At 04:39 PM 1/29/96 -0500, Nathaniel Borenstein wrote:
Well, the mis-conceptions are flying fast and furious.
You're twisting our words. We believe it is a truly fatal flaw in those internet commerce schemes that are based on software encryption of credit card numbers. There are several schemes for Internet commerce that are unaffected:
-- First Virtual (of course)
Question: Could you please describe the nature of the First Virtual protocol? Now before you tell me to RTFM, let me explain. I assume, although without absolute certainty, that in order to bill me you must know my credit card number. If you do not know my credit card number, and depend on someone else who does, you are nothing more than a middleman who introduces additional possibility for breach of security. If you do know my credit card number, you must deal with the associated problem of storing this number. Now perhaps I am wrong, and you really do keep all of your clients' card numbers in a printed book hidden within a safe, and for each transaction you remove the book, use your table to match FV_ID to CC#, process the transaction, and replace the book. However, I doubt this. More likely, you store the card numbers on a computer. And no doubt, someone or something enters those numbers into a database. You have just violated your own cardinal rule. Jeremy --- Jeremy Mineweaser | GCS/E d->-- s:- a--- C++(+++)$ ULC++(++++)>$ P+>++$ j.mineweaser@ieee.org | L+>++ E-(---) W++ N+ !o-- K+>++ w+(++++) O- M-- | V-(--) PS+(--) PE++ Y++>$ PGP++>+++$ t+() 5 X+ R+() *ai*vr*vx*crypto* | tv(+) b++>+++ DI+(++) D+ G++ e>+++ h-() r-@ !y-