From: Barclay, Tom <tomb@b...>
Date: Tue, 16 Jan 2001 11:22:31 -0500
Subject: [OT] Credit card ordering and Security
I've had good luck with FAX machines for sending credit card info (they're sort of point to point and slightly harder to intercept than email - only slightly mind you). Anyone who can catch email in transit either belongs to the NSA, CSE, a similar organization, organized crime, or is a cracker geek who has backdoor access into the PSTN. Although this is a worry, it shouldn't be a huge one. Mail (normal) can be intercepted, phones can be tapped... all at about the same level of difficulty. Allan made a good point in that regard. And if you PGP encrypt your email, then the only people who are likely to read it are you, Jon, and the NSA. And you probably will just bore the NSA or the FBI. Even if you order salacious figures, try to dodge customs duty, and are known to consort with renegade Tasmanian population modellers. <*wink*> However, I will point out there exists one major danger in on-line transactions: The databases that your information gets left in. These can be easily hacked (they are a static target, unlike email) and there are plenty of tools for cracking websites, exploits newer and more nasty each day. Most times, web admins even with the best intentions can't keep up with CERT bulletins. I'd wager a good cracker could take down any ecommerce site run by our manufacturers (Jon, Nic or KR) and that isn't the slightest slander on them or their webadmins. The simple fact is that the only way to secure a computer is to disconnect it from the net, put it in a TEMPEST shielded room, lock the door, throw away the key, shoot anyone who ever touched it, and pour concrete over the TEMPEST room. Even then, it's not 100% secure. The only way to "secure" your credit cards is never to use them. Which is darned inconvenient. I'm assuming that KR and Nic and Jon will ensure that their web hosts for any online commerce conduct regular (I'd hope monthly, but at least quarterly) security audits of the host systems and that said hosting services keep up to date with exploits in BugTraq and CERT bulletins. If they don't, they'll end up relying on obscurity and lack of interest from a competent cracker to protect the data on those systems. Another useful step can be deleting the credit card info after it is used (after the order is shipped... say within a week or so). That way it won't be there if the site is cracked. Otherwise, it is just sitting there. Behind a lock perhaps, but lockpicks are available to those with intent and interest. Now, Allan also makes the point that the credit card companies want online commerce to go so they cover your losses making you not liable for such victimizations. But, in a sense, we're all victims when this happens. This is why credit cards have 18% interest... because EVERYONE pays for these kind of breaches. You as an individual will not be singled out, but you as a member of the group of cardholders will pay for this, never doubt it. And you pay for every similar incident. I feel comfortable enough to exchange credit card info with Jon or Nic or KR (it's the only way I can get my fix, for goodness sake!). There are risks. I hope they regularly have those risks audited and examined by competent pros, and I hope they take precautions with their databases themselves (encrypt the data before it goes into the database perhaps?). But I think they're all good businessmen and will give you as much protection as they can, given the cottage industry nature of this business. If you feel uncomfortable with credit cards, then send them a money order or IPC. It's undoubtedly (taken as a whole, over the long term) a bit safer.