[610] in WWW Security List Archive
Re: Credit Card Security
daemon@ATHENA.MIT.EDU (Chuck Yerkes)
Fri Apr 21 23:38:37 1995
From: "Chuck Yerkes" <yerkes_chuck@jpmorgan.com>
Date: Fri, 21 Apr 1995 19:53:22 -0400
In-Reply-To: Paul Rarey <Paul.Rarey@Systems.DHL.COM>
"Re: Credit Card Security" (Apr 21, 9:50am)
To: Paul Rarey <Paul.Rarey@Systems.DHL.COM>,
Prentiss Riddle <riddle@is.rice.edu>, Kent Saxe <ksaxe@midwest.net>
Cc: www-security@ns1.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
Well, I offer "some 800 #" as a model that's currently in use and, by
definition, no less secure than what we have now. No, I do not send
credit card info with 40 bit encryption. Perhaps the development of
this had better come from non-US sources....
Intriguingly, I could, however, send it to my brother clear by
saying MC number: "My age-3" "the last 4 digits of my phone number at
my last place*2+56" "Your age times the number of cats you have +2" etc,
etc...
But that's not practical for business use, as it uses shared encryption
numbers, as it were...
On Apr 21, 9:50am, Paul Rarey wrote:
> On Apr 20, 7:24, Prentiss Riddle wrote:
> >> To: www-security@ns1.rutgers.edu
> >> From: ksaxe@midwest.net (Kent Saxe)
> >> Subject: Credit Card Security
> >>
> >> I was wondering if you could recommend a security program for a WWW site
> >> that will have credit card numbers entered in it. Please respond!
> >
> >While we wait for the web community to agree on a bulletproof standard
> >(and for the holes in X and Unix and all of our LANs to be plugged as
> >well), here's an approach that I like:
> >
> >The InfoSeek service (http://www.infoseek.com/Home) has a
> >telephone-based system for reporting credit card numbers. The user
> >dials an 800 number and is prompted to enter a credit card number on
> >the touch-tone pad; the system responds with a six-digit code which the
> >user then enters into a WWW form. The credit card number itself never
> >goes over the IP network. Assuming that the six-digit numbers are only
> >usable once, this setup should be pretty secure from network-based
> >attacks.
>
> So now you trust some 800 # eh?
>
> The model that still works best for me is http:/www.fv.com/tech
>
> --
>
>
> Cheers!
>
> [ psr ]
>-- End of excerpt from Paul Rarey
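
The one-time code scheme described in the quoted message above, sketched as an added example (not part of the original thread and not InfoSeek's implementation). The class name, the opaque card reference handed to the web side, the 10-minute lifetime and the per-client failure limit are all assumptions.

```python
import secrets
import time


class OneTimeCodeStore:
    """Phone side issues a six-digit code; web side redeems it exactly once."""

    def __init__(self, ttl_seconds=600, max_failures=5, clock=time.monotonic):
        self._ttl = ttl_seconds            # assumed lifetime of a code
        self._max_failures = max_failures  # assumed guess limit per client
        self._clock = clock
        self._codes = {}                   # code -> (card_ref, expires_at)
        self._failures = {}                # client_id -> failed attempts

    def issue(self, card_ref):
        """Called by the phone system after the card number is keyed in."""
        now = self._clock()
        # Drop expired codes so they cannot be redeemed or block new ones.
        self._codes = {c: v for c, v in self._codes.items() if v[1] >= now}
        while True:
            code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, not random()
            if code not in self._codes:
                break
        self._codes[code] = (card_ref, now + self._ttl)
        return code

    def redeem(self, client_id, submitted):
        """Called by the web form handler. Returns the card reference or None."""
        # Only 10**6 possible codes: without a limit they can be enumerated.
        if self._failures.get(client_id, 0) >= self._max_failures:
            return None
        entry = self._codes.pop(submitted, None)  # pop() makes it single-use
        if entry is None or self._clock() > entry[1]:
            self._failures[client_id] = self._failures.get(client_id, 0) + 1
            return None
        return entry[0]


if __name__ == "__main__":
    store = OneTimeCodeStore()
    code = store.issue("card-ref-0001")          # constructed sample reference
    print(store.redeem("web-session-1", code))   # first use succeeds
    print(store.redeem("web-session-1", code))   # replay is rejected
```

The web side only ever sees the six-digit code and an opaque reference, so the card number stays off the IP network as the quoted message describes.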