[885] in WWW Security List Archive
Re: Java and trojans: any last words before Netscape 2.0 is out?
daemon@ATHENA.MIT.EDU (Chuck McManis)
Thu Sep 21 00:00:57 1995
Date: Wed, 20 Sep 1995 17:59:10 -0700
From: cmcmanis@scndprsn.Eng.Sun.COM (Chuck McManis)
To: cmcmanis@scndprsn.Eng.Sun.COM, cwg@DeepEddy.Com
Cc: orchard@mda.ca, www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
>What a peculiar argument. Are you suggesting that the biggest risk is from
>people who want to get you personally but who don't know where you live?
No, I am suggesting that comparing the ease with which someone can rummage
through my trash bin on trash day with the ease with which someone could
"snoop" my packets on the internet is inapplicable in this case. As Dave
later pointed out (quite accurately).
>Somehow I think the more likely situation is that they merely want to get
>anybody's credit card number. (i.e., the situation that you dismiss so
>quickly.)
And we are all agreed, are we not, that grabbing "any" credit card is in
fact easier by going to one's bin. However, as a personal issue the question
for me as the user is how easy is it to grab *MY* credit card number.
And you won't find any of my credit slips in the dumpster because I don't
let them get there.
> In fact, I would suspect that the successful credit card
>criminal doesn't use any one credit card number for very long. After all,
>you can't keep using Bill Gates' credit cards forever, but if you instead
>make one charge on each card number you dig up in the dumpster near a large
>apartment complex; you can probably keep doing this for quite a while
>before you're caught.
That is true, you miss the fundamental distinction. Some people, such as
myself, are very judicious with the use of our credit cards. We shred
our charge slips and put the trash out in the morning (as opposed to the
night before). We never leave our carbons, and we always audit our statements.
So to me, using credit cards over the internet in a protocol that can
be cracked (easily) is a lose. I won't do it. In the model of a security
system, there are physical properties that protect my card number in
the physical world: you can't look over my shoulder at the book shop, the
telephone line between the shop and the acquiring bank is protected by the
phone company, etc. However, on the internet it is nearly equivalent to
putting my credit slip into an envelope, handing it to a crook, who hands
it to the vendor, who processes my order. And now we find out that if
you hold the envelope up to a blue light it is transparent. Since I can't
avoid having the crooks look at it on the internet, the least I can do is
get a damn good envelope. :-)
>And as someone else pointed out; merchant fraud is fairly common as well.
Yup and I can catch that too.
>I suspect that fairly soon credit card transactions on the internet will be
>*more* secure than any other way that you use your card.
I agree, and the technology exists; it is simply denied to us in the
non-free world by our government.
I also like the First Virtual scheme since it changes the problem into one
of a second-order effect. It, however, is not applicable in my mind to people
selling hard goods.
--Chuck