[4263] in WWW Security List Archive

Re: Sceptic about (Funds Transfer w/o PI

daemon@ATHENA.MIT.EDU (James E. Hoburg)
Thu Feb 6 12:15:29 1997

Date: Thu, 6 Feb 1997 10:09:35 -0500
From: "James E. Hoburg" <james.e.hoburg@att.com>
To: <www-security@ns2.rutgers.edu>
In-Reply-To: <32F89816.1A0E@HomeCom.com>
Reply-To: james.e.hoburg@att.com
Errors-To: owner-www-security@ns2.rutgers.edu

Jay Heiser writes:
> The onus has always been on the account holder to check their own statement.
> I know many people don't -- THAT IS A RISK THAT THEY HAVE MADE THE DECISION
> TO TAKE THEMSELVES.   Banks make mistakes, credit card numbers get ripped off,
> stuff happens.  Consumer beware.  The Internet doesn't change that.
>
> I'm not saying that ActiveX doesn't have the potential to put home banking at
> risk.  I'm saying that I don't see the current risk as being as great as that
> already demonstrated with credit cards.   The current system presents many
> risks, but we understand them and deal with them.   The same thing will happen
> with the intersection of the Internet, home banking, and executable content
> web pages.

  I agree: the immediate risks are not intolerable for the consumer--given that
they are armed with knowledge.  But there is a much greater risk for the
institutions providing electronic commerce.

  For example, if I can compromise a website holding thousands of customer
credit card numbers, bilking each cardholder for $50 is a minimal hit to each
individual.  But what of the cost to the card issuer?  What of the reputational
damage to the compromised vendor?  Lost revenues because of lost confidence?

  The outcome of the ActiveX attack could be the same if mounted against
thousands of machines.  Concerns about "NetCommerce" and security are a result
of the very real potential for unprecedented _large-scale_ theft and fraud.
Make no mistake: ultimately we will each pay for those risks; either by
increased transaction costs or fewer transaction options.

Regards,
jeh
