Re: [mv] How safe is e.commerce
****** message to minivend-users from "Gideon van Gelder" <gideon@swingmaster.nl> ******
Hi,
This is quite an issue. Let me burst the bubble of anyone who presently thinks
international e-commerce over SSL can be called SAFE in the true meaning of
the word. Really, 40-bit encryption is easily broken, and mind you, the NSA
makes sure there will not be any encryption used globally that they can't
crack without a lot of trouble. But since not every hacker has access to
the kind of number-crunchers those guys have, 128-bit encryption is "safe",
unfortunately only allowed in America, because of the well-discussed browser
export restriction, out of fear of maybe getting into a full-scale nuclear
war with Russia because they can use 128-bit SSL... But as Mike said, this
will probably change under international pressure imposed upon the US.

Furthermore, if you use PGP, use version 5, with the largest key you can
generate, a Diffie-Hellman key at that, since those are the safest. That
area is not your worry: PGP with DH 3072, for instance, is really safe.

You might want to encrypt passwords in UserDB, but those are not the stuff
a hacker is after. If you don't store CC info on the server, I think your
only "problem" is the fact that raw CC data remains in memory for some time,
but that's not an issue I would lose any sleep over either. The only thing
you must remember is that currently international SSL is insecure, unless
you use an SGC SuperCertificate from Thawte or Verisign, their daddy.

BTW, don't let those kinds of shows scare you: they're about the few instances
of people submitting CC information over an insecure line, so even my kid
brother could intercept it. I recently read there are FAQs and HOWTOs online
for ripping people's CC info, so..

Fact remains that the average hacker will not spend his precious time on
intercepting each encrypted packet and trying to crack it to get the
session key: he needs to do this for each session, and that makes this a not
very efficient rip-off.

Now, the biggest flunk is really to misconfigure the MV server itself, or to
put it in WWW space, where every idiot could download the userdb, for
instance. Just make sure that as little as possible is in WWW space, and that
the server itself and the DBs and the pages are all in non-public space.
Furthermore, a firewalled server is always comfortable.

About credit card companies holding you liable: the only company that will be
held liable in the case of credit card misuse is the company that asked for
authorization of the transactions. E.g. a hacker buys a 10.000-dollar Armani
suit in Paris; the Armani store is asked to credit the amount back to the
hacked person's account. If the hacked information was ripped from your
server, or from your line between the customer and your server, this is
almost impossible to trace, and even so, you can put in your disclaimer that
you cannot be held responsible for any damage done to the customer in any
sense due to the use of your website, like amazon.com does, for instance.

My advice is to visit Dell.com, amazon.com and gateway.com and look at their
legal sections/disclaimers/terms of use: these guys know what they're talking
about. And like them, if you wish, you could put the guarantee on your website
that if any fraudulent charges are made to a customer's CC, you will credit
the amount back to their account for a maximum of 50 dollars, which is the
US bank policy of maximum card-holder liability. This however probably doesn't
apply to non-US customers, but really, the major CC companies such as VISA and
MasterCard won't even hold their customers liable, period.

This is what it boils down to: your credit card IS your main SECURITY!
Whatever happens, if you report a fraudulent charge in time, 9/10 times the
CC company WILL take care of it, by contacting the vendor that made the charge
and so getting the money back.
Happy Vending,
-Gideon van Gelder
> ****** message to minivend-users from Johan Landman <johan@datatex.co.za> ******
>
> We are about to launch our first mvend site.
> There was some horrific program about credit card fraud on the
> internet on one of our local TV stations last night.
>
> It appears as if the major risk lies with the merchant.
>
> We will use SSL from VeriSign and PGP encryption. Credit card info
> will not be stored on the mvend server.
>
> 1. What are your real life experiences, from a merchant point of view,
> of fraudulent transactions as a percentage of "safe" transactions ?
>
> 2. How do we convince the client to trust our site if it is "safe" ?
>
> 3. Is there anywhere the list can point us to: on more specific information
> on how to secure an ecommerce site ?
>
> All help would be greatly appreciated
>
> johan
> johan@datatex.co.za
>
> -
> To unsubscribe from the list, DO NOT REPLY to this message. Instead, send
> email with 'UNSUBSCRIBE minivend-users' in the body to
Majordomo@minivend.com.
> Archive of past messages: http://www.minivend.com/minivend/minivend-list
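A concrete check for the advice above about keeping the MV server, its databases and its pages out of WWW space, added here as an example (not code from the list post or from the MiniVend project): a POSIX shell audit that verifies a catalog's data directory does not resolve under the web document root and contains no world-readable files. The document root and catalog paths it uses are assumptions.

```shell
#!/bin/sh
# Added example (not from the mailing list post or the MiniVend project).
# Audits that a catalog's data directory is outside the web document root
# (so it cannot simply be fetched over HTTP) and that nothing in it is
# world-readable. All paths below are assumptions for illustration.

# Succeed (0) when data dir $2 does not resolve to a path under web root $1.
# pwd -P resolves symlinks, so a data path that is really a link into the
# web root is still caught.
outside_docroot() {
  docroot=$(cd "$1" 2>/dev/null && pwd -P) || return 1
  datadir=$(cd "$2" 2>/dev/null && pwd -P) || return 1
  case "$datadir" in
    "$docroot" | "$docroot"/*) return 1 ;;
    *) return 0 ;;
  esac
}

# Print regular files under $1 whose "other" read bit is set, one per line.
world_readable_files() {
  find "$1" -type f -perm -o=r 2>/dev/null
}

# Audit one catalog: print each finding, return 0 only when all checks pass.
audit_catalog() {
  rc=0
  if ! outside_docroot "$1" "$2"; then
    echo "FAIL: $2 lies inside document root $1 (downloadable over HTTP)"
    rc=1
  fi
  leaks=$(world_readable_files "$2")
  if [ -n "$leaks" ]; then
    printf '%s\n' "$leaks" | sed 's/^/FAIL: world-readable: /'
    rc=1
  fi
  [ "$rc" -eq 0 ] && echo "OK: $2 is private and outside $1"
  return "$rc"
}

# Usage (assumed paths): audit_catalog /var/www/html /home/mv/catalogs/shop
if [ $# -eq 2 ]; then
  audit_catalog "$1" "$2"
fi
```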