On Tue, 14 Nov 1995, Greg Broiles wrote:
Detweiler writes:
the argument goes like this: secure credit card number uploading schemes (such as in Netscape) are not important on the internet because credit card numbers are already insecure. you give them to low-wage workers all the time who might steal the number from you anyway.
there are a lot of fallacies with this. I find this to be a key cypherpunk issue, and I hope others will agree to the point of trying to attack this fallacy through letters to the editor, debates, etc., because it seems to rationalize weak security.
You're only reproducing half of the debate, which goes like this:
Actually, this is not quite correct. There is a difference if I give a credit card to *one* person, or if I give the message containing that number to a chain of twenty or thirty strangers to get my information to the one person I want to have that information. We're back to handing your card to the neighbour, who gives it to the doorman, who flags the cab and gives it to a cabbie, who then drives cross town and gives it to another doorman, who then etc, etc. Something completely different than the long bomb from the quarterback. Our potential interception points have increased substantially ... and we have absolutely no audit trail to figure out who *might* have scarfed the card. I guess the average customer won't care. His loss is limited to $50. But some of us who try to live in the real world wonder how long that'll last. Can we measure the life of it in a matter of weeks?? Or months?
Businesses/customers won't trust the Internet for commerce, because it's not perfectly secure.
And then others go on to point out that businesses and consumers do business every day using commerce tools whose security features are weak to nonexistent.
Hmmm ... maybe we'll even get a whole whole new industry going ... don't ya think?? Maybe we can create a whole new set of risks which are additive to those we already have. Maybe every petty grifter might trade in his very own credit card number and simply claim that their credit card got stolen over the internet. Just disappeared into the anonymous aethyr ... the one without an audit trail ... but my loss is limited to $50, right?? I guess other people understand systems much, much, more than I do. I guess that the NY Times is right ... it won't change the loss rate for the card companies, at all ... nope ... won't create a new problem ... naahh ... the public wouldn't actually take advantage of holes like this in the system. Nope, no sirreee ... Give your head a shake. Alice de 'nonymous ... ...just another one of those... ...hunters... P.S. This post is in the public domain. C. S. U. M. O. C. L. U. N. E.