Re: [OT] Credit card ordering and Security
From: Andy Cowell <andy@c...>
Date: Tue, 16 Jan 2001 11:28:05 -0600
Subject: Re: [OT] Credit card ordering and Security
In message <417DEC289A05D4118408000102362E0A34D51E@host-253.bitheads.com>, "Barclay, Tom" writes:
>
> However, I will point out there exists one major danger in on-line
> transactions: The databases that your information gets left in. These
> can be easily hacked (they are a static target, unlike email) and
> there are plenty
Another easy static target is the recipient's e-mail box. The best
thing to do when sending your CC via e-mail is to avoid easily
recognizable patterns, like this:
V
i
s
a
1234
5678
9012
3456
1/2/03
Most people aren't dedicated enough to read each and every e-mail box
for interesting stuff, and just use a program to check for words like
"visa" in all e-mail boxes. The bonus is that this is usually used by
bored sys admins more to look for porn passwords than credit card
numbers. ;)
> bulletins. I'd wager a good cracker could take down any ecommerce
> site run by our manufacturers (Jon, Nic or KR) and that isn't the
> slightest slander on them or their webadmins. The simple fact is
However, many ecommerce sites don't keep the CC number in any sort of
database. By either automatically charging it and discarding the
number, or by storing the charge details offline, you get around this
pretty easily. Many places will bundle up the details of the order
and e-mail or fax it to you to handle in a traditional manner.
Faxing, as mentioned, is pretty secure, although inconvenient to most
consumers. (Personally, I'd rather risk my CC number getting snatched
than drive five minutes out of my way to find a fax machine.) On the
back end like this, it can be nice.
> I'm assuming that KR and Nic and Jon will ensure that their web
> hosts for any online commerce conduct regular (I'd hope monthly, but
> at least quarterly) security audits of the host systems and that
> said hosting services keep up to date with exploits in BugTraq and
> CERT bulletins. If
You'll never actually get this. Either you pay a prohibitive amount
for real security, or you get somebody lying to you for a reasonable