- From: Andrew Daviel <andrew@andrew.triumf.ca>
- Date: Mon, 12 May 1997 11:56:41 -0700 (PDT)
- To: Sarra Mossoff <sarra@smallworld.com>
- cc: www-talk@w3.org

On Mon, 12 May 1997, Sarra Mossoff wrote:

> Intercepting a credit card number that has been sent over the phone lines
> via a web connection is, in contrast, nearly impossible. You'd need a

Seems to me that if you have a scheme that works, you can amortize your considerable effort over thousands of fraudulent transactions. If someone *knew* that quantities of credit card numbers were going in clear over a particular link, they might crack a machine on a connected segment and install a packet sniffer, or conceivably physically attach a bug in a cable tray. Get out yer TDR sets ...

Incidentally, data from properly secure transactions may hang around in the user's system memory in clear for a while. If someone gains access over the net or physically, they may be able to snarf account numbers, PINs, passwords etc.

Yes, giving credit card numbers over cellphones or cordless phones is daft. You'd have to listen to a lot of drivel to get even one number, though. (The CIA reputedly have software to pull this trick).

IMO, risks are as follows:

Someone cracking a commerce site and installing a trojan horse which intercepts sensitive data in clear and transmits it to a remote location. This includes both software and hardware firewall bypasses.

Someone with enough horsepower to crack short encryption pulling this trick at any routing node.

Andrew Daviel

Received on Monday, 12 May 1997 14:55:56 UTC