Re: Session tracking

Excerpts from mail: 3-May-95 Re: Session tracking brian@organic.com (4912)

> > Email addresses work pretty
> > well (that's what we use to search for an ID if someone loses theirs - we
> > just mail the result of the search to them - First Virtual-style security
> :-). 

I know this isn't really a discussion about First Virtual, but I really
have to correct something here.  Not only is this not "First
Virtual-style security", it completely misrepresents how we do business.
 In particular, if one of our users loses their ID, our policy is that
we will NOT email their ID back to them -- in fact, with rare
exceptions, their account is permanently lost in such situations, and
they have to set up a new one.  This is because part (by no means all)
of our transactional security comes from the lack of direct correlation
between an email address and the associated FV ID.  If we let just
anyone forge mail to us saying they'd forgotten their ID, and then use a
sniffer on the resulting traffic back to the real user, we'd open up a
somewhat easier path to fraud than we are willing to tolerate.

You don't have to love our model, but you shouldn't criticize it without
understanding it.  We take security *extremely* seriously, and we have
lots of very happy buyers and sellers who are grateful for it.  (And our
user community and transaction volumes are both growing at a very steady
15% per week, by the way, so we must be doing *something* right.)  --
Nathaniel
--------
Nathaniel S. Borenstein <nsb@fv.com>
Chief Scientist, First Virtual Holdings Incorporated
Phone: +1 201 540-8967  (fax 993-3032)
FREQUENTLY ASKED QUESTIONS (& PGP key):  nsb+faq@nsb.fv.com

-----VIRTUAL YELLOW RIBBON----zldf@clark.net----VIRTUAL YELLOW RIBBON----

> When privacy is outlawed, only   Support the Zimmerman Legal Defense! <
> outlaws will have privacy!       http://www.netresponse.com/zldf      <

-----VIRTUAL YELLOW RIBBON----zldf@clark.net----VIRTUAL YELLOW RIBBON----

Received on Wednesday, 3 May 1995 17:13:46 UTC