Credit Card Contracts & banking liability

paulfordh@uk.ibm.com
Tue, 17 Aug 1999 11:02:21 +0100



Go to http://www.verisign.com/server/index.html and look at Global Site

Most UK banks use 128 bit server gated crypto.  Don't expect a phone
operator to understand the ins and outs.

Paul

--
Paul Ford-Hutchinson : EMEA eCommerce application security :
paulfordh@uk.ibm.com
OSU-1, IBM , PO Box 31, Birmingham Rd, Warwick, CV34 5YR +44 (0)1926 462005


"S S" <crypto24@hotmail.com> on 17/08/99 10:07:28

Please respond to ukcrypto@maillist.ox.ac.uk

To:   ukcrypto@maillist.ox.ac.uk
cc:    (bcc: Paul V Ford-Hutchinson/UK/IBM)
Subject:  Re: Credit Card Contracts & banking liability





Credit cards, Banks....also applies to other 'Insurance banks'.
A certain very well known UK enterprise offered free internet banking, with
the possibility of transferring funds around too.
When asked what security they used, the answer was 'we use the standard MS &
Netscape browser configuration which is totally secure & uses military grade
encryption also approved for government use'

When pressed as to how they had obtained the 128 bit SSL version for their
customers, the answer was 'we don't supply any add-ons, customers use the
standard browser supplied with the operating system (eg, MS Internet
Explorer)'. It was pointed out that this is only 40 bit SSL; the adviser at
the other end of the phone made assurances that this 'was absolutely
secure'.

So, does anyone on this list know something we don't?
Or are the banks really deluding themselves- surely it's a matter for the
Bank of England to take away their banking licence if they are being so
naive with their customer's money?

Incidentally, if you thought a bank to be a secure place for your money,
think again.
Under the regulations the maximum liability is for 90% of up to £18,000
savings. So you lose 10%, and above 18k you stand to lose the lot. Banks
these days are large multinationals with dealing interests worldwide, so the
exposure to market fluctuations is huge. I personally know several people
who lost their life's retirement savings in the BCCI scandal, & then there
was Barings too....

If you just sold your house & are waiting for completion, does anyone know a
safe place to put the money (short term)?
I believe the building societies come under the same banking laws....
Regards,



>From: Richard Clayton <richard@turnpike.com>
>Reply-To: ukcrypto@maillist.ox.ac.uk
>To: UKcrypto@maillist.ox.ac.uk
>Subject: Credit Card Contracts
>Date: Sun, 15 Aug 1999 16:07:57 +0100
>
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>I don't recall this topic being mentioned before, but it does seem quite
>important, since some of us have been telling anyone who will listen
>that the Government are wasting their time with an "ECommerce Bill",
>since real ECommerce will use credit cards and SSL provided by browsers,
>and that will all use standard contract law and nothing special is
>needed...
>
>Anyway, Howard is a friend of mine, and he recently mentioned that he
>has been looking at some Internet related small print on his credit card
>agreements. I asked him for the details and he has kindly provided them:
>
>Bank One International say:
>
>     "4(f) do not send details of the Card Account Number over the
>     Internet unless such details are sent in encrypted format using the
>     secure session features included in the Netscape or Microsoft
>     browser, or by using any other software approved by us or providing
>     at least the same level of security"
>
>which seems clear enough, and I think many who read this list would
>consider this a reasonable condition (the software listed reflects the
>realities of the marketplace).
>
>However, GE Capital bank (Debenhams Visa card) say:
>
>     "3.5 You must not send details of your Card or Account number over
>     the Internet or any other online services unless such details are
>     sent in a suitably encrypted format or by using software approved by
>     us."
>
>Being (I'm sure he wouldn't mind me saying) a stroppy sort of fellow,
>Howard rang up this credit card company to enquire what "suitably
>encrypted" might mean. This is clearly not something that many people
>have done. To quote Howard:
>
>     "it started as stunned silence and after seeking advice from
>     elsewhere it was clear that whoever was advising a) hadn't got a
>     clue what they were talking about and b) was making it up on the
>     spot. Essentially they could offer no absolute standard of security
>     and when pressed said that if it was a reputable company it was OK
>     (which is of course contrary to their T&Cs). It was clear that the
>     brain cell on the other end of the phone was by this time
>     exhausted."
>
>To change the topic very slightly ... it's notable that these credit
>card companies are NOT insisting that you only deal with companies who
>can identify themselves by means of chains of certificates linked
>upwards to some master certificate endorsed by a Secretary of State...
>about the only thing that the upcoming Bill might provide us with.
>
>Is this ignoring of the value of certificates a foolishness based on
>ignorance ? an inability to write such a clause without filling the rest
>of the page ? or a hard-headed commercial approach to what is in
>practice a tiny commercial risk ?
>
>Perhaps others can contribute some more contract clauses (good or bad)
>or even (to amuse us) some similar experiences with customer support ?
>
>I seem to remember Ross Anderson once saying that all the security
>professionals renewed their journal subscriptions by just sending plain
>email... but perhaps this is changing ?
>
>- --
>richard                       writing to inform and not as company policy
>         only 25 MPs still need adopting:  http://www.stand.org.uk/
>"Assembly of Japanese bicycle require great peace of mind" quoted in ZAMM
>
>-----BEGIN PGP SIGNATURE-----
>Version: PGPsdk version 1.1.1 (C) 1997 Pretty Good Privacy, Inc.
>
>iQA/AwUBN7bXze5vmeyLY9DdEQJARQCgzrWtbU7zzy1nYekFYhon49u4dewAnA0c
>txcPEEGpA5WWw9xajjPdGVyL
>=vlge
>-----END PGP SIGNATURE-----
>

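An added check, not from this thread or any of its authors, showing with Python's standard ssl module how a defender audits a server-side TLS configuration for the sub-128-bit "export" suites the thread is arguing about. The cipher tuple fed to classify_cipher is a constructed sample of what a 1999 export-grade browser would have negotiated; the hardened context and cipher string are my choices, not any bank's configuration.

```python
import ssl

# Threshold taken from the thread: anything below 128-bit symmetric
# strength (the 40-bit export SSL of default 1990s browsers) is weak.
MIN_BITS = 128


def classify_cipher(cipher):
    """Classify a (name, protocol, secret_bits) tuple of the kind that
    ssl.SSLSocket.cipher() returns after a handshake."""
    name, protocol, bits = cipher
    return {
        "name": name,
        "protocol": protocol,
        "bits": bits,
        "export_grade": bits is not None and bits < MIN_BITS,
    }


def weak_ciphers(ctx):
    """Names of suites the context would still offer whose symmetric
    strength is below MIN_BITS. Runs offline: it inspects the context's
    cipher list, no connection is made."""
    return [c["name"] for c in ctx.get_ciphers()
            if c["strength_bits"] < MIN_BITS]


def hardened_context():
    """Server-side context that refuses legacy protocol versions and every
    suite weaker than 128 bits, so no client can be negotiated down to
    export-grade crypto regardless of what its browser ships with."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!RC4")
    return ctx


if __name__ == "__main__":
    # Constructed sample: the 40-bit suite an export browser negotiated.
    print(classify_cipher(("EXP-RC4-MD5", "SSLv3", 40)))
    print("weak suites offered by hardened context:",
          weak_ciphers(hardened_context()))
```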
