[598] in WWW Security List Archive
Re: Credit Card Security
daemon@ATHENA.MIT.EDU (Kipp E.B. Hickman)
Thu Apr 20 17:53:46 1995
To: www-security@ns1.rutgers.edu
From: "Kipp E.B. Hickman" <kipp@netscape.com>
Date: 20 Apr 1995 15:39:33 GMT
Errors-To: owner-www-security@ns2.rutgers.edu
riddle@is.rice.edu (Prentiss Riddle) wrote:
>> From owner-www-security@ns2.rutgers.edu Thu Apr 20 00:51:44 1995
>> Date: Wed, 19 Apr 1995 18:00:25 -0500
>> To: www-security@ns1.rutgers.edu
>> From: ksaxe@midwest.net (Kent Saxe)
>> Subject: Credit Card Security
>>
>> I was wondering if you could reccomend a security program for a WWW site
>> that will have credit card numbers entered in it. Please respond!
>
>While we wait for the web community to agree on a bulletproof standard
>(and for the holes in X and Unix and all of our LANs to be plugged as
>well), here's an approach that I like:
>
>The InfoSeek service (http://www.infoseek.com/Home) has a
>telephone-based system for reporting credit card numbers. The user
>dials an 800 number and is prompted to enter a credit card number on
>the touch-tone pad; the system responds with a six-digit code which the
>user then enters into a WWW form. The credit card number itself never
>goes over the IP network. Assuming that the six-digit numbers are only
>usable once, this setup should be pretty secure from network-based
>attacks.
>
>Naturally, this voids the convenience of not having to pick up the
>phone in order to complete a transaction on the web; however, it still
>offers the advantage of being available 24x7 without the expense of
>human staffing.
>
>I don't know whether InfoSeek put together the telephone-based system
>themselves or contracted with an outside source. You might check with
>them. Possibly they'd even license it.
This is especially useful for customers who have only one phone line :-(
---------------------------------------------------------------------
Kipp E.B. Hickman Netscape Communications Corp.
kipp@netscape.com http://home.netscape.com/people/kipp/index.html
