Julien Pierre wrote:
> Well, now you have heard one. What do you want me to do to prove it, give you the person's name, e-mail and phone number, the name of the university? I do have that info, but I don't believe she would want me to share it.
Of course. The first issue here is whether it really was a sniffing of a credit card. (I believe you've given the key clues below...)
The second issue is how much was lost, and then how frequent it is. Once we establish a cost of this, and multiply by the frequency, we can then work out how much to spend on protecting against it.
Say there were 1000 instances every year. And we lost $1000 each time. I'm picking numbers here which we should hear about.
That would be total losses of $1 million. So that's how much - give or take - we want to spend to protect against credit card losses. Across the net society.
Currently, certs are sold at about 40k per year [1]. Imagine each cert costs $1000 (include some hassle time in there).
That makes for total costs to protect against the loss as $40 million. If we only lose $1m per year, that's not a good deal.
Hence, we can conclude two things:

 * we really *really* want to know how many losses
   (like your friend's) there are, and
 * in considering the acceptance of a new CA cert
   by MF or any other, there isn't much economic
   support for insisting on costly protection such
   as audits.

[1] http://www.securityspace.com/s_survey/sdata/200401/certca.html
> Also, I have seen legitimate (but security-ignorant) businesses that ask for credit card numbers by insecure e-mail. And very likely many security-ignorant customers will just volunteer the information over insecure e-mail.
Yes, I did a very basic test using Google about 6 months back, and established there were about 10-30k sites who ask for credit cards without using any form of SSL. This sits against the approximate 100k sites that use SSL (these numbers are all orders of magnitude). The existence of significant numbers of people who transmit CCs across HTTP or email is one reason why I believe there to be unmeasurable numbers of cases of snooping.
> I don't need to tell you how vulnerable that is to snooping by all the ISPs and relays, or any thief in between. I don't have any stats on it, but I bet it's a significant cause of fraud.
Nope, I doubt it is even measurable. Mind you, it would be really nice if we could provide a form of encryption protection to the very small businesses that can't afford the current expensive infrastructure. (It is for this reason that I suggest that Apache should install out of the box with a self-signed cert immediately generated, and Browsers should accept self-signed certs as a valid protected session.)
>> And, I've been looking for the last decade or so...

> Where? What was your research based on?
Anecdotal sources (talking to credit card people, looking at the various media reports, etc). No company will reveal this formally, unfortunately, :-/ I have challenged a lot of people in the field on this point, and they've maintained their silence...
> Did you ask the banks for their statistics on credit card fraud?
No, mostly the credit card people.
> Try asking the US credit card processors why they charge a higher rate for online transactions than for retail transactions.
Almost all fraud is one of these classes:

 * insider fraud, where someone with access
   to the information sells it in bulk,
 * hacks of boxes, or
 * false charge-backs. This latter is very
   prevalent in Adult/Gaming.

Because of these factors, in general, there is a much higher rate for online transactions:

 * stolen batches of cards can be used over
   the net to acquire goods,
 * cards are at risk in the databases, no
   matter how many security instructions
   are sent out, and
 * high chargeback rates in different areas.

Not because of anyone sniffing on the wire.
> I don't think they are just greedy (though they certainly are), but online fraud is a significant problem to them and they compensate for it by higher rate.
Right. But, they know it is not to do with sniffing on the wire. If it was, they would investigate where and when it was happening, and identify which insiders were doing it.
For example, have you ever heard of a sysadmin being arrested for sniffing credit cards? Or, an advisory that states that someone is sniffing cards in this or that place?
> However, it may be difficult to establish in many cases how exactly the credit card numbers were compromised since there are so many different ways. And the thieves probably don't go and brag about the most popular methods.
Actually, it is fairly well known how it is all done. There are chat groups and rooms and so forth where one can pick up the info on how to do it, and find prices to buy, etc (don't ask me *where*, that's not my game, but I gather it is mostly in IRC and some of the anon variants...).
> .... She knew this for a fact because it had happened to other people as well and word had gotten out that there were people snooping on the university network (but they had not been caught yet).
Ah, well, that latter part is certainly apropos. If there were a bunch of these events happening, then it is a plausible conclusion - looks like this may be a case of students snooping over the uni networks!
> ... After they reversed the charges, they canceled the old card account number, opened a new one with a new number, and sent her the new card very securely ... via US postal mail.
OK, so her cost was zero dollars, and some wasted time and hassle. The bank reversed the charges on the merchant, so the merchant was out for the cost of the goods sent.
> I believe this to be very common. And this is one of the key risks SSL tries to protect against.
Well, I've been told by people who worked at credit card companies that they've never ever seen any proven case of credit cards being compromised while on the wire. But, they can document squillions of cases based on insider fraud, cracking, etc. This is all informal, of course, so I'm curious as to how to establish this more scientifically.
iang

_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
