Maybe It's Snake Oil All the Way Down
Bill Frantz
frantz at pwpconsult.com
Wed Jun 4 17:13:22 EDT 2003
At 8:07 AM -0700 6/4/03, Sunder wrote:
>Depends on how it gets passed from the web servers to that computer. If
>it's encrypted with a public key on the web server that only the database
>has the private half, you're safe from someone sniffing that "proprietary
>one-way interface."
>
>However, if someone's already broken into the web server, they can collect
>the cc:'s before they get sent to the secure db.
>
>So if you're an old Amazon customer and don't change your CC >BEFORE<
>someone hacks into their web server, you're safe.
>
>It's certainly better than storing all CC's on the web server.
>
>Now if those CC's are in raw text on the DB end, Amazon is up shit's creek
>if someone walks away with a db dump, backup tape, or whatever.
>
>....
>
>However, this is in a lot of ways MORE secure than handing that waiter or
>store clerk your CC. Remember that nice yellow slip has your signature,
>CC number and expiration date on it. Very useful for an attacker.
>In fact, they likely had physical access to the CC and have that extra 3
>digit # on the back too.
>
>...
>
>I feel safer with Amazon's use of my CC than the above, don't you?
Well, I've only ordered from Amazon 2 or 3 times since they've been in
business. Having my CC on file gives a much longer exposure time than the
brief periods of time it would be "in transit". So, no, I don't feel much
safer. The $50 limit on unauthorized charges is what makes me feel safer.
Cheers - Bill
-------------------------------------------------------------------------
Bill Frantz | Due process for all | Periwinkle -- Consulting
(408)356-8506 | used to be the | 16345 Englewood Ave.
frantz at pwpconsult.com | American way. | Los Gatos, CA 95032, USA
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
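The "public key on the web server, private half only on the database" design that Sunder describes above, as an added example that is not code from this thread or from any retailer's system. It is written in Go with only the standard library; RSA-OAEP with SHA-256 is an assumed choice of cipher (the thread names none), the type names are invented for illustration, and the card number is a constructed test value. The web tier can encrypt and store records but cannot read them back; only the vault side can, which is where plaintext reappears.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// CardVault models the "secure db" end of the design: the only component that
// ever holds the private key, so the only one able to recover a number.
type CardVault struct {
	priv *rsa.PrivateKey
}

// NewCardVault generates the key pair. Assumption for this example: in a real
// deployment the private key is generated on, and never leaves, the db host.
func NewCardVault() (*CardVault, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &CardVault{priv: priv}, nil
}

// PublicKey is the half that gets installed on the web servers.
func (v *CardVault) PublicKey() *rsa.PublicKey {
	return &v.priv.PublicKey
}

// Open decrypts a stored record. This is the point where plaintext exists
// again, so a dump of this side together with its key is the remaining
// exposure the thread worries about ("raw text on the DB end").
func (v *CardVault) Open(record []byte) (string, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, v.priv, record, nil)
	if err != nil {
		return "", fmt.Errorf("vault: cannot open record with this key: %w", err)
	}
	return string(pt), nil
}

// WebTier models the web server: it holds only the public key and a store of
// ciphertext records, which is all an attacker gets from a dump of this tier.
type WebTier struct {
	pub   *rsa.PublicKey
	store [][]byte
}

func NewWebTier(pub *rsa.PublicKey) *WebTier {
	return &WebTier{pub: pub}
}

// Accept takes a card number at checkout and encrypts it immediately.
// The number is plaintext inside this function, which is exactly the window
// someone already on the web server can read from, as Sunder notes.
func (w *WebTier) Accept(cardNumber string) ([]byte, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, w.pub, []byte(cardNumber), nil)
	if err != nil {
		return nil, err
	}
	w.store = append(w.store, ct)
	return ct, nil
}

// Dump returns everything persisted on the web tier: ciphertext only.
func (w *WebTier) Dump() [][]byte {
	return w.store
}

func main() {
	vault, err := NewCardVault()
	if err != nil {
		panic(err)
	}
	web := NewWebTier(vault.PublicKey())

	// Constructed sample value: a well-known test card number, not real data.
	ct, err := web.Accept("4111111111111111")
	if err != nil {
		panic(err)
	}
	fmt.Printf("web tier stored %d record(s); first bytes: %x\n", len(web.Dump()), ct[:8])

	number, err := vault.Open(ct)
	fmt.Println("vault recovered:", number, err)

	// A different vault (different private key) cannot open the record.
	other, _ := NewCardVault()
	_, err = other.Open(ct)
	fmt.Println("different key:", err)
}
```

Note that nothing in this design helps with the two cases the thread calls out: a compromised web server sees the number inside `Accept` before it is encrypted, and a dump of the vault side that includes the private key (or of any plaintext the vault writes out after `Open`) is as bad as storing raw numbers.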