[595] in WWW Security List Archive
Re: Credit Card Security
daemon@ATHENA.MIT.EDU (Prentiss Riddle)
Thu Apr 20 14:01:01 1995
From: riddle@is.rice.edu (Prentiss Riddle)
To: ksaxe@midwest.net (Kent Saxe)
Date: Thu, 20 Apr 1995 09:24:43 -0500 (CDT)
Cc: www-security@ns1.rutgers.edu
In-Reply-To: <199504192300.SAA19100@cdale1.midwest.net> from "Kent Saxe" at Apr 19, 95 06:00:25 pm
Errors-To: owner-www-security@ns2.rutgers.edu
> From owner-www-security@ns2.rutgers.edu Thu Apr 20 00:51:44 1995
> Date: Wed, 19 Apr 1995 18:00:25 -0500
> To: www-security@ns1.rutgers.edu
> From: ksaxe@midwest.net (Kent Saxe)
> Subject: Credit Card Security
>
> I was wondering if you could recommend a security program for a WWW site
> that will have credit card numbers entered in it. Please respond!
While we wait for the web community to agree on a bulletproof standard
(and for the holes in X and Unix and all of our LANs to be plugged as
well), here's an approach that I like:

The InfoSeek service (http://www.infoseek.com/Home) has a
telephone-based system for reporting credit card numbers. The user
dials an 800 number and is prompted to enter a credit card number on
the touch-tone pad; the system responds with a six-digit code which the
user then enters into a WWW form. The credit card number itself never
goes over the IP network. Assuming that the six-digit numbers are only
usable once, this setup should be pretty secure from network-based
attacks.

Naturally, this voids the convenience of not having to pick up the
phone in order to complete a transaction on the web; however, it still
offers the advantage of being available 24x7 without the expense of
human staffing.

I don't know whether InfoSeek put together the telephone-based system
themselves or contracted with an outside source. You might check with
them. Possibly they'd even license it.
-- Prentiss Riddle ("aprendiz de todo, maestro de nada") riddle@rice.edu
-- Systems Programmer and RiceInfo Administrator, Rice University
-- 2002-A Guadalupe St. #285, Austin, TX 78705 / 512-323-0708
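
The single-use code scheme described in the message above, as an added sketch that is not part of the original post and is not InfoSeek's implementation: the phone side stores the card number and hands back a six-digit code, and the web side can redeem that code exactly once. The class name, the expiry time, the per-client failure limit and the test card number are assumptions that go beyond what the message states.

```python
import secrets
import time


class PhoneTokenVault:
    """Maps short single-use codes to card numbers collected by phone."""

    def __init__(self, ttl_seconds=600, max_failures=5, clock=time.monotonic):
        self._pending = {}    # code -> (card_number, expires_at)
        self._failures = {}   # web client id -> failed redemption count
        self._ttl = ttl_seconds
        self._max_failures = max_failures
        self._clock = clock

    def issue(self, card_number):
        """Phone side: store the card number, return a fresh six-digit code."""
        now = self._clock()
        # Drop expired codes so they cannot be redeemed or block reuse.
        self._pending = {c: e for c, e in self._pending.items() if e[1] > now}
        while True:
            code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, not random()
            if code not in self._pending:
                break
        self._pending[code] = (card_number, now + self._ttl)
        return code

    def redeem(self, client_id, code):
        """Web side: return the card number once, or None on any failure."""
        if self._failures.get(client_id, 0) >= self._max_failures:
            return None  # too many bad guesses from this client
        # pop() removes the code on first use, so a replay finds nothing.
        entry = self._pending.pop(code, None)
        if entry is None or entry[1] <= self._clock():
            self._failures[client_id] = self._failures.get(client_id, 0) + 1
            return None
        return entry[0]


if __name__ == "__main__":
    vault = PhoneTokenVault()
    code = vault.issue("4111111111111111")  # constructed test card number
    print("code read back to caller:", code)
    print("first redemption:", vault.redeem("web-session-1", code))
    print("replayed code:", vault.redeem("web-session-1", code))
```

With only a million possible codes, the expiry and the failure limit are what keep guessing on the web form from standing in for the phone call.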