Re: Detecting CC numbers

2005-03-17 Thread Ram0502
I think this idea has many benefits:
1 helps the user do the right thing
2 drives better behavior in the market (CC#s are sensitive and should
be protected)
3 user experience friendly, I don't think a Pentium2 user would notice
any latency change
4 cost effective, relatively small amount of relatively simple software

___
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security


Re: Detecting CC numbers

2005-03-14 Thread HJ
Gervase Markham wrote:
> HJ wrote:
>> A credit card number can be as long as 19, 6 for the issuer, 12 for
>> the account number and 1 for the checksum.
>
> Ah, OK. Do you have a reference to a document describing the format and
> the checking algorithm? I assume there is one, as sites do check for
> valid numbers.
>
> Gerv

Just do a search for: ANSI X4.13 and/or ISO/IEC 7812-1:1993

/HJ


Re: Detecting CC numbers

2005-03-14 Thread Jaqui Greenlees
Gervase Markham wrote:
> Idea off the top of my head - please tell me why it won't work.
> Could we parse all form submissions over unencrypted channels and put up
> an alert (You _really_ don't want to do this!) if any of the fields
> was a sixteen-digit number which passed the credit-card-number checksum
> algorithm?
>
> OK, so some places have four boxes for four digits each, but with clever
> coding, we might be able to catch that version too.
>
> Gerv

for details on what goes into each company's card numbers, just contact
the companies.

most e-commerce, from the business end, is through third party site.
the banks have a contract with at least one company that handles all
online transactions for their business customers. transactions such as
processing your credit card data when you buy something from the company.

you could go through the banks to get their online group, then talk to
them about what they want as input, so that the browser can be secured
to make the risks lower for both sides of the transaction.
( Canadian system different than US system, different from European
system )

each payment agency has different layouts, so that is where layouts are
controlled, not the site end.
e-commerce sites have to use the processing company's format, which
really has nothing to do with the card type, or length of card number


Re: Detecting CC numbers

2005-03-14 Thread Gervase Markham
HJ wrote:
> You will notice a shift towards e-mail phishing soon, because there's a
> lot of chatter about it already. Again, people use Mozilla features on
> their bank sites, like the password manager, and that makes your inbox
> even more interesting.

Mining useful data from email accounts is harder, and probably involves
a human step, so is harder to automate. If phishers are reduced to
trying to break into your email, we'll have won a significant victory.

Gerv


Re: Detecting CC numbers

2005-03-10 Thread HJ
Gervase Markham wrote:
> Idea off the top of my head - please tell me why it won't work.
> Could we parse all form submissions over unencrypted channels and put up
> an alert (You _really_ don't want to do this!) if any of the fields
> was a sixteen-digit number which passed the credit-card-number checksum
> algorithm?

A credit card number can be as long as 19, 6 for the issuer, 12 for the
account number and 1 for the checksum.

> OK, so some places have four boxes for four digits each, but with clever
> coding, we might be able to catch that version too.
>
> Gerv
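The check discussed in this thread (a Luhn-valid number of up to 19 digits, possibly split across several boxes, submitted to a non-HTTPS target), as an added example that is not part of the original messages and is not Mozilla code. The 13-digit minimum, the 1-6 digit box size, the all-identical-digits filter and the function names are assumptions of this example.

```javascript
// Added illustration, not Mozilla code. Field values are strings in form order.
const MIN_LEN = 13;          // assumed lower bound; the thread only states the maximum
const MAX_LEN = 19;          // maximum length given in the thread
const PART = /^\d{1,6}$/;    // assumed: one box of a split entry holds 1-6 digits
const SAMPLE = ["Bob", "4111", "1111", "1111", "1111", "123"]; // constructed form values

// Luhn check: double every second digit from the right, sum, test mod 10.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = digits.charCodeAt(digits.length - 1 - i) - 48;
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

// Digits only, length window, Luhn; "0000..." passes Luhn, so reject it as filler.
function looksLikeCard(s) {
  return /^\d+$/.test(s) && s.length >= MIN_LEN && s.length <= MAX_LEN &&
    !/^(\d)\1*$/.test(s) && luhnValid(s);
}

// Returns [{ fields: [indexes], split: boolean }] for card-like values.
function findCardFields(values) {
  const clean = values.map(v => String(v).replace(/[ -]/g, ""));
  const hits = [];
  for (let i = 0; i < clean.length; i++) {
    if (looksLikeCard(clean[i])) { hits.push({ fields: [i], split: false }); continue; }
    // Split entry: join consecutive short digit-only boxes starting at i.
    let joined = "";
    for (let j = i; j < clean.length; j++) {
      if (!PART.test(clean[j])) break;
      joined += clean[j];
      if (joined.length > MAX_LEN) break;
      if (j > i && looksLikeCard(joined)) {
        hits.push({ fields: Array.from({ length: j - i + 1 }, (_, k) => i + k), split: true });
        i = j;  // resume after the last box of this number
        break;
      }
    }
  }
  return hits;
}

// Warn only when the form target is not HTTPS and some field matched.
function shouldWarn(actionUrl, values) {
  return new URL(actionUrl).protocol !== "https:" && findCardFields(values).length > 0;
}
```

Joining adjacent boxes can also match unrelated numeric fields that happen to pass the checksum (roughly one candidate in ten does), so a hit is a prompt to the user rather than proof of a card number.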


Re: Detecting CC numbers

2005-03-10 Thread Ian G
Gervase Markham wrote:
> Idea off the top of my head - please tell me why it won't work.
> Could we parse all form submissions over unencrypted channels and put up
> an alert (You _really_ don't want to do this!) if any of the fields
> was a sixteen-digit number which passed the credit-card-number checksum
> algorithm?

Much of phishing isn't about credit card details so
much as *any* information.  And, as attackers are able
to adjust their policies to suit what's out there,
they could also make their sites foil the checks.
(Phisher programmers almost certainly haunt these
maillists...)

Also, I'm not sure whether the drain on CPU would be
worth the benefit?

Which isn't to say that I don't think it will work,
that's just a couple of reasons why it might not be as
efficacious as first thought.

> OK, so some places have four boxes for four digits each, but with clever
> coding, we might be able to catch that version too.

Sounds like an arms race...  It's for this reason
that most people think about a crypto-inspired solution,
as strong keys can't be arms-raced, only bypassed.

iang
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/


Re: Detecting CC numbers

2005-03-10 Thread HJ
Ian G wrote:
> Gervase Markham wrote:
>> Idea off the top of my head - please tell me why it won't work.
>> Could we parse all form submissions over unencrypted channels and put
>> up an alert (You _really_ don't want to do this!) if any of the
>> fields was a sixteen-digit number which passed the credit-card-number
>> checksum algorithm?
>
> Much of phishing isn't about credit card details so
> much as *any* information.  And, as attackers are able
> to adjust their policies to suit what's out there,
> they could also make their sites foil the checks.
> (Phisher programmers almost certainly haunt these
> maillists...)

Yeah, *if* I was such a programmer, which I am obviously not, I would
rather have access to your inbox, because that will give me the ultimate
power trip.

/HJ