1995-11-15 - Re: credit card conventional wisdom

Header Data

From: Arley Carter <ac@hawk.twinds.com>
To: “Vladimir Z. Nuri” <vznuri@netcom.com>
Message Hash: cc5f83223445765a99df85ce5e3f01cbe469c618e2c662c2a7eb2b61f4dff637
Message ID: <Pine.HPP.3.91.951115165438.20268D-100000@hawk.twinds.com>
Reply To: <199511151924.LAA29261@netcom13.netcom.com>
UTC Datetime: 1995-11-15 22:48:13 UTC
Raw Date: Thu, 16 Nov 1995 06:48:13 +0800

Raw message

From: Arley Carter <ac@hawk.twinds.com>
Date: Thu, 16 Nov 1995 06:48:13 +0800
To: "Vladimir Z. Nuri" <vznuri@netcom.com>
Subject: Re: credit card conventional wisdom
In-Reply-To: <199511151924.LAA29261@netcom13.netcom.com>
Message-ID: <Pine.HPP.3.91.951115165438.20268D-100000@hawk.twinds.com>
MIME-Version: 1.0
Content-Type: text/plain


On Wed, 15 Nov 1995, Vladimir Z. Nuri wrote:

> 
> Arley Carter <ac@hawk.twinds.com>
> 
> >This may be a stupidly obvious question but..... 
> >We could argue until the cows come home, hell freezes over or the Cubs win
> >the World Series, what ever comes first ;-) about whether giving your credit
> >card number to a waiter or an 800 # clerk is any more or less secure than
> >transmitting it encrypted or clear text over a data link.
> >
> 
> the point of my post was that I AGREE. the only issue is that we should
> make internet security as superior as possible regardless of the security
> of credit cards in the real world. I was attacking the line of thought
> that goes, "credit card security is already marginal, therefore why 
> should anyone try to improve it in cyberspace"? this is circular
> reasoning. "why should anyone try to make something more secure when
> it is already insecure?"
> 
In my post I am looking at this from an economics point of view. Simply
put: If there is unlimited liability to the credit card holder because
Mallet is stealing card numbers from the telco switch, encyrpted, plain text,
it doesn't matter, there will no users.  If there are no users then
there will be no transaction fees generated, no transaction fees, then it
won't be deployed.  Therefore, there is no reason to develop the code 
or even read the latest and greatest specs. and we are all wasting out 
time.  

We must recognize that no matter what code we write, how secure it is,
it won't be used until the banks that must clear the transactions
agree to accept the risks of loss in return for their transactions fees.
I haven't seen this from any of this consortiums and would like besides 
publishing their specs for the best system agree that this risk bearing
is a necessary step for electronic commerce to become a reality.

I would like to see members of the MasterCard and Visa coalitions comment 
on this aspect of the systems that are promulgating.  The one who cracks
this nut first without losing their shirt to Mallet will be the winner. The
others that expect us to deploy systems based upon if Mallet breaks the 
system, the cardholder and or merchant pays is wasting our time. 
MasterCard/Visa,  you're going to have to *earn* those transaction fees in
cyberspace.

>From the card holder's point of view all he cares about is that he can't 
lose money from using his card.   

For anybody else that wants to argue about what is more dangerous,
restaurant dumpsters or telco switches, take it to alt.who.the.hell.cares.


Regards:
-arc

Arley Carter
Tradewinds Technologies, Inc.
email: ac@hawk.twinds.com
www: http://www.twinds.com

"Trust me. This is a secure product. I'm from <insert your favorite 
corporation of government agency>."









Thread