On 24/09/2007, Colm MacCarthaigh <colm at stdlib.net> wrote:
> On Mon, Sep 24, 2007 at 10:12:32AM +0100, Thomas Bridge wrote:
> > And how are any of these security risks mitigated by using an SSL form
> > to submit your CC details instead?
> Like I said, there is less detail. But also, back here in the real
> world, I consider it substantially less likely that my https-submitted
> details are being printed on roll-paper, at the very least.
I agree it's unlikely to be roll paper - typically the paper used is
standard printer. My point stands, and you are incredibly naive if
you are relying on the details not being printed out.
> > Your argument is very weak - and essentially raises the generic
> > security issues with credit cards generally, rather than anything
> > specific to sending the details over fax.
> Nonsense. Just because credit cards are pretty stupid in general,
> doesn't mean that it's a good idea to ignore some other basics. I
> wouldn't use any plaintext protocol for credit card details, not e-mail,
> not http, not fax, and I try to avoid even phone. There may well be
> other weak links in the chain, but that doesn't mean you don't try and
> cover your ass from all the opportunistic people in the middle.
I find your paranoia amusing.
While I agree that I wouldn't enter my details on a website that
didn't support SSL, that's got nothing to do with my paranoia that my
CC details would be collected on the wire.
The obvious weak link is at the ends of the line, not the transmission
process itself. That's where any "huge increased risk" to "ordinary
people" of "identity and monetary theft - merely for the convenience
of the business" exists.
> Typically it's both sides, but even the front is more information.
Actually, the front of the card typically contains the minimum
information you have to supply the business with in order for them to
process the transaction. As you're presumably already giving them
that, and typically such details are kept on file (as opposed to the
CCV number and possibly the signature) I don't see how much extra
information they are gaining.
> > "Credit card security" is an oxymoron. It doesn't exist. You can
> > take reasonable steps to prevent your card being abused, but in the
> > end they are not inherently secure.
> > It's really simple with credit or debit cards - you sacrifice security
> > for convenience.
> ... and why would you voluntarily choose ways of using it which make
> it even less secure?
Such as ringing up the vendor and giving the details over an
"insecure" line? Because I'm exposing myself to the tiny risk that
someone is listening in on the call to collect Credit Card details
for the convenience of not having to send them a cheque in the post.
Thomas
--
Thomas Bridge
CCIE #14108