[LINK] Credit Card purchasing
Stilgherrian
stil at stilgherrian.com
Tue Jun 26 14:55:33 AEST 2007
On 26/6/07 1:47 PM, "COLLETT Martin" <Martin.COLLETT at publicworks.qld.gov.au>
wrote:
> So I ask if I am being too sensitive, or is this organisation conducting
> improper internet sales?
Short answer: Yeah, they're being pretty slack, but the risk to you probably
isn't that much more than if they were doing it "properly".
The bank which provides their credit card merchant facility will have rules
of some sort which they're supposed to follow. But when I've dealt with this
stuff, most recently with a nameless Big 4 bank, they seem more worried
about "128-bit encryption in the browser" than what happens to the credit
card numbers after that.
There was certainly no conversation about then keeping all paperwork or
backup tapes in a locked filing cabinet, for instance.
Despite the concerns over having that magic padlock appear in the web
browser, this is not the risk. Hackers don't go around trying to listen to
credit card numbers one at a time. They attack the organization's servers
where there might be a database containing hundreds or thousands of credit
card numbers and steal them in bulk.
Or they break into their office and steal things from the shelf, as happened
recently in Sydney with a licensed club of some sort -- members' names,
addresses, dates of birth and credit card numbers in one convenient go.
Or they monitor the keystrokes in the users' computers (which they've taken
over in bulk) and "steal" the credit card number at source.
As security expert Bruce Schneier says, demanding high-level encryption of
the link between the user and the store, without considering what happens at
each end, is like using an armoured car to deliver cash to people who live
in cardboard boxes.
Now all that said, given that encrypted email is easy to organise -- a few
extra lines of code on the website's side and a slight modification to their
email program, or using one of the many, many free shopping cart systems
that present the data back to them in an encrypted browser session, or using
a 3rd party gateway service that handles all the secure stuff for you -- you
could argue that they're not taking even the most basic precautions. And I'm
guessing their bank would probably give them hell if something went wrong.
> Is there a governing body that I can contact to pursue this further
> (providing, I have merited concerns)?
My understanding is that this is part of the problem...
HTH.
As an aside, a while back streetlife drug addicts could earn themselves
money by going through store rubbish bins and getting the merchant copy of
credit card slips -- with card number, expiry date and signature. $10 each
was the going rate -- though being paid directly in drugs was more common.
Apparently that market has dried up 'cos the higher-level crims can get
credit card numbers more cheaply from the hackers.
Stil
--
Stilgherrian http://stilgherrian.com/
Internet, IT and Media Consulting, Sydney, Australia
mobile +61 407 623 600
fax +61 2 9516 5630
ABN 25 231 641 421
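As an added illustration of the "what happens to the card numbers after that" point, here is a small redaction routine that a merchant could run over order emails or logs before anything is stored. It is example code written for this archive page, not something from the original message or from any shopping cart or gateway product; the regex, the function names and the sample order text are all constructed for the example. It uses the Luhn check so that other long digit runs (order references, phone numbers) are left alone and only plausible card numbers are masked down to the last four digits.

```python
import re

# Candidate card number: 13 to 19 digits, optionally separated by spaces or dashes.
# Constructed for this example; tune the bounds to the card schemes you accept.
PAN_CANDIDATE = re.compile(r'\b(?:\d[ -]?){12,18}\d\b')


def luhn_valid(digits: str) -> bool:
    """Return True if a string of digits passes the Luhn checksum.

    Every second digit from the right is doubled (subtracting 9 if the
    result exceeds 9); the total must be a multiple of 10.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, as a printed receipt does."""
    return '*' * (len(digits) - 4) + digits[-4:]


def redact_pans(text: str) -> tuple:
    """Replace every Luhn-valid card number in text with its masked form.

    Returns (redacted_text, number_of_replacements). Digit runs that do not
    pass the Luhn check are left untouched, so order ids and phone numbers
    survive; anything that looks like a real card number does not.
    """
    count = 0

    def _sub(match):
        nonlocal count
        raw = match.group(0)
        digits = re.sub(r'[ -]', '', raw)
        if not luhn_valid(digits):
            return raw
        count += 1
        return mask_pan(digits)

    return PAN_CANDIDATE.sub(_sub, text), count


def safe_to_store(text: str) -> bool:
    """True only if the text contains no unmasked, Luhn-valid card number."""
    return redact_pans(text)[1] == 0


# Constructed sample order email. 4111 1111 1111 1111 is a well-known test
# number that passes the Luhn check; the order reference does not.
SAMPLE_ORDER_EMAIL = (
    "Order ref 1234 5678 9012 3456\n"
    "Card: 4111 1111 1111 1111 exp 12/09\n"
    "Phone: 0400 000 000\n"
)

if __name__ == "__main__":
    redacted, n = redact_pans(SAMPLE_ORDER_EMAIL)
    print(f"{n} card number(s) masked")
    print(redacted)
```

Running the sample masks the card line to `************1111` and leaves the order reference and phone number alone. The `safe_to_store` check is the kind of gate a merchant would put in front of the mailbox, the database and the backup job, which is where the bulk theft the message describes actually happens.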