
Re: security on the web

From: Andrew Daviel <andrew@andrew.triumf.ca>
Date: Mon, 12 May 1997 11:56:41 -0700 (PDT)
To: Sarra Mossoff <sarra@smallworld.com>
cc: www-talk@w3.org
Message-ID: <Pine.LNX.3.91.970512112722.7630J-100000@andrew.triumf.ca>
On Mon, 12 May 1997, Sarra Mossoff wrote:

> Intercepting a credit card number that has been sent over the phone lines
> via a web connection is, in contrast, nearly impossible.  You'd need a

Seems to me that if you have a scheme that works, you can amortize
your considerable effort over thousands of fraudulent transactions. If 
someone *knew* that quantities of credit card numbers were going in clear 
over a particular link, they might crack a machine on a connected
segment and install a packet sniffer, or conceivably physically attach 
a bug in a cable tray. Get out yer TDR sets ...

Incidentally, data from properly secure transactions may hang around in
the user's system memory in clear for a while. If someone gains
access over the net or physically, they may be able to snarf 
account numbers, PINs, passwords etc.

Yes, giving credit card numbers over cellphones or cordless phones is daft.
You'd have to listen to a lot of drivel to get even one number, though.
(The CIA reputedly have software to pull this trick).

IMO, risks are as follows:

Someone cracking a commerce site and installing a trojan horse which
intercepts sensitive data in clear and transmits it to a remote 
location. This includes both software and hardware firewall bypasses.

Someone with enough horsepower to crack short encryption pulling this 
trick at any routing node.

Andrew Daviel
Received on Monday, 12 May 1997 14:55:56 GMT