Perry E. Metzger <perry@piermont.com> writes:
Joe Buck writes:
However, I disagree with your conclusion:
Don't trust your credit card number to this protocol.
Your credit card number, expiration date, etc, are continually being revealed to minimum-wage clerks all the time, unless you never use the card.
On the other hand, those clerks can be traced down in most cases and have fairly limited numbers of cards they get. It might be very profitable to run a vacuum cleaner operation on the net slurping down credit card number or other confidential information and then selling it in bulk to people who could exploit it.
Most credit card companies ship their registration information off shore to low tech developing countries. The idea is that the people entering the information are unlikely to be able to exploit the information they are exposed to. Capturing a set of credit card tapes is certainly profitable, as would be capturing large volumes of numbers, as you suggest. Now, are those West African credit fraud rings dialing up DEC, SUN, and SGI? :-) DJK P.S. There could be an article in tomorrows WSJ about the SSL Challenge. The technical details and facts will surely be mangled. :-(