Re: OT: Internet ordering


Looks like this is going to be a topic for the time being, so here goes:
(with apologies to those hoping for plant discussions, but on the web,
security is a "perennial" issue! :->)

Christopher P. Lindsey wrote:

>       o Nothing is 100% secure. ......... There are only varying degrees of security.

Entirely agree, and this is true of many situations, not just web-based
transactions. We need to accept a reasonable compromise.
> 
>       o I'm probably more hyper about security than other folks. 

This seems to be the mind-set of anyone deeply involved in security
issues, Chris, and with good results.  Our own security genius
(nicknamed "Sheriff") was hyper-paranoid about data security and would
absolutely not allow a new idea to be executed until he was convinced it
would not compromise our systems.
 
> > The cost of securing our site would be very high ..... 
> 
>    I'm not sure what you consider to be high, but it's not terribly
>    expensive.  The key is finding an ISP that can handle some of
>    the more competitively-priced site certificates. 

True.  While some of the commercial server software packages are
expensive, there are alternatives that provide the encryption security
needed for web transactions.  And this is a *basic* requirement for any
web business these days, IMHO.
 
> > >4) Finally -- as of mid-97, the last
> > > official report I read -- there had been No, repeat No, verifiable
> > > instance of credit card number theft on the net. .....
> 
>    I'm not sure about this.  What about Kevin Mitnick?
>    Wasn't he charged with possession of over 10,000 credit card
>    numbers that he had hacked from various databases on the Internet?

OK, I'll modify that. The reports I referred to earlier specifically
concerned the theft of individual numbers used in web transactions, not
the cracking of large databases. I'd like to comment specifically here
on the storage of sensitive customer info by any enterprise:

	--The important issue is to ensure that customer records, including
credit card numbers, are stored in a system completely separate from the
public web server.  In our case, there was a 24 hour window that held a
single day's transactions. These were then transferred to a separate
system behind a corporate firewall that was, if not impossible, very
very difficult to crack.  The public system also had a firewall that,
while not as tight because of the need to allow the public partial
access, was monitored constantly against abuse. ("Firewall" was the term
used for the software that prevented unauthorized access to our data
--different from software that encrypts data, such as credit card info.)

	-- Many ISP providers offer firewall security of various kinds and many
also have the option of storing customer data separately.  Warning:  the
presence of a secure firewall is often a target for crackers who can't
resist a challenge.  And the firewall software is not sufficient in
itself -- there must be constant and intelligent monitoring by real
people trained to spot attempted and actual breaches. On the upside,
it's probably a lot more fun to crack the firewall at the Pentagon or
AT&T than the one at Joe's Hardware or even JC Penney's. 

	-- Chris's point can bear repeating: contrary to a common belief that
any credit card number entered on the web goes flying out into
cyberspace available to any cracker lurking in wait to grab a number, 
the reality is that crackers want to break into big secured databases
where thousands or millions of records are kept -- why go after one at a
time when you can get zillions at a crack (pun)?

	-- This brings us to the MAIN POINT: you don't have to put your credit
card # on the web to be at risk.  If you own a credit card, that number
is already in one or more databases -- the bank that owns it, any mail
order firms you do business with, retail firms you shop with, etc.,
etc.  The increase in risk by using credit cards in web transactions is
so slight compared to what already exists as to be a non-issue (if
following secure practices -- don't send CC#'s via e-mail!  See below).

> > It has been suggested to us that, for people who have concerns
> > about security, they could send half of their credit card number with
> > the on site order form viz: 5432 1234 and the other half plus expiry
> > date in a personal e-mail to the webmaster viz 8988 8766 exp 02/01.
 
>    I've dealt with this type of method before, and I REALLY dislike
>    it.  :)  

I'm in total agreement with Chris here - e-mail is the least secure
thing on the net and I'd never put any sensitive data in any post to any
site.
...................................
...................................
>         So in a nutshell, get yourself a 128-bit browser if possible.
>         Definitely available in the US, should be available in Europe
>         soon now that Netscape has given away their source code.  Will
>         work no matter where you connect and always give you the best
>         security for a given situation.

This is good news and is the best option on the client side.  On the
server side, encryption plus firewall security plus separate data
storage is the thing to look for.

In a nutshell, security is getting better and better but is still
(repeating Chris's statement above) only approximate. Crackers will
still attempt to crack high-end security systems for the pure challenge
of it as well as for potential profit.  Other than cancelling all of our
credit cards and taking our cash out of the bank, I think we have to
rely on the vigilance of the security experts who, in my experience,
take very seriously their obligations to protect important customer data
- as well as exercising our own common sense precautions about who we do
business with, both on and off the web.

Chris, hope you can keep us up to date with news on these issues as it
arises. I agree that dispelling myths about net usage is very important. 

Anne
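
The storage arrangement Anne describes above (the public web server holds at most one day's transactions, which are then moved to a separate system behind the corporate firewall, with the public server keeping only what it needs) can be modelled in a few lines. The following is an added example, not code from the original message or from either writer's company: the class and function names (PublicWebTier, BackOfficeVault, nightly_transfer, audit_web_tier) are this example's own, the orders are constructed, and the card numbers are the widely published Visa and Mastercard test numbers. The audit function is the check a practitioner would want: it scans everything the public tier still holds for digit runs that pass the Luhn test, so that "nothing sensitive remains after the hand-off" is verified rather than assumed. The same detector doubles as a gate for the "don't send CC#'s via e-mail" point, run over an outbound message body.

```python
"""Storage separation for card data, modelled on the post above.

Added example, not the original message's or any company's own code.
All names here are this example's own; sample orders are constructed.
"""
import re
from dataclasses import dataclass, field


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test; rejects typos and random digit runs."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 13 or len(digits) > 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:            # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, which is all the web tier needs."""
    digits = "".join(c for c in pan if c.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass
class Order:
    order_id: str
    customer: str
    amount_cents: int
    pan: str       # full number; must not outlive the daily window on the web tier
    expiry: str


@dataclass
class PublicWebTier:
    """Internet-facing server: its firewall is looser, so it keeps as little as possible."""
    receipts: dict = field(default_factory=dict)       # long-lived, masked only
    pending_batch: list = field(default_factory=list)  # today's 24-hour window

    def accept_order(self, order: Order) -> str:
        if not luhn_valid(order.pan):
            raise ValueError("card number fails Luhn check")
        self.receipts[order.order_id] = {
            "customer": order.customer,
            "amount_cents": order.amount_cents,
            "card": mask_pan(order.pan),
        }
        self.pending_batch.append(order)
        return self.receipts[order.order_id]["card"]

    def export_batch(self) -> list:
        """Hand over today's orders and forget them locally."""
        batch, self.pending_batch = self.pending_batch, []
        return batch


@dataclass
class BackOfficeVault:
    """Separate system behind the corporate firewall; the only holder of full numbers."""
    records: dict = field(default_factory=dict)

    def ingest(self, batch: list) -> int:
        for o in batch:
            self.records[o.order_id] = {"pan": o.pan, "expiry": o.expiry}
        return len(batch)


def nightly_transfer(web: PublicWebTier, vault: BackOfficeVault) -> int:
    """The post's daily hand-off: drain the public tier into the vault."""
    return vault.ingest(web.export_batch())


# 13-19 digits, optionally separated by single spaces or hyphens.
PAN_PATTERN = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def find_pans(text: str) -> list:
    """Card-number detector: card-length digit runs that also pass Luhn."""
    return [m.group(0) for m in PAN_PATTERN.finditer(text)
            if luhn_valid(m.group(0))]


def audit_web_tier(web: PublicWebTier) -> list:
    """Scan everything the public tier still holds for full card numbers."""
    found = []
    for o in web.pending_batch:
        found.extend(find_pans(o.pan))
    found.extend(find_pans(repr(web.receipts)))   # masked receipts should yield nothing
    return found


def run_demo() -> dict:
    """Walk one day through both tiers and report what the audit sees."""
    web, vault = PublicWebTier(), BackOfficeVault()
    # Constructed sample orders using published test card numbers.
    web.accept_order(Order("o1", "Anne", 4999, "4111 1111 1111 1111", "02/01"))
    web.accept_order(Order("o2", "Chris", 1250, "5555555555554444", "02/01"))
    before = audit_web_tier(web)      # full numbers are still inside the window
    moved = nightly_transfer(web, vault)
    after = audit_web_tier(web)       # empty once the batch has been handed off
    return {"before": len(before), "moved": moved,
            "after": len(after), "vault": len(vault.records)}


if __name__ == "__main__":
    print(run_demo())
    print(find_pans("Order 7, card 5555 5555 5555 4444 exp 02/01"))
```

The audit is deliberately the same detector you would run on an outbound e-mail body: a card number that passes Luhn inside a message is exactly what the post warns against sending. Note what the model makes visible: the full numbers do sit on the public tier for the length of the batch window, so that window is the residual exposure of this design, and shrinking it (or never holding the plaintext there at all) is where further hardening would go.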


---------------------------------------------------------------------
To sign-off this list, send email to majordomo@mallorn.com with the
message text UNSUBSCRIBE PERENNIALS


