On Sun, Sep 23, 2007 at 07:38:27PM +0100, Michele Neylon :: Blacknight wrote:
> >That's not a compromise, that is placing ordinary people at huge
> >increased risk to identity and monetary theft - merely for the
> >convenience of the business. Frankly - it's a pretty dumb thing to do,
> >and it's wise to give businesses which ask for it a wide berth.
> > Colm
> Why?
Because there is simply no way to know what happens to the fax at the other
end. It might be printed on glossy roll paper and lie in an inbox all
week, it might be handled by a fax-to-e-mail service somewhere, it might
be kept in a folder for years for records purposes, it might be thrown
un-shredded into the day's garbage, the list goes on and on ... and
this is assuming the fax even went to the right place.
It might go to the wrong number (it's pretty easy to typo a number),
someone may be man-in-the-middling the fax (via methods as simple as
hacking the website and replacing the number) and this is before we
begin to think about the multitude of old-school attacks someone with
access to the PBX or SS7 node could perform. This list goes on and on
too.
> You love making broad sweeping statements without being able to back
> them up with anything
If you're just going to make blatant ad-hominem attacks you might as well
come up with some good names or something, and then back up your own
statement.
> How is asking someone to fax over a copy of their credit card going to
> be more of a risk than the person handing over their details on an
> online form?
The fax contains more data ... namely your signature, and the format of
the card, the entire validity (longer valid cards generally have bigger
credit limits too btw, this is useful information). Many cards also have
other indicators of the credit limit (e.g. a Gold or platinum card).
The security numbers on the back (it's typical to ask for a CVV, but
the others are useful too - for extended authentication).
But most of all, the attack is multiplicative. Once you have the fax
image, you can send that to all sorts of businesses that insist on ...
wait for it ... a fax image. It's stunningly simple, and terrible
terrible security. Your own process destroys your own point ... since
you now have a copy of what my credit card looks like, the image is no
protection from fraud at all.
> >It's also ineffective, it's not difficult to counterfeit a fax-quality
> >representation of a credit card.
> A lot of things can be faked. The point is that if you were a scammer /
> phisher you'd be more interested in targeting the providers that don't
> do any checks, so it wouldn't be as attractive for you to sign up with
> someone who does.
Sure - but that's the business's problem. I care about my credit card
security. I don't accept trade-offs that reduce my security to make that
of the business's any easier, that's not a compromise - that's a reason
for me to take my business elsewhere, simple as that.
> >A better compromise solution is for
> >businesses to sign up to the extended-verification programs Credit Card
> >providers offer (Visa, Mastercard and Amex offer these via Irish banks -
> >I use Visa with AIB for this).
> First off not all banks use 3d secure, so while the provider may have
> implemented it the user's credit card provider may not be in the scheme,
> so you're back to square one.
> AIB is one of the few Irish banks to have implemented it. BOI didn't
> seem to know anything about it when we spoke to them a couple of months ago.
> Secondly it also seems to confuse end users
> We implemented it quite some time ago, but it will only work with banks
> that are actually using the system
All of that is unfortunate :(
--
Colm MacCárthaigh Public Key: colm+pgp at stdlib.net