Interesting People mailing list archives
IP: more on Credit-card data used for extortion -- a look at it from an expert from Risks
From: David Farber <farber () cis upenn edu>
Date: Mon, 17 Jan 2000 13:53:24 -0500
-----Original Message-----
From: Faisal Jawdat [mailto:faisal () faisal com]
Sent: Monday, January 17, 2000 12:03 PM
To: farber () cis upenn edu
Subject: Re: IP: Credit-card data used for extortion -- a look at it from an expert from Risks

There is a funny little bit of irony here...

When people started setting up electronic storefront operations most of the geeks and especially everyone who cared about security *realized* that SSL put all the security weaknesses onto the host. The world broke out into three camps:

1. People who "got it" used SSL to transit from the client to the server, commit the transaction, and flush the CC number from memory. (This is still insecure, but the hacks are more visible because you need to actually hook into the processing software on the host and then log CCs that come through, as opposed to just reading a file.)

2. People who "did not get it" used SSL to transit from the client to the server, then left the CC numbers lying around on the server for easy theft.

3. amazon.com, who had some really good security people and figured it could get away with it for purposes of "one-click" ordering.

So then everyone in the #2 group saw amazon.com doing it and felt justified. Now it's 2000 and we see the #2 group getting fouled up for following through on a bad idea and, of course, amazon.com suing people for putting a good user interface on a bad idea.

End result? Users lose.

-faisal

"Steven M. Bellovin" <smb () research att com> writes:

By focusing on transport encryption, they miss the point entirely. The real risk is bulk theft, as has happened here. Consider the following text from their Web site:

If you have previously placed an order and want to use the same credit card, you can select the "Use previous credit card info" option. You do not need to enter your credit card information unless your credit card expiration date has passed.

By maintaining this information online, they (and many other Web merchants, of course) are inviting trouble.
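The difference between Faisal's camp 1 and camp 2 designs, and the "Use previous credit card info" feature Bellovin quotes, come down to what the merchant keeps at rest. The following is an added example, not code from either author: the camp 2 store persists the full card number so it can be reused, while the tokenized store hands the number to the processor once and keeps only an opaque token and the last four digits, so "reuse the previous card" still works without a number on disk. The `TokenVault` class is a hypothetical stand-in for a payment processor's tokenization API, and the card number and customer name are constructed sample data; `pans_at_rest` is the check a defender would run over stored records to see whether a bulk theft would yield usable numbers.

```python
"""Added example: what stays at rest under the two storefront designs."""
import re
import secrets

# Any 13-19 digit run in a stored value is a candidate card number (PAN).
PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical processor-side vault (assumption, not a real API).

    The merchant never holds this mapping; it exists here only so the
    example runs offline."""

    def __init__(self) -> None:
        self._cards: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        token = "tok_" + secrets.token_hex(8)
        self._cards[token] = pan
        return token

    def charge(self, token: str, amount_cents: int) -> bool:
        return token in self._cards and amount_cents > 0


class InsecureOrderStore:
    """Camp 2: the card number is written into the order record for reuse."""

    def __init__(self) -> None:
        self.rows: list[dict] = []

    def save_order(self, customer: str, pan: str, amount_cents: int) -> None:
        self.rows.append({"customer": customer, "pan": pan, "amount": amount_cents})

    def reuse_card(self, customer: str, amount_cents: int) -> None:
        last = next(r for r in reversed(self.rows) if r["customer"] == customer)
        self.rows.append({"customer": customer, "pan": last["pan"], "amount": amount_cents})


class TokenizedOrderStore:
    """Camp 1: the PAN is checked, sent to the processor once, then dropped."""

    def __init__(self, processor: TokenVault) -> None:
        self.processor = processor
        self.rows: list[dict] = []

    def save_order(self, customer: str, pan: str, amount_cents: int) -> str:
        if not luhn_ok(pan):
            raise ValueError("card number fails checksum")
        token = self.processor.tokenize(pan)
        if not self.processor.charge(token, amount_cents):
            raise RuntimeError("charge declined")
        # Only the token and a display hint are persisted; the PAN is not.
        self.rows.append({"customer": customer, "card_token": token,
                          "last4": pan[-4:], "amount": amount_cents})
        return token

    def reuse_card(self, customer: str, amount_cents: int) -> bool:
        """'Use previous credit card info' done against the token, not the PAN."""
        last = next(r for r in reversed(self.rows) if r["customer"] == customer)
        ok = self.processor.charge(last["card_token"], amount_cents)
        if ok:
            self.rows.append({**last, "amount": amount_cents})
        return ok


def pans_at_rest(rows: list[dict]) -> list[str]:
    """Return every Luhn-valid, card-shaped value found in stored records."""
    found = []
    for row in rows:
        for value in row.values():
            for candidate in PAN_RE.findall(str(value)):
                if luhn_ok(candidate):
                    found.append(candidate)
    return found


def demo() -> dict:
    """Constructed sample: a Luhn-valid test number, one order, one reuse."""
    pan = "4111111111111111"  # constructed test number, not a real card
    insecure = InsecureOrderStore()
    insecure.save_order("alice", pan, 1999)
    insecure.reuse_card("alice", 500)

    secure = TokenizedOrderStore(TokenVault())
    secure.save_order("alice", pan, 1999)
    reused = secure.reuse_card("alice", 500)

    return {
        "insecure_exposed": pans_at_rest(insecure.rows),
        "secure_exposed": pans_at_rest(secure.rows),
        "secure_reuse_ok": reused,
        "secure_rows": len(secure.rows),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the point of the thread in one pass: the camp 2 records yield a usable card number for every order, while the tokenized records yield none, even though the customer can still reorder with the previously used card. The residual exposure in the tokenized design is what Faisal notes for camp 1: an attacker would have to hook the live processing path rather than read a file, which is a narrower and more detectable attack surface.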