On Mon, Sep 24, 2007 at 10:12:32AM +0100, Thomas Bridge wrote:
> On 23/09/2007, Colm MacCarthaigh <colm at stdlib.net> wrote:
>
> > Because there is simply no way to know what happens the fax at the other
> > end. It might be printed on glossy roll paper and lie in an inbox all
> > week, it might be handled by fax-to-e-mail service somewhere, it might
> > be kept in a folder for years for records purposes, it might be thrown
> > un-shredded into the day's garbage, the list goes on and on ... and
> > this assuming the fax even went to the right place.
>
> And how are any of these security risks mitigated by using an SSL form
> to submit your CC details instead?

Like I said, there is less detail. But also, back here in the real
world, I consider it substantially less likely that my https-submitted
details are being printed on roll-paper, at the very least.

> Your argument is very weak - and essentially raises the generic
> security issues with credit cards generally, rather than anything
> specific to sending the details over fax.

Nonsense. Just because credit cards are pretty stupid in general,
doesn't mean that it's a good idea to ignore some other basics. I
wouldn't use any plaintext protocol for credit card details, not e-mail,
not http, not fax, and I try to avoid even phone. There may well be
other weak links in the chain, but that doesn't mean you don't try and
cover your ass from all the opportunistic people in the middle.

> > The fax contains more data ... namely your signature, and the format of
> > the card, the entire validity (longer valid cards generally have bigger
> > credit limits too btw, this is useful information). Many cards also have
> > other indicators of the credit limit (e.g. a Gold or platinum card).
> > The security numbers on the back (it's typical to ask for a CVV, but
> > the others are useful too - for extended authentication).
>
> Are they asking for both sides of the card? I assumed from Michele's
> email that just the front (ie no CCV or signature) was what was
> requested....

Typically it's both sides, but even the front is more information.

> > Sure - but that's the business's problem. I care about my credit card
> > security. I don't accept trade-offs that reduce my security to make that
> > of the business's any easier, that's not a compromise - that's a reason
> > for me to take my business elsewhere, simple as that.
>
> "Credit card security" is an oxymoron. It doesn't exist. You can
> take reasonable steps to prevent your card being abused, but in the
> end they are not inherently secure.
>
> It's really simple with credit or debit cards - you sacrifice security
> for convenience.

... and why would you voluntarily choose ways of using it which make
it even less secure?
--
Colm MacCárthaigh Public Key: colm+pgp at stdlib.net