At 09:53 AM 1/30/96 -0500, nsb@nsb.fv.com wrote:

...

... likely, you store the card numbers on a computer. And no doubt, someone or something enters those numbers into a database. You have just violated your own cardinal rule.

Nope, afraid not. We keep the credit card numbers on a non-Internet computer.

Let me restate your cardinal rule, direct from your "alert":

Quite simply, we believe that this program demonstrates a FATAL flaw in one whole approach to Internet commerce, and that the use of software to encrypt credit card numbers can NEVER be made safe. For consumers, we recommend the following simple rule:

NEVER TYPE YOUR CREDIT CARD NUMBER INTO A COMPUTER.

How about we here it again, just because it's so well thought out:

NEVER TYPE YOUR CREDIT CARD NUMBER INTO A COMPUTER.

Now, the fact that your customer database of credit card numbers is not directly available via the Internet does not make it cease to be a computer. Regardless of its networkability, it is still a computer. Do you suggest, then, that computers cannot exist without networks?

As to how the credit card numbers are entered: they are entered at account setup time via a telephone call.

And just *where* do they get entered? Into a computer. And *how* are they entered? Via a keyboard. What was that? You guys enter credit card numbers via the keyboard? But YOU CAN'T DO THAT! IT'S NOT SAFE! If I can't trust myself to keep my credit card number secure, why should I trust your minimum-wage data entry employees?

Believe me, we've thought a LOT about this.

I believe that you thought more about writing your glorified keyboard sniffer than you did deciding how to announce your discovery to the public. --- Jeremy Mineweaser | GCS/E d->-- s:- a--- C++(+++)$ ULC++(++++)>$ P+>++$ j.mineweaser@ieee.org | L+>++ E-(---) W++ N+ !o-- K+>++ w+(++++) O- M-- | V-(--) PS+(--) PE++ Y++>$ PGP++>+++$ t+() 5 X+ R+() *ai*vr*vx*crypto* | tv(+) b++>+++ DI+(++) D+ G++ e>+++ h-() r-@ !y-