You know the retail establishment has invested a lot of money, but what about the underpaid waiter/checkout person they employ?
What is that waiter doing with your credit card when he/she takes it from the table for processing? Does the checkout person have a photographic memory, writing down name/credit card combinations when they take their smoke break? Is the establishment using unencrypted wireless networks to link their POS terminals to their backend systems? What if the b&m store has an antiquated system that prints out your entire CC# on the receipts? What if they still use a card-impression system? Heck, what if they set your card on the big magnet they use to turn off the security tags on the stuff you just bought? What if they pretend your card has been denied with a code which requires them to destroy the card? They certainly won't give it back, and they'll be able to copy the numbers down at their leisure.

You can play 'what if' until the cows come home. That doesn't change the fact that the *VAST* majority of stolen credit card information was *NOT* stolen as a result of an online transaction. Most are stolen through much more mundane methods, like 'shoulder surfing' at the register, or a waiter copying the info while they're away from the table.

I don't shop at b&m shops that I don't feel I can trust, any more than I shop at e-sites that I don't feel I can trust. I don't trust *ANY* e-site that isn't willing to go to the effort to properly protect the transaction (certificates from a trusted CA, encrypted communication, reasonable security efforts, etc.).

Properly signed certificates don't prove the vendor is trustworthy. They provide some sound evidence that the vendor is who they say they are. A self-signed certificate doesn't say anything except that they say they are who they say they are. The encryption provides a reasonable guarantee that nobody except you and the vendor will be able to see your transaction.

The reason more CC fraud happens online isn't that more info is stolen there. It's that the vendor has no way of knowing that YOU are who you say you are.
Thousands of sets of credit card info are stolen every day *offline*. You don't hear about it because it happens in ways that are impossible to detect. Some vendor's online site gets hacked, and you hear about it because it could be detected.

- Theo

P.S.: Shopping carts 'too boring'?! Of course they're boring!

-----Original Message-----
From: Richard Lynch [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 08, 2002 4:33 PM
To: [EMAIL PROTECTED]
Subject: Re: [PHP] HTTPS vs. HTTP ?

>>>How do you know their certificate hasn't been stolen, and they haven't even
>figured it out yet? How do you know they were trustworthy people in the
>first place?<<
>
>Why do you ASSUME that they're NOT trustworthy people? Do you go through
>your entire life in that shell?

Everybody gets a limited amount of trust extended to them, for "free". That amount is NOWHERE NEAR the trust where I hand them my credit card number. Do you hand your credit card to random people in the street?

With a brick-and-mortar retail establishment, I can tell a lot from location, size, even the "look" of the store -- I also know, right off the bat, that they've invested a *TON* of money and won't be able to make it back in a short-time con.

With a web-site, I can tell:
They paid $119 to somebody for the CA.
They paid $20/month or so to somebody else.
They maybe paid somebody to design/build the site, or a turn-key system, or...

That really doesn't tell me a whole lot. I don't know:
They aren't storing my credit card number in their database "just temporarily" while we process it. [I've had to fix this error a couple of times myself, and I hate doing shopping carts. Too boring. I quit doing them. I can't imagine how many times a shopping cart "regular" has walked into this situation.]
They aren't using a badly-designed system where my CC# appears in "ps auxwwww" output.
They aren't using a badly-designed system where the CC# is stored on the disk during processing.
[Hint -- Last I checked, Linkpoint's PHP interface did this. Guess what happens when you get a network time out or the script fails for some reason? Your CC# is left hanging around in that file. Sure, if the instructions were followed, only root can read it... If the server hasn't been hacked. If, if, if...]

The scripts that process my CC # have correct permissions, and are accessible only to one, okay, *two* people to avoid somebody inserting a back-door.

The list of failure points is endless, and I *STILL* don't even trust that randomsite.com has had any kind of background check carried out by the people issuing Certificates. Jeez, people -- We're talking one of the major players is MICROSOFT! Do you trust them with Security?!

I've seen too many bad home-brew shopping carts to have any faith in them. I still shop on-line, but rely on the fact that I can only get dinged for $50, and we'll all be paying even higher interest rates next year. I have no trust that my CC# isn't being exposed.

>>>The more I think about this, the more I agree with people who just won't do
>eCommerce at all...<<

Hey, I'm not saying I don't shop on-line. I'm saying I have no faith that I won't be calling up the credit card company and canceling the stolen account much faster than at a traditional store. I have no faith that the e-theft of credit cards won't raise my interest rates. The CC companies have already proven that they will accept an inordinately high level of theft and just pass on the cost to consumers. What do they care what your interest rates are?

--
Like Music? http://l-i-e.com/artists.htm
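The two failure modes Richard describes (the card number showing up in "ps auxwwww" output, and the number left in a file when the script times out) are both avoidable in the cart code itself. Below is an added example, not code from the thread, from Linkpoint's interface or from any real gateway; the "gateway-client" command and its flags are hypothetical, standing in for whatever external program a cart hands the number to.

```php
<?php
// Added example; assumes a hypothetical command-line program "gateway-client"
// that reads the card number from stdin when given --card-from-stdin.

// The "ps auxwwww" case: shell_exec('gateway-client --card=' . $cc) puts the
// number in the child's argv, which any local user can list with ps while the
// child runs. Feeding it through a pipe keeps it out of argv and off disk.
function chargeViaStdin(string $cardNumber, string $amount): string
{
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $argv = ['gateway-client', '--amount', $amount, '--card-from-stdin'];
    $proc = proc_open($argv, $spec, $pipes);   // array form: no shell, no quoting
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start gateway client');
    }
    try {
        fwrite($pipes[0], $cardNumber . "\n");  // the number only ever crosses the pipe
        fclose($pipes[0]);
        $out = stream_get_contents($pipes[1]);
        $err = stream_get_contents($pipes[2]);
    } finally {
        foreach ([1, 2] as $i) { if (is_resource($pipes[$i])) fclose($pipes[$i]); }
        proc_close($proc);
    }
    if ($err !== '') { error_log('gateway stderr: ' . $err); } // never log $cardNumber
    return $out;
}

// The "CC# stored on disk" case: if a library insists on a file, make removal
// unconditional. try/finally covers exceptions and timeouts raised as exceptions;
// the shutdown function also runs after fatal errors, where finally does not.
function withTempCardFile(string $cardNumber, callable $useFile)
{
    $path = tempnam(sys_get_temp_dir(), 'cc');  // created mode 0600, owner only
    $wipe = function () use ($path, $cardNumber) {
        if (is_file($path)) {
            file_put_contents($path, str_repeat("\0", strlen($cardNumber)));
            unlink($path);
        }
    };
    register_shutdown_function($wipe);
    file_put_contents($path, $cardNumber);
    try {
        return $useFile($path);
    } finally {
        $wipe();
    }
}
```

The overwrite before unlink is best effort on journaling or copy-on-write filesystems; the point that holds everywhere is that the file does not outlive the request that created it.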