ... and we
have absolutely no audit trail to figure out who *might* have scarfed the
card. 

I guess the average customer won't care.  His loss is limited to $50.

But some of us who try to live in the real world wonder how long that'll
last.  Can we measure the life of it in a matter of weeks??  Or months? 

> Businesses/customers won't trust the Internet for commerce, because it's
> not perfectly secure.
> 
> And then others go on to point out that businesses and consumers do
> business every day using commerce tools whose security features are weak
> to nonexistent. 

Hmmm ... maybe we'll even get a whole new industry going ... don't
ya think??  Maybe we can create a whole new set of risks which are
additive to those we already have.  Maybe every petty grifter might trade
in his very own credit card number and simply claim that their credit card
got stolen over the internet. 

Just disappeared into the anonymous aethyr ... the one without an audit
trail ... but my loss is limited to $50, right??

I guess other people understand systems much, much, more than I do.  I
guess that the NY Times is right ... it won't change the loss rate for the
card companies, at all ... nope ... won't create a new problem ... naahh
... the public wouldn't actually take advantage of holes like this in the
system. 

Nope, no sirreee ...  

Give your head a shake.




Alice de 'nonymous ...

                                  ...just another one of those...
                                                   ...hunters...

P.S.  This post is in the public domain.
                  C.  S.  U.  M.  O.  C.  L.  U.  N.  E.