Interesting People mailing list archives

IP: more on Credit-card data used for extortion -- a look at it from an expert from Risks


From: David Farber <farber () cis upenn edu>
Date: Mon, 17 Jan 2000 13:53:24 -0500



-----Original Message-----
From: Faisal Jawdat [mailto:faisal () faisal com]
Sent: Monday, January 17, 2000 12:03 PM
To: farber () cis upenn edu
Subject: Re: IP: Credit-card data used for extortion -- a look at it
from an expert from Risks


        There is a funny little bit of irony here...

        When people started setting up electronic storefront
        operations most of the geeks and especially everyone
        who cared about security *realized* that SSL put all
        the security weaknesses onto the host.  The world
        broke out into three camps:

        1.  People who "got it" used SSL to transit from the
            client to the server, commit the transaction, and
            flush the CC number from memory. (this is still
            insecure, but the hacks are more visible because
            you need to actually hook into the processing
            software on the host and then log CCs that come
            through, as opposed to just reading a file)

        2.  People who "did not get it" used SSL to transit
            from the client to the server, then left the CC
            numbers lying around on the server for easy theft.

        3.  amazon.com, who had some really good security
            people and figured it could get away with it for
            purposes of "one-click" ordering.

        So then everyone in the #2 group saw amazon.com doing
        it and felt justified.

        Now it's 2000 and we see the #2 group getting fouled
        up for following through on a bad idea and, of course,
        amazon.com suing people for putting a good user
        interface on a bad idea.  End result?  Users lose.

        -faisal

"Steven M. Bellovin" <smb () research att com> writes:
By focusing on transport encryption, they miss the point entirely. The
real risk is bulk theft, as has happened here. Consider the following
text from their Web site:
    If you have previously placed an order and want to use the same credit
    card, you can select the "Use previous credit card info" option. You do
    not need to enter your credit card information unless your credit card
    expiration date has passed.
By maintaining this information online, they (and many other Web merchants,
of course) are inviting trouble.
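The two host-side designs Faisal contrasts (camp #1 flushes the number after the charge, camp #2 leaves it on the server) and the stored-card convenience Bellovin quotes, as an added Python example that is not from this thread; the processor call, the order-record layout, the audit helper and the sample card number are assumed or constructed here.

```python
"""Camp #1 vs camp #2 handling of a card number received over SSL/TLS."""
import secrets

# Constructed sample: a Luhn-valid test-style number, not a real card.
SAMPLE_PAN = "4111111111111111"


def luhn_ok(pan: bytes) -> bool:
    """Luhn check over ASCII digits (works on bytes so no str copy is needed)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ch - 48
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def charge(pan: bytearray, amount: int) -> str:
    """Hypothetical stand-in for the processor call; returns an opaque reference."""
    if not luhn_ok(bytes(pan)):
        raise ValueError("bad PAN")
    return "ref_" + secrets.token_hex(8)


def store_order_leaky(pan: str, amount: int) -> dict:
    """Camp #2: the card number lands in the order record, i.e. on disk."""
    ref = charge(bytearray(pan, "ascii"), amount)
    return {"amount": amount, "processor_ref": ref, "card_number": pan}


def store_order_flushed(pan: str, amount: int) -> dict:
    """Camp #1: charge, keep only last4 + processor reference, zero the buffer."""
    buf = bytearray(pan, "ascii")
    try:
        ref = charge(buf, amount)
        last4 = buf[-4:].decode()
    finally:
        for i in range(len(buf)):  # wipe the mutable copy; str copies cannot be wiped
            buf[i] = 0
    return {"amount": amount, "processor_ref": ref, "last4": last4}


def records_with_pan(records) -> list:
    """Audit: flag stored records that still hold a full, Luhn-valid card number."""
    hits = []
    for rec in records:
        for val in rec.values():
            if isinstance(val, str) and val.isdigit() and 13 <= len(val) <= 19 \
                    and luhn_ok(val.encode()):
                hits.append(rec)
                break
    return hits
```

A "use previous card" feature built on the camp #1 record can only re-use the processor reference, never the number itself, so a bulk copy of the order table yields nothing to sell.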

