1995-08-17 - Re: SSL challenge – broken !

Header Data

From: Joe Buck <jbuck@Synopsys.COM>
To: liberty@gate.net (Jim Ray)
Message Hash: 595c9eb258d59d6ff6208b2987b03e8061f9e3b634cdf90de8640bde27e40a48
Message ID: <199508170224.TAA05372@deerslayer.synopsys.com>
Reply To: <199508170140.VAA40390@tequesta.gate.net>
UTC Datetime: 1995-08-17 02:25:19 UTC
Raw Date: Wed, 16 Aug 95 19:25:19 PDT

Raw message

From: Joe Buck <jbuck@Synopsys.COM>
Date: Wed, 16 Aug 95 19:25:19 PDT
To: liberty@gate.net (Jim Ray)
Subject: Re: SSL challenge -- broken !
In-Reply-To: <199508170140.VAA40390@tequesta.gate.net>
Message-ID: <199508170224.TAA05372@deerslayer.synopsys.com>
MIME-Version: 1.0
Content-Type: text/plain
> >Your credit card number, expiration date, etc, are continually being
> >revealed to minimum-wage clerks all the time, unless you never use the
> >card.  A chain is only as strong as its weakest link; it makes no sense to
> >buy an expensive lock when your door has a big enough opening to climb
> >through.  Should some bad person get hold of your card number and misuse
> >it, you're not out any money: 
> 
> I'm not so sure....Checked the fees/interest lately?
> "There ain't no such thing as a free credit card theft."

Yes, it's true that this contributes to high interest rates (though
defaults cost more than fraud).

> >you just tell the card company "I didn't buy
> >that".  Since there's so much tracing in the system, if you buy a physical
> >something with a stolen credit card number it can usually be traced to you
> >(who'd they ship the package to?).  
> 
> They only *sometimes* find the person/loot.

Doesn't matter, this is a disincentive to theft and you are never liable
unless you lost your physical card.

> OK, but I had an idea a number of years ago. It's not too new,
> either, and considering the BILLION$ in credit-card fraud, I think
> the credit card companies could implement it with little trouble at
> every site the cards are used.

It would cost billions to get every single merchant that accepts credit
cards set up with PIN equipment.

> Why not PIN numbers. Banks and their
> customers are already used to them, they could be entered over the
> phone (I know, not too secure) or in person, and considering the
> dollar amount of the current fraud, they would be cheap (I think).
> [There is probably a flaw in my idea, but I haven't found it.]

You have to make sure the clerk that gets your order doesn't see the
PIN (so you need a secure path between you and your credit card co.
that avoids the merchant).  And what about the tellers?  Do you know
how badly they are treated?  They can get all those #'s.  Yes, it
can be done: ATMs are set up that way.  But as long as it's not done,
those who scream at the horrors of sending credit card #'s over the
net aren't thinking clearly.

Never forget that social engineering is the easiest hack.  Technical
solutions that ignore wide-open social engineering paths are worse
than useless (worse because they give an illusion of security).
