Re: INTERNET SECURITY RISKS FOR CONSUMERS OVERBLOWN
"If someone wanted to steal a credit card number, all they would have to do is go to any gas station and look on the ground around the pumps," says the CTO at Internet security firm Terisa Systems.
Sure, if you wanted to steal a card number or two the ground around a gas-station would probably be a good choice. However, if you wanted to steal a thousand card numbers (or maybe even thirty thousand), just sniff packets off a hub near a large Web site that accepts unencrypted (or weakly encrypted) card transactions or hack your favorite ISP's machines. It really bothers me that officers at companies writing net commerce software are regularly quoted in the trade rags comparing the relatively little risk of a single net card transaction vs. a transaction at a restaurant or gas station. We aren't talking about a crooked clerk who handles at most a few hundred cards per day or an unlocked dumpster with maybe the same number of carbons in it. We are talking about potentially hundreds of thousands of card numbers whizzing through a single point that could be easily (and undetectably) monitored and recorded with off-the-shelf equipment for later analysis. Even if the transactions are encrypted, a single exploitable weakness discovered after widespread deployment could compromise massive numbers of cards. The stakes are much higher and this will invite much more sophisticated crooks to attempt to defraud the system.

andrew
Andrew Loewenstern writes:
"If someone wanted to steal a credit card number, all they would have to do is go to any gas station and look on the ground around the pumps," says the CTO at Internet security firm Terisa Systems.
Sure, if you wanted to steal a card number or two the ground around a gas-station would probably be a good choice. However, if you wanted to steal a thousand card numbers (or maybe even thirty thousand), just sniff packets off a hub near a large Web site that accepts unencrypted (or weakly encrypted) card transactions or hack your favorite ISP's machines.
Duh. The point of the article the original poster quoted was that there's little risk to individual *consumers*. If someone sniffs thirty thousand credit cards from a poorly secured web-site, the consumers are still only liable for $50. Of course, the card company gets a big bill, and probably will try to sue the site to recover, and both will pass those costs back to the consumer, assuming they survive. The total cost is still pretty small to the individual.
participants (2): Andrew Loewenstern, Scott Brickner