iffy data, but generally a laudable attempt to reduce the Fear, Uncertainty,
> Besides, once the server is able to support security, we
> can't assume the majority of browsers visiting our site
> will support this. It will be a while before the AOL and
> CompuServe masses support this next level.
This is exactly what hurt SHTTP so seriously.
July 15, 1996
Hype over credit card fraud is hurting the Web
By _Mark Tebbe_
As a consultant, I travel often and thus have been to more than my fair share
of restaurants--some swanky, some dives.
I have seen literally thousands of people pay their bill by giving a credit
card to the waiter without so much as a second thought.
Then why is there such a big security concern when it comes to paying with a
credit card over the Internet?
We have been conditioned to think that a hacker is actively lurking around
just waiting for our credit card number to fly past him or her on the Net. We
have been brainwashed to think that we shouldn't use a credit card unless we
have a secured socket between our browser and server.
Yet it is nearly 11 times more likely that your credit card number will be
stolen by a waiter than from an unsecured Internet transaction.
Granted, it's doubtful that you will personally walk your credit card to the
restaurant's Verifone device and swipe the card to ensure that no one looks at
it in the process. It is just too inconvenient for the one-in-374,000 chance
that your credit card number will be illegally obtained.
But we often inhibit our credit card use on the Internet because of this
somewhat market-driven hype.
Since most browsers in use today don't support secured sockets, we are
slowing this rudimentary form of electronic commerce on the Internet.
Moreover, this paranoia is dampening the effectiveness of your own Web site.
We think we need to sport a fully configured secure Web server in order to
expect even the first order. This is an artificial barrier that is
counterproductive to our efforts.
Building upon the significantly remote chance of credit card fraud, as a
consultant I am often asked to build systems for clients that support credit
card usage without a secure facility already in place. Sure, adding security
is always in the plan but, because of cost, usually slated for a later date;
after the site shows promise for an investment return.
Besides, once the server is able to support security, we can't assume the
majority of browsers visiting our site will support this. It will be a while
before the AOL and CompuServe masses support this next level.
But don't get me wrong. You need to be very concerned about Internet
security. If not, your site could be at risk.
We recently had a client who discovered a security breach. Some hacker had
attempted to access a secured area of the server and download numerous files
of system source code. After some investigation, it appeared that his efforts
were thwarted. At least, at first.
After doing some routine monitoring, those same file names showed up in a
file transfer list. It appeared that this "hacker" was able to breach a
proven-secure firewall by dialing in to the system through a RAS connection.
After logging in to an established admin account, the hacker was able to
create a new user. With this new account, our hacker then downloaded the
As you might have guessed, the profile of this hacker was common--a
disgruntled employee who was able to move faster than the procedures to secure
_)_So, next time think harder when you hand that credit card to your waiter
than when you submit it on the Web.
Mark Tebbe is president of Lante Corp., a national technology, consulting and
integration firm. He can be reached via E-mail at firstname.lastname@example.org_.
_TOP OF PAGE_