
[OT] Credit card ordering and Security

From: "Barclay, Tom" <tomb@b...>
Date: Tue, 16 Jan 2001 11:22:31 -0500
Subject: [OT] Credit card ordering and Security

I've had good luck with FAX machines for sending credit card info
sort of point to point and slightly harder to intercept than email -
slightly mind you). Anyone who can catch email in transit either belongs
the NSA, CSE, a similar organization, organized crime, or is a cracker
who has backdoor access into the PSTN. Although this is a worry, it
shouldn't be a huge one. Mail (normal) can be intercepted, phones can be
tapped... all at about the same level of difficulty. 

Allan made a good point in that regard. And if you PGP encrypt your
then the only people who are likely to read it are you, Jon, and the
And you probably will just bore the NSA or the FBI. Even if you order
salacious figures, try to dodge customs duty, and are known to consort
renegade Tasmanian population modellers. <*wink*>

However, I will point out there exists one major danger in on-line
transactions: The databases that your information gets left in. These can be
easily hacked (they are a static target, unlike email) and there are
of tools for cracking websites, exploits newer and more nasty each day.
times, web admins even with the best intentions can't keep up with CERT
bulletins. I'd wager a good cracker could take down any ecommerce site
by our manufacturers (Jon, Nic or KR) and that isn't the slightest
on them or their webadmins. The simple fact is that the only way to secure a
computer is to disconnect it from the net, put it in a TEMPEST shielded
room, lock the door, throw away the key, shoot anyone who ever touched
and pour concrete over the TEMPEST room. Even then, it's not 100%
The only way to "secure" your credit cards is never to use them. Which
darned inconvenient. 

I'm assuming that KR and Nic and Jon will ensure that their web hosts
any online commerce conduct regular (I'd hope monthly, but at least
quarterly) security audits of the host systems and that said hosting
services keep up to date with exploits in BugTraq and CERT bulletins. If
they don't, they'll end up relying on obscurity and lack of interest from a
competent cracker to protect the data on those systems. Another useful
can be deleting the credit card info after it is used (after the order
shipped... say within a week or so). That way it won't be there if the
is cracked. Otherwise, it is just sitting there. Behind a lock perhaps,
lockpicks are available to those with intent and interest. 

Now, Allan also makes the point that the credit card companies want
commerce to go so they cover your losses making you not liable for such
victimizations. But, in a sense, we're all victims when this happens.
is why credit cards have 18% interest... because EVERYONE pays for these
kinds of breaches. You as an individual will not be singled out, but you as a
member of the group of cardholders will pay for this, never doubt it.
you pay for every similar incident. 

I feel comfortable enough to exchange credit card info with Jon or Nic or KR
(it's the only way I can get my fix, for goodness sake!). There are risks. I
hope they regularly have those risks audited and examined by competent
and I hope they take precautions with their databases themselves
the data before it goes into the database perhaps?). But I think they're
good businessmen and will give you as much protection as they can, given
cottage industry nature of this business. If you feel uncomfortable with
credit cards, then send them a money order or IPC. It's undoubtedly
as a whole, over the long term) a bit safer. 


Thomas R. S. Barclay
Voice: (613) 722-3232 ext 349

2001: To the New Millennium! The next thousand years
are MINE. 
