Subject:
From: David Gillett <[log in to unmask]>
Reply To: PCSOFT - Personal Computer software discussion list <[log in to unmask]>
Date: Thu, 25 Mar 1999 10:52:00 -0800
On 24 Mar 99, at 15:11, aldridge wrote:

> In the same area that has been discussed I would like to know if
> sending your credit card number in a Fax over the web is safe.  What
> is the difference between just sending an e-mail and sending a Fax?
> I'm currently downloading a program called 'Just the Fax'.  And would
> like to use it to send CC information to Australia to purchase
> something, I'm in the US.

  There are two relevant differences:

1.  The Internet is, by and large, "packet switched" while the phone
system is "circuit switched".  In order to snoop on your phone
connection, one would have to be already watching either your line or
that of your correspondent, and that's likely to involve physically
installing equipment either on your property or the phone company's.
While illegal taps have happened (whether by telco employees or "phone
phreakers" (hackers)), I've never heard of one where a fax machine or
fax modem was used.  [Which doesn't mean it couldn't happen, of course.]
  Internet traffic travels, in pieces, from point to point until
reaching its destination.  These intermediate points belong to various
organizations, and you cannot assume that they are all secure.  A
network "sniffer" is a device or program that watches passing network
traffic and makes copies of anything that looks "interesting"; if a
"Bad Guy" can get one installed near enough to a place that all of your
(or your correspondent's) traffic goes through, it may be possible to
reconstruct and read what was sent.  [If the sniffer is not near a
choke point, it may not see all of the traffic because packets may be
routed differently.]

2.  The phone company carries an effectively analog signal.  Having
tapped the line -- which requires some time to identify the line of
interest and install the tapping equipment -- the Bad Guy then has to
recognize that the signal on the line is a fax transmission, and route
it either to a fax machine or a tape recorder for later playback.  Law
enforcement wiretaps are undoubtedly prepared to deal with this; odds
are that most other snoopers are not.
  On the Internet, the packets are like postcards, each with address
and contents visible to anyone.  Someone could set a sniffer to watch
for patterns in the contents that look like credit card information;
your message will be split up into packets, but you can't guarantee
that this info won't all be in one packet.  No special equipment is
needed to read the packet contents besides the sniffer program itself.
  [Protocols like SSL encrypt the packet contents; this increases the
effort needed to identify and capture info to where an external sniffer
cannot keep up and must start missing some traffic.]

  Assuming that the web site you want to communicate with uses SSL or
something equivalent (you can configure your browser to notify whether
a connection is "secure" or not), your credit card number *in transit*
is about equally secure by either method.
  The real question, I think, is how safe that info is *after* it
reaches the other end.  Some of your correspondent's employees will have
access to it, and they might not all be honest; this is the same risk
as when you hand your card to a sales clerk, waiter, or gas station
attendant, so it's probably not something you'd worry about.  But if an
outsider can hack into the company's billing database, yours may be
just one of hundreds or thousands of card numbers/expiries copied.  [A
serious professional outfit is not going to have their billing data
directly on the net -- especially not on their web server -- but if a
billing clerk also has net access from the same PC, that security hole
may not have been recognized.]

  Bottom line:  Odds that your card number will be stolen are a little
higher if the seller accepts such info over the net.  Whether you
actually use the net to send the info probably doesn't make much
difference.


David G

                PCSOFT mailing list is brought to you by:
                            The NOSPIN Group
                            http://nospin.com
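
The point in item 2 of the message above, that a short plaintext message usually travels in a single packet with the card number intact, shown from the defender's side as an outbound-content check. This is an added example, not part of the original post: the function names, the constructed sample message and the 1460-byte segment size are assumptions, and 4111 1111 1111 1111 is a standard test number, not a real card.

```python
import re

# 13 to 19 digits, optionally separated by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; filters out order refs etc."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_card_numbers(text):
    """Return digit strings in text that look like card numbers and pass Luhn."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits

def mask(pan):
    """Keep only the last four digits for logging."""
    return "*" * (len(pan) - 4) + pan[-4:]

def segment(payload, mss=1460):
    """Split a payload the way a TCP sender with this segment size would."""
    return [payload[i:i + mss] for i in range(0, len(payload), mss)]

def segments_exposing_card(payload, mss=1460):
    """Indexes of segments that contain a complete card number on their own."""
    return [i for i, seg in enumerate(segment(payload, mss))
            if find_card_numbers(seg.decode("ascii", "replace"))]

# Constructed sample: an unencrypted order message. The first number is an
# order reference that fails Luhn; the second is the test card number.
SAMPLE = (b"Order ref 1234 5678 9012 3456\r\n"
          b"Please charge card 4111 1111 1111 1111 for the software.\r\n")

if __name__ == "__main__":
    for pan in find_card_numbers(SAMPLE.decode("ascii")):
        print("card number in clear text:", mask(pan))
    print("segments exposing a full number:", segments_exposing_card(SAMPLE))
```

An outbound mail or proxy filter should run a check like this on the whole reassembled message, since a number that happens to straddle a segment boundary is not visible in either segment alone.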
