Internet Outlook with Richard Wiggins | 48


Vol. 1 No. 3 July 20, 1997

Putting Risk in Perspective


Please Swipe My Credit Card

Just as the most dangerous parts of an airplane flight are the takeoff and landing (midair collisions are especially rare), the most dangerous parts of your credit card number's journey are the starting point and the destination. Even browser encryption may not provide complete security. Dr. Nathaniel Borenstein is perhaps most famous for inventing MIME (Multipurpose Internet Mail Extensions), the mechanism for sending e-mail attachments. Currently he is Chief Scientist for First Virtual Holdings, and the architect of their payment system. (Coincidentally, he too is an Ann Arbor institution.)

Dr. Borenstein is fond of going around the country and demonstrating a different kind of sniffer program on his audience's PCs. He shows a security exposure that defeats encryption: suppose a program is watching your keystrokes on the PC, looking for the unique pattern of a credit card number. Once it spies a number, it quietly opens an Internet connection to a secret net-resident card cache. You thought your connection was secure, and your number has been stolen as you typed, completely without your knowledge. The data may be encrypted by the browser for transmission, but the theft takes place outside the browser. The First Virtual payment system obviates this risk. Your credit card number actually never goes over the Internet; it resides in a special database maintained by First Virtual. You're prompted to approve sales via a simple e-mail message. You can reply Yes, No, or Fraud. Because this "challenge" comes to you via a different path from a third party, it offers added security.
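The out-of-band approval scheme described above, as an added Python model that is not part of the original column and not First Virtual's own code: the merchant submits only an account ID, the card number stays in the provider's vault, and every sale must be confirmed by a reply on a separate channel, so a keystroke sniffer on the buyer's PC has nothing to capture. The message wording, the one-time code, and the Fraud lock-out are assumptions.

```python
# Added model of an out-of-band payment approval flow (assumptions throughout;
# this is not First Virtual's real protocol).
import secrets

class PaymentProvider:
    def __init__(self):
        self._vault = {}      # account_id -> card number; never leaves this object
        self._pending = {}    # one-time code -> (account_id, merchant, amount)
        self._locked = set()  # accounts whose owner replied "Fraud"
        self.outbox = []      # simulated e-mail channel: (account_id, message)

    def enroll(self, account_id, card_number):
        # Enrollment happens once, off the purchase path.
        self._vault[account_id] = card_number

    def request_charge(self, merchant, account_id, amount):
        """Merchant side: only the account ID crosses the wire, never the card."""
        if account_id not in self._vault or account_id in self._locked:
            return None
        code = secrets.token_hex(8)  # unpredictable, single-use challenge code
        self._pending[code] = (account_id, merchant, amount)
        self.outbox.append((account_id,
                            f"Approve ${amount:.2f} to {merchant}? "
                            f"Reply Yes/No/Fraud quoting code {code}"))
        return code

    def reply(self, account_id, code, answer):
        """Buyer side: the answer arrives by e-mail, a path the keylogger never saw."""
        entry = self._pending.pop(code, None)
        if entry is None or entry[0] != account_id:
            return "invalid"  # unknown, replayed, or someone else's code
        if answer == "Fraud":
            self._locked.add(account_id)
            # Drop every other outstanding challenge for the compromised account.
            self._pending = {c: e for c, e in self._pending.items()
                             if e[0] != account_id}
            return "locked"
        return "charged" if answer == "Yes" else "declined"
```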

Another point of exposure that the popular press consistently overlooks is the data processing shop of the company you're doing business with. What do they do to secure your credit card number against crackers? They can encrypt data between you and their servers, but do they encrypt confidential data on their Oracle or SQL servers? This is important because a cracker could break straight into the company's database machines and find credit card information in clear text. The risk isn't theoretical at all: one major Internet Service Provider (ISP) was cracked a couple of years ago, and the thief didn't steal Internet accounts -- he stole credit card numbers stored in clear text in flat files.

So with all these risks, does this mean the wise person avoids Internet commerce? Not at all! It turns out your credit card numbers aren't very secure in the physical world, either. Old credit card receipts can be stolen from your trash. An unscrupulous store clerk could run his own imprint of your card. And my favorite example: yesterday while pondering the cell phone authorization machine, I stopped in a local gas station, and sitting at the pump was a freshly printed receipt, showing a complete credit card number as well as the expiration date. If I'd seen the car drive off, for $5 I could've looked up the license plate via the Secretary of State office, and I'd have all I need to know to commit fraud.

In the United States at least, your best protection is Federal law. Your liability for a lost or stolen credit card is limited to $50. If you report the loss before fraud occurs, your liability is zero. This doesn't mean you'll want to shout out your credit card numbers over a bullhorn at the Art Fair, of course, but your attitude about the Internet and credit cards should be "appropriate paranoia."

As for those cellular credit card terminals, until someone in the industry assures me the data is encrypted, I'll write a check, thank you.



Produced by Richard Wiggins and

Created: July 20, 1997
Revised: July 21, 1997

URL: http://webreference.com/outlook/column3/page4.html