Openly Published e-Commerce Security Precautions?
zCyl asks: "When I went to purchase a SCSI card online a while back, I went to a dealer that I had heard was reputable. Then a little later they were purchased by Egghead, and I was added to the Egghead database and I unwittingly became one of the millions of customers who were notified that the Egghead database containing their information had been compromised. How are those of us who do understand computer security and could evaluate the security of an e-commerce site supposed to determine the security of the sites we purchase products from? Are there any existing e-commerce sites that openly publish the precautions and security measures they take to ensure the safety of the information I entrust to them while making a purchase?"
a Losing Proposition (Score:1)
Your security is not their concern. Deal with it.
The only way they'll change their ways is when pressure is brought to bear by the CC companies themselves. That will happen, but slowly. As more and more online CC fraud occurs, the CC companies will (1) raise their rates to cover fraud/chargebacks, and (2) start setting minimum security requirements.
In the meantime, some Russian hax0r is buying pr0n with your CC. Or at least that's what you'll tell your wife when she sees the bill.
Re:The Question Doesn't Match the Anecdote (Score:1)
Their name on Slashdot, of course.
A.S.P - A Security Problem (Score:1)
big talk? (Score:1)
PrivatePayments Work/Stiff New Rules For Merchants (Score:2)
AMEX Private Payments is a system of which you get a one time use number/exp date credit card number. All payments show up on your regular AMEX bill, but you give the merchant a different CC num and exp date.
I've used AMEX's Private Payments over a dozen times online, and it's worked beautifully every time. They have software for Windows that can autofill forms and authenticate you via a smartcard. But, for those of us running under other OSes, they have a web page that gives out the numbers. Really easy to use. I just double click on the number, drag and drop it onto the merchant's webform. I do have to manually select the exp date, but that is always the end of the current month.
If you have an AMEX card, try using it. Saves time and limits your exposure to fraud. It also lowers the bogus charges to AMEX, so it saves them (and to a small extent me) money.
I sometimes wonder why we are in this mess to begin with. Merchants should _never_ _ever_ store your CC number online. I don't care if they claim it is for 'ease of use' or 'security'. Use the realtime CC submit, and just hang onto the transaction number. Most merchant processors support the use of just the transaction number or authorisation number to finalize the payment.
By the way, we could have one time payments already, but SET [setco.org] got bogged down in technical details and tried to do too much at once. Shame SET never got a chance to get up and running, but it required too many infrastructure changes. Every CC user (you and me) had to get a digital certificate for our CC. It's kind of like X.500, too bloated and complex. I hope we would see a SET trimmed down to the needs, like LDAP trimmed down X.500.
I work for an industrial computing manufacturer. We have millions of dollars of parts, inventory, and equipment around. Every year, in order to maintain our insurance, we have a physical audit at an unannounced time.
I've been chatting with some of my friends about the whole CC on the internet mess, and I can tell you that merchant contracts are going to be stiffened up for online transactions ('card not present'). Most will have to get randomly audited on an IT/computer security level, plus new restrictions on keeping the number 'on file'.
99% of merchants won't be able to qualify for 'on file' status unless they are using a secured OS where the number never leaves the machine, but external machines can ask for it to be used or validated. Visa will also be planting 'fake' numbers in the database, some the company will know about, some it won't. If transactions start showing up on these fake numbers, heads start to roll if the merchant didn't inform Visa ahead of time.
On average, it costs a credit card company over 50 dollars to sort out the damage of a stolen number. Not only in reissuing a new card, but in stopping all the fraudulent transactions. Under the plan for the new rules, these costs would be thrown onto the merchant whose systems got cracked and the CC numbers gotten from. They would be charged a set fee per number that they ever have had on file, plus they would be required to pay for the fraudulent charges that the crackers ring up. My guess is that few vendors will keep numbers around, or use a more secure backend online payment provider (YahooStore, etc).
Next Week: Privacy and Money, why didn't Chaum and ecash survive.
thanks
dunk
Credit Companies: Please Kill Credit Card Numbers! (Score:1)
As it is, right now vendors need to keep credit card numbers on file as part of their receipt of a credit card transaction. Forcing vendors to keep this information until the transaction completes (which would normally be a complete payment cycle) is an invitation for disaster.
Ideally, credit card numbers would accept a hash of the credit card number, the vendor number, a transaction identifier, and maybe even the amount and date. It would be virtually impossible for anyone to pull anything useful out of this hash, but this hash could be used by the consumer, vendor, and credit card company to authorize and authenticate transactions.
Taken to the next logical step, web browsers could be configured to generate these e-commerce hashes, in which case web consumers could be guaranteed that a vendor didn't know their credit card number at all.
Credit card companies could even supply two cards, one with a number printed on the front and one without. For the majority of in-person credit card transactions nowadays, there is no need to publish your credit card number on the card when most restaurants and stores use a bar code or magnetic strip reader built into their registers. There is much less chance of some teenager at the pizza joint making a carbon copy of your CCN if it is only on a magnetic strip. Sure it is not totally fraud proof, but it raises the expense and complexity of stealing your credit card, saving the credit card companies tens or hundreds of millions of dollars in fraudulent charges.
Re:One thing you can do (Score:2)
My scheme worked roughly as follows (it's been a few years, so I may be missing things):
Each consumer is given a hardware device which contains a public value, a private value and a counter (for the number of times it's been used). Each transaction contains, in cleartext, the public number and the amount. It also contains a one-way hash of the private number, the amount and the usage counter.
To verify, the bank runs through a series of hashes made up of the private number (looked up from the pub#), the amount and last 20 (or so) possible unused usage counter values. Get a match, and it's good.
The number had to be something like 26 digits to provide decent security, longer being better of course, but it worked. I still have the prototype software around somewhere.
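The device-and-counter scheme in the post above, sketched as an added example; this is not the poster's prototype. It assumes HMAC-SHA256 in place of the unspecified one-way hash, treats the "26 digits" as the length of the token, and the names `Device`, `Bank` and `make_token` are hypothetical.

```python
"""Added example: counter-based one-time payment tokens with a look-ahead window."""
import hashlib
import hmac
import secrets

WINDOW = 20        # the post's "last 20 (or so)" unused counter values
TOKEN_DIGITS = 26  # assumption: the post's "26 digits" is the token length


def make_token(private: bytes, amount_cents: int, counter: int) -> str:
    """One-way function of (private value, amount, usage counter).

    HMAC-SHA256 is swapped in for the post's unspecified hash; the output is
    reduced to a fixed-width decimal string so it could be typed like a card number.
    """
    msg = f"{amount_cents}|{counter}".encode()
    digest = hmac.new(private, msg, hashlib.sha256).digest()
    return str(int.from_bytes(digest, "big") % 10**TOKEN_DIGITS).zfill(TOKEN_DIGITS)


class Device:
    """Consumer-side device: public value, private value, usage counter."""

    def __init__(self, public_id: str, private: bytes):
        self.public_id = public_id
        self._private = private
        self.counter = 0

    def authorize(self, amount_cents: int) -> dict:
        # Every use burns a counter value, whether or not the bank ever sees it.
        self.counter += 1
        return {
            "public_id": self.public_id,   # cleartext
            "amount_cents": amount_cents,  # cleartext
            "token": make_token(self._private, amount_cents, self.counter),
        }


class Bank:
    """Issuer side: looks up the private value by public value and searches the window."""

    def __init__(self):
        self._accounts = {}  # public_id -> [private value, last accepted counter]

    def enroll(self, public_id: str) -> Device:
        private = secrets.token_bytes(32)
        self._accounts[public_id] = [private, 0]
        return Device(public_id, private)

    def verify(self, msg: dict) -> bool:
        account = self._accounts.get(msg.get("public_id"))
        amount, token = msg.get("amount_cents"), msg.get("token")
        if account is None or type(amount) is not int or amount <= 0:
            return False
        if not (isinstance(token, str) and token.isascii() and token.isdigit()
                and len(token) == TOKEN_DIGITS):
            return False
        private, last = account
        for counter in range(last + 1, last + 1 + WINDOW):
            if hmac.compare_digest(make_token(private, amount, counter), token):
                # Accepting counter N retires every value <= N, so a captured
                # message cannot be replayed and older unused tokens expire.
                account[1] = counter
                return True
        return False


def demo() -> dict:
    bank = Bank()
    device = bank.enroll("PUB-0001")  # constructed sample identifier
    results = {}

    first = device.authorize(4999)
    results["fresh"] = bank.verify(first)    # counter 1, inside the window
    results["replay"] = bank.verify(first)   # counter 1 already retired

    # A merchant (or thief) changing the cleartext amount breaks the hash.
    tampered = dict(device.authorize(1000), amount_cents=100000)
    results["tampered_amount"] = bank.verify(tampered)

    for _ in range(3):                       # three tokens the bank never sees
        device.authorize(2500)
    results["after_gap_of_3"] = bank.verify(device.authorize(2500))

    for _ in range(WINDOW):                  # drift past the look-ahead window
        device.authorize(2500)
    results["beyond_window"] = bank.verify(device.authorize(2500))
    return results


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:16} accepted={accepted}")
```

The last case shows the operational cost of the window: once the device counter drifts more than 20 uses ahead of the bank, valid tokens are refused until the two are resynchronized.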
Re:One thing you can do (Score:2)
Personally I think the online world will be a much safer place once we have 'one-time' transaction numbers for specific amounts, much like American Express are apparently introducing.
I agree. Furthermore, it should be used for all purchases. This would be a good application for smart cards and wallets. The merchant creates a clearsigned transaction record. The purchaser authorizes the card for the represented amount of the transaction. The card receives the transaction record (including merchant's deposit only number and transaction amount) from the merchant, and if the amount is in agreement with the authorized amount, it adds a serial number and clearsigns the record (including the merchant signature). The merchant may at any time (including immediately) submit the signed transaction record to their merchant account. It is then returned to them with the transaction result (auth or deny) signed by the merchant bank.
Nowhere in the process does any entity provide an abusable key or datum to any other party. The serial number prevents double processing the transaction. Each party can prove that the transaction took place independently of the other parties. Neither the merchant nor their bank needs to know the identity of the purchaser (only the id of the purchaser's bank). It is even possible for the merchant's identity to be a secret from the purchaser (limited utility but possible). If the smart card is activated by providing a passphrase, the cardholder need not fear theft or loss of the card. Since the cardholder authorizes the amount and provides a one transaction authorization to the card through his own wallet, there is no need to trust the merchant's hardware.
Extensions of that protocol could create reusable transactions (authorizations) with limited abuse potential for periodic charges. The transaction would only allow credit into the merchant's account to remove incentive for dishonest employees. The period and amount of the charges would be specified to eliminate double charges. The cardholder could invalidate the authorization at any time and dispute the last charge if necessary. These transactions should also have expiration dates as an option.
Such a system would greatly reduce fraud and fully de-sensitize credit card data.
Re:One thing you can do (Score:2)
As a result, they either hold the money back from the merchant's future payments or write it off. Joe Consumer (you and I) aren't liable for it, and generally aren't affected by it.
When the money is held back, we aren't affected by it. The write offs show up in everybody's service charges and interest rates on their card. The money has to come from somewhere (and it's not going to be the bank's pocket, I assure you).
Re:One thing you can do (Score:2)
Hmmm.. now what prevents someone from using my now-encoded signature to "sign" something else that I didn't intend to sign?
Very true. Of course, what stops someone from using Gimp to transfer your pen and paper signature to another document? By making a photocopy of that, they then have a photocopy of the document with 'your signature'.
The fact is, signatures don't signify much unless they're cryptographic.
Re:One thing you can do (Score:2)
If the merchant can hold it together, they soon go out of business, via both bad press and lost profits on CC fraud.
Typically, that's the case. And so the merchant raises prices a little and you and I still end up paying for it. It's also unfair to the merchant who had no way to know the card was stolen in many cases.
Re:One thing you can do (Score:2)
Apparently there is a technology that tracks more than just the shape and "look" of your signature. It watches how you press the pen into the surface and the actual movements of the pen as you write your signature. So merely copying the signature would not be of much value.
I've seen that. Copying a signature could be of value because most signatures are not made with that technology, society at large (and even courts) make much of the physical resemblance of a signature. The full capture devices further invalidate signatures, because now, even the more detailed forensic examination trying to determine pressure based on indentation in the paper and damage to its fibers will be in doubt.
Re:some thoughts (Score:1)
1) Buying something from an online merchant
2) Buying something from a brick & mortar merchant who occasionally throws credit card records out in the trash
3) Buying something from a brick & mortar merchant whose staff occasionally resells a credit card # that passed through their register.
Obviously no matter what the hell you do, online or in store, you're taking a risk any time you use a credit card.
#3 is pretty uncommon, though all it takes is someone with a good memory at the sales counter & the "right" kind of friends-of-friends. Hand over your card, ostensibly they stare at your signature, but instead have memorized the card number so conveniently printed on back. Bigger retail chains keep a somewhat tight control on the cashier's box (or try to), so beware of mom 'n pops...
The problem as I see it is that the penalties levied against the merchants by credit companies don't seem to be enough incentive for online merchants to butch up on their defenses. From the scope of Egghead's breach I would have expected the companies to sever relations with them, but hey, I never understood high finance anyway.
However, in any case, the problem isn't yours - it's the credit card company's problem (technically the merchant & the issuing bank get to fight it out). Every credit card I have has a "if you didn't charge it you're not liable" policy (this is why AmEx no longer authorizes adult/erotic merchants - too many disputes at the end of the month).
Though my ATM/debit (nee "Checkcard") card has a $50 liability per fraudulent charge, which is why I never use that - except at ATMs. An informal survey of my friends has shown that this is commonplace, so I'd be a little less ready to whip that card out if I were you.
BTW, my sole credit fraud incident (so far) wasn't at an internet store - it was either #2 or #3 above (that card hadn't been used online, ever). I never found out, the credit card company just issued me a new card and dealt with the merchants. Was I liable? No. Did any of the charges even show up on my bill? No - the company contacted me Monday morning after someone went on a massive weekend buying spree.
Re:One thing you can do (Score:2)
It is the merchant, not the bank nor any other CC company, that is liable for fraudulent purchases. This is where the money comes from. This is why it is so easy to challenge a charge on your credit card.
If the merchant can hold it together, they soon go out of business, via both bad press and lost profits on CC fraud.
Re:A Third Agent is needed. (Score:2)
Actually, although security through obscurity is not a solution in and of itself, it is necessary. A properly designed security policy will not only protect against unauthorized traffic, it will have detection mechanisms in place to detect when crackers are "Rattling the Doorknob" (i.e. NIDS, portsentry, multi-level firewalls, etc...)
By not publishing the security policy, you are forcing crackers to figure it out for themselves, which greatly increases the chance that they will trigger alarms set to catch them.
Re:One thing you can do (Score:2)
Yes, but you also have the option of seeking out other merchants (for most products, that is).
I have been doing systems security for over ten years, and it is my professional opinion that it is IMPOSSIBLE to completely secure a machine (short of unplugging it totally and encasing it in concrete). Anyone who tells you any differently is either a) completely clueless when it comes to system security, or b) trying to sell you something.
The point is that compromises ARE going to happen. It is the job of the security engineer to make this more and more difficult. Constant vigilance is key here.
As long as there are systems on the Internet, there will be crackers. As long as there are crackers, there will be security compromises. And as long as there are security compromises, the cost of this will be passed on to the consumer.
This is simply an operational cost associated with online commerce. This is no different than the cost of shoplifting being passed on to the consumer in meatspace stores. It can be minimized greatly, but cannot be completely eliminated.
Re:One thing you can do (Score:3)
Very, very wrong. I've developed secure transaction systems that were audited by Visa. They don't have a clue. They have no concept of asymmetric encryption (their specs only required things to be encrypted using 3DES, which is useless for storing credit cards). They had no concept of known-plaintext attacks on credit card numbers, and very little concept of systems security in general. They were more concerned with hiring policies than anything else.
As to why a symmetric algorithm is useless in storing CC numbers, I will leave this as an exercise for the reader.
It is actually the vendor, not the credit card company, who is responsible, because the vendor has to eat the cost in a fraudulent purchase (this is federal law in the US). The CC companies have no vested interest in e-commerce security, other than via a marketing angle.
Re:E-commerce Site Security Policy (Score:2)
One thing you can do (Score:3)
Personally I think the online world will be a much safer place once we have 'one-time' transaction numbers for specific amounts, much like American Express are apparently introducing. Instead of giving any old company your full and 'permanent' credit card details, you go to your bank and ask them to provide you with a unique number for that individual transaction for a particular amount. It's then impossible for the company to store your details, mischarge you or charge you again in the future. Of course, we'd have to be confident that the credit card companies' security is good, but I'd rather trust them than some merchant who's just about managed to get a Java e-commerce app running on his shared server.
Re:How Credit Cards Work - for Shoeboy's benefit (Score:1)
Of course, you can't use this as a way to cheat merchants - you might get away with it once or twice, but if it became clear that that's what you were doing, your card could be cancelled and your credit rating would suffer.
Re:An Important Distinction (Score:1)
That's true. Of course, sale clerks at most stores don't often actually check the signature carefully, and if the store is found negligent, the card company can refuse to pay. Even so, banks absorb the costs far more often in these cases, so I'm sure you're right that they have an incentive to promote e-commerce (although the same applied to good old pre-Internet mail order.)
But in fact, it seems to me that in almost all cases, much fraud could be prevented by merchants. Simply checking all signatures, or only shipping to addresses registered with the credit card company, would eliminate a lot of fraud that currently happens. It comes down to the fact that merchants don't want to appear not to trust their customers - it's not good for business.
Anti-fraud measures like computerized detection of unusual buying patterns have helped a lot, though. Last time I saw a figure, approximately 0.08% of the dollar value of all card charges were fraudulent. This used to be closer to 0.2%.
How Credit Cards Work - for Shoeboy's benefit (Score:4)
If I steal Shoeboy's credit card number (assuming she actually had one) by hacking into shoeboy.com [dnsalias.com] (assuming there was actually something there to hack into), and use it to purchase an imperial ton of grits (the hot kind, naturally), it is the merchant who sold me the grits that will be out of pocket when the theft is discovered. The credit card company checks with the cardholder, and if the cardholder denies having purchased the items in question, the grits merchant doesn't get paid. Shoeboy wouldn't lose a dime.
This puts the onus on the merchant to verify that they are dealing with a legitimate customer, which is why many online companies won't ship to addresses not registered with the card company, especially when dealing with a first-time customer.
So, Shoeboy's statement, "Anyone who buys anything online is a fucking moron", might be applied to merchants who sell things online - or more to the point, their investors! - but not to cardholders. Someone buying something online with a credit card is actually being pretty smart. The only downside when your card or card number is stolen tends to be minor inconvenience.
In addition, if you're not happy with a product, and the merchant doesn't want to give you your money back, within reason, card companies will refund your money and stiff the merchant. I've had that happen when purchasing telephony hardware from a company that went out of business right after shipping my product - the company couldn't be reached for support, so I called Amex and they credited me the money.
Now, with Shoeboy, you can never really tell whether she's trolling or not, so maybe she already knows all this. But I post this purely out of the altruistic knowledge that I am contributing to the free and pure flow of e-commerce. Bezos would thank me, if his company weren't tanking...
some thoughts (Score:4)
At shoeboy.com [dnsalias.com], we take the elementary precaution of changing the default password on our database servers! Your data is completely safe!
Not going to happen. Companies can tell you that they "employ a security team" or that they "have been audited by a third party" or that the software they run has had "no remote exploits in 3 years."
It means nothing. How can a company prove that it didn't misconfigure anything?
How can they be sure that their in house developed project has any security at all?
How can they verify that the well camouflaged back door the sysadmin put in to make his job easier won't get found? How do they even know it's there?
How do you get the CTO and Director of IT (both of whom threatened to fire you if you didn't give them domain admin permissions) to lock their workstations?
Sure auditing is an answer, but what happens when the auditing team leaves? Security goes to pot again, that's what happens.
There's always in house auditing, but do you trust a team that reports directly to the half witted manager who designed the network? You shouldn't.
If nothing else, how do you know that the system is as secure as the company says it is? You don't.
The final answer is that there is no good way to trust an online merchant if you can't inspect their setup yourself.
And since you can't do that, you can't trust them at all.
Anyone who buys anything online is a fucking moron. If your credit card gets stolen, tough - you deserved what you got.
--Shoeboy
Re:E-commerce Site Security Policy (Score:1)
I run the systems for one of the largest e-commerce sites on the net. We have extreme precautions when it comes to credit card info. We do not however publish the details about that security because it's like giving a map to the loot to a thief. All our credit card info is passed to the authentication service via SSL and then stored in a double firewalled machine with console only access for a period before they are totally expunged. Similar precautions are used for the customer e-mail base and other such goodies. Our hosting facility requires retina scans and palm scans in order to enter the site and an escort to our cage, where we store our cluster. We designed the systems to be ultra secure from day one. Customer security is priority one. In short, we didn't use Microsoft products and companies like egghead that trust their solutions to people like Microsoft are basically doomed from day one. Large companies that f*ck up like that give companies like ours a bad name.
Well. (Score:2)
Do you evaluate the security of your bank? Of everyone you ever do business with? Then why should you evaluate them for computer security?
And to top it off.. why does everyone still get so worked up about credit card fraud? I read my contract over and over again, and it says I am *NOT* responsible at *ALL* for fraudulent use of my card. I am responsible for up to $50 if my *CARD* is physically stolen, and the charges happen before I report it.
Let them steal my # out of some database.. it's not MY money they are spending.
Re:Work around the problem... (Score:2)
The only time you are liable for anything, in any case I've ever seen, is if your card is physically stolen, you can be held liable for up to $50.
The other way you can be responsible is if they can prove gross negligence, ie: lending your visa to your neighborhood crackhead because he 'promised' to only go get your groceries for you.
The card is only a token used to authenticate your credit line with the credit company; it is not the credit itself. It's the mechanism the credit company chooses to employ to ensure that they are extending credit to you and not someone else. If that system breaks down, and it's not your fault, they CANNOT hold you responsible. The onus will be on whatever merchant is involved to prove that it was, in fact, you that used the card. A signature, delivery to your house, perhaps phone logs... but that's it. They can't prove it, it's not your problem.
Also (Score:2)
It does not generally apply to simply fraudulent transactions where all they had was your number.
Seriously? (Score:2)
Re:Well. (Score:2)
I know we tend to live off credit, but let's not forget that using a Visa is a SERVICE they are selling to you; you are their customer. If they make it inconvenient for you to use, then you won't use it.
Re:Seriously? (Score:2)
What I mean is, my credit card contract says that I am liable if my *card* is stolen. What you describe is not your card being stolen, just the info from your card.
What I'm saying is, it's a failure in their system, not your own failure.
We shouldn't forget that credit card companies are a business, and we are their customers. It shouldn't be up to us to police their merchants and make sure our info isn't stolen. (Remember, the card belongs to THEM, not us... they should protect that information.)
Re:Work around the problem... (Score:2)
They don't pay their merchants.
Remember, you are the customer. Remember, on your card, it says the card is THEIR property, not yours. The card is their way of authenticating you for purchases, so they can extend credit to you.
If the merchant doesn't have your signature, or other way to prove the transaction actually involved you personally (delivery to your house, etc), then the credit company doesn't pay the merchant.
It's GOOD that it's $0 liability.. it should be! They agreed to extend me, personally, some credit. It's not my fault whatsoever if they have difficulties determining if it's 'me' or not buying something.. that's solely a problem in their business model, and we shouldn't be made to absorb the cost.
This is why I'm puzzled at people who get really worked up about online card theft. It's inconvenient, but it's not like someone draining your bank account. Sure, you might have to cancel your card, and that is a pain in the ass.. but other than that.. it wasn't your card that was stolen, it was the issuer's card, and the issuer's problem to deal with.
Re:Well. (Score:2)
A more sensible approach (Score:3)
Credit card companies don't 'jump all over it' because if someone fraudulently uses a card to buy a stereo, the credit card company DOESN'T HAVE TO PAY THE MERCHANT unless the merchant can prove they did everything by the book, including checking for signatures and obtaining an imprint, or some other form of authentication. If they just took the number and it turns out to be false, they don't get paid.
Re:Hrrm (Score:2)
On the other hand, if it's a case of your tires blowing up, then it will be a long fight - but generally the lawyers figure it's worth the mega-fees and will take it on.
Where you lose is the middle ground. If your case is too small to interest a land-shark, er lawyer and big enough to annoy the company, well, you are going to have a tough time.
Just my opinion.... (Score:1)
JoeLinux
Work around the problem... (Score:1)
Gratuitous plug: MBNA's card works like this, at least in the UK.
Re:Work around the problem... (Score:1)
The only time you are liable for anything, in any case I've ever seen, is if your card is physically stolen, you can be held liable for up to $50.
That's what I was getting at; my card has a $0 liability limit, regardless of cause. Dunno how they can do that, but that's not my problem. :)
Re:Work around the problem... (Score:1)
Easy.. (Score:2)
Just follow these three easy steps - this works for all present and future e-commerce sites:
Simple and idiotproof, plus you're doing the .com's a favor by pointing out their lackluster security.
-henrik
Egghead was bought out. (Score:1)
Terry
Will this solve another problem (Score:1)
My primary concern is with whether the link is secure (I have seen one site where they didn't have any security and wanted people to put in their credit card details). It is more to do with what happens once they have my credit card number. Who exactly am I dealing with here? Anyone with a little bit of money can get their own domain, can get a security certificate from Thawte or someone similar, and can set up a secure server (and DNS and email servers for that matter) fairly cheaply. One Australian magazine even included on their cover CD ezimerchant for setting this up (http://www.pcauthority.com.au/cd.asp?TOCID=256). It isn't all that difficult for them to set up a nice looking professional site either. So how do I know they are ridgy didge? How do I know that they are not a dog[1]? Put simply, I don't. This is one thing that has kept me away from e-commerce (apart from all of the other security concerns), even though I have been on the web for 5 years.
[1] For those of you who haven't been around that long, there was a saying that basically said that you never knew who you were talking to on the internet, it could even be a dog.
An Important Distinction (Score:1)
So, with credit card companies getting off the hook for Internet purchase fraud, is it any wonder that they're some of the biggest proponents of e-commerce? I've heard that the big Internet merchants take hundreds of losses of sub-hundreds of dollars every day; money they'll never recover, because it costs too much to track down. Commerce on the Internet isn't safe at all, at least for the merchant. As a consumer though, I'll take my chances.
What's the big deal? You're only liable for $50. (Score:2)
By U.S. law you're only liable for $50, and most companies won't charge you anything if your account is jacked (if you're a good account for them).
I pay all of my bills on time, don't carry a balance, and don't sweat it.
What's the big deal?
If you're concerned about your personal information getting out, get a credit card that contains bogus information, including name. I have one in my dog's name. It's perfectly legal.
Re:Does noone recognize the business opportunity!? (Score:1)
Re:Simple Solution (Score:1)
Re:One thing you can do (Score:2)
Re:A Third Agent is needed. (Score:1)
Secure Audit (Score:1)
This could probably be easily expanded to the IT site. Most of the large accounting firms also have IT consulting counterparts. I'm surprised we don't have some kind of e-commerce security certification like Trust-e is for privacy.
I don't believe that any company willfully leaves their systems insecure. If they did know better, they would fix things. Perhaps a standardized security audit is inevitable. I can see banks getting in a line to have their systems audited since they have the most to lose.
Adi.
The Question Doesn't Match the Anecdote (Score:4)
Following his purchase, Egghead buys the company. Now that company is absorbed into Egghead. Virtually nothing the company did before being purchased matters now, because now he is dealing (after a fashion) with a different entity, the security of which he never thought to judge.
That being said, he wonders how to determine the security/privacy of a site, but, ya see, in the case he details, it didn't matter, because the business transaction of the company purchase completely obviates any 'security checks' he could have done.
What's he looking for? A company that tells potential purchasers what they intend to do in the event of being purchased themselves?
Egghead IS responsible... (Score:3)
THE COMPANY WHO CHARGED YOU
You may eat the $50 (although any good credit card company won't even charge you that if you notify them quickly), but Egghead will eat the rest.
That's part of the problem: a credit card crook will steal from several companies, none of which were hit for more than a few hundred dollars. If the crook is in another country, it isn't worth the companies' time to go after him. They just eat the loss and write it off.
Now, if the CREDIT CARD COMPANIES were responsible and had to eat the charges, now our crook has pissed off ONE company, for THOUSANDS of $monetary_units, and it's well worth the credit card company to go after him. And for those crooks in semi-lawless places (like the former Soviet Union), it may be worth their while to sub-contract the collection of the money to, shall we say, local collection specialists.
True, were the credit card companies responsible, they would also charge the costs back to us in higher interest rates.
Guess what! They do that anyway!
(that's also why I don't carry a balance from month to month on my cards. Pay them off in full every month, manage your money, and you don't pay interest. And good cards don't charge yearly fees.)
Re:One thing you can do (Score:1)
Make the numbers so large that the probability of hitting a valid one by chance is infinitesimally small. After all, that's how cryptography works: somebody also could try random keys, in the hopes that one of them cracks the message... And moreover, as the numbers would only be good for one transaction, for a preset amount, the damage would be rather limited, even if somebody did somehow manage to guess a valid number. All they could do is steal the money set aside for one transaction, and not empty your whole account.
best interests of the e-commerce site (Score:1)
But anyway more to the point is that it's in these sites' best interest to openly publish their security model on their website. Customers like to know their data is safe. If you don't tell them that their details are going into a backup database beyond many layers of security, they might as well presume that their details are being published elsewhere on their website where the world can view it.
AussiePenguin
Melbourne, Australia
ICQ 19255837
It's simple (Score:1)
Re:Three basic security ideas... (Score:1)
Re:One thing you can do (Score:2)
I like this idea; encoding a specific amount, though, would be a bit awkward. I don't want to have to go to my bank every time I want to buy a book online!
However, a "check-book" of these numbers would be quite usable. Maybe have a couple of categories - under $10, $10-$50, etc. That way, I can buy a $5 book from anyone I like, knowing the worst case is they charge me $10 instead. Not good, but a hell of a lot better than giving them my Visa card details!
Alternatively, you could get these numbers online: just go to www.visa.com, enter your details, and it gives you a one-time number for $4.99 or whatever. Properly implemented, this could work pretty well...
Re:Work around the problem... (Score:2)
Gratuitous plug: MBNA's card works like this, at least in the UK.
In the UK, all credit cards work like that. Fraudulent use isn't your problem, unless you've been 'negligent' (which is basically a getout to stop you selling your card to a crook, then claiming the money back from the CC company.)
That's probably why UK CC companies are (IME) very good at stopping fraudulent use. Last month, my father moved to Houston, and bought lots of stuff (new TV, microwave, all that stuff) from a store. To check who he was, Visa US called his UK bank, and the operator spent 10 minutes asking questions like "Complete the following 'phone number" (which turned out to be his direct dial number at the job he left six years ago!)
Probably sounds silly - except under UK law, if he had been an imposter, Visa would have been left $1000 or so out of pocket. They tend to care about that kind of thing!
Re:The Question Doesn't Match the Anecdote (Score:1)
I know all this information they give about secure databases and SSL encrypted transactions is supposed to make the user feel more secure, but asking for a credit card number before even placing the order shouldn't make anyone feel comfortable. Nor should the pushiness of Amazon's current business practices make anyone want to deal with them ("Oh, signing up for an account, well, we'll just turn on add the advertising, and allow us to share information with anyone we choose, and did we mention one-click(TM) purchasing is on by default?").
There are a number of companies out there that have this right, such as ebworld.com, and chapters.ca. They ask for credit card information during each and every transaction. Unfortunately, it's not just the online world that's a little too lax with credit card precautions -- nearly any of the major gasoline stations in my area, will print your full credit card number on any and all receipts, etc. If you think about how easy it is to locate a credit card number in a normal person's trash, suddenly the danger of online transactions seems trivial.
Re:You Can't (Score:1)
I would rather take whatever risk there is in using my credit card online, rather than go into a store and be made to feel like the cashier is doing me a favor by taking my money.
Simple Solution (Score:1)
Answer: Easy, hack them before you purchase. Duh?
Three basic security ideas... (Score:1)
Oops (Score:2)
--
Re:One thing you can do (Score:2)
One, it's a pain in the ass to go to the bank every time you want a fresh number.
Two, there are only so many numbers available in the 16-digit LUHN-verified [techtarget.com] pool currently in existence. There are even further restrictions:
Three, it's more trouble than it's worth, considering you are only legally responsible for the first $50 of unauthorized charges to your card, and most banks won't even hold you to that. I've had merchants double-bill me (and once some totally unauthorized charge from Denmark showed up), and Royal Bank instantly credited my account for the full amount and mailed me a form to sign and return stating that the charge in question was unauthorized. In every instance, the whole process took less than 5 minutes of my time and was totally painless.
Essentially, the banks themselves are the only ones left holding the bag when fraudulent use occurs. As a result, they either hold the money back from the merchant's future payments or write it off. Joe Consumer (you and I) aren't liable for it, and generally aren't affected by it. Worst case, if the abuse on your particular card keeps up, they might cancel your card and send you a new one with a different number. Big deal.
--
Re:One thing you can do (Score:2)
Merchants are held to a very strict contract with the credit card company called the Merchant Agreement. It states exactly what can and can't be done. For example, merchants cannot favor the use of one card over the other ("We'll take Amex, but we prefer Visa."). They also can't apply a surcharge when you pay by credit card. (Merchants have gotten around this by calling things "already cash discounted; add 2% for credit card payment".)
"Mr. DiCarlo, you did not just buy a loaf of bread, you entered a contract in which we will supply you daily with three loafs of bread for a minimum contract length of 2 years and in which the initial discount of 80% expires after the 3rd delivery."
Show me my non-forged signature on something that says that and you can have my money because I was a dipshit for not reading the fine print. A bank will also expect a copy of that.
It all comes down to precisely two items: the signature and the card imprint. If you, as a merchant, don't have the person's signature on a slip clearly outlining what they're authorizing by signing it, or alternately a credit card imprint to prove the card was physically there, then you have no basis to defend against a chargeback, period.
You will then say that the credit card company will intervene? Yes, they will negotiate with this particular vendor, especially if he's big enough, and in exchange for a higher commission rate on the transaction, they will prevent their customers from successfully initiating charge-backs.
There are laws protecting consumers that prevent this. Notwithstanding that, if your bank will stab you in the back over a transaction, you can take your interest payments (and merchants' discount fees on every transaction you do) elsewhere. My bank [royalbank.ca] doesn't do that kind of shit. (I know from experience, as stated in my post.) Also, they'd make more money off you legitimately than by screwing you over once (because that's all it'll take to lose your business forever).
--
Chill. You remind me of my grandmother. (Score:1)
If you use credit cards at all, you're obviously not very concerned with security (Or privacy, but that's an entirely different issue). They are inherently insecure. You're about as likely to have someone take your wallet from your pocket as you're walking down the street, as you are having your credit card stolen on the Internet.
Until we all have finger-print readers built into credit card readers, you'll never be safe. The more I think about this question, the more the utter absurdity bothers me. If you're seriously frightened enough to post an Ask Slashdot question about this, JUST DON'T USE A CREDIT CARD, YOU ARE FAR TOO SKITTISH. My guess is you just wanted to AskSlashdotSomething, and this was all you could come up with.
signature smigmature
Re:One thing you can do (Score:1)
"To receive your package, you must sign your name on this electronic pad."
Hmmm.. now what prevents someone from using my now-encoded signature to "sign" something else that I didn't intend to sign?
For that matter, what would happen if I just say "Yes, name is Joe Blow and this is my package, but I won't sign that electronic gizmo. Give me a paper waybill and I'll sign that."
Re:One thing you can do (Score:1)
You Can't (Score:1)
I'd rather go into a Radio Shack and give the 17-yr old geek my CC number - and look him in the eye - than put my Amex # on the big I.
Re:You Can't (Score:1)
Re:The Question Doesn't Match the Anecdote (Score:1)
Re:some thoughts (Score:1)
The gubmint wants to enact 3 thousand anti-law bills a year in the US. WTF? Why doesn't the Congress just mandate IPV6? Within 5 years that's all the router mfgrs are allowed to sell. Period.
End of story.
Re:You Can't (Score:1)
Re:One thing you can do (Score:1)
I think this is the best alternative. Put the responsibility for security in the hands of the CC's. It's easier for each of the Card Companies to have a team of security gurus, than for every business to have even one of their own. I believe that the guys that work at the CC's probably have done quite a bit of work to make the unique transaction numbering issue a non-issue. It is in their business interest to engineer secure systems, much more so than the individual business owner.
E-commerce Site Security Policy (Score:4)
Basically, we are a smaller site who is hosting in a shared environment (as are virtually all smaller e-commerce sites). We added some extra precautions that the big guys should do, too. For instance, once the credit card is processed, it is removed from our online systems. We move it to another system for record-keeping purposes, but the online system's database is altered to show just the last 4 digits (XXXX-XXXX-XXXX-1234) of the credit card, mainly so a customer can tell which credit card was used when later looking at the order online. Sure, this is more of a hassle for us, but it makes things a heck of a lot better for our customers. And we wouldn't even think about storing the numbers in our system for "convenience" of customers when placing a new order. That's just asking for trouble.
Also, someone noted that even if you check a company out, you can't be sure what will happen when that company is bought or merges. Well, we actually make a statement about that. For security, it doesn't really matter, since cc numbers are removed from our online systems. For privacy, we state that if we merge, etc, we will ensure that your data has the same protections we offer (no unwanted contact, no spam, no renting, no selling, no changes to our policy without notifying you).
I wish all sites I dealt with offered these same protections.
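The practice described in the post above (move the full number off the online system once the charge is processed, keep only XXXX-XXXX-XXXX-1234 online) is sketched here in Python as an added example, not the poster's site's code. All function, field and store names are hypothetical, the card numbers are the widely published test numbers, and 16-digit cards are assumed; the audit step also covers the case the masking step alone misses, a number left in a free-text field.

```python
import copy
import re

# Runs of 13-19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(number: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return bool(digits) and total % 10 == 0


def mask_pan(pan: str) -> str:
    """Return the display form from the post: XXXX-XXXX-XXXX-1234."""
    digits = re.sub(r"\D", "", pan)
    # Assumption for this example: 16-digit card numbers only.
    if len(digits) != 16 or not luhn_valid(digits):
        raise ValueError("not a valid 16-digit card number")
    return "XXXX-XXXX-XXXX-" + digits[-4:]


def settle_order(online_db: dict, archive: dict, order_id: str) -> str:
    """After the charge clears: copy the full number to the record-keeping
    store, then overwrite the online copy with the masked form."""
    order = online_db[order_id]
    masked = mask_pan(order["card"])  # validate before changing anything
    archive[order_id] = re.sub(r"\D", "", order["card"])
    order["card"] = masked
    return masked


def find_residual_pans(online_db: dict) -> list:
    """Audit: report (order_id, field) for every string field that still
    holds a Luhn-valid card number, whatever the field is called."""
    hits = []
    for order_id, order in online_db.items():
        for field, value in order.items():
            if not isinstance(value, str):
                continue
            if any(luhn_valid(m.group()) for m in PAN_CANDIDATE.finditer(value)):
                hits.append((order_id, field))
    return sorted(hits)


# Constructed sample data (hypothetical schema, published test card numbers).
SAMPLE_ORDERS = {
    "A1001": {"card": "4111-1111-1111-1111", "total": 19.99, "notes": "gift wrap"},
    "A1002": {"card": "5555 5555 5555 4444", "total": 5.00,
              "notes": "customer phoned, card 5555555555554444 re-keyed"},
}


def demo():
    """Settle every sample order and audit the online store before and after."""
    online = copy.deepcopy(SAMPLE_ORDERS)
    archive = {}
    before = find_residual_pans(online)
    for order_id in online:
        settle_order(online, archive, order_id)
    after = find_residual_pans(online)
    return before, after, online, archive


if __name__ == "__main__":
    before, after, online, _ = demo()
    print("before:", before)
    print("after: ", after)
    print("online card fields:", {k: v["card"] for k, v in online.items()})
```
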
Re:Three basic security ideas... (Score:1)
Re:A Third Agent is needed. (Score:1)
Security through obscurity? That isn't security at all... If one person stumbles across it by accident then everything is lost. Also, if only a select few know how something is secured the chances are that they'll have missed something.
Plus, all it takes is one ex-employee to reveal all and the whole thing is made public. And what about these external body employees? Do you trust them?
Re:Hrrm (Score:1)
Yeah, but there will be ten years of court battles before anything ever gets paid out. I'm not an expert on the American legal system, but from what I hear any large corporation will just cover everyone in paperwork and never actually pay up.
Re:One thing you can do (Score:1)
That might work... Thing is, what's to stop someone trying random numbers until they manage to get money off someone at random? The basic idea sounds good, but it would have to be implemented extremely carefully to work.
It might be easier to only allow banks / credit card companies to use credit card details. Maybe you could do your shopping on whatever e-commerce site, then be redirected to a credit card company to do the payment. Some domain name registrars (Gandi [gandi.net], for example) already do this successfully. This way the company never gets your credit card details.
Re:The Question Doesn't Match the Anecdote (Score:2)
If they don't keep your credit card info after the sale, they can't sell it when they get bought. There should be an option where they don't keep it. If you want them to keep it for one-click-shopping, then that's your decision and your problem when shit happens. Presumably, this guy wouldn't check that box.
Re:A Third Agent is needed. (Score:1)
We know that's not true!
Re:The Question Doesn't Match the Anecdote (Score:1)
Actually, that's not such an unreasonable demand. One should be able to consult a document that does inform you, the consumer, about what happens to the information that you give about yourself in the event of a merger.
Take, for example, what might happen in the event of a medical practise being privatised and purchased by an insurance company. Would you like your medical records to become a part of that company's records?
Re:Credit Companies: Please Kill Credit Card Numbe (Score:1)
Couldn't someone steal the hash in the same way they can today steal the actual credit card number? Once stolen, the hash would be as useful as the card number itself.
Re:Hrrm (Score:1)
I know with my bank, that I'm not responsible for ANY charges fraudulently placed on my card. If it's proven that I didn't authorize the transaction, the merchant who sold the goods to the fraudulent person has to incur the costs, and write it off, unless they're able to track the item to a person and prove they committed the fraud.
As far as egghead.com being responsible for any fraudulent charges caused by their database being broken into, it'd be near impossible to prove (without confession) that the fraud was directly a result of their dbase being compromised, and not by another merchant (brick & mortar or otherwise). Fraud is committed and cards are compromised every day, and ya know..I'd be willing to bet that more times than not it's because of card holder laziness/error/inattention, rather than a big bad corporation getting compromised.
Re:Egghead IS responsible... (Score:1)
Limited liability (Score:1)
Part of the benefit of using a credit card is that by law the card issuer cannot hold you liable for more than $50 of unauthorized purchases. I know $50 isn't chump change (at least for me) but if you look at it from the issuer point of view they needed some way to discourage false unauthorized purchase claims.
In the end it is a risk, just like ordering pizza over the phone. Not quite the same scale but you don't really know how trustworthy the other end is.
If the convenience isn't worth $50 of risk to you then don't use them.
disclaimer: I'm not 100% familiar with the details, please correct me if I'm wrong.
Leknor
A Standard would be nice (Score:1)
What I'd propose is that someone (some company more like it) draft up a list of guidelines which it deems necessary to protect consumer privacy. Conditions like not storing credit card numbers on publicly available servers (or not at all as someone suggested
If the standard were publicly available, geeks like us could check them over, and decide if their protection is deemed adequate. This would allow companies to keep their security policies private, and yet have the verification of a third party to say, "Yeh, they are ok." But then again, I'm not sure if it'd make a difference to the lay-person.
I honestly don't know if this has been done already. Like I said earlier, it seems obvious that the Credit Card companies would jump all over it, but they haven't. Next I would think one of the bigwig "Security" companies would do it. But I don't know.
A Response to whether you think this can be done, would be interesting.
xxxx-xxxx-xxxx-xxxx (Score:2)
Re:I'm a big shot (Score:1)
But since you are too pathetic to I.D. yourself, we don't know who you are.
Also what does this have to do with security of computer systems.
Discover are doing it too (Score:1)
Does noone recognize the business opportunity!?! (Score:2)
Simply start a security "brand" based on a security rating that you provide. Audit sites once a month or so, then give them a numerical score based on their security precautions. If they are deemed secure, they can place a logo of some kind indicating that they've been "certified" secure.
Sites will be happy to get the audit, and the logo, once recognized, will drive business to their site. So they kill two birds with one stone and are happier to pay for a security audit than from a firm without a publicly-recognized brand.
And the unwashed masses, who aren't quite sure how this internet thing works and are therefore a bit nervous about the whole thing, are happier to shop at sites that have the logo.
A million dollar idea, folks. Yours for free
Security by obscurity (Score:1)
I recently got carded from russia... (Score:1)
Re:Seriously? (Score:1)
Hrrm (Score:2)
As for companies telling you what they do to protect from electronic theft, isn't that the same as publishing what they don't do? I agree that security through obscurity is not the best way at all times, but does it have particular uses in these days of h/crackers releasing patches which DDoS the company? (I couldn't find the URL, but Network Associates underwent a light DDoS attack after a black hatter released a patch for BIND to fix the recently discovered bugs [slashdot.org] which had zombie code installed. What's incredible is it made it past BugTraq and NAI as "safe" and got posted)
Sites will be hacked. That is the nature of the Internet. What I would like to see is a site that will reimburse you if you are the victim of their own lax security. What if Egghead.com became responsible for the $50 or so that every person is responsible for with false/stolen credit card charges. Would this put a great monetary risk at the company? Yes. And isn't money what gets things done with the "Big Business"?
IANA Business Major, but would this work? Just my thoughts on the matter.
Re:Well. (Score:2)
The premium would be a function of how much sales the company makes by cc. Granted, this would be passed on to the customers, but the merchant is free to put a "Your credit card number is protected by [INSERT COMPANY NAME HERE]" logo on their site, and they receive a listing on the insurer's website.
Obviously, the insurance company is going to make the premiums dependent on the extent of security precautions. In other words, if the merchant doesn't even change the database default password, then their premiums'll be sky-high and either the company goes under more quickly or it charges exorbitant prices to cover the premiums. Meanwhile, a company that employs a good security guy who secures the servers (keeping up with all the tricks of the trade) pays next to nil in fees, thus giving them lower prices.
Build the security into the price of what you buy online, in other words.
One thing you can do (Score:2)
Personally I think the online world will be a much safer place once we have 'one-time' transaction numbers for specific amounts, much like American Express are apparently introducing. Instead of giving any old company your full and 'permanent' credit card details, you go to your bank and ask them to provide you with a unique number for that individual transaction for a particular amount. It's then impossible for the company to store your details, mischarge you or charge you again in the future. Of course, we'd have to be confident that the credit card companies' security is good, but I'd rather trust them than some merchant who's just about managed to get a Java e-commerce app running on his shared server.
A Third Agent is needed. (Score:2)
Well, the only way is to have an external body that will grant companies security certifications. The companies will be required by law to get a license to hold data, on the condition that a secure external body examines their security arrangements. This way the company does not have to reveal its security arrangements to anyone but the government, and the customer can be assured that his data is safe because the company he trades with is certified by an external body.
It's a bit like Bob and Alice. We need a third agent to make things really secure, it would seem to me.
You know exactly what to do-
Your kiss, your fingers on my thigh-
Re:I recently got carded from russia... (Score:1)
[Let me guess, 415 Rubles (about $15) in Moscow Russia, from a company called "Global Telecom", right?]
So, despite what Egghead says about their break in, database theft, or however it was classified, it DID happen. My CC Company was smart enough to send a letter just in case I missed the charge on the bill. (I am in the process of contesting the charge at the moment.)
The problem with this type of thing and having the retailer pay for it, is that there is no real connection between the fraudulent charges and the one from Russia. I don't know if the company in Russia will get the money, but if they do, it won't necessarily be Egghead that takes the loss. It will likely be my CC company.
The "single use" number would work to combat this, and I see that more and more credit card companies will start using them. (Assuming there is not some overly restrictive patent on the concept.) But better than that, would be a "single retailer" number. One that works only if a certain retailer makes the charge. Then you know exactly who the culprit is, and you could turn it "on and off".
The single retailer number (I'd only need 5 or 6 of them, so they would be easy to manage) could then help the customer by allowing retailers to much more safely use the "single click" shopping method without overly jeopardizing the consumer's credit card if a hole were found and exploited. In the event that the company is purchased or reorganized as in the case of OnSale and Egghead, there would be less for the consumer to worry about.
jafiwam
We really need this! (Score:1)
Corporations have been doing this against us for so long - sharing and even selling personal information about their customers. It is time to turn the tables around. We have no choice but to try and protect ourselves also.
Why store credit card details (Score:1)
$0.02 worth