Subject:
From: David Gillett <[log in to unmask]>
Reply To: PCSOFT - Personal Computer software discussion list <[log in to unmask]>
Date: Thu, 25 Mar 1999 18:04:22 -0800
On 25 Mar 99, at 18:53, Jim Meagher wrote:

> -----Original Message-----
> From: David Gillett <[log in to unmask]>
>
>
> >   Bottom line:  Odds that your card number will be stolen are a
> > little higher if the seller accepts such info over the net.  Whether
> > you actually use the net to send the info probably doesn't make much
> > difference.
>
> Since I said basically the same thing yesterday, we are obviously in
> agreement on the how/what/when/where, but I disagree with your final
> analysis.

  Oh dear.  A disagreement like this probably means that subscribers may
have to rely on their own judgements -- one size does not fit all, and
perhaps the "real answer" to the question lies beyond the scope of the
technologies involved.

  I've explained elsewhere why I think your description of the
how/what/when/where is too simplified, and I think that's probably part
of our disagreement.

> I think the odds of a stolen card number are SIGNIFICANTLY less on
> the internet.

  If a secure protocol is used, I agree that odds of a given transaction
being snooped are minuscule.  But I can't see why they would be
"SIGNIFICANTLY" better than fax, just comparable.  [Which is why I didn't
think the transmission medium made much difference from a security
standpoint.]
  My "bottom line" comment above reflects the likelihood that a site that
accepts credit card info over the net MAY be vulnerable to a server
compromise netting the credit card numbers of many customers more or less
instantaneously.  The general level of site security, even amongst
businesses, is pretty lax, and so I have to rate this a higher risk than
dealing with someone whose credit card purchase data is not connected
to the net at all.
  [This is reverse-analogous to the perceived risk levels of driving
and flying.  More people die on the roads, but plane crashes kill a
couple of hundred at a time.  Most people feel safer driving than
flying, but that's not what a numerical risk analysis would recommend.
If encryption is used to transmit the data, I believe its
vulnerability to intrusions while stored at the receiving end is much
greater than its vulnerability in transit.]

> Naturally for all the reasons we explained, but mainly because with
> the internet, the information is flowing directly from one computer
> to another.

  This is about equally true in both cases -- except that (for other
reasons I mentioned) snooping the information (if not encrypted...) from
the intervening computers (including routers, etc.) is much easier on
the Internet.

>   The total number of humans involved in the process is much
> lower for an internet transaction -- ergo -- more secure.

  I'm sorry, you've lost me here.  I can see where it's *possible* to
eliminate one human in the Internet case, but (a) it's not obvious how
you could tell, and (b) the human is replaced by a piece of software
which may itself be vulnerable to a range of undetected sabotage or
subversion.  I'm somehow not seeing "much lower" and perhaps that's why
I also don't see "more secure".

  I *do* occasionally use my credit card on the web -- that's a
pragmatic judgement that it is "safe enough for me to be comfortable
with it".  But I do also recognize that there are risks involved that
not everyone is comfortable taking.


David G

                         PCSOFT's List Owners:
                      Bob Wright<[log in to unmask]>
                        Drew Dunn<[log in to unmask]>
