[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: INTERNET SECURITY RISKS FOR CONSUMERS OVERBLOWN
> "If someone wanted to steal a credit card number, all they would
> have to do is go to any gas station and look on the ground around
> the pumps," says the CTO at Internet security firm Terisa Systems.
Sure, if you wanted to steal a card number or two the ground around a
gas-station would probably be a good choice. However, if you wanted to steal
a thousand card numbers (or maybe even thirty thousand), just sniff packets
off a hub near a large Web site that accepts unencrypted (or weakly
encrypted) card transactions or hack your favorite ISP's machines.
It really bothers me that officers at companies writing net commerce software
are regularly quoted in the trade rags comparing the relatively little risk
of a single net card transaction vs. a transaction at a restaraunt or gas
station. We aren't talking about a crooked clerk who handles at most a few
hundred cards per day or an unlocked dumpster with maybe the same number of
carbons in it. We are talking about potentially hundreds of thousands of
card numbers whizzing through a single point that could be easily (and
undetectably) monitored and recorded with off-the-shelf-equipment for later
analysis. Even if the transactions are encrypted, a single exploitable
weakness discovered after widespread deployment could compromise massive
numbers of cards. The stakes are much higher and this will invite much more
sophisticated crooks to attempt to defraud the system.