AmEx unprotected login site

R. Hirschfeld ray at unipay.nl
Thu Jun 9 05:23:48 EDT 2005


> From: "Perry E. Metzger" <perry at piermont.com>
> Date: Wed, 08 Jun 2005 19:01:37 -0400

> The other major offenders are organizations (such as portions of
> Verizon) that subcontract payment systems to third parties. They are
> training their users to expect to be directed to a site they don't
> recognize to enter in their credit card information. "Really! This is
> your vendor's payment site! Pay no attention to the URL and
> certificate!"
> 
> That one in particular takes amazing brains...

For Verizon maybe, but there are plenty of Mom and Pop internet
merchants for which it is arguably more secure to do it this way.  The
merchant never sees the customer's payment information and thus
needn't know how to properly protect it, and one-time shoppers may not
know/trust the merchant anyway.  If the redirect is from a secure
merchant site to a secure payment provider site, and the merchant site
informs users where they will be redirected, is this so bad?

Ray

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


