Jaqui Greenlees wrote:

> One friend of mine won't purchase online; he will phone the company and
> do transactions with credit card over the phone instead. He had a one-time
> problem with a site charging more than he bought to his card. Turns out
> that the site in question didn't secure the order data, but once burned,
> twice shy.

Chances are, unless he was sending credit card details over a wifi
network it was unlikely it was intercepted, more likely either his
computer had a trojan or the company he was dealing with had their
database broken into, and from memory inside jobs are still more common
than outside attacks being successful. However it's a lot easier to
"sniff" a copper phone line than an SSL connection, here in Australia no
one would think anything of it if you rocked up with a little white van,
put up a little manhole tent and started attaching wires in the phone
network pits. I'm sure the same could be said for a lot of countries,
then of course if your friend is sending credit card details via a
cordless phone or mobile/cell phone, all you need is to be close +
high gain antenna and you can kiss your credit card details goodbye...

But once you start digging into all this you start hearing other things,
like merchants purchasing a certificate from a commercial CA, then
having the credit card details emailed back to the customer or
themselves in the clear, or of course weak security in their database...

So while the risk of an online purchase can leak credit card numbers
it's usually not the SSL/TLS layer at fault...

-- 

Best regards,
 Duane

http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://happysnapper.com.au - Sell your photos over the net!
http://e164.org - Using Enum.164 to interconnect asterisk servers

"In the long run the pessimist may be proved right,
    but the optimist has a better time on the trip."
_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security