<i>&gt; No, Frank, you're not the only one... I agree with you, and so do several</i>
<i>&gt; hundred thousand people who regularly use their credit cards on Prodigy or</i>
<i>&gt; AOL. As somebody posted several months ago, either on this list or</i>
Market-L,
<i>&gt; the obvious thing for a hacker of such ability to do is to whack off</i>
<i>&gt; thousands of them, like Mitnick in fact did, from somebody like Netcom.</i>
Please note that using your credit card on Prodigy or AOL is extremely
different, in terms of risk profile, than using it on the Internet.
When you use your credit card on one of these online services, there is
a single organization (AOL or Prodigy) that has complete control over
where your credit card goes. They might screw up, but they are the only
ones in a good position to compromise or guarantee its security. And if
anything goes wrong, they are clearly to blame.
On the Internet at large, if your password travels unencrypted, it can
be sniffed in any number of ways, by any number of sites. Tracing the
criminal is much harder, holding anyone responsible is nearly
impossible, and committing the crime is, in general, much easier.
<i>&gt; There are several cyber-cash representatives</i>
<i>&gt; on this list - can any of them offer statistical defense</i>
<i>&gt; of the need for secure servers or credit cards alternatives?</i>
Note: "Cybercash" is a trademark of Cybercash, Inc., but I assume that
you're really referring to the electronic payment industry as a whole
here.
I don't have any of the numbers on hand, but they are in fact
overwhelming. Credit card fraud is increasing at a very rapid rate even
without the Internet, and big changes to the way the system works are
inevitable even without the Internet. Having lots of unencrypted credit
cards on the net is something that the banks &amp; credit card companies are
very scared of, and with good reason.
Again, there's nothing for individuals to be scared of....except for a
collapse of the entire credit card system, under the weight of
too-much-fraud.
<i>&gt; If you do send your card no over the net don't send it in the form XXXX</i>
<i>&gt; XXXX XXXX XXXX, since this can be easily recognised. Much better to remove</i>
<i>&gt; the spaces (or reverse it)!</i>
Doesn't really help. It's still easy to check for credit card numbers,
because they have built-in checksums.
<i>&gt; His card issuer (a Visa bank I think) was quoted as saying that to send the</i>
<i>&gt; card unencrypted over the Net would be in breach of the card agreement, and</i>
<i>&gt; therefore unprotected. This leads to a good question: why don't more Net</i>
<i>&gt; vendors make use of PGP (public-key) encryption? Surely it's the obvious</i>
<i>&gt; thing to have a link to your public key on an insecure order page + a link</i>
<i>&gt; to download the PGP software from US/International sites!</i>
Because PGP is too hard for most people to use, and export-controlled to
boot. Don't get me wrong, I use PGP every day, but it's VERY hard to
teach it to newbies. I speak as one who has tried.
Also, encrypting credit cards with the merchant's public key doesn't do
much good if the alleged merchant is actually the person collecting
credit cards, which is a relatively easy net-based scam to set up. FV
protects against this because the merchant never sees the credit card
number, encrypted or not. -- Nathaniel
--------
Nathaniel S. Borenstein &lt;nsb@fv.com&gt; | When privacy is outlawed,
Chief Scientist, First Virtual Holdings | only outlaws will have privacy!
FAQ &amp; PGP key: nsb+faq@nsb.fv.com | SUPPORT THE ZIMMERMAN DEFENSE FUND!
---VIRTUAL YELLOW RIBBON--&gt;&gt; zldf@clark.net (<a href="<a href="http://www.netresponse.com/zldf">http://www.netresponse.com/zldf</a>">http://www.netresponse.com/zldf</a>)
----
The list is sponsored this week by: &lt;<a href="<a href="http://www.cortex.net">http://www.cortex.net</a>">http://www.cortex.net</a>&gt;
GROUP CORTEX - Bringing Your Web Site To The Next Level Of Interactivity
Post a message to this group by filling in the form below.