From: goedel@tezcat.com (Dietrich J. Kappe)
Date: Wed, 16 Aug 95 16:53:54 PDT
To: cypherpunks@toad.com
Subject: Re: SSL challenge -- broken !
Message-ID: <v0151010bac5841656d54@[206.1.161.4]>
MIME-Version: 1.0
Content-Type: text/plain


Perry E. Metzger <perry@piermont.com> writes:
>Joe Buck writes:
>> However, I disagree with your conclusion:
>>
>> > Don't trust your credit card number to this protocol.
>>
>> Your credit card number, expiration date, etc, are continually being
>> revealed to minimum-wage clerks all the time, unless you never use the
>> card.
>
>On the other hand, those clerks can be traced down in most cases and
>have fairly limited numbers of cards they get. It might be very
>profitable to run a vacuum cleaner operation on the net slurping down
>credit card number or other confidential information and then selling
>it in bulk to people who could exploit it.

Most credit card companies ship their registration information off shore to
low tech developing countries. The idea is that the people entering the
information are unlikely to be able to exploit the information they are
exposed to.

Capturing a set of credit card tapes is certainly profitable, as would be
capturing large volumes of numbers, as you suggest. Now, are those West
African credit fraud rings dialing up DEC, SUN, and SGI? :-)

DJK

P.S. There could be an article in tomorrows WSJ about the SSL Challenge.
The technical details and facts will surely be mangled. :-(