Re: OT: Internet ordering

Hi Terry,

   Although I usually disapprove of non-perennials messages
   on the list, I think the subject is important enough to warrant some
   discussion.  There are so many half-truths and misunderstandings
   out there that it would be good to set at least our ~450 members
   straight!  :)

   Messages that are off-topic like this should be designated by
   an OT: on the commandline -- thanks to whoever started doing
   that.

   There are a couple of points that I want to make before answering
   any questions:

      o Nothing is 100% secure.  For example, it was discovered just
        a few days ago that the SSL protocol has a problem that 
        allows individual sessions to be "cracked" by sending 
        targetted queries to the secure web server.  

        There are only varying degrees of security.

      o I'm probably more hyper about security than other folks.  Part
        of the work that I do at NCSA is security-based, and the data
        that we deal with is much more sensitive than credit card
        numbers.  

> The cost of securing our site would be very high in relation to the 
> size of our business but we do not wish to put customers at risk. We 
> therefore offer several payment options as you suggest. 

   I'm not sure what you consider to be high, but it's not terribly
   expensive.  The key is finding an ISP that can handle some of
   the more competitively-priced site certificates.  Just as a
   shameless plug, Mallorn does this, so send me private email if
   you want to talk about it in more detail.

> >4) Finally -- as of mid-97, the last
> > official report I read -- there had been No, repeat No, verifiable
> > instance of credit card number theft on the net.  Many rumors &
> > anxieties but no actual incident.

   I'm not sure about this.  What about Kevin Mitnick?
   Wasn't he charged with possession of over 10,000 credit card
   numbers that he had hacked from various databases on the Internet?

> It has been  suggested to us that, for people who have concerns 
> about security, they could send half of their credit card number with 
> the on site order form viz: 5432 1234 and the other half plus expiry 
> date in a personal e-mail to the webmaster viz 8988 8766 exp 02/01. 
> This seems to us, as a small operation, to be ideal and many folk are 
> happy with it. I would be grateful for comments about the 
> security aspects of this method.

   I've dealt with this type of method before, and I REALLY dislike
   it.  :)  The problem is that mail doesn't always go directly from
   one machine to another; it can hop around the Internet and be
   stored on various servers.  Each of these servers keeps a copy
   of the message until it forwards it on to another server, so you'd
   better be sure that you trust the system administrators at all of
   these sites.   One of my (slimier) previous employers archived
   all incoming and outgoing mail, made backups, then sent the backups
   off-site.  And I still know of about a dozen security holes on their
   system that could let me, as a remote user unassociated with the
   company, break in and read any messages stored anywhere.

   Why not get a PGP key?  They're free, come with Eudora now and can
   be used with other mailers, work outside of the United States as
   well as inside, and encrypt messages with strong encryption.  Send
   me mail if you're interested in learning about this, too.

> Our New Millennium Delphiniums are year 2000 compliant
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   That's cute.  :)

   Couple of other points (and you're all going to be _SO_ sick of this).

      o The encryption level (40 bit vs. 128 bit) is embedded in your
        browser, so if you're in the U.S. you can download a 128-bit
        version from Netscape or Microsoft.  This does NOT limit you
        only to US sites for purchases -- your browser will self-adjust
        when connecting to a site with lesser encryption.

        The servers also have encryption embedded in them, and 
        it's possible for a non-US site to have 128-bit encryption.
        The key to US encryption law is that the programs or source code
        cannot leave the country in an electronic form (funny story here
        -- PGP got around this by printing out the entire source code for
        their program into a book and taking THAT out of the country --
        and it's perfectly legal!), but other non-US developers have
        created their own RSA-compatible encryption algorithms for their
        web browsers.

        So in a nutshell, get yourself a 128-bit browser if possible.
        Definitely available in the US, should be available in Europe
        soon now that Netscape has given away their source code.  Will
        work no matter where you connect and always give you the best
        security for a given situation.

      o Most Internet credit card theft doesn't happen because someone
        watched your network traffic.  It's usually because the site
        accepting your credit card keeps it in a database which gets
        hacked at a later date.  But I still encourage you NOT to send
        anything "in the clear" -- that is, unencrypted, unless you
        have no other choice.  I personally will only order through a
        secure connection, and if not available, I'll call and give them
        my number.

      o As Anne said, try to stick with one credit card.  I use the
        one with the lowest credit limit, just in case...  :)

Comments, questions, rebuttals welcome.  Please preface the Subject:
header with "OT:" to indicate that it's off-topic.  Of course, personal
mail is welcome too (just can't get enough of the stuff)...

Chris
---------------------------------------------------------------------
To sign-off this list, send email to majordomo@mallorn.com with the
message text UNSUBSCRIBE PERENNIALS
Other Mailing lists | Author Index | Date Index | Subject Index | Thread Index