- From: Mike Meyer <mwm@contessa.phone.net>
- Date: Mon, 12 May 1997 12:24:07 PST
- To: www-talk@w3.org
> >I think she's still right - the technology required to snoop credit card
> >numbers off a web server is noticeably newer (and hence less obtainable) than
> >the technology required to snoop credit card numbers off a hotel's phone
> >lines.
>
> The issue isn't at the server, which is either run by competent, trustworthy
> people or there's no hope at all anyway. At the _user_ end, though, you're
> trusting everybody who shares the same piece of ethernet. In our public
> computing sites that is a very scary thought.

Randoms on your ISP are a problem, yup. But that's also where the ROI for the thief is lowest. If you're going to dedicate resources to swiping credit card numbers off the net, you start looking at the place you're most likely to find them, not with the random mishmash one finds on a large ISP.

Of course, you've also overstated the case. You don't trust everybody who shares the same piece of ethernet, just those who can do computing on boxes attached to it. If you're in a room full of CPUs on one net and surfing on one of those, you've got a problem. If you're dialed into an ISP that doesn't have shell accounts or puts the shell account machines on a different subnet than the one you dial into, you don't.

The attack at the user end seems similar to a shoulder surfing attack for phone card numbers. It works in ones and twos and is worthwhile for small-time crooks, but simple precautions will prevent you from being a victim.

<mike
Received on Monday, 12 May 1997 15:33:32 UTC