Interesting People mailing list archives
IP: Some selections from RISKS
From: Dave Farber <farber () cis upenn edu>
Date: Thu, 11 Feb 1999 07:20:55 -0500
Date: Sun, 07 Feb 1999 10:28:30 -0500
From: Edupage Editors <edupage () franklin oit unc edu>
Subject: E-Trade computers crash again -- and again

The computer system of online security firm E-Trade crashed on Friday for the third consecutive day. "It was just a software glitch. I think we were all frustrated by it," says an E-Trade executive. Industry analyst James Mark of Deutsche Bank is essentially sympathetic: "It's sort of a black eye for them. They've been claiming that their architecture is superior. But it's the application on a large scale. As soon as E-Trade's volumes started spiking up, they had the same problems as others." Marks adds: "If you call a broker, he may be on the phone or away from his desk or on vacation. There are all sorts of times you can't get through and once you put an order through there's no guarantee on terms. Here you have a customer base that is paying 5 percent to 10 percent of what it was paying for service in the full-commission environment and it's demanding service above what was available in the full-service environment. And they feel it's their right." (*The Washington Post*, 6 Feb 1999; Edupage, 7 February 1999)

Date: Tue, 09 Feb 1999 10:15:12 +0000
From: Ross Anderson <Ross.Anderson () cl cam ac uk>
Subject: The risks of shopping at Amazon

Today I tried to order a book from Amazon. Their server asked for a credit-card number and I duly filled out the form. At the bottom it demanded a password. According to Amazon, this means that `you won't need to give us your credit-card number again unless you enter a new shipping address'. I tried to enter the order without a password but it was refused.

What is the risk? Well, merchant retention of credit card numbers is a well known vulnerability; card numbers are much more likely to be stolen from merchant servers than while in transit on the net. Forcing customers to choose a password adds four extra risks. Firstly, the customer may choose a bad password; secondly, if he doesn't, he will probably write it down somewhere; thirdly, it will be kept on Amazon's system somewhere; and fourthly, it is likely to cause problems for people who have a dispute with their bank. I have acted as an expert witness in a number of court cases of disputed cash machine transactions, and the bank usually says `you must have written the PIN down somewhere'. If everyone who shops at Amazon must choose a password which discloses their credit card details, then banks might turn away all complaints from people who've ever shopped there.

There's another problem, which neatly highlights the tension between the USA and Europe over data protection law. The Amazon server also refused my order when I refused to give them a telephone number. This isn't necessary for the transaction, so compelling disclosure is dubious under European law. So I tried ordering from amazon.co.uk, which ought to abide by our local laws. This server also insisted on a password and a phone number, and even on a town in the address form (despite the fact that I live in the countryside). It also didn't turn on SSL for the credit card capture form, so the card number was sent in clear. This is bad news, as we Brits don't have the benefit of US consumer protections: if my credit card number is stolen and abused, my bank will likely charge me the whole lot, and it's not clear what evidence I will have that it was Amazon's fault.

So amazon.co.uk appears to be in breach of the Data Protection Act of 1984. I therefore went to the Data Protection Registrar's Website at <http://www.dpr.gov.uk/> and did a register search:

    Search terms: name=amazon and other=amazon.com
    No documents have been found that contain the above search terms.
    Please return to the form to begin a new search.

This looks highly illegal: under the Act, part 2, sections 5(1) and 5(5) compel everyone in the UK who holds personal data to register. (See <http://www.hmso.gov.uk/acts/acts1984/1984035.htm>.) I have e-mailed the Registrar, and will be interested to see what happens.

For several years now, the media have been hailing Amazon as the miracle of the age, the model that all net based businesses - indeed all businesses everywhere - should follow. I find that rather worrying,

Ross Anderson, Cambridge University
ross dot anderson at cl dot cam dot ac dot uk
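The complaint above that the card capture form "didn't turn on SSL" is the kind of thing a reader can check mechanically rather than by eyeballing a browser. The following is an added example (editor's code, not from the original post and not Amazon's code): it parses a page's HTML, picks out forms that carry a card-number field, resolves each form's action against the page URL, and reports any that would post over plain http. The page URL, the sample HTML and the field-name heuristic are all constructed assumptions for the demonstration.

```python
"""Flag HTML forms that would send payment-card data over plain HTTP.

Added example, not part of the original post or of any merchant's code.
A form with no action attribute posts back to the page URL, so that case
is resolved too (this is the one that is easy to miss by eye).
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Heuristic for "this input carries a card number" (assumption, not a
# standard): matches names like cardNumber, cc_num, ccnum, pan.
CARD_FIELD_RE = re.compile(r"(card|cc[_-]?num|\bpan\b)", re.IGNORECASE)


class FormCollector(HTMLParser):
    """Collect each <form>'s action and the names of the fields inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []       # each entry: {"action": str, "fields": [names]}
        self._current = None  # form being parsed, or None when outside a form

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            name = (a.get("name") or a.get("id") or "").lower()
            if name:
                self._current["fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def looks_like_card_field(name):
    """True if the field name suggests it holds a primary account number."""
    return CARD_FIELD_RE.search(name) is not None


def insecure_card_forms(page_url, html):
    """Return resolved action URLs of card-capture forms that are not https."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if not any(looks_like_card_field(f) for f in form["fields"]):
            continue  # no card field: a search box or login form, not our concern
        # An empty action means "post to the current page", so urljoin with ""
        # correctly yields page_url; a relative action inherits the page scheme.
        action = urljoin(page_url, form["action"])
        if urlsplit(action).scheme != "https":
            findings.append(action)
    return findings


# Constructed sample: a checkout page served over plain http with three forms.
SAMPLE_PAGE_URL = "http://shop.example/checkout"   # not a real site
SAMPLE_HTML = """
<form action="/order" method="post">
  <input name="cardNumber"> <input name="expiry"> <input name="company">
</form>
<form action="https://secure.example/pay" method="post">
  <input name="cc_num">
</form>
<form action="/search"><input name="q"></form>
"""

if __name__ == "__main__":
    for url in insecure_card_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("card form posts in the clear to:", url)
```

Running it on the constructed page reports only the first form (it posts to http://shop.example/order); the second posts to an https endpoint and the third has no card field. Note that an https action on an http page is still weak, since the plain-http page itself could have been altered in transit, and that the name heuristic will miss fields with opaque names; treat the output as a prompt to look, not as a proof of safety.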