From: "Perry E. Metzger" <perry@imsi.com>
Date: Fri, 3 Jun 94 14:58:18 PDT
To: hughes@ah.com (Eric Hughes)
Subject: Re: IMP (was Re: ecash-info (fwd))
In-Reply-To: <9406032131.AA09024@ah.com>
Message-ID: <9406032157.AA05381@snark.imsi.com>
MIME-Version: 1.0
Content-Type: text/plain



Eric Hughes says:
>    > Transmitting card numbers electronically over the Internet can only
>    > exacerbate that problem.
> 
>    Yes, if transmitted in the clear, PGP is legal now :-).  Vendors on the
>    net need to be pushed to use encryption.
> 
> I'm not referring to the problem of sniffing credit card numbers off
> the net.  I'm referring to the problem of credit card fraud by the
> operation on the receiving end.  Even if the transmission is
> encrypted, there's still risk.

Eric is, of course, pointing out the fact that credit cards qua credit
cards are inefficient. (By the way, the transmitting end is also a
source of risk -- fraudulent possession of the card number is
possible.)

In general, you can't make credit cards secure by encrypting the
transmission of the numbers because the credit card mechanism has
inherent flaws irrespective of interception.

The only information needed to use the card is the card number.  Given
the card number, there is no restriction on how much of an account I
may draw. Stealing the (short) number, which must be communicated to
use the card, is the equivalent of stealing the account. The merchant
has no restrictions on how much he can draw other than the fact that
he'll be caught if he draws more than he says he will.

Fraud is naturally rampant, since it is childsplay to commit fraud. It
is a major cost of the system.

In even a primitive public key based system, there is no need to take
anyones word for anything, and no need to reveal the "key" to the
account in order to use it.

Perry