Credit Card Contracts

Richard Clayton richard at turnpike.com
Mon, 16 Aug 1999 11:25:57 +0100


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In article <3.0.5.32.19990816093740.0093f8a0@mail.netkonect.co.uk>,
Nicholas Bohm <nbohm@ernest.net> writes

>The reason they aren't interested in making sure you're dealing with
>someone properly identified by a chain of certificates is simple:  unless a
>merchant is signed up to the credit card system somewhere, directly or
>indirectly, he can't get value from a card transaction.  The banks can vet
>who they will allow into the system, and rely on one another to do it.  In
>the UK, and other countries where the card issuer is jointly liable with
>the merchant to the customer on the transaction, they are especially keen
>to do a good job of vetting.  So certificate chains are irrelevant:  all
>merchants are already identified by the banking system.

ah... but you've missed an exposure here...

I can construct a site called, for example, www.marksandspensers.co.uk
(they own a whole lot of .com names, but not this particular .co.uk one)
and set up credit card ordering upon it... [a net special!]

I then spam a whole heap of newsgroups offering cheap underwear, five
socks for the price of two, and half price woolly jumpers (just the sort
of goods that we all buy from M&S and calculated, in stereotypical
fashion, to appeal to the average reader of newsgroups).

Behold, I get a whole heap of credit card numbers and other details
because people trust me (I look like I'm M&S, remember).

I then disappear (preferably quietly, so that there's not lots of
publicity about what I've garnered). Chances are that M&S don't really
wish to rush around publicising the apparently pointless scam...

... anyway, I have no relationship with the banks, or credit card owners,
and if I have any sense, I make sure I am not traceable through my
website creation activities either.

The following week I start using the credit card numbers I have to order
goods and services. As I understand it, there is a significant trade in
credit card numbers -- if I want to avoid risk I can just sell them into
this black market.

The credit card company abuse teams will not be able to detect the
pattern because they will not be aware of the common factor (use of the
fake M&S site) in the way that they could trace (eventually, through fancy
pattern detection software) dumpster diving behind a restaurant or a
crooked employee at a mail-order house.

        [[[ Ultimately, it is this threat of patternless abuse that
        makes credit card companies nervous about their numbers flowing
        across the Internet in non-encrypted packets. ]]]

The classic way to prevent this scenario is to certificate websites.
That way you know that Stephen Byers (or his successor) has promised
that this is really M&S's website by means of approval for a CA who has
checked out the credentials in a diligent manner.

This works well for M&S (and that's why people tend to pay a lot of
attention to certification schemes - because it is the big boys who are
paying it attention today) but it suffers, like all certification
schemes, from the usual problem of a limited name space.

When you look at the web site for your local paper shop then it may be
hard to associate "Alan's Newsagents" (the trading name, with
considerable local goodwill) with "Patel and Sons Newsagents (Dorking)
1997 Limited" who are the actual company to own it.

Anyway, I suspect that the credit card companies (or at least the two
whose contracts have been mentioned in this thread) are not convinced
(as I am) of the ultimate practical failure of name based certification
schemes... but have currently discounted their exposure to
impersonators.

- -- 
richard                       writing to inform and not as company policy
        only 25 MPs still need adopting:  http://www.stand.org.uk/
"Assembly of Japanese bicycle require great peace of mind" quoted in ZAMM

-----BEGIN PGP SIGNATURE-----
Version: PGPsdk version 1.1.1 (C) 1997 Pretty Good Privacy, Inc.

iQA/AwUBN7fnNe5vmeyLY9DdEQK3EgCgxgWPvL7xLHqokIS1PkYem4oukloAoPav
31utdSTuP3h46TGDlmg0aFzz
=k1Zs
-----END PGP SIGNATURE-----