[OT] Credit card ordering and Security

From: "Barclay, Tom" <tomb@b...>
Date: Tue, 16 Jan 2001 11:22:31 -0500
Subject: [OT] Credit card ordering and Security

I've had good luck with FAX machines for sending credit card info
(they're sort of point to point and slightly harder to intercept than
email - only slightly mind you). Anyone who can catch email in transit
either belongs to the NSA, CSE, a similar organization, organized crime,
or is a cracker geek who has backdoor access into the PSTN. Although
this is a worry, it shouldn't be a huge one. Mail (normal) can be
intercepted, phones can be tapped... all at about the same level of
difficulty.

Allan made a good point in that regard. And if you PGP encrypt your
email, then the only people who are likely to read it are you, Jon, and
the NSA. And you probably will just bore the NSA or the FBI. Even if you
order salacious figures, try to dodge customs duty, and are known to
consort with renegade Tasmanian population modellers. <*wink*>

However, I will point out there exists one major danger in on-line
transactions: The databases that your information gets left in. These
can be easily hacked (they are a static target, unlike email) and there
are plenty of tools for cracking websites, exploits newer and more nasty
each day. Most times, web admins even with the best intentions can't
keep up with CERT bulletins. I'd wager a good cracker could take down
any ecommerce site run by our manufacturers (Jon, Nic or KR) and that
isn't the slightest slander on them or their webadmins. The simple fact
is that the only way to secure a computer is to disconnect it from the
net, put it in a TEMPEST shielded room, lock the door, throw away the
key, shoot anyone who ever touched it, and pour concrete over the
TEMPEST room. Even then, it's not 100% secure. The only way to "secure"
your credit cards is never to use them. Which is darned inconvenient.

I'm assuming that KR and Nic and Jon will ensure that their web hosts
for any online commerce conduct regular (I'd hope monthly, but at least
quarterly) security audits of the host systems and that said hosting
services keep up to date with exploits in BugTraq and CERT bulletins. If
they don't, they'll end up relying on obscurity and lack of interest
from a competent cracker to protect the data on those systems. Another
useful step can be deleting the credit card info after it is used (after
the order is shipped... say within a week or so). That way it won't be
there if the site is cracked. Otherwise, it is just sitting there.
Behind a lock perhaps, but lockpicks are available to those with intent
and interest.

Now, Allan also makes the point that the credit card companies want
online commerce to go so they cover your losses making you not liable
for such victimizations. But, in a sense, we're all victims when this
happens. This is why credit cards have 18% interest... because EVERYONE
pays for these kinds of breaches. You as an individual will not be
singled out, but you as a member of the group of cardholders will pay
for this, never doubt it. And you pay for every similar incident.

I feel comfortable enough to exchange credit card info with Jon or Nic
or KR (it's the only way I can get my fix, for goodness sake!). There
are risks. I hope they regularly have those risks audited and examined
by competent pros, and I hope they take precautions with their databases
themselves (encrypt the data before it goes into the database perhaps?).
But I think they're all good businessmen and will give you as much
protection as they can, given the cottage industry nature of this
business. If you feel uncomfortable with credit cards, then send them a
money order or IPC. It's undoubtedly (taken as a whole, over the long
term) a bit safer.

Tomb

------------------------------------------
Thomas R. S. Barclay
Voice: (613) 722-3232 ext 349
e-mail: tomb@bitheads.com

2001: To the New Millennium! The next thousand years
are MINE.
------------------------------------------
