From: "David Klur" <dklur@dttus.com>
Date: Sat, 23 Dec 1995 04:32:35 +0800
To: WWW-BUYINFO@ALLEGRA.ATT.COM
Subject: Cybercash questions...
Message-ID: <9511228196.AA819668788@cc1.dttus.com>
MIME-Version: 1.0
Content-Type: text/plain


     
     Hello,
     
     Just a few questions about Cybercash...
     
     - How is the consumer's credit card # stored on his hard drive?  
     Encrypted with the bank's public key? Or does the consumer have a 
     private key?
     
     
     - How does the merchant know where to ship the goods?  Is the merchant 
     required to ship the goods to the billing address on the cardholder's 
     credit card account?  If so, does the bank provide the merchant with 
     this info?  How is it encrypted?  Or does the customer indicate to the 
     merchant where to ship the goods?  Also, what infor does the merhcant 
     send to Cybercash, and how is it encrypted?
     
     The fraud possibility I see is that Bob could steal Alice's encrypted 
     credit card number (by sniffing when she buys something at Charlie's 
     Internet shop).  Then, without decrypting it, he could use it (still 
     encrypted) at Don's Internet shop, and ask Don to ship the goods to 
     Bob's address.  Since Don will not decrypt Alice's card number he will 
     not know that it is not Bob's card.  Cybercash will validate Alice's 
     card, but will not know that it is really Bob who is the customer.  
     Don will ship the goods to Bob, and Alice will get a fraudulent charge 
     on her bill.
     
     Am I missing something?