From: Andrew Loewenstern <andrew_loewenstern@il.us.swissbank.com>
Date: Mon, 4 Dec 95 10:22:34 PST
To: OpsAn@gnn.com (Michael Coates)
Subject: Re: INTERNET SECURITY RISKS FOR CONSUMERS OVERBLOWN
Message-ID: <9512041821.AA00569@ch1d157nwk>
MIME-Version: 1.0
Content-Type: text/plain


>  "If someone wanted to steal a credit card number, all they would
>  have to do is go to any gas station and look on the ground around
>  the pumps," says the CTO at Internet security firm Terisa Systems.

Sure, if you wanted to steal a card number or two the ground around a  
gas-station would probably be a good choice.  However, if you wanted to steal  
a thousand card numbers (or maybe even thirty thousand), just sniff packets  
off a hub near a large Web site that accepts unencrypted (or weakly  
encrypted) card transactions or hack your favorite ISP's machines.

It really bothers me that officers at companies writing net commerce software  
are regularly quoted in the trade rags comparing the relatively little risk  
of a single net card transaction vs. a transaction at a restaraunt or gas  
station.  We aren't talking about a crooked clerk who handles at most a few  
hundred cards per day or an unlocked dumpster with maybe the same number of  
carbons in it.  We are talking about potentially hundreds of thousands of  
card numbers whizzing through a single point that could be easily (and  
undetectably) monitored and recorded with off-the-shelf-equipment for later  
analysis.  Even if the transactions are encrypted, a single exploitable  
weakness discovered after widespread deployment could compromise massive  
numbers of cards.  The stakes are much higher and this will invite much more  
sophisticated crooks to attempt to defraud the system.


andrew