I've been seeing a particular meme-nugget of conventional wisdom circulating in reference to credit cards that I'd like to debunk. (recently showed up in the WSJ, "Boardwatch" magazine editorial column, etc). these legends and thinkings are starting to annoy me to the point of becoming a pet peeve.

the argument goes like this: secure credit card number uploading schemes (such as in Netscape) are not important on the internet because credit card numbers are already insecure. you give them to low-wage workers all the time who might steal the number from you anyway.

there are a lot of fallacies with this. I find this to be a key cypherpunk issue, and I hope others will agree to the point of trying to attack this fallacy through letters to the editor, debates, etc., because it seems to rationalize weak security.

- 1st point: yes, you do give credit cards to low wage workers in businesses, but this is not directly parallel to sending a credit card over the internet. the fuzzy thinking goes like this: "credit card numbers are already not secure. therefore, trying to secure them is frivolous". this is patently ridiculous on the face of it. it's circular reasoning. credit card numbers could become more secure if all businesses made them more secure. getting all businesses to make them secure is part of the battle. raising consciousness on the issue is part of the battle. saying, "there is no point" is a copout imho.

- the insecurity of sending a card over the net could be far better or worse than that of handing it to an individual. 1st, when you send a number over the net, potentially anyone (including people other than the destination business) could spy on it. when you give it to someone in a company, only that representative (who would be trusted by the company) has access to it. or, alternately, maybe no one could *ever* see your card sent over the internet, including workers at the end site, who never deal with the numbers directly.
such a system is possible and may become the norm. but not if shallow-thinking people can't imagine it as possible.

- it is not impossible to have cards that don't have numbers but instead have magnetic stripes, and the only way for them to work is to be physically scanned. this would reduce fraud but would also reduce the convenience of sending numbers over the phone (mail order) for example. I'm not saying all cards should be this way, but it might make sense for some people to get a "scan only card" that cannot be used unless physically scanned. the point is that there are variations on the credit card theme that make them more secure, and there's a bit of a hurdle in getting Joe Sixpack to realize this, and realize it's desirable.

- the boardwatch magazine editor argued that uploading credit card numbers over the internet in a secure fashion is a "non problem" because credit cards are already insecure. have you ever heard of PROGRESS, mr. bonehead? if the net began to make credit transactions more secure, perhaps that would create a momentum in which other offline businesses might become more strict or careful about credit card security.

- credit card fraud is absolutely enormous in this country. and there are not really any very strong safeguards against it except a lot of "security through obscurity" (of credit card numbers). *everyone* pays the cost of this horrible fraud rate through increased transaction charges, higher interest rates, etc. just because you may not see it itemized on your credit card bill, does not mean you are not paying for it. (in much the same way that a sort of "shoplifting tax" is reflected in the cost of all merchandise).

- the internet may eventually become completely secure. arguing that "we don't need security on the internet because we don't have it in the business world of daily credit card use, and they get along fine" is ridiculously simplistic and specious.
the fact is that businesses do *not* really like many aspects of credit cards: low security, overhead costs, cost of interface devices to the credit card companies, etc. all these negative ingredients could be improved in cyberspace. but it won't happen if every time a new superior system comes along, someone argues, "but there's nothing wrong with what we have now!!!" when this is quite obviously mistaken to anyone with any minimal background & understanding in the area. furthermore, consumers are somewhat notorious for not really knowing what they want, and sometimes arguing against something they would buy or use in the future.

==

I'm continually amazed at how often security issues are mixed up in people's brains and reasoning. there are a lot of fallacies that work their way into respectable writing by reputable people that tend to mirror circular reasoning such as, "if something is insecure already, it makes no point to try to make a piece of it more secure". security is sometimes won slowly in increments, in which one could argue against each increment as useless or inconsequential, but the end result could lead to far better security. furthermore, there are a lot of different kinds of security weaknesses-- there is not a simple black-and-white measurement of "secure" vs. "insecure" but a lot of intermediate gradations.

attempts to get secure credit card number transfer on the internet are not an end in themselves. they are the first steps toward an entirely new transaction system. those who see a single step and criticize it as feeble in the context of past systems are missing the point and apparently can't think past the present nanosecond of their lives.