On 25 Mar 99, at 18:53, Jim Meagher wrote:
> -----Original Message-----
> From: David Gillett <[log in to unmask]>
>
>
> > Bottom line: Odds that your card number will be stolen are a
> > little higher if the seller accepts such info over the net. Whether
> > you actually use the net to send the info probably doesn't make much
> > difference.
>
> Since I said basically the same thing yesterday, we are obviously in
> agreement on the how/what/when/where, but I disagree with your final
> analysis.

Oh dear. A disagreement like this probably means that subscribers may
have to rely on their own judgements -- one size does not fit all, and
perhaps the "real answer" to the question lies beyond the scope of the
technologies involved.

I've explained elsewhere why I think your description of the
how/what/when/where is too simplified, and I think that's probably part
of our disagreement.

> I think the odds of a stolen card number are SIGNIFICANTLY less on
> the internet.

If a secure protocol is used, I agree that odds of a given transaction
being snooped are minuscule. But I can't see why they would be
"SIGNIFICANTLY" better than fax, just comparable. [Which is why I didn't
think the transmission medium made much difference from a security
standpoint.]

My "bottom line" comment above reflects the likelihood that a site that
accepts credit card info over the net MAY be vulnerable to a server
compromise netting the credit card numbers of many customers more or less
instantaneously. The general level of site security, even amongst
businesses, is pretty lax, and so I have to rate this a higher risk than
dealing with someone whose credit card purchase data is not connected
to the net at all.

[This is reverse-analogous to the perceived risk levels of driving
and flying. More people die on the roads, but plane crashes kill a
couple of hundred at a time. Most people feel safer driving than
flying, but that's not what a numerical risk analysis would recommend.
If encryption is used to transmit the data, I believe its
vulnerability to intrusions while stored at the receiving end is much
greater than its vulnerability in transit.]

> Naturally for all the reasons we explained, but mainly because with
> the internet, the information is flowing directly from one computer
> to another.

This is about equally true in both cases -- except that (for other
reasons I mentioned) snooping the information (if not encrypted...) from
the intervening computers (including routers, etc.) is much easier on
the Internet.

> The total number of humans involved in the process is much
> lower for an internet transaction -- ergo -- more secure.

I'm sorry, you've lost me here. I can see where it's *possible* to
eliminate one human in the Internet case, but (a) it's not obvious how
you could tell, and (b) the human is replaced by a piece of software
which may itself be vulnerable to a range of undetected sabotage or
subversion. I'm somehow not seeing "much lower" and perhaps that's why
I also don't see "more secure".

I *do* occasionally use my credit card on the web -- that's a
pragmatic judgement that it is "safe enough for me to be comfortable
with it". But I do also recognize that there are risks involved that
not everyone is comfortable taking.

David G